Default

About

You can use the default driver to create local users. This enables a local store of users on the OP5 Monitor server.

Caveat

Do not remove Default

We highly recommended that you always keep this driver configured with an admin account as a fallback, even if your system is primarily using LDAP. If anything goes wrong, you can use '/usr/bin/op5-manage-users' to change the Administrator password and get into the setup.

Local Users page

When the Default driver is enabled, a configuration interface named Local Users appears in the OP5 Configuration.

On the Local Users page, each user has a real name. From here you can create a password, and control group memberships. Groups needs to be created in advance: see our page about Authorization in Authorization.

This driver stores the users in the configuration file '/etc/op5/auth_users.yml'.

Command-line -- op5-manage-users

All local user passwords are stored in '/etc/op5/auth_users.yml', listed inside the user blocks such as the example below. The string that begins with "$1$VGn0" is a hash of the password "monitor":

monitor:
username: "monitor"
realname: "Monitor Admin"
password: "$1$VGn0CdSG$AMJjvHoF8M2nSy8SiPrW70"
groups:
- "admins"
password_algo: "crypt"
modules:
- "Default"

The monitor command that changes the local users, including their passwords, is '/usr/bin/op5-manage-users' . Running this without any arguments prints its syntax help:

monitor:
This is a small helper for adding/changing/deleting users in op5 Monitor.

Create/edit user:
/usr/bin/op5-manage-users --update --username=<username> (--password=<password>) \
--module=<module1> [--module=<modulen>] [--realname=<realname> --group=<group1> [--group=<groupn>]]

--username User's username
--password Password is only required if an authentication module that requires passwords is chosen
--module Authentication module that should be used for this user
--realname Full name of user
--group User's group memberships

Delete user:
/usr/bin/op5-manage-users --remove --username=<username>

Here is an syntax example for creating a new Monitor user, 'gord':

monitor:
/usr/bin/op5-manage-users --update --username=gord --realname="Wheat King" --modules=Default --password=100thMeridian --group=admins

Here is the resulting content in 'auth_users.yml':

monitor:
gord:
username: "gord"
realname: "Wheat King"
password: "$1$s4gwhkvu$2ZB0.yHVSkcxWUtxtuLYX0"
password_algo: "crypt"
modules:
- "Default"
groups:
- "admins"

Command line caveats

  • 'op5-manage-users' does not append; it only overwrites every entry for the user. For example, attempting to change only the group of the user created earlier:
  • monitor:
        op5-manage-users --update --username=gord --group=limited_edit 

    ...leads to this being the entire entry for the user. The password and all other entries have been removed:

    monitor:
    gord:
      username: "gord"
      groups:
        - "limited_edit" 
  • Changing the variable order in the command will move the user's real name to the bottom of the file entry. For example, this will run successfully:
  • monitor:
    op5-manage-users --update --username=jfriday --realname="Sgt. Joe Friday" --group=admins --password=Badge714 --modules=Default

    The resulting entry in 'auth_users.yml' can be difficult for a user to parse:

    monitor:
    jfriday:
      username: "jfriday"
      password: "$1$DTVh5ZeF$Tm1WeJDyH2AaY3FQ21Li4."
      password_algo: "crypt"
      modules:
        - "Default"
      groups:
        - "admins"
      realname: "Sgt. Joe Friday"