The USER_ADM module allows secure remote user administration on a single or group of nodes. The module communicates with a remote agent daemon called vacm_user_admd to perform the remote operations. This module requires that OpenSSL be built into your VACM installation, otherwise the module will not be installed. This is purely for security reasons.
The USER_ADM module provides the end user or client with the following administrative capabilities:
User account creation and removal
User account group manipulation
Group creation and manipulation
User home directory modification
User group, shell, uid modification
User account expiry and inactive day count modification
User comment and password modification
User account locking and unlocking
The agent daemon is part of the vacm_node_exports package and must be installed on any system which is to be user account managed via USER_ADM. In order for USER_ADM to be used, OpenSSL must be installed on the node controller, as well as each system the agent is to run on (See 'Encryption and Security Considerations for VACM'.) The SSL certificate 'pem' file should be installed as /etc/vacm_user_admd.pem.
To install the agent, simply transfer and install the vacm_node_exports package on every remote system you wish to monitor. Then add the agent daemon into your system startup scripts. Once installed, a Nexxus authentication password must be assigned to the daemon to ensure that only authorized Node Controllers may connect to the daemon. To initialize the Nexxus authentication password, simply run the daemon manually. You will be prompted for the password which will be used to authenticate remote connections. This password is stored in /etc/vacm_user_admd.passwd and may be copied to the remaining nodes you wish to monitor if you wish to have the same Nexxus authentication password for every node.
Once the password is set, you can restart the daemon to begin normal operation.
If your remote systems use PAM authentication, you will have to specify the configuration option --enable-pam to the autogen.sh script when building VACM.
Before a node can be administered with USER_ADM, the module needs to know the Nexxus authentication password for a node. This password is used to ensure that only authorized Nexxus connections are accepted by a remote agent daemon. The address of the remote machine is pulled out from the 'IP_ADDRESS' node global variable. The maximum password length is 40 characters and must contain only printable characters.
FORMAT:
USER_ADM:CONFIGURATION:<NODE_ID>:<PASSWORD>
RESPONSES:
JOB_STARTED
JOB_ERROR:PASSWORD_TOO_LONG -- Password exceeds 40 characters
JOB_ERROR:BAD_PASSWORD -- Password contains non printable
characters
JOB_COMPLETED |
To add a user to a remote node, use the 'USER_ADD' command:
FORMAT:
USER_ADM:USER_ADD:<NODE_ID>:<NAME>:<UID>:<GROUP>:<HOME>:<SHELL>:<PASSWD>:<EXPIRE>:<INACTIVE>:<COMMENT>
RESPONSES:
JOB_STARTED
JOB_ERROR:UID_IN_USE -- User number (UID) is already in use
JOB_ERROR:NAME_IN_USE -- User name is already in use
JOB_ERROR:BAD_HDIR_PATH -- Unable to create home directory
JOB_ERROR:BAD_SHELL_PATH -- Shell does not exist
JOB_ERROR:COMMENT_TOO_LONG -- Comment length too long
JOB_ERROR:BAD_COMMENT -- Comment contains bad characters
JOB_COMPLETED
FIELDS:
<NAME> -- User name to add
<UID> -- UID to assign
(may be 'DEFAULT' to have one assigned)
<GROUP> -- Primary group number / name (may be 'DEFAULT')
<HOME> -- Home directory (may be 'DEFAULT')
<SHELL> -- Default shell (may be 'DEFAULT')
<PASSWD> -- Password (may be 'NONE')
<EXPIRE> -- Expire Date (YYYY-MM-DD, 'NONE' for no expiry)
<INACTIVE> -- Inactive days ('NONE' to disable, 0 for immediate)
<COMMENT> -- Comment / Gecos field
(may be 'NONE', max 40 chars)
NOTES:
If the primary group is 'DEFAULT', then a new primary group with the name of the user will be created. |
To remove a user account from a remote system, use the 'USER_REMOVE' command. The users home directory is deleted if the 'DELETE_DIR_FLAG' argument is set to 'YES'.
FORMAT: USER_ADM:USER_REMOVE:<NODE_ID>:<USER_NAME>:<DELETE_DIR_FLAG> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:PERMISSION_DENID -- ROOT user delete prohibited JOB_COMPLETED NOTES: You cannot delete the ROOT user on a node. |
A group is added to the list of groups to which a user is a member of with the 'USER_GRP_ADD' command:
FORMAT:
USER_ADM:USER_GRP_ADD:<NODE_ID>:<USER_NAME>:<GROUP_NAME>
RESPONSES:
JOB_STARTED
JOB_ERROR:USER_NOT_FOUND -- User does not exist on system
JOB_ERROR:ALREADY_MEMBER -- User is already a member of
the specified group
JOB_COMPLETED |
A group is removed from a group with the 'USER_GRP_REM' command:
FORMAT:
USER_ADM:USER_GRP_REM:<NODE_ID>:<USER_NAME>:<GROUP_NAME>
RESPONSES:
JOB_STARTED
JOB_ERROR:USER_NOT_FOUND -- User does not exist on system
JOB_ERROR:NOT_MEMBER -- User is not a member of the
specified group
JOB_ERROR:PRIMARY_GROUP -- Specified group is the users
primary group
JOB_COMPLETED
NOTES:
You cannot remove a user from it's primary group. To modify a users primary group, use the 'USER_CHG_GROUP' command. |
A list of the groups which a user is a member of is obtained with the 'USER_GRP_LIST' command:
FORMAT: USER_ADM:USER_GRP_LIST:<NODE_ID>:<USER_NAME> RESPONSES: JOB_STARTED USER_GRP_LIST:<GROUP_NAME>:<GROUP_ID> JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_COMPLETED |
The primary group to which a user belongs is modified with the 'USER_CHG_GRP' command:
FORMAT:
USER_ADM:USER_CHG_GRP:<NODE_ID>:<USER_NAME>:<GROUP_NAME>
RESPONSES:
JOB_STARTED
JOB_ERROR:USER_NOT_FOUND -- User does not exist on system
JOB_ERROR:ALREADY_PRIMARY -- Group specified is already the
users primary group
JOB_COMPLETED |
The default home directory for a user is modified with the 'USER_CHG_DIR' command:
FORMAT: USER_ADM:USER_CHG_DIR:<NODE_ID>:<USER_NAME>:<HOME_DIR> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:BAD_HDIR_PATH -- Bad pathname JOB_ERROR:DIR_ERROR:<REASON>-- Unable to create directory JOB_COMPLETED |
The users default shell is modified with the 'USER_CHG_SHELL' command:
FORMAT: USER_ADM:USER_CHG_SHELL:<NODE_ID>:<USER_NAME>:<SHELL_PATH> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:BAD_SHELL_PATH -- Bad pathname JOB_COMPLETED |
A users unique UID is modified with the 'USER_CHG_UID' command. Once issued, all files in the users home directory are changed to reflect the new UID
FORMAT: USER_ADM:USER_CHG_UID:<NODE_ID>:<USER_NAME>:<UID> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:PERMISSION_DENIED -- Invalid UID request JOB_ERROR:UID_IN_USE:<USER_NAME> -- UID in use by <USER_NAME> USER_CHG_UID:IN_PROGRESS -- File ownership being updated USER_CHG_UID:PROCESS_FAILURE -- Child process failure JOB_COMPLETED |
The users expiry date is modified with the 'USER_CHG_EXP' command:
FORMAT: USER_ADM:USER_CHG_EXP:<NODE_ID>:<USER_NAME>:<YYY-MM-DD> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_COMPLETED |
A users inactive account timer is modified with the 'USER_CHG_EXP' command. The inactive account timer determines how many days after a password expiry the account will remain available until it is permanently disabled (until admin intervention).
FORMAT: USER_ADM:USER_CHG_INA:<NODE_ID>:<USER_NAME>:<INACTIVE_DAYS> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:BAD_VALUE -- Bad value specified JOB_COMPLETED |
The users comment / Gecos field is modified with the 'USER_CHG_COMMENT' command:
FORMAT: USER_ADM:USER_CHG_COMMENT:<NODE_ID>:<USER_NAME>:<COMMENT> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:COMMENT_TOO_LONG -- Comment exceeds 40 characters JOB_COMPLETED |
If PAM has been compiled into USER_ADM, it is possible to change a users password with the 'USER_CHG_PASSWD' command:
FORMAT: USER_ADM:USER_CHG_PASSWD:<NODE_ID>:<USER_NAME>:<OLD>:<NEW> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:BAD_PASSWORD -- Bad <NEW> password specified JOB_ERROR:PERMISSION_DENIED-- Bad <OLD> password specified JOB_ERROR:NO_PAM_SUPPORT -- No PAM support on node JOB_ERROR:PAM_ERR:<REASON> -- PAM specific error JOB_COMPLETED |
A list of all user accounts on a node is retrieved with the 'USER_LIST' command:
FORMAT:
USER_ADM:USER_LIST:<NODE_ID>
RESPONSES:
JOB_STARTED
USER_LIST:<NAME>:<UID>:<GID>/<GROUP_NAME>:<HDIR>:<SHELL>:<EXP>:
<INACTIVE>:<COMMENT>
JOB_COMPLETED |
A list of all groups existing a node is obtained with the 'GROUP_LIST' command:
FORMAT: USER_ADM:GROUP_LIST:<NODE_ID> RESPONSES: JOB_STARTED GROUP_LIST:<GROUP_NAME>:<GROUP_ID> JOB_COMPLETED |
Locking a user account with the 'LOCK_USER' command temporarily disables the user account so that the user cannot log in.
FORMAT: USER_ADM:LOCK_USER:<NODE_ID>:<USER_NAME> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:ALREADY_LOCKED -- User account is already locked JOB_COMPLETED |
Unlocking a user account with the 'UNLOCK_USER' command, restores a user account which has been previously locked with 'LOCK_USER.
FORMAT: USER_ADM:UNLOCK_USER:<NODE_ID>:<USER_NAME> RESPONSES: JOB_STARTED JOB_ERROR:USER_NOT_FOUND -- User does not exist on system JOB_ERROR:ALREADY_UNLOCKED -- User account is already unlocked JOB_COMPLETED |
The USER_ADM module requires that the IP_ADDRESS variable be set to the internet address of a node. This address is used to connect to the remote vacm_user_admd.