Creating User Accounts
Last Modified 2021-07-12 16:37 EDT
TrueCommand has a robust user management system designed to allow TrueCommand administrators to personalize the TrueCommand experience for each user account. You can create user accounts in the TrueCommand interface. Alternatively, LDAP can automatically create new user accounts when someone logs into TrueCommand with their LDAP credentials.
User accounts can also be organized into “Teams” for simultaneous management of large numbers of related user accounts.
TrueCommand has two levels of accounts - Administrators and Users:
Administrators can add and remove users and servers. Administrators can also assign Users to Teams and Servers to Groups. Administrators have full access to all Alerts and Reports.
Users, on the other hand, can only interact with the servers they have been assigned by an Administrator.
Users can configure alerts and generate reports on their respective systems.
To create a new user account, open the Configure settings menu and click Users > + NEW USER. Enter a descriptive user name and an authentication method for the user.
TrueCommand uses the DEFAULT authentication method to create unique credentials for logging in to the web interface. The administrator has to provide these credentials to the intended user.
TrueCommand supports using LDAP to better integrate within an established network environment. LDAP/AD allows using single sign-on credentials from the Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). This means a user can log in with an LDAP or AD account without creating a separate TrueCommand login.
The LDAP server IP address or DNS hostname and Domain are required to use LDAP/AD. The LDAP or AD Username field is optional, but it is required when the TrueCommand user name does not match the LDAP or AD credentials.
Click on the settings (Gear) > Administration.
Open the Configuration Tab to access the LDAP configuration section.
To configure LDAP, add an LDAP server IP address or DNS hostname, fill in the Domain, and click ADD SERVER. Multiple LDAP servers and Domains can be added.
| Setting | Description |
| --- | --- |
| LDAP Server URL (string, Required) | IP or DNS name of the LDAP server, with the port number on the end. Example: “ldap.mycorp.com:636” (the SSL port is typically 636 for AD/LDAP). |
| Domain (string, Required) | Base domain settings of the user. Example: “dc=mycorp,dc=com” for a typical firstname.lastname@example.org user account. |
| Group Domain (string) | The alternative domain setting to use when searching for groups. The default value is the same as Domain. |
| Verify SSL (bool) | Require strict SSL certificate verification. The default value is false. Disable this option if the hostname of the system is different from the one listed on the SSL certificate, an IP is used for the connection instead of the DNS hostname, or a self-signed certificate is used by the LDAP server. |
| User ID Field (string) | Domain field name to use for user matching. The default value is “uid” (user ID). Another commonly used field is “cn” (common name). |
| Group ID Field (string) | The domain field name to use when searching for a group name. The default value is “cn” (common name). |
| BIND User Domain (string) | The full domain setting for a pre-authenticated bind to the server. For an unauthenticated bind, set this field to just a name (example: “truecommand-bind”). This is sometimes used for logging purposes on the LDAP server, but is otherwise not validated. |
| Bind Password (string) | The password to use for the bind user. For an unauthenticated bind, leave this field blank while setting the BIND User Domain to a non-empty value. |
TrueCommand supports two common methods of validating LDAP user credentials:
The Direct Bind method uses the Domain and User ID Field to create a static domain string which is then used to authenticate the user.
- Domain: “dc=mycorp,dc=com”
- User ID Field: “uid”
When user “bobby.singer” attempts to log in, TrueCommand establishes an SSL-secured connection to the LDAP server and then attempts to bind with the static domain “uid=bobby.singer,dc=mycorp,dc=com” and the user-provided password. If the bind succeeds, the user authentication has been verified and Bobby Singer is allowed access to TrueCommand.
The Indirect Bind authentication method is much more dynamic and searches for the proper user domain settings rather than making assumptions about the format. With TrueCommand, Indirect Bind configures a “bind user” (typically a read-only, minimal-permissions user account) with a known domain/password to perform the initial bind to the LDAP server. Once logged in, TrueCommand searches for the user domain currently requesting to login. It then attempts a second bind with the user domain and provided password.
- Domain: “dc=mycorp,dc=com”
- User ID Field: “uid”
- BIND User Domain: “uid=binduser,cn=read-only-bind,dc=mycorp,dc=com”
- BIND Password: “pre-shared-key”
When “bobby.singer” attempts to log in, TrueCommand establishes an SSL-secured connection to the LDAP server. TrueCommand uses the BIND User Domain and BIND Password settings to perform an initial bind using pre-known settings from your LDAP provider. Once bound, TrueCommand searches for the user matching “uid=bobby.singer”, but only within the subdomains that include the “Domain” setting (“dc=mycorp,dc=com” in this example). If TrueCommand finds a user, it uses the full user domain string from the search result to initialize a second bind along with the user-provided password. If that bind succeeds, TrueCommand verifies the user authentication and Bobby Singer is allowed access to TrueCommand.
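The two bind flows above, Direct Bind and Indirect Bind, as an added example that is not TrueCommand's own code. It uses a constructed in-memory directory in place of a real LDAP server, so it runs offline; the user “jane.doe” and her DN under “ou=people” are assumptions added to show why Indirect Bind finds users whose DN does not match the static format. The fake server also reproduces a real-world trap: a simple bind with an empty password is an anonymous bind that reports success (RFC 4513, 5.1.2), so both client flows refuse empty passwords before binding, and user-supplied values are escaped before they are placed in a DN or a search filter.

```python
import re

# Constructed in-memory directory standing in for the LDAP server: DN -> (attrs, password).
DIRECTORY = {
    "uid=bobby.singer,dc=mycorp,dc=com": ({"uid": "bobby.singer"}, "hunter2"),
    "uid=jane.doe,ou=people,dc=mycorp,dc=com": ({"uid": "jane.doe"}, "s3cret"),
    "uid=binduser,cn=read-only-bind,dc=mycorp,dc=com": ({"uid": "binduser"}, "pre-shared-key"),
}

def server_bind(dn, password):
    """Fake simple bind. Like many real servers (RFC 4513, 5.1.2), an empty password
    yields an *anonymous* bind that reports success; the client must never treat
    that as a verified user."""
    if password == "":
        return True
    return dn in DIRECTORY and DIRECTORY[dn][1] == password

def server_search(base, flt):
    """Fake search: evaluate one equality filter '(attr=value)' below `base`."""
    attr, value = flt[1:-1].split("=", 1)
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith("," + base) and attrs.get(attr) == value]

def escape_dn_value(value):
    """Escape a user-supplied value for use inside a DN (RFC 4514)."""
    return re.sub(r'([\\,+"<>;=])', r"\\\1", value)

def escape_filter_value(value):
    """Escape a user-supplied value for use inside a search filter (RFC 4515)."""
    return re.sub(r"[\\*()\0]", lambda m: "\\%02x" % ord(m.group()), value)

def direct_bind(user, password, domain="dc=mycorp,dc=com", uid_field="uid"):
    """Direct Bind: build a static DN from Domain + User ID Field, then bind once."""
    if not password:                      # empty password would become an anonymous bind
        return False
    return server_bind(f"{uid_field}={escape_dn_value(user)},{domain}", password)

def indirect_bind(user, password, domain="dc=mycorp,dc=com", uid_field="uid",
                  bind_dn="uid=binduser,cn=read-only-bind,dc=mycorp,dc=com",
                  bind_pw="pre-shared-key"):
    """Indirect Bind: bind as the read-only bind user, search for the user's real DN
    below Domain, then bind a second time with that DN and the user's password."""
    if not password or not server_bind(bind_dn, bind_pw):
        return False
    matches = server_search(domain, f"({uid_field}={escape_filter_value(user)})")
    if len(matches) != 1:                 # no match or ambiguous match: refuse
        return False
    return server_bind(matches[0], password)
```

Direct Bind authenticates “bobby.singer” but not “jane.doe”, whose DN does not follow the assumed “uid=…,dc=mycorp,dc=com” shape; Indirect Bind authenticates both because it searches for the DN first.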
WARNING: AD/LDAP authentication requires SSL connections.
If the LDAP server uses an SSL certificate generated by a custom certificate authority (CA), then one of two things must occur before TrueCommand can use the LDAP server:
- (Option 1) Users must register the custom certificate authority with TrueCommand via the Certificates tab in Administrator Settings.
- (Option 2) Users can disable the Verify SSL option to accept whatever SSL certificate the server provides. Users may need to choose Option 2 if the LDAP server hostname is different from the one listed on the certificate, or if the server uses a self-signed SSL certificate.
Enabling Allow LDAP user creation means TrueCommand creates user accounts when someone logs in to the User Interface with their LDAP credentials. JOIN TEAM automatically adds LDAP users to specific TrueCommand teams.
You can assign users to existing Teams by selecting a team from the drop-down to add the user to that team. You can assign users to multiple teams. TrueCommand applies team permissions to any user added to a team, but setting a specific permission for the user can override a related team permission. For more in-depth information regarding teams, see the Teams Documentation.
To limit the access that non-administrative accounts have to the connected systems, configure the System Access and/or System Groups sections. This requires that system connections and/or system groups have already been configured in TrueCommand.
Click ADD SYSTEM and select a system from the drop-down to give the user access to that system. To restrict the user to only viewing details about the system, set the read permission. To remove a user’s access to a particular system, click minus on the desired system.
When system groups are available, an ADD GROUP button appears. Click ADD GROUP and select a group from the drop-down to give the user access to all the systems in that group. To set the user’s type of access to the group, choose read or read/write permissions. To remove a user’s access to a particular system group, click - (minus) on the desired group.