Verified Commit 9a27d03a authored by anarcat

how to add a sysadmin in ldap and puppet

parent bd83042f
...@@ -236,6 +236,26 @@ Save the file and exit the editor. `ldapvi` will prompt you to confirm ...@@ -236,6 +236,26 @@ Save the file and exit the editor. `ldapvi` will prompt you to confirm
the changes, you can review with the <kbd>v</kbd> key or save with the changes, you can review with the <kbd>v</kbd> key or save with
<kbd>y</kbd>. <kbd>y</kbd>.
### Adding/removing an admin
The LDAP administrator group is a special group that is not defined
through the `supplementaryGid` field, but by adding users into the
group itself. With `ldapvi` (see above), you need to add a `member:`
line, for example:
```
2 cn=LDAP Administrator,ou=users,dc=torproject,dc=org
objectClass: top
objectClass: groupOfNames
cn: LDAP administrator
member: uid=anarcat,ou=users,dc=torproject,dc=org
```
To remove the user from the admin group, remove the line.
The group grants the user access to administer LDAP directly, for
example making any change through `ldapvi`.
## Searching LDAP ## Searching LDAP
This will load a text editor with a dump of all the users (useful to This will load a text editor with a dump of all the users (useful to
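Review bot: the new "Adding/removing an admin" section tells the reader to remove the `member:` line to revoke admin access, but `groupOfNames` requires at least one `member` attribute, so deleting the only remaining line will be rejected by the server; the section should say so, and since membership here grants unrestricted write access to the whole directory, it should also state that removal is a required offboarding step and show how to list current members (e.g. a search on `cn=LDAP Administrator`) so the group can be audited. Minor: the DN in the example reads `cn=LDAP Administrator` while the attribute below it reads `cn: LDAP administrator`; pick one capitalisation in the example to avoid confusing readers who copy it.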
...@@ -133,8 +133,8 @@ Many of those are granted as part of the routine "core tor membership" admission ...@@ -133,8 +133,8 @@ Many of those are granted as part of the routine "core tor membership" admission
Other accounts required for full TPA access: Other accounts required for full TPA access:
1. [ ] LDAP admin access 1. [ ] [LDAP admin access](howto/ldap#adding-removing-an-admin)
2. [ ] [puppet](howto/puppet) git repository access 2. [ ] [puppet](howto/puppet#adding-removing-a-global-admin) git repository access
3. [ ] TPA password manager access (`admin/tor-passwords.git` in gitolite) 3. [ ] TPA password manager access (`admin/tor-passwords.git` in gitolite)
4. [ ] Sunet cloud access (e.g. `Message-ID: <87bm1gb5wk.fsf@nordberg.se>`) 4. [ ] Sunet cloud access (e.g. `Message-ID: <87bm1gb5wk.fsf@nordberg.se>`)
5. [ ] [Nextcloud](https://nc.torproject.net) admin account 5. [ ] [Nextcloud](https://nc.torproject.net) admin account
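Review bot: items 1 and 2 now link to the two new sections, but the Puppet section they point at also requires membership in the LDAP `adm` group, which is not an item on this checklist; since the list is meant to be reversed on offboarding, `adm` group membership (and its removal) should appear as its own checkbox rather than being implied by the link. Also confirm that the anchor `#adding-removing-a-global-admin` matches the slug the wiki generates for the "Adding/removing a global admin" heading, otherwise the link silently lands at the top of the page.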
...@@ -487,6 +487,15 @@ argument from Hiera. This is how the transition to a managed ...@@ -487,6 +487,15 @@ argument from Hiera. This is how the transition to a managed
operate a change. You can then examine the output and see if the operate a change. You can then examine the output and see if the
change is legitimate or abort the configuration change. change is legitimate or abort the configuration change.
## Adding/removing a global admin
To add a new sysadmin, you need to add their SSH key to the root
account everywhere. This can be done in the `profile::admins::key`
field in `hiera/common.yaml`.
You also need to add them to the `adm` group in LDAP, see [adding
users to a group in LDAP](howto/ldap#adding-removing-users-in-a-group).
## Troubleshooting ## Troubleshooting
### Running Puppet by hand and logging ### Running Puppet by hand and logging
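Review bot: the heading says "Adding/removing a global admin" but the body only covers adding; it should also state the removal steps (delete the key from `profile::admins::key` in `hiera/common.yaml` and remove the user from the `adm` group) and note that the root SSH key only disappears from a host after Puppet has run there, so removal is not complete until every host has applied the change. Also, the link target `howto/ldap#adding-removing-users-in-a-group` is not the section added to `howto/ldap` in this commit (that one is `#adding-removing-an-admin`, which concerns the LDAP Administrator group, not `adm`); check that the "users in a group" anchor actually exists, and consider spelling out that the `adm` group is managed through `supplementaryGid`, since the LDAP text above distinguishes the two mechanisms.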