From 6d2f14a1fafc49966600b60fc7e38484526b764d Mon Sep 17 00:00:00 2001 From: hiro <hiro@torproject.org> Date: Tue, 2 Jun 2020 10:08:06 +0200 Subject: [PATCH] Update documentation on how to add a new user on LDAP - create a new account procedure --- tsa/howto/create-a-new-user.mdwn | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/tsa/howto/create-a-new-user.mdwn b/tsa/howto/create-a-new-user.mdwn index a9afe647..9bb13226 100644 --- a/tsa/howto/create-a-new-user.mdwn +++ b/tsa/howto/create-a-new-user.mdwn @@ -30,21 +30,24 @@ The short version is: FINGERPRINT=0123456789ABCDEF0123456789ABCDEF01234567 && NEW_USER=alice && REQUESTOR=bob && - ./NEW "$FINGERPRINT" "$NEW_USER" && + ./NEW "$FINGERPRINT" "$NEW_USER" && git add torproject-keyring/"${NEW_USER}-${FINGERPRINT}.gpg" && git commit -m"new user ${NEW_USER} requested by ${REQUESTOR}" && git push && git push alberti && ssh -tt $USER@alberti.torproject.org "ud-useradd -n && sudo -u sshdist ud-generate && sudo -H ud-replicate" -See below for detailed instructions. +The last line will create the user on the LDAP server. If you are interested about +the details see below for detailed instructions. +Notice that when prompted for whom to add (`a GPG search`), enter the full +`$FINGERPRINT` verified above ## on your own machine For example, your laptop. 1. verify the OpenPGP key provided - + It should be signed by a trusted key in the keyring or in a message signed by a trusted key. See [[doc/accounts]] when unsure. @@ -54,12 +57,12 @@ For example, your laptop. FINGERPRINT=0123456789ABCDEF0123456789ABCDEF01234567 NEW_USER=alice REQUESTOR=bob - ./NEW "$FINGERPRINT" "$NEW_USER" && + ./NEW "$FINGERPRINT" "$NEW_USER" && git add torproject-keyring/"${NEW_USER}-${FINGERPRINT}.gpg" && git commit -m"new user ${NEW_USER} requested by ${REQUESTOR}" 3. push to both repositories: - + git push && git push alberti 
@@ -69,13 +72,13 @@ This is currently `alberti`. Make sure you run as a regular user with LDAP write access. 1. create the user: - + ud-useradd -n This command asks a bunch of questions interactively that have good defaults, mostly taken from the OpenPGP key material, but it's important to review them anyways. in particular: - + * when prompted for whom to add (`a GPG search`), enter the full `$FINGERPRINT` verified above @@ -96,7 +99,7 @@ LDAP write access. `ldapvi`. 2. synchronize the change: - + sudo -u sshdist ud-generate && sudo -H ud-replicate ## on other servers @@ -106,11 +109,11 @@ change to another server manually. In this case, we force the change to propagate to the email server, which is currently `eugeni`. 1. synchronize the change: - + sudo -H ud-replicate 2. verify the email alias was correctly created: - + egrep -q "${NEW_USER}@torproject.org" /etc/postfix/debian || echo "new user missing, please fix" 3. run puppet: @@ -129,7 +132,7 @@ Here's how to create a role account: 2. On LDAP host (currently alberti.tpo), as a user with LDAP write access, do: - + ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D uid=${USER},ou=users,dc=torproject,dc=org 3. Create a new `group` role for the new account: -- GitLab
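Review bot: In the first hunk (`@@ -30,21 +30,24 @@`), the new paragraph duplicates guidance that already exists later in the same file and has a grammar slip: "If you are interested about the details see below for detailed instructions" should read "see below for details" (and "interested in"), and the added "Notice that when prompted for whom to add (`a GPG search`), enter the full `$FINGERPRINT` verified above" repeats the bullet that is visible as context in the `ud-useradd` section; keep it in one place, or shorten the short-version note to "the last line runs `ud-useradd` on the LDAP host; see below for the prompts". The sentence also lacks a terminating period. Separately, the `-`/`+` pair on `./NEW "$FINGERPRINT" "$NEW_USER" &&` is identical as rendered, so that part of the hunk is presumably a whitespace-only change and not documentation content.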
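Review bot: The second hunk (`@@ -54,12 +57,12 @@`) and the hunks that follow it at `-69`, `-96`, `-106` and `-129` change no text: each `-`/`+` pair (the `./NEW` line and the blank lines before the indented commands) renders identically, which points to trailing-whitespace cleanup. That is fine to land, but it makes the diff hard to review against the commit message "create a new account procedure"; consider splitting the whitespace cleanup into its own commit so the one substantive change (the new paragraph in the short version) is isolated.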
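Review bot: In the hunk at `@@ -106,11 +109,11 @@`, the unchanged verification line `egrep -q "${NEW_USER}@torproject.org" /etc/postfix/debian || echo "new user missing, please fix"` is a weak check: the `.` in the pattern is an unescaped regex metacharacter and the pattern is not anchored, so it matches any line containing the user name as a suffix of another alias (for `NEW_USER=alice` it would also be satisfied by an existing `malice@torproject.org` entry) and the "missing" warning would never fire. Since this hunk already touches the surrounding lines, it would be worth tightening the pattern to a fixed-string, whole-line or word-anchored match (for example `grep -qF "${NEW_USER}@torproject.org"` plus an anchor on the alias column, or `grep -Eq "(^|[[:space:],])${NEW_USER}@torproject\.org"`), and preferring `grep -E` over the deprecated `egrep`.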