Users and groups

Users

A system user is required to access many services provided by NethServer (email, shared folders, etc.).

Each user is characterized by a pair of credentials (user and password). A newly created user account remains locked until a password has been set for it. A blocked user cannot use the services of the server that require authentication.

When creating a user, the following fields are mandatory:

  • Username
  • Name
  • Surname

Optional fields:

  • Company
  • Office
  • Address
  • City
  • Phone

Just after creation, the user is disabled. To enable the user, set a password using the Change password button. Once enabled, the user can access the Server Manager and change his/her own password (see Change user password).

A user can be added to one or more groups from the Users page or from the Groups page.

Sometimes you need to block a user's access to services without deleting the account. This can be done using the Lock and Unlock buttons.

Note

When a user is deleted, all of the user's data is deleted as well.

Access to services

After creation, a user can be enabled for only some (or all) services. This can be configured on the Services tab page.

Groups

A group of users can be used to assign special permissions to some users or to create email distribution lists.

As with users, a group can be enabled for some (or all) services.

Tip

To delegate permissions on the Server Manager, use the groups managers or administrators.

Two special groups can be created; users who belong to one of these groups are granted access to the panels of the Server Manager:

  • administrators: Users of this group have the same permissions as the root or admin user.
  • managers: Users of this group are granted access to the Management section.

Admin account

The Users page has one default entry: admin. This account allows access to the Server Manager with the same permissions as the root account. It is initially disabled and has no access from the console.

Tip

To enable the admin account, set its password.

Where applicable, the admin user is also granted special privileges on some specific services, such as joining a workstation to the Samba domain.

Password management

The system provides the ability to set constraints on password complexity and expiration.

Password policies can be changed from the web interface after installing the nethserver-password module.

Complexity

Password complexity is a set of minimum conditions that a password must meet to be accepted by the system. You can choose between two different management policies for password complexity:

  • none: there is no specific check on the password entered, but the minimum length is 7 characters
  • strong

The strong policy requires that the password comply with the following rules:

  • Minimum length of 7 characters
  • Contains at least 1 number
  • Contains at least 1 uppercase character
  • Contains at least 1 lowercase character
  • Contains at least 1 special character
  • At least 5 different characters
  • Must not be present in the dictionaries of common words
  • Must be different from the username
  • Repetitions of patterns formed by 3 or more characters are not allowed (for example, the password As1.$AS1.$ is not valid)

The default policy is strong.

Warning

Changing the default policies is strongly discouraged. The use of weak passwords often leads to servers being compromised by external attackers.

To change the setting to none

config setprop passwordstrength Users none

To change the setting to strong

config setprop passwordstrength Users strong

Check the policy currently in use on the server

config getprop passwordstrength Users

Expiration

Password expiration is enabled by default and set to 6 months from the time the password is set. The system will send an email to inform users when their password is about to expire.

Note

The system refers to the date of the last password change: if that date is more than 6 months in the past, the server will send an email to indicate that the password has expired. In this case you need to change the user password. For example, if the last password change was made in January, and the activation of the deadline in October, the system will assume the password changed in January is expired, and notify the user.

If you wish to bypass password expiration globally (and also allow access for users with an expired password):

config setprop passwordstrength PassExpires no
signal-event password-policy-update

To disable password expiration for a single user (replace <username> with the user's name):

db accounts setprop <username> PassExpires no
signal-event password-policy-update

Below are the commands to view enabled policies.

Maximum number of days for which you can keep the same password (default: 180)

config getprop passwordstrength MaxPassAge

Minimum number of days for which you are forced to keep the same password (default 0)

config getprop passwordstrength MinPassAge

Number of days on which the warning is sent by email (default: 7)

config getprop passwordstrength PassWarning

To change a parameter, replace the getprop command with setprop, then add the desired value at the end of the line. Finally, apply the new configuration:

signal-event password-policy-update

For example, to change the "Number of days on which the warning is sent by email" to 5:

config setprop passwordstrength PassWarning 5
signal-event password-policy-update

Effects of expired password

After password expiration, the user will still be able to read and send mail but can no longer access shared folders and printers (Samba), or other computers if the machine is part of the domain.

Domain password

If the system is configured as a domain controller, users can change their password using the Windows tools.

In the latter case you cannot set passwords shorter than 6 characters, regardless of the server policies. Windows performs preliminary checks and sends the password to the server, where it is then evaluated against the enabled policies.

Notification language

The default language for notifications is English. If you wish to change it, use the following command:

config setprop sysconfig DefaultLanguage <lang>

Example for Italian:

config setprop sysconfig DefaultLanguage it_IT.utf8

Import users

The system can import a list of users from a CSV file. The file must contain one line per user; each line must have TAB-separated fields in the following format:

username    firstName    lastName    email    password

Example:

mario   Mario   Rossi   mario@example.org       112233

Make sure the mail server is installed, then execute:

/usr/share/doc/nethserver-directory-<ver>/import_users <yourfilename>

For example, if the users file is /root/users.csv, execute the following command:

/usr/share/doc/nethserver-directory-`rpm --query --qf "%{VERSION}" nethserver-directory`/import_users /root/users.csv

The command can be executed multiple times: already existing users will be skipped.

Note

The command will fail if the mail server module is not installed.
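The import format above and the strong rules listed under Complexity can be checked together before running import_users. The following is an added example, not part of the NethServer documentation or code: the function name check_import_file and the sample lines are constructed here, the checks approximate the listed rules, and the dictionary rule is not checked.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of an import_users file.
# check_import_file FILE
#   Prints "line:username:problem" for every finding; returns 1 if any.
#   Approximates the documented strong rules; no dictionary lookup.
check_import_file() {
  LC_ALL=C awk -F'\t' '
    function bad(msg) { printf "%d:%s:%s\n", NR, $1, msg; rc = 1 }
    # True when a 3-character substring occurs again later in p.
    function repeats(p,    i, n) {
      n = length(p)
      for (i = 1; i + 5 <= n; i++)
        if (index(substr(p, i + 3), substr(p, i, 3)) > 0) return 1
      return 0
    }
    # Number of different characters in p.
    function distinct(p,    i, c, seen, k) {
      for (i = 1; i <= length(p); i++) {
        c = substr(p, i, 1)
        if (!(c in seen)) { seen[c] = 1; k++ }
      }
      return k + 0
    }
    NF != 5 { bad("expected 5 TAB-separated fields, found " NF); next }
    {
      pw = $5
      if (length(pw) < 7)        bad("shorter than 7 characters")
      if (pw !~ /[0-9]/)         bad("no number")
      if (pw !~ /[A-Z]/)         bad("no uppercase character")
      if (pw !~ /[a-z]/)         bad("no lowercase character")
      if (pw !~ /[^A-Za-z0-9]/)  bad("no special character")
      if (distinct(pw) < 5)      bad("fewer than 5 different characters")
      if (pw == $1)              bad("same as the username")
      if (repeats(pw))           bad("repeats a pattern of 3 or more characters")
    }
    END { exit rc + 0 }
  ' "$1"
}

# Constructed sample: the sample line from the page plus a compliant one.
sample=$(mktemp)
printf 'mario\tMario\tRossi\tmario@example.org\t112233\n' >  "$sample"
printf 'anna\tAnna\tBianchi\tanna@example.org\tTr4m.Ponte!\n' >> "$sample"
check_import_file "$sample" || echo "fix the lines above before running import_users"
rm -f "$sample"
```

The sample line from the page (password 112233) produces five findings against the strong rules, while the second constructed line passes.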