This is the latest in a series of articles on Cockpit, the easy-to-use, integrated, glanceable, and open web-based interface for your servers. In the first article, we introduced the web user interface. The second and third articles focused on how to perform storage and network tasks respectively.
This article demonstrates how to create and modify local accounts. It also shows you how to install the 389 Directory Server add-on (or plugin). Finally, you’ll see how 389 DS integrates into the Cockpit web service.
Managing local accounts
To start, click the Accounts option in the left column. The main screen provides an overview of local accounts. From here, you can create a new user account, or modify an existing account.
Creating a new account in Cockpit
Cockpit gives sysadmins the ability to easily create a basic user account. To begin, click the Create New Account button. A box appears, requesting basic information such as the full name, username, and password. It also provides the option to lock the account. Click Create to complete the process. The example below creates a new user named Demo User.
Managing accounts in Cockpit
Cockpit also provides basic management of local accounts. Some of the features include elevating the user’s permissions, password expiration, and resetting or changing the password.
Modifying an account
To modify an account, go back to the accounts page and select the user you wish to modify. Here, we can change the full name and elevate the user’s role to Server Administrator — this adds user to the wheel group. It also includes options for access and passwords.
The Access options allow admins to lock the account. Clicking Never lock account will open the “Account Expiration” box. From here we can choose to Never lock the account, or to lock it on a scheduled date.
Admins can choose to Set password and Force Change. The first option prompts you to enter a new password. The second option forces users to create a new password the next time they login.
Selecting the Never change password option opens a box with two options. The first is Never expire the password. This allows the user to keep their password without the need to change it. The second option is Require Password change every … days. This determines the amount of days a password can be used before it must be changed.
Adding public keys
We can also add public SSH keys from remote computers for password-less authentication. This is equivalent to the ssh-copy-id command. To start, click the Add Public Key (+) button. Finally, copy the public key from a remote machine and paste it into the box.
To remove the key, click the remove (-) button to the right of the key.
Terminating the session and deleting an account
Near the top right-corner are two buttons: Terminate Session, and Delete. Clicking the Terminate Session button immediately disconnects the user. Clicking the Delete button removes the user and offers to delete the user’s files with the account.
Managing 389 Directory Server
Cockpit has a plugin for managing the 389 Directory Service. To add the 389 Directory Server UI, run the following command using sudo:
$ sudo dnf install cockpit-389-ds
Because of the enormous number of settings, Cockpit provides detailed optimization of the 389 Directory Server. Some of these settings include:
- Server Settings: Options for server configuration, tuning & limits, SASL, password policy, LDAPI & autobind, and logging.
- Security: Enable/disable security, certificate management, and cipher preferences.
- Database: Configure the global database, chaining, backups, and suffixes.
- Replication: Pertains to agreements, Winsync agreements, and replication tasks.
- Schema: Object classes, attributes, and matching rules.
- Plugins: Provides a list of plugins associated with 389 Directory Server. Also gives admins the opportunity to enable/disable, and edit the plugin.
- Monitoring: Shows database performance stats. View DB cache hit ratio and normalized DN cache. Admins can also configure the amount of tries, and hits. Furthermore, it provides server stats and SNMP counters.
Due to the abundance of options, going through the details for 389 Directory Server is beyond the scope of this article. For more information regarding 389 Directory Server, visit their documentation site.
As you can see, admins can perform quick and basic user management tasks. However, the most noteworthy is the in-depth functionality of the 389 Directory Server add-on.
The next article will explore how Cockpit handles software and services.
Photo by Daniil Vnoutchkov on Unsplash.
Running freeIPA on one of my server VMs, I also tinkered around with the 389 Cockpit extension, but I was afraid that it may dis- or corrupts the information of freeIPA as Cockpit’s web interface is fairly simple compared to that of freeIPA.
Would be cool to highlight it in the article if it is generally safe to work with Cockpit on a freeIPA instance, which is (mostly) also based on 389 DS.