---
sidebar_position: 40
sidebar_label: Identity Management
---

# Identity Management Setup

:::tip
If you are using an alternative Identity Management system or local user accounts, skip this page and go straight to [Deploying with Ansible](./deploy.md).
:::

## Host Setup

It can be helpful to keep track of the following information in a text editor's buffer until deployment is complete. None of these details are sensitive after the completion of the deployment: the OTP is a one-time enrollment secret that is consumed when the host joins, so treat it as sensitive only until then.

```text
Hostname:
IPv4 Address:
IPv6 Address:
OTP:
```

### Add Host to DNS

1. Create an A record for the host
1. Create an AAAA record for the host
1. Create a null MX record for the host (e.g. `example.cdr.link IN MX 0 .`, per RFC 7505) so that no mail is ever accepted for the host

### Add Host to Identity Management

1. Begin by logging in to the Identity Management server with your privileged identity
1. Open the **Identity** tab, and select the **Hosts** subtab
1. Click **Add** at the top of the hosts list
1. Enter the name of the new host, e.g. `example.cdr.link`
1. The IP address is resolved automatically from DNS, so you can leave it blank; you may need to allow a moment for the authoritative DNS servers to update first
1. Activate the **Generate OTP** checkbox
1. Click **Add** to add the new host
1. Save the generated OTP for later

![Screenshot of the Add Host Wizard in Identity Management](/img/host-add.png)

## User Setup

### Create the Service User

This is the user on the host that will run the Podman containers.

1. Open the **Identity** tab, and select the **Users** subtab
1. Click **Add** at the top of the users list
1. Enter a **Username**; we prefix all Link service users with `link_` so they are easy to identify
1. Enter a **First Name** and **Last Name**; these values do not matter, but the LDAP schema requires them
1. Do not enter a **New Password**, as this user will never need to authenticate with a password
1. Click **Add**

![Screenshot of the Add User Wizard in Identity Management](/img/user-add.png)

### Generate subordinate IDs for the user

1. Open the **Identity** tab, and expand the **Subordinate IDs** subtab
1. Choose the **Subordinate IDs** option from the drop-down menu
1. Click the **Add** button in the upper-right corner of the interface
1. In the **Add subid** window, select the user you have just created as the **Owner**
1. Click **Add**

The range is automatically generated and managed by Identity Management.

:::tip
If you are not using our baseline Ansible role, ensure that the `with-subid` feature of the `sssd` authselect profile is enabled so that hosts can look up subids in LDAP; without it, rootless Podman on the host has no subuid/subgid range for the service user.
:::
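The same three procedures (host with OTP, password-less service user, subordinate ID range) can be driven from the `ipa` command-line client, which is easier to review and repeat than the web UI. The script below is an added example and is not part of the Link project or its Ansible role; it assumes an admin workstation with `ipa-client` installed, a valid admin Kerberos ticket (`kinit admin`), and the placeholder names `example.cdr.link` and `link_example`. The `verify` mode is meant to be run on the enrolled host afterwards and checks both halves of the tip above: that the `with-subid` feature is enabled and that the range actually resolves.

```bash
#!/usr/bin/env bash
# Added example (not the project's own code): CLI equivalent of the web-UI steps on
# this page, plus the post-enrollment subid checks. Assumes ipa-client, an admin
# ticket (kinit admin), and the placeholder names example.cdr.link / link_example.
set -euo pipefail

# run: execute a command, or only print it when DRY_RUN=1 so the whole sequence can
# be reviewed (or tested) without an IPA server.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# extract_otp: pull the one-time password out of `ipa host-add --random` output.
# The client prints a line of the form "  Random password: <otp>" (assumed format);
# every other line is discarded.
extract_otp() {
  sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p'
}

# provision: host with generated OTP, service user without a password, and a
# subordinate ID range owned by that user; then show the range IPA assigned.
provision() {
  local fqdn="$1" user="$2" host_out otp
  host_out="$(run ipa host-add "$fqdn" --random)"
  printf '%s\n' "$host_out"                  # the command (dry run) or IPA's reply
  otp="$(printf '%s\n' "$host_out" | extract_otp)"
  # First/last name are required by the LDAP schema but otherwise irrelevant.
  # No --password: this account never authenticates with a password.
  run ipa user-add "$user" --first Link --last Service
  run ipa subid-generate --owner "$user"
  run ipa subid-find --owner "$user"
  printf 'Hostname: %s\nOTP: %s\n' "$fqdn" "${otp:-(printed above when applied)}"
}

# verify_subid: on the enrolled host, confirm the sssd authselect profile has
# with-subid enabled (it adds "subid: sss" to nsswitch.conf) and that getsubids
# (shadow-utils 4.9+) can resolve the user's range from LDAP.
verify_subid() {
  local user="$1"
  authselect current | grep -q 'with-subid' \
    || { echo 'authselect sssd profile lacks the with-subid feature' >&2; return 1; }
  getsubids "$user"
}

case "${1:-}" in
  apply)   provision "${2:-example.cdr.link}" "${3:-link_example}" ;;
  dry-run) DRY_RUN=1 provision "${2:-example.cdr.link}" "${3:-link_example}" ;;
  verify)  verify_subid "${2:-link_example}" ;;
esac
```

Run `./ipa-link-host.sh dry-run example.cdr.link link_example` to see the exact commands, `apply` to execute them, and `verify link_example` on the host once it has enrolled with the OTP. If `verify` fails on the `with-subid` check, `authselect enable-feature with-subid` on the host is the fix the tip above refers to.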