Guided Exercise: Managing IdM Users and Hosts

Create and edit user, group and host accounts, and configure accounts to advance through the stages of a user account life cycle.

Outcomes

  • Create users with lifecycle parameters.

  • Change user passwords.

  • Configure user group membership.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start users-accounts

Instructions

  1. Delegate user management to a regular user.

    1. Log in to the idm machine as student and become the root user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. Authenticate to IdM as the admin user, using RedHat123^ as the password:

      [root@idm ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    3. Create the User Provisioning role. Use Role for Provisioning Users as the role description:

      [root@idm ~]# ipa role-add --desc "Role for Provisioning Users" \
        "User Provisioning"
      --------------------------------
      Added role "User Provisioning"
      --------------------------------
        Role name: User Provisioning
        Description: Role for Provisioning Users
    4. Add the User Administrators privilege to the User Provisioning role:

      [root@idm ~]# ipa role-add-privilege "User Provisioning" \
        --privileges="User Administrators"
        Role name: User Provisioning
        Description: Role for Provisioning Users
        Privileges: User Administrators
      ----------------------------
      Number of privileges added 1
      ----------------------------
    5. Add the idmuser01 user as a member of the User Provisioning role. Membership in the role grants the user the User Administrators privilege, and with it the permissions required to add users:

      [root@idm ~]# ipa role-add-member "User Provisioning" --users=idmuser01
        Role name: User Provisioning
        Description: Role for Provisioning Users
        Member users: idmuser01
        Privileges: User Administrators
      -------------------------
      Number of members added 1
      -------------------------
    6. View the member users of the User Provisioning role:

      [root@idm ~]# ipa role-show "User Provisioning"
        Role name: User Provisioning
        Description: Role for Provisioning Users
        Member users: idmuser01
        Privileges: User Administrators
  2. Create the idmgroup05 group and define a rule for automatic membership.

    1. Create the idmgroup05 group:

      [root@idm ~]# ipa group-add idmgroup05 \
        --desc "Auto Membership Group"
      ------------------------
      Added group "idmgroup05"
      ------------------------
        Group name: idmgroup05
        Description: Auto Membership Group
        GID: 1370600012
    2. Define a password policy for the group. Require a minimum of eight characters and lock the account after two failed login attempts. Give the policy priority 0 so that it takes precedence when other group password policies also apply to a user (the policy with the lowest priority value wins):

      [root@idm ~]# ipa pwpolicy-add idmgroup05 \
        --minlength 8 --priority 0 --maxfail 2
        Group: idmgroup05
        Min length: 8
        Priority: 0
        Max failures: 2
        Grace login limit: -1
    3. Create the idmgroup05 automatic group membership rule for the idmgroup05 group:

      [root@idm ~]# ipa automember-add idmgroup05 \
        --type="group" \
        --desc="Auto Member Rule for idmgroup05"
      ----------------------------------
      Added automember rule "idmgroup05"
      ----------------------------------
        Automember Rule: idmgroup05
        Description: Auto Member Rule for idmgroup05
    4. Add a condition to the idmgroup05 group membership rule that automatically adds to the group any user whose uid attribute starts with the string idmuser. The ^ anchor limits the match to the start of the value:

      [root@idm ~]# ipa automember-add-condition
      Automember Rule: idmgroup05
      Attribute Key: uid
      Grouping Type: group
      [Inclusive Regex]: ^idmuser.*
      [Exclusive Regex]: [Enter]
      ----------------------------------
      Added condition(s) to "idmgroup05"
      ----------------------------------
        Automember Rule: idmgroup05
        Description: Auto Member Rule for idmgroup05
        Inclusive Regex: uid=idmuser.*
      ----------------------------
      Number of conditions added 1
      ----------------------------
    5. Add a condition that automatically adds Active Directory users, whose entries carry the ntUser object class, to the idmgroup05 group:

      [root@idm ~]# ipa automember-add-condition
      Automember Rule: idmgroup05
      Attribute Key: objectclass
      Grouping Type: group
      [Inclusive Regex]: ntUser
      [Exclusive Regex]: [Enter]
      ----------------------------------
      Added condition(s) to "idmgroup05"
      ----------------------------------
        Automember Rule: idmgroup05
        Description: Auto Member Rule for idmgroup05
        Inclusive Regex: uid=idmuser.*, objectclass=ntUser
      ----------------------------
      Number of conditions added 1
      ----------------------------
    6. Rebuild the automember groups to implement the newly defined group conditions with existing users:

      [root@idm ~]# ipa automember-rebuild --type=group
      --------------------------------------------------------
      Automember rebuild task finished.
      Processed (7) entries.
      --------------------------------------------------------
    7. List the users in the idmgroup05 group. Ensure that IdM users have been automatically added as members of the group.

      Note

      The output does not display Active Directory users; it only shows IdM users.

      [root@idm ~]# ipa group-show idmgroup05
        Group name: idmgroup05
        Description: Auto Membership Group
        GID: 1370600012
        Member users: idmuser05, idmuser04, idmuser03, idmuser02, idmuser01
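The conditions in this step combine the way the 389 Directory Server automember plugin evaluates them: exclusive regexes are checked first and win, any inclusive match then adds the entry, and a multi-valued attribute such as objectclass matches if any of its values does. The following Python script is an added example that models that evaluation locally; it is not code from the course or from IdM. It assumes that a regex is searched anywhere in the attribute value, so the ^ anchor in ^idmuser.* is what keeps a uid such as testidmuser out, and it represents the group rule's default (objectclass=posixaccount) filter as a required object class. The directory entries and the exclusive ^idmuser-tmp condition are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed directory entries (attribute -> list of values, as LDAP
# attributes are multi-valued); not dumped from a live IdM server.
ENTRIES = [
    {"uid": ["idmuser01"], "objectclass": ["person", "posixaccount"]},
    {"uid": ["idmuser02"], "objectclass": ["person", "posixaccount"]},
    {"uid": ["idmuser03"], "objectclass": ["person", "posixaccount"]},
    {"uid": ["idmuser04"], "objectclass": ["person", "posixaccount"]},
    {"uid": ["idmuser05"], "objectclass": ["person", "posixaccount"]},
    # User synchronized from Active Directory: carries the ntUser objectclass.
    {"uid": ["adsync01"], "objectclass": ["person", "posixaccount", "ntUser"]},
    # Would match an unanchored "idmuser.*"; the ^ anchor keeps it out.
    {"uid": ["testidmuser"], "objectclass": ["person", "posixaccount"]},
    # Matches the inclusive uid regex but is removed by an exclusive one.
    {"uid": ["idmuser-tmp01"], "objectclass": ["person", "posixaccount"]},
    # Host entry: outside the group rule's filter, never considered.
    {"fqdn": ["client.lab.example.com"], "objectclass": ["ipahost"]},
]


@dataclass
class AutomemberRule:
    """One `ipa automember-add --type=group` rule and its conditions."""
    name: str
    # attribute key -> regexes, one list per `ipa automember-add-condition --key`
    inclusive: dict = field(default_factory=dict)
    exclusive: dict = field(default_factory=dict)
    # Group rules only see entries matching the rule type's filter; IdM's
    # default for user groups is (objectclass=posixaccount). Assumption of
    # this model: represented as a required objectclass value.
    filter_objectclass: str = "posixaccount"

    def add_condition(self, key, inclusive_regex=None, exclusive_regex=None):
        if inclusive_regex:
            self.inclusive.setdefault(key.lower(), []).append(inclusive_regex)
        if exclusive_regex:
            self.exclusive.setdefault(key.lower(), []).append(exclusive_regex)
        return self


def _any_match(entry, conditions):
    """True if any regex for an attribute matches any of that attribute's
    values. re.search: the pattern may match anywhere unless anchored."""
    for attr, patterns in conditions.items():
        values = entry.get(attr, [])
        if any(re.search(p, v) for p in patterns for v in values):
            return True
    return False


def matches(rule, entry):
    """Exclusive conditions are checked first and win; otherwise any
    inclusive condition makes the entry a member."""
    objectclasses = [v.lower() for v in entry.get("objectclass", [])]
    if rule.filter_objectclass.lower() not in objectclasses:
        return False
    if _any_match(entry, rule.exclusive):
        return False
    return _any_match(entry, rule.inclusive)


def rebuild(rules, entries):
    """What `ipa automember-rebuild --type=group` does: recompute the
    membership of every rule's target group over the existing entries."""
    members = {rule.name: [] for rule in rules}
    for entry in entries:
        for rule in rules:
            if matches(rule, entry):
                members[rule.name].append(entry["uid"][0])
    return members


# The two conditions from the exercise plus a constructed exclusive one.
RULE = (
    AutomemberRule("idmgroup05")
    .add_condition("uid", inclusive_regex="^idmuser.*")
    .add_condition("objectclass", inclusive_regex="ntUser")
    .add_condition("uid", exclusive_regex="^idmuser-tmp")
)

if __name__ == "__main__":
    for group, uids in rebuild([RULE], ENTRIES).items():
        print(f"{group}: {', '.join(sorted(uids))}")
```

Running the script lists idmuser01 through idmuser05 and adsync01 as members; testidmuser stays out only because of the anchor, which is worth checking with `ipa automember-show` before a rebuild on a large directory, since `ipa automember-rebuild` applies every condition to every existing entry in one pass.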
  3. Manage user lifecycle settings in the IdM web interface.

    1. On the workstation machine, open a browser and navigate to the IdM console at https://idm.lab.example.com. Log in as the admin user with RedHat123^ as the password.

      Navigate to Identity → Users → Active users and then click Add.

    2. Create a user according to the following information. Leave all other fields untouched:

      Field                               Value
      User login                          idmuser06
      First name                          user06
      Last name                           idm
      New Password and Verify Password    redhatexp

      Click Add and Edit to create the user and change its properties.

    3. Set /bin/bash as the value of Login shell.

    4. For the SSH public keys entry, click Add.

      Copy the full content of the /home/student/idmuser06-key.pub file on the workstation machine.

      Paste the copied content into SSH public key in the SSH public keys window, and then click Set to import the user's public key.

      Important

      Do not modify the resulting pasted content, even though it appears to have embedded line feeds.

      Click Save at the top of the page to update the user settings.

  4. Verify the lifecycle settings. The workstation machine has public key access configured to the client machine, and the ssh client tries that method first by default. To test a password, make the ssh client skip public key authentication with the -o PubkeyAuthentication=no option.

    1. Open a new terminal tab, and log in to the client machine as the idmuser06 user.

      Ignore any errors related to the user's home directory:

      [student@workstation ~]$ ssh -o PubkeyAuthentication=no idmuser06@client
      (idmuser06@client) Password: redhatexp
      ...output omitted...
      [idmuser06@client /]$
    2. Verify that bash is the default shell for the user and change the user password. Enter a six-character password:

      [idmuser06@client /]$ env | grep -i shell
      SHELL=/bin/bash
      [idmuser06@client /]$ passwd
      Changing password for user idmuser06.
      Current Password: redhatexp
      New Password: fedora
      Retype new password: fedora
      *Password change failed. Server message: Password is too short
      
      Password not changed.
      passwd: Authentication token manipulation error
    3. Update the idmuser06 password. Use redhatrst, a nine-character password, which satisfies the policy's eight-character minimum:

      [idmuser06@client /]$ passwd
      Changing password for user idmuser06.
      Current Password: redhatexp
      New Password: redhatrst
      Retype new password: redhatrst
      passwd: all authentication tokens updated successfully.
    4. Exit the client machine and try to authenticate with the redhatexp password. Cancel the connection after the failed attempt:

      [idmuser06@client /]$ exit
      logout
      Connection to client closed.
      [student@workstation ~]$ ssh -o PubkeyAuthentication=no idmuser06@client
      (idmuser06@client) Password: redhatexp
      (idmuser06@client) Password: Ctrl+C
    5. On the first terminal tab, verify that the idmuser06 user has not reached the maximum number of failed logins and that the account is enabled. The value of Failed logins must be less than 2 and the value of Account disabled must be False.

      [root@idm ~]# ipa user-status idmuser06
      -----------------------
      Account disabled: False
      -----------------------
        Server: idm.lab.example.com
        Failed logins: 1
        Last successful authentication: N/A
        Last failed authentication: 20230607035020Z
        Time now: 2023-06-07T03:59:05Z
        Password grace count: 0
      ...output omitted...
    6. Switch to the second terminal tab and log in again to the client machine as the idmuser06 user, using the /home/student/idmuser06-key file as the private key. Then exit the client machine:

      [student@workstation ~]$ ssh -i idmuser06-key idmuser06@client
      [idmuser06@client /]$ exit
      logout
      Connection to client closed.
    7. In the IdM web console, disable the idmuser06 user and test access to the client machine.

      In the IdM web console, navigate to Identity → Users → Active users and select the idmuser06 user. Click Disable and then click OK.

    8. Switch to the first terminal tab and verify that the idmuser06 user has still not reached the maximum number of failed logins, but that the account is now disabled.

      The value of Account disabled must be set to True and the value of Failed logins must remain 1.

      [root@idm ~]# ipa user-status idmuser06
      -----------------------
      Account disabled: True
      -----------------------
        Server: idm.lab.example.com
        Failed logins: 1
        Last successful authentication: N/A
        Last failed authentication: 20230607043421Z
        Time now: 2023-06-07T04:21:10Z
        Password grace count: 0
      ...output omitted...
    9. Return to the second terminal tab and log in again to the client machine as the idmuser06 user with /home/student/idmuser06-key as the private key. Access to the client machine fails:

      [student@workstation ~]$ ssh -i idmuser06-key idmuser06@client
      Connection closed by 172.25.250.11 port 22

      Although there are failed attempts to log in, the Failed logins value does not increment because the account is disabled.

    10. Re-enable the idmuser06 user and verify that the user can log in using the password and the SSH key.

      In the IdM web console, navigate to Identity → Users → Active users. Select the idmuser06 user, click Enable, and then click OK.

    11. Log in to the client machine as the idmuser06 user with the idmuser06-key private key and exit the client machine:

      [student@workstation ~]$ ssh -i idmuser06-key idmuser06@client
      [idmuser06@client /]$ exit
  5. Verify that reaching the password policy's Max failures value locks the user account.

    1. Log in again to the client machine as the idmuser06 user, using password authentication, and enter an incorrect password at each of the three prompts. The second failure reaches the policy's Max failures value of 2 and locks the account, so the third attempt is rejected as well. The correct password would be rejected too until the account is unlocked:

      Notice that the login continues to fail because the account has been locked:

      [student@workstation ~]$ ssh -o PubkeyAuthentication=no idmuser06@client
      (idmuser06@client) Password: fedora
      (idmuser06@client) Password: fedora
      (idmuser06@client) Password: fedora
      idmuser06@client: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
    2. On the first terminal tab, on the idm machine, verify that the Failed logins value is now 2 but the user account is still enabled. The password-policy lockout is separate from an administrative disable, so Account disabled remains False:

      [root@idm ~]# ipa user-status idmuser06
      -----------------------
      Account disabled: False
      -----------------------
        Server: idm.lab.example.com
        Failed logins: 2
        Last successful authentication: N/A
        Last failed authentication: 20230607054315Z
        Time now: 2023-06-07T05:23:57Z
        Password grace count: 0
      ...output omitted...
    3. Use the web console to reset the failed login attempts of the user account. Navigate to Identity → Users → Active users and click idmuser06.

      Click Actions → Unlock and confirm the action.

    4. Switch to the second terminal tab and log in again to the client machine as idmuser06 using redhatrst as the password. Then exit the client machine and close the second terminal tab:

      [student@workstation ~]$ ssh -o PubkeyAuthentication=no idmuser06@client
      Password: redhatrst
      [idmuser06@client /]$ exit
      logout
    5. On the first terminal tab, verify that the Failed logins value is set to 0 and that the user account is enabled:

      [root@idm ~]# ipa user-status idmuser06
      -----------------------
      Account disabled: False
      -----------------------
        Server: idm.lab.example.com
        Failed logins: 0
        Last successful authentication: N/A
        Last failed authentication: 20230607054315Z
        Time now: 2023-06-07T06:08:47Z
        Password grace count: 0
      ...output omitted...
    6. Return to the workstation machine as the student user:

      [root@idm ~]# exit
      logout
      [student@idm ~]$ exit
      logout
      [student@workstation ~]$
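Steps 4 and 5 exercise two different states that ipa user-status distinguishes: an account an administrator disabled (Account disabled: True, reversed with Enable) and an account the password policy locked because Failed logins reached Max failures (reversed with Unlock, which resets the counter). The following Python script is an added example, not code from the course or from IdM: it parses user-status output in the layout shown above, resolves which group password policy applies to a user (IdM applies the policy with the lowest Priority value), and reports which action is needed. The sample output, with a second server block added because user-status reports the counters for each server, the policy table and the replica name are constructed; treating a Max failures of 0 as no lockout, and leaving lockout duration out, are assumptions of the model.

```python
import re

# Constructed `ipa user-status` output in the layout the exercise shows, with
# a second server block added: user-status reports the counters for each
# IdM server separately. Not captured from a live server.
SAMPLE_STATUS = """\
-----------------------
Account disabled: False
-----------------------
  Server: idm.lab.example.com
  Failed logins: 2
  Last successful authentication: N/A
  Last failed authentication: 20230607054315Z
  Time now: 2023-06-07T05:23:57Z
  Password grace count: 0
  Server: replica.lab.example.com
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Time now: 2023-06-07T05:23:58Z
  Password grace count: 0
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed group password policies: group -> (Priority, Max failures).
# idmgroup05 matches the exercise; idmgroup01 is invented for contrast.
POLICIES = {
    "idmgroup05": {"priority": 0, "maxfail": 2},
    "idmgroup01": {"priority": 10, "maxfail": 6},
}
GLOBAL_MAXFAIL = 6  # IdM's default global_policy Max failures


def parse_user_status(text):
    """Parse user-status output into the account flag plus one record per
    'Server:' block."""
    flag = re.search(r"^Account disabled:\s*(True|False)\s*$", text, re.M)
    if flag is None:
        raise ValueError("no 'Account disabled' line in ipa user-status output")
    status = {"disabled": flag.group(1) == "True", "servers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            current = {"server": line.split(":", 1)[1].strip(), "failed_logins": 0}
            status["servers"].append(current)
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "Failed logins":
                current["failed_logins"] = int(value)
            elif key == "Last failed authentication":
                current["last_failed"] = None if value == "N/A" else value
    return status


def effective_maxfail(user_groups, policies=POLICIES, global_maxfail=GLOBAL_MAXFAIL):
    """IdM applies the group policy with the lowest Priority value (0 is the
    top); the global policy applies only when no group policy matches."""
    applicable = [policies[g] for g in user_groups if g in policies]
    if not applicable:
        return global_maxfail
    return min(applicable, key=lambda p: p["priority"])["maxfail"]


def locked_servers(status, maxfail):
    """Servers on which the failed-login counter has reached Max failures.
    Assumption of this model: a Max failures of 0 means no lockout."""
    if maxfail <= 0:
        return []
    return [s["server"] for s in status["servers"] if s["failed_logins"] >= maxfail]


def classify(status, maxfail):
    """'disabled': an administrator disabled the account, fix with Enable.
    'locked': the password policy locked it, fix with Unlock (resets the counter).
    'ok': neither. Lockout duration is not modelled."""
    if status["disabled"]:
        return "disabled"
    if locked_servers(status, maxfail):
        return "locked"
    return "ok"


if __name__ == "__main__":
    status = parse_user_status(SAMPLE_STATUS)
    maxfail = effective_maxfail(["idmgroup05", "idmgroup01"])
    print(f"effective Max failures: {maxfail}")
    print(f"state: {classify(status, maxfail)}; locked on: {locked_servers(status, maxfail)}")
```

Because every server block is checked, a user who is locked on idm.lab.example.com but still at zero failures on a replica is reported as locked; a script that only reads the first block would miss the case where the failures were recorded on a different server. In practice the Max failures value comes from `ipa pwpolicy-show --user=idmuser06` rather than a hard-coded table.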

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish users-accounts

Revision: rh362-9.1-4c6fdb8