Local LDAP Linux User Accounts

You can manage regular Linux (shadow) user accounts on any host in the cluster using standard Linux commands.

  • Local Linux user accounts should NOT be configured, only use local LDAP accounts for internal system purposes that would usually not be created by an end-user.

  • Password changes are not enforced automatically on the first login, and they are not propagated by the system (only for ‘sysadmin’).

  • If the administrator wants to provision additional access to the system, it is better to configure local LDAP Linux accounts.

  • LDAP accounts are centrally managed; changes made on any host are propagated automatically to all hosts on the cluster.

  • LDAP user accounts behave as any local user account. They can be added to the sudoers list and can acquire OpenStack administration credentials.

  • The initial password must be changed immediately upon the first login.

  • Login sessions are logged out automatically after about 15 minutes of inactivity.

  • The accounts block following five consecutive unsuccessful login attempts. They unblock automatically after a period of about five minutes.

  • All authentication attempts are recorded on the file /var/log/auth.log of the target host.

Note

For security reasons, it is recommended that ONLY admin level users be allowed to SSH to the nodes of the StarlingX. Non-admin level users should strictly use remote CLIs or remote web GUIs.

Operational complexity:

  • Passwords aging is automatically configured.

  • LDAP user accounts (operator, admin) are available by default on newly deployed hosts. For increased security, the admin and operator accounts must be used from the console ports of the hosts; no SSH access is allowed.

  • StarlingX includes a script for creating LDAP Linux accounts with built-in Keystone user support. It provides an interactive method for setting up LDAP Linux user accounts with access to OpenStack commands. You can assign a limited shell or a bash shell.