Users and groups

Users

A system user is required to access many services provided by NethServer Enterprise (email, shared folders, etc..).

Each user is characterized by a pair of credentials (user and password). A newly created user account remains locked until it has set a password. A blocked user can not use the services of servers that require authentication.

When creating a user, following fields are mandatory:

  • Username
  • Name
  • Surname

Optional fields:

  • Company
  • Office
  • Address
  • City
  • Phone

Just after creation, the user is disabled. To enable the user, set a password using the Change password button. When a user is enabled, the user can access to the Server Manager and change his/her own password: Change user password.

A user can be added to one or more group from the Users page or from the Groups one.

Sometimes you need to block user’s access to service without deleting the account. This behavior can be achieved using the Lock and Unlock buttons.

Note

When a user is deleted, all user data will be also deleted.

Access to services

After creation a user can be enabled only to some (or all) services. This configuration can be done using the Services tab page.

Groups

A group of user can be used to assign special permissions to some users or to create email distribution lists.

As for the users, a group can be enabled to some (or all) services.

Tip

For delegating permissions to the Server Manager, use the groups managers or administrators.

Two special groups can be created, the users who belong in one of these groups are granted access to the panels of the Server Manager

  • administrators: Users of this group have the same permissions as the root or admin user.
  • managers: Users of this group are granted access to the Management section.

Admin account

The Users page has one default entry: admin. This account allows access to the Server Manager with the same permissions of the root account. It is initially disabled and has no access from the console.

Tip

To enable admin account set its password.

Where applicable, the admin user also is granted special privileges on some specific services, such as joining a workstation in Samba domain.

Password management

The system provides the ability to set constraints on password complexity and expiration.

Password policies can be changed from web interface after installing nethserver-password module.

Complexity

The password complexity is a set of minimum conditions that password must match to be accepted by the system: You can choose between two different management policies about password complexity:

  • none: there is no specific control over the password entered, but minimum length is 7 characters
  • strong

The strong policy requires that the password must comply with the following rules:

  • Minimum length of 7 characters
  • Contain at least 1 number
  • Contain at least 1 uppercase character
  • Contain at least 1 lowercase character
  • Contain at least 1 special character
  • At least 5 different characters
  • Must be not present in the dictionaries of common words
  • Must be different from the username
  • Can not have repetitions of patterns formed by 3 or more characters (for example the password As1.$ AS1. $ is invalid)

The default policy is strong.

Warning

Changing the default policies is highly discouraged. The use of weak passwords often lead to compromised servers by external attackers.

To change the setting to none

config setprop passwordstrength Users none

To change the setting to strong

config setprop passwordstrength Users strong

Check the policy currently in use on the server

config getprop passwordstrength Users

Expiration

The password expiration is enabled by default to 6 months from the time when the password is set. The system will send an e-mail to inform the users when their password is about to expire.

Note

The system will refer to the date of the last password change, whichever is the earlier more than 6 months, the server will send an email to indicate that password has expired. In this case you need to change the user password. For example, if the last password change was made in January, and the activation of the deadline in October, the system will assume the password changed in January is expired, and notify the user.

If you wish to bypass the password expiration globally (also allow access for users with expired password)

config setprop passwordstrength PassExpires no
signal-event password-policy-update

To disable password expiration for a single user (replace username with the user)

db accounts setprop <username> PassExpires no
signal event password-policy-update

Below are the commands to view enabled policies.

Maximum number of days for which you can keep the same password (default: 180)

config getprop passwordstrength MaxPassAge

Minimum number of days for which you are forced to keep the same password (default 0)

config getprop passwordstrength MinPassAge

Number of days on which the warning is sent by email (default: 7)

config getprop passwordstrength PassWarning

To change the parameters replace the getprop command with setprop, then add the desired value at end of the line. Finally apply new configurations:

signal-event password-policy-update

For example, to change to 5 “Number of days on which the warning is sent by email”

config setprop passwordstrength PassWarning 5
signal-event password-policy-update

Effects of expired password

After password expiration, the user will be able to read and send mails but can no longer access the shared folders and printers (Samba) or other computer if the machine is part of the domain.

Domain password

If the system is configured as a domain controller, users can change their password using the Windows tools.

In the latter case you can not set passwords shorter than 6 characters regardless of the server policies. Windows performs preliminary checks and sends the password to the server where they are then evaluated with enabled policies.

Notification language

Default language for notifications is English. If you wish to change it, use the following command:

config setprop sysconfig DefaultLanguage <lang>

Example for Italian:

config setprop sysconfig DefaultLanguage it_IT.utf8

Import users

The system can import a list of users from a CSV file. The file must contain a line per user, each line must have TAB-separated fields and must respect following format:

username    firstName    lastName    email    password

Example:

mario   Mario   Rossi   mario@example.org       112233

Make sure the mail server is installed, then execute:

/usr/share/doc/nethserver-directory-<ver>/import_users <youfilename>

For example, if the user’s file is /root/users.csv, execute following command:

/usr/share/doc/nethserver-directory-`rpm --query --qf "%{VERSION}" nethserver-directory`/import_users /root/users.csv

The command can be executed multiple times: already existing users will be skipped.

Note

The command will fail if mail server module is not installed