Creating User Accounts
8 minute read.Last Modified 2023-11-30 10:15 EST
TrueCommand has a robust user management system designed to allow TrueCommand administrators to personalize the TrueCommand experience for each user account. You can either individually create user accounts in the TrueCommand interface or allow LDAP to automatically create new user accounts when someone logs into TrueCommand with their LDAP credentials.
TrueCommand also organizes user accounts into teams which allows admins to simultaneously manage many user accounts.
TrueCommand has two types of accounts, administrators and users.
Administrators can add and remove users and servers and assign users to teams and servers to groups. Administrators have full access to all alerts, reports, and system LDAP configuration settings.
Users can only interact with the systems assigned to them by an administrator.
Users can configure alerts, add datasets, shares, snapshots and snapshot tasks, create and generate reports, and manage systems assigned to them, but cannot add or manage users, systems, or perform tasks for other systems.
To create a new user account, click the gear settings icon, then click Users > NEW USER. Enter a descriptive user name and an authentication method for the user.
TrueCommand uses the password authentication method by default to create unique credentials for logging in to the web interface. The administrator must provide these credentials to the intended user.
To create an administrator account, select TrueCommand Administrator.
Two-factor authentication double-checks the authentication of an account user. The first verification occurs when the user logs in with a username and a password. Two-factor authentication adds an extra step in the process, a second security layer, that reconfirms their identity. If basic password security measures are in place, two-factor authentication makes it more difficult for unverified users to log in to your account.
Enabling two-factor authentication requires an already-authenticated email address. Authenticating a user email address requires first setting up SMTP email on the Alert Services screen.
To verify a user email address and set 2FA:
- Enter the email address for the user and click Save Changes.
- Check the user email account for the verification code. Copy the code from the email.
- Paste the code in the Confirmation code field in the confirmation window. Click OK.
- Set Enable 2FA and click Save Changes.
TrueCommand supports using LDAP to better integrate within an established network environment. LDAP/AD allows using single sign-on credentials from the Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). Users can log in with an LDAP or AD account without creating a separate TrueCommand login.
LDAP and AD require the server IP address or DNS hostname and domain to use. The LDAP or AD Username (optional) is required when the TrueCommand user name does not match the LDAP or AD credentials.
Click on the settings (Gear) > Administration.
Click Add on the LDAP Servers widget to open the Add LDAP Server configuration screen.
To configure LDAP, type the LDAP server IP address or DNS host name into the LDAP Server URL field, type the domain name in the Domain field, and click ADD SERVER. You can add multiple LDAP servers and domains.
Click on the Test LDAP Config icon to open a window that allows you to test your connection to the LDAP server. The Remove LDAP Server icon removes the selected LDAP server.
|Hostname||(Required) Enter the host name, IP or DNS name, of the LDAP server, with port number on the end. For example: ldap.mycorp.com:636 (SSL port is typically 636 for AD/LDAP).|
|Domain||(Required) Base domain settings of the user. For example: dc=mycorp,dc=com for a typical |
|Group Domain||Enter the alternative domain setting to use when searching for groups. The default value is the same as Domain.|
|Verify SSL||Select to require strict SSL certificate verification. The default value is false. Disable this option if the system host name is not the one on the SSL certificate, the system uses an IP to connect instead of the DNS host name, or the LDAP server uses a self-signed certificate.|
|User ID Field||Enter the user ID for the user that logs in (this is class-matched to the login username). Enter Domain name to use for user-matching. The default value is uid (user ID). Another commonly-used field is cn (common name).|
|Group ID Field||Enter the class for finding groups associated with a user. The default is cn (common name). Enter the Domain name to use when searching for a group name.|
|BIND User Domain||Enter the full domain setting for a pre-authenticated bind to the server. For example: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com. For an unauthenticated bind, enter just a name (example: truecommand-bin). This is sometimes used for logging purposes on the LDAP but otherwise is not validated.|
|Realm||Enter the realm that performs authentication against the LDAP server.|
|BIND Password||Enter the password to use for the bind user. For an unauthenticated bind, leave blank while setting the BIND User Domain to a non-empty value.|
|KDC||Enter the key distribution center (KDC) that supplies session tickets and temporary session keys to users and computers within the LDAP server.|
TrueCommand supports two methods of validating LDAP user credentials:
The direct BIND method uses the Domain and User ID Field values to create a static domain string for user authentication.
- Domain: dc=mycorp,dc=com
- User ID Field: uid
When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server and attempts to bind with the static domain uid=bobby.singer,dc=mycorp,dc=com and the user-provided password. If successful, the user authentication verifies, and Bobby Singer may access TrueCommand.
The indirect BIND authentication method is more dynamic and searches for the proper user domain settings rather than making format assumptions. With TrueCommand, indirect BIND configures a bind user (typically a read-only, minimal-permissions user account) with a known domain/password to perform the initial bind to the LDAP server. After logging in, TrueCommand searches for the user domain requesting to log in. It then attempts a second bind with the user domain and provided password.
- Domain: dc=mycorp,dc=com
- User ID Field: uid
- BIND User Domain: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com
- BIND Password: pre-shared-key
When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server. TrueCommand uses the BIND User Domain and BIND Password settings to perform an initial bind using pre-known settings from your LDAP provider. When bound, TrueCommand searches for the user matching uid=bobby.singer, but only within the subdomains that include the domain setting (dc=mycorp,dc=com in this example). If TrueCommand finds a user, it uses the entire user domain string from the search result to initialize a second bind along with the user-provided password. If successful, TrueCommand verifies the user authentication, and Bobby Singer is allowed access to TrueCommand.
If the LDAP server uses an SSL certificate generated by a custom certificate authority (CA), then one of two things must occur before TrueCommand can use the LDAP server. Either:AD/LDAP authentication requires SSL connections.
Users must register the custom certificate authority with TrueCommand via the Certificates tab on the Administration screen.
Users can disable the Verify SSL option to accept whatever SSL certificate the server provides. Users might need to choose this if the LDAP server host name differs from the one listed on the certificate or if the server uses a self-signed SSL certificate.
Selecting Allow LDAP user creation means TrueCommand creates user accounts when someone logs in to the User Interface with their LDAP credentials. JOIN TEAM automatically adds LDAP users to specific TrueCommand teams.
You can assign users to existing teams by selecting a team from the Teams dropdown to add the user to that team. You can assign users to multiple teams. For more in-depth information regarding teams, see the Teams Documentation.
To limit non-administrative account access to connected systems, configure the System Access and/or System Groups sections. This requires first configuring system connections and/or system groups in TrueCommand.
Click ADD SYSTEM and select a system from the dropdown to give the user access to that system. To restrict the user to only viewing details about the system, set the read permission. To remove user access to a particular system, click - (minus) on that system.
When system groups are available, the ADD GROUP button displays. Click ADD GROUP and select a group from the dropdown list to give the user access to all the systems in that group. To assign a user a type of access to the group, choose read or read/write permissions. To remove user access to a particular system group, click - (minus) on the desired group.
It is possible to configure multiple permissions for the same user account and system in different screens within TrueCommand.
When this happens, TrueCommand follows a specific flow to determine which permission settings control the account:
flowchart TB A(User settings for individual systems) --> B(User settings for system groups) --> C(Teams settings for individual systems) --> D(Teams settings for system groups)
For example, user A is configured to have direct read and write access to system 1. This permission remains in place, even if user A joins a TrueCommand team that is configured with read permission for system 1.
When a user account has multiple permissions at the same level (user is a member of two teams that have different permissions to the same system), TrueCommand defaults to granting the user account the most permissive option between the conflicting permissions.
TrueCommand users can reset their passwords from the login screen. Enter the username then click FORGOT PASSWORD.
Enter the user email address (or where you want to send the reset login code).
An [AUTH] TrueCommand Password Reset email should arrive with the reset password login code.
Enter the user name in the login screen and the reset password code, then click SIGN IN. The user can then go to their profile to change their password.