
7.3. Registering user accesses

The eurephiadm commands used for this are the users and the certs commands, and there are two ways to do it. Let's first have a look at the help screens for those two eurephiadm commands.
user@host:~ $ eurephiadm users --help
eurephia::Users -- Administer user accounts

Available modes:
     -l | --list         List all user accounts
     -s | --show         Show user account details
     -a | --activate     Activate a user account
     -d | --deactivate   Deactivate a user account
     -A | --add          Add a new user account
     -D | --delete       Delete a user account
     -p | --password     Change password on a users account
     -h | --help <mode>  Further help for these modes

user@host:~ $ eurephiadm certs --add --help
The add mode will register a new certificate.

     -d | --depth         Certificate depth, required.
     -D | --digest        SHA1 fingerprint/digest of the new certificate
     -C | --common-name   Common name (CN) field of the certificate
     -O | --organisation  Organisation (O) field of the certificate
     -E | --email         e-mail address (emailAddress) of the certificate

Usually the certificate depth value needs to be 0, if you are registering user
account certificates. CA certificates usually have a value bigger than 0.

If you have the certificate file available, you can use the following
options to retrieve the needed information directly from a certificate file.

     -f | --certfile     File name of the certificate file.
     -p | --pkcs12       If the file is in PKCS#12 format.

The default format is PEM format, unless --pkcs12 is given.  These two options
cannot be used together with -D, -C, -O or -E.  But the certificate depth must
be given to indicate the certificate depth.
user@host:~ $

7.3.1. Method A: Doing it all in one operation

To do everything at once, you only need to use the users command. When doing it this way, three things happen:
  • User account is registered,
  • New certificate is registered, and
  • a link between user account and certificate is established.
Let's have a closer look at the eurephiadm command we will use.
user@host:~ $ eurephiadm users --help --add
eurephia::Users -- Administer user accounts

The add user mode registers a new user account.
Both of the following arguments are required:

     -u | --username     User name to use for the new account (required)
     -P | --password     Assign a new password via the command line.

To register this new account against a certificate
you can use the following arguments.  These arguments cannot be used together.

     -C | --certid       Use already registered certificate, identified by certid.
     -D | --digest       Use already registered certificate, identified by digest.
     -c | --certfile     Use the given certificate file and register it along with
                         the account.
     -2 | --pkcs12       Certificate file is using the PKCS#12 format.

user@host:~ $

Note

If you want to register a completely new user account and a completely new certificate, you will need to have access to the certificate file. If you will be using an already registered certificate, you only need a certificate ID (certid).

7.3.1.1. Register a new user account and a new certificate

To add a new user account and a new certificate, and to link them together in one operation, we need to use one of the following command lines. This first example needs a certificate file in PEM/DER format.
user@host:~ $ eurephiadm users --add --username norma.jones --certfile NormaJones.pem
Password for user: ......
Verify password for user: ......
eurephia::Users: User registered successfully (user id 2)
eurephia::Certificates: Certificate registered successfully (certid 2)
user@host:~ $
For PKCS#12 certificates the arguments are the same; you just need to add --pkcs12. If the certificate file is protected by a password, eurephiadm will ask for that password after the user password prompts.

7.3.1.2. Register a new user account with an already registered certificate

In this scenario, the certificate is already registered and we just want to link the new account to it. First, let's have a look at the available certificates:
user@host:~ $ eurephiadm certs --list
  ID (D) Common name                                              Organisation
         e-mail                                                     Registered
         Certificate SHA1 digest                                     
 ------------------------------------------------------------------------------
   1 (1) ACME test server. CA certificate                            ACME corp
         ca@acmecorp.com                                   2009-02-19 22:01:32
         39:4F:27:7B:71:7F:1D:BC:B6:1D:65:55:13:0D:E0:CF:5D:38:2E:23 
         
   2 (0) Norma Jones                                             Example Corp.
         norma.jones@example.com                           2009-02-19 22:21:07
         C0:5D:7B:2D:4A:98:3F:00:01:02:F0:2F:54:80:3B:5A:FA:53:9B:34 
 ------------------------------------------------------------------------------
user@host:~ $
We see here that certificate ID (certid) 2 is assigned to the common name 'Norma Jones'. Let's give Norma's colleague access using the same certificate as well.
user@host:~ $ eurephiadm users --add --username jane.doe --certid 2
Password for user: 
Verify password for user: 
eurephia::Users: User registered successfully (user id 3)
user@host:~ $
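
Before linking an account to a certid, or when registering a certificate by hand with the -D, -C, -O and -E options of certs --add, the digest and subject fields can be read from the certificate file and compared with what certs --list shows. The following is an added example, not part of the eurephia documentation; it assumes the openssl command line tool is installed, the function names are hypothetical, and the certificate is a throwaway one constructed for the demonstration.

```shell
#!/bin/sh
# Added example: derive the values `eurephiadm certs --add` takes
# (--digest, --common-name, --organisation, --email) from a PEM file.

# SHA1 digest in the colon-separated upper-case form shown by `certs --list`.
cert_digest() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed 's/^[^=]*=//' | tr 'a-f' 'A-F'
}

# One subject attribute by its long name
# (commonName, organizationName, emailAddress).
cert_field() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n "s/^ *$2 *= //p" | head -n 1
}

# Returns 0 only if the file's digest equals a digest copied from
# `eurephiadm certs --list` (spaces and letter case are ignored).
digest_matches() {
    [ "$(cert_digest "$1")" = \
      "$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')" ]
}

# Constructed sample: a self-signed certificate valid for one day.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Norma Jones/O=Example Corp./emailAddress=norma.jones@example.com' \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Print the manual-field command line for review; nothing is registered.
print_add_command() {
    printf 'eurephiadm certs --add --depth 0 --digest %s' "$(cert_digest "$1")"
    printf ' --common-name "%s"' "$(cert_field "$1" commonName)"
    printf ' --organisation "%s"' "$(cert_field "$1" organizationName)"
    printf ' --email %s\n' "$(cert_field "$1" emailAddress)"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp/NormaJones.pem"
print_add_command "$tmp/NormaJones.pem"
```

digest_matches can be called with the certificate file and the digest line copied from certs --list; a non-zero exit status means the file in hand is not the certificate registered under that certid.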