From 117b265378d6ab4866225360f9949ccb2ec51cef Mon Sep 17 00:00:00 2001 From: Elisamara Aoki Goncalves Date: Fri, 19 Jan 2024 13:16:03 +0000 Subject: [PATCH] Update procedure for deleting ldap user (r8,dsR8) Applying comments made in merged review https://review.opendev.org/c/starlingx/docs/+/901833 Closes-bug: 2044541 Change-Id: Icd3293abec74e373b23d0b2f0540557ea9c5504c Signed-off-by: Elisamara Aoki Goncalves --- ...elete-ldap-linux-accounts-7de0782fbafd.rst | 53 ++++++++++--------- 1 file changed, 29 insertions(+), 24 deletions(-) diff --git a/doc/source/security/kubernetes/delete-ldap-linux-accounts-7de0782fbafd.rst b/doc/source/security/kubernetes/delete-ldap-linux-accounts-7de0782fbafd.rst index ec8429ce1..c4c78f294 100644 --- a/doc/source/security/kubernetes/delete-ldap-linux-accounts-7de0782fbafd.rst +++ b/doc/source/security/kubernetes/delete-ldap-linux-accounts-7de0782fbafd.rst 
@@ -4,17 +4,26 @@ Delete LDAP Linux Accounts ========================== +.. rubric:: |context| + +When a |LDAP| user account is created in the |LDAP| server, using +:command:`sudo ldapusersetup` command, a corresponding |LDAP| Linux user is +created on the |prod| by mapping the |LDAP| user attributes to Linux user +attributes. The delete operation of a |LDAP| Linux account involves both the +deletion from the Linux system as well as the deletion of the corresponding +|LDAP| server object. + +The home directory for a new |LDAP| Linux user will be created after the first +login, as: ``/home/``. At the same time, the user will be prompted to +change the default password to a secure password based on mandatory format +rules. + +.. rubric:: |proc| + The following steps describe the procedure to delete |LDAP| Linux accounts. -#. Log in as **sysadmin**, and create a new LDAP user, if not already created. - - .. code-block:: none - - ~(keystone_admin)]$ sudo ldapusersetup - - -#. Check that the Linux user has been created on |prod| using one of the - commands: +#. |Optional| Logged in as sysadmin, check that the user exists on |prod| using one of + the commands: .. code-block:: none @@ -24,22 +33,15 @@ The following steps describe the procedure to delete |LDAP| Linux accounts. getent passwd -#. SSH to |prod| as the new |LDAP| user and change the initial password when - prompted at first login. - - .. note:: - - This step is only required for new users that were never used to login - the platform. - -#. Check that the home directory was created as ``/home/``. - #. Delete |LDAP| user. .. code-block:: none ~(keystone_admin)]$ sudo ldapdeleteuser + This command will remove the |LDAP| user from both the |LDAP| server as + well as from the Linux platform. + #. Check that the |LDAP| user was removed from the local |LDAP| server. .. code-block:: none 
@@ -70,9 +72,12 @@ The following steps describe the procedure to delete |LDAP| Linux accounts. ~(keystone_admin)]$ getent passwd -#. Check that the Linux home directory still exists after the user has - been removed. +The |LDAP| Linux user home directory still exists after the user has been +removed. - The Linux home directories of the deleted Linux |LDAP| users will be - managed by the system administrator. The platform will not remove them - together with the removal of the user. +The Linux home directories of the deleted Linux |LDAP| users will be managed by +the system administrator. The platform will not remove them together with the +removal of the user. + +The system administrator can backup (off system) and/or delete the home +directories. \ No newline at end of file
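Review bot: in the first hunk (the new `|context|` rubric and the note under `sudo ldapdeleteuser`), the text says the delete "involves both the deletion from the Linux system as well as the deletion of the corresponding |LDAP| server object" and that the command removes the user "from both the |LDAP| server as well as from the Linux platform"; since the same paragraph explains that the Linux user exists only as a mapping of the LDAP attributes, say plainly that the Linux account disappears because the LDAP object is removed, so readers do not look for a separate local account or expect a local `userdel`. Two smaller points in the same hunk: "using :command:`sudo ldapusersetup` command" needs "the", and both ``/home/`` and `sudo ldapdeleteuser` appear here without a username placeholder, so confirm the rendered file still carries one (angle brackets may have been dropped in this view).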
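Review bot: in the second hunk, the new closing paragraphs state that the home directory "still exists after the user has been removed" and that the administrator "can backup (off system) and/or delete" it, but give no reason to act on it; the directory stays owned by the deleted user's numeric UID, so a later LDAP user assigned that UID would own its contents (including any `.ssh/authorized_keys` left there). Suggest wording it as a recommendation rather than an option: archive the directory off-system if its contents are needed, then remove it (or at least change its ownership to root and restrict its permissions) promptly after the deletion. Also "backup" as a verb should be "back up", and the file now ends without a trailing newline (`\ No newline at end of file`); add one.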