sr2/docs.sr2.uk
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: more operator guide

Browse source
This commit is contained in:
Iain Learmonth 2025-11-09 14:39:28 +00:00
parent 8f7d0d372e
commit e72c729735
13 changed files with 240 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

73
docs/operator/identity.md Normal file
View file

@ -0,0 +1,73 @@
---
sidebar_position: 40
sidebar_label: Identity Management
---
# Identity Management Setup
:::tip
If you are using an alternative Identity Management system or local user accounts, skip this page and go straight
to [Deploying with Ansible](./deploy.md).
:::
## Host Setup
It can be helpful to keep track of the following information in a text editor's buffer until deployment is complete.
None of these details are sensitive after the completion of the deployment.
```text
Hostname:
IPv4 Address:
IPv6 Address:
OTP:
```
### Add Host to DNS
1. Create an A record for the host
1. Create an AAAA record for the host
1. Create a null MX record for the host (e.g. `example.cdr.link IN MX 0 .`)
### Add Host to Identity Management
1. Begin by logging in to the Identity Management server with your privileged identity
1. Open the **Identity** tab, and select the **Hosts** subtab
1. Click **Add** at the top of the hosts list
1. Enter the name of the new host, e.g. `example.cdr.link`
1. The IP address will be automatically resolved from DNS, you can leave this blank but may need to allow a moment for
the authoritative DNS servers to update
1. Activate the **Generate OTP** checkbox
1. Click **Add** to add the new host
1. Save the generated OTP for later
![Screenshot of the Add Host Wizard in Identity Management](/img/host-add.png)
## User Setup
### Create the Service User
This is the user on the host that will run the Podman containers.
1. Open the **Identity** tab, and select the **Users** subtab
1. Click **Add** at the top of the users list
1. Enter a **Username**, we prefix all our Link service users with `link_` for easy identification
1. Enter a **First Name** and **Last Name**, these values do not matter but the LDAP schema requires them
1. Do not enter a **New Password** as this user will never need to authenticate with a password
1. Click **Add**
![Screenshot of the Add User Wizard in Identity Management](/img/user-add.png)
### Generate subordinate IDs for the user
1. Open the **Identity** tab, and expand the **Subordinate IDs** subtab
1. Choose the **Subordinate IDs** option from the drop-down menu
1. Click the **Add** button in the upper-right corner of the interface
1. In the **Add subid** window, select the user you have just created as the **Owner**
1. Click **Add**
The range is automatically generated and managed by Identity Management.
:::tip
If you are not using our baseline Ansible role, ensure that the `with-subid` feature of the `sssd` authselect profile is
enabled to allow hosts to look up subids in LDAP.
:::