@@ -153,8 +153,11 @@ Provider replicas
153153Provider replicas implement fault tolerance for user domains.
154154To achieve real fault tolerance, replicas should be installed on different nodes.
155155
156- You can add a replica from the ``Domains and users `` page by selecting the ``Configuration `` link from the three-dots menu.
157- Then click the :guilabel: `Add provider ` button, select the target node and proceed with the installation.
156+ You can add a replica from the ``Domains and users `` page by selecting the
157+ ``Configuration `` tab in the domain details. Then click the :guilabel: `Add
158+ provider ` button, select the target node, and proceed with the
159+ installation.
160+
158161
159162Replicas are configured in master-master mode.
160163
@@ -166,14 +169,21 @@ Replicas are configured in master-master mode.
166169LDAP bind settings
167170==================
168171
169- .. note :: External applications can connect only to a local Active Directory provider.
170-
171172Binding is the process where the LDAP server authenticates the client and, if the client is successfully authenticated,
172173the server allows client access.
173174
174175Many applications may require to be bound to an existing NethServer 8 user domain.
175- Bind settings can be accessed by selecting the ``Configuration `` link from the three-dots menu: user domain
176- details are displayed on the top of the page.
176+ Bind settings can be accessed from the ``Configuration `` tab of the domain details.
177+
178+ The Samba AD provider exposes standard LDAP and LDAPS ports (389/636) to
179+ applications outside the cluster only if it has been created with
180+ ``Provide file shares and authentication to Windows clients `` (see
181+ :ref: `active_directory-section `).
182+
183+ OpenLDAP RFC2307 providers do not expose any port for external
184+ applications. They listen on a single clear-text LDAP port accessible to
185+ services inside the cluster network. Manual configurations are not
186+ needed.
177187
178188.. _ldap_proxy-section :
179189
@@ -372,6 +382,11 @@ Changes to the user base must be done on the external server.
372382On the other hand, if a local AD or LDAP account provider has been installed, the page
373383allows to create, modify and delete users and groups.
374384
385+ .. _create-users-and-groups-section :
386+
387+ Create users and groups
388+ -----------------------
389+
375390When creating a user, the following fields are mandatory:
376391
377392* User name
@@ -399,7 +414,59 @@ account. The safest approach is:
3994141. (optionally) change the user's password with a random one
4004152. disable the user using the ``Disable `` action from the three-dots menu
401416
402- When a user is deleted, user data will not be removed.
417+ When a user is deleted, user data will not be removed. Deleting a user
418+ does not remove mailbox contents, home directories, or
419+ application-specific data. These must be cleaned up manually depending on
420+ the installed applications.
421+
422+ User names must be unique within the same domain but can be reused across
423+ different domains hosted on the cluster.
424+
425+ .. _import-export-data-section :
426+
427+ Import and export data
428+ ----------------------
429+
430+ Users and groups can be managed in bulk with the *import * and *export
431+ data * actions. The supported data format is CSV _ (comma-separated values)
432+ with the following fields:
433+
434+ .. _CSV : https://www.rfc-editor.org/rfc/rfc4180
435+
436+ 1. *username *
437+ 2. *display_name * -- An empty value removes the LDAP ``displayName ``
438+ attribute.
439+ 3. *password * -- If the password contains a comma (e.g.
440+ ``Nethesis,1234 ``), enclose this field in double quotes. An empty value
441+ leaves the password unchanged for existing users, and sets a random
442+ initial password for newly created users.
443+ 4. *mail * -- A valid email address. Note that unlike Samba Active
444+ Directory, the OpenLDAP RFC2307 schema does not allow special
445+ characters. An empty value removes the corresponding ``mail `` LDAP
446+ attribute.
447+ 5. *groups * -- A list of groups separated by the ``| `` (pipe) character.
448+ If a group does not exist yet, it is created on the fly during the
449+ import. If this field is empty, the user is removed from all groups.
450+ 6. *locked * (boolean)
451+ 7. *must_change_password * (boolean)
452+ 8. *no_password_expiration * (boolean)
453+
454+ The fields must be present in the above, exact order. They correspond to
455+ the attributes described in the previous section; refer to
456+ :ref: `create-users-and-groups-section ` for more information.
457+
458+ The last three fields are boolean values. Accepted values are limited to
459+ the strings ``true `` and ``false ``. The empty string, and any value other
460+ than ``true ``, is interpreted as ``false ``.
461+
462+ For example, this CSV file includes an optional header line with the eight
463+ mandatory fields, followed by one record for user ``john ``, who is a
464+ member of the ``devs `` and ``web `` groups.
465+
466+ ::
467+
468+ user,display_name,password,mail,groups,locked,must_change_password,no_password_expiration
469+ john,Johnny Smith,s3Cr3tXX,[email protected] ,devs|web,false,true,false 403470
404471.. _user-management-portal-section :
405472
0 commit comments