Sysadmin Documentation/User Creation

Jump to: navigation, search

In order to avoid manually creating user accounts, we have built a custom self-service user-creation script. In order to create an account, a user must provide and verify their

  • Caltech presence
  • full name
  • external email address

and also choose their uid.

These are the only pieces of information needed to create a user account, so when those are obtained, the account can be created automatically.

The user facing component is a python web service. Since root is required to create the users, but it is not safe to run the web service as root, there is separate daemon running as root to create the user folders. Communication with the daemon is done with the python multiprocessing library.

Python Web component

The web frontend is a python WSGI web app written in flask. This is run under the same apache webserver that hosts the rest of the UGCS main sites (gold). For security, this is is restricted to access from caltech ips only.

The user is required to enter their access.caltech credentials, and we bind to the caltech directory ldap as them to verify their identity. With this connection, we also download the user's real full name.

In order to prevent multi-accounting, each user has their access.caltech username stored in a sqlite3 database as a unique key. The account creation process is aborted if the user has already created an account.

The user entered email and desired username are sanitized and validated to protect against any attacks. The user's ldap objects are then created directly by this service. If the desired username is already taken, this gets caught by ldap and we're good. If this is successful, we send a request

root daemon

The user creation daemon is set to run as root on zinc, where the files are. The root daemon receives the username, and validates it just to be double sure. It then creates the appropriate files for the user.

email verification

The account creator flow does not actually include email verification. Instead, the account creator does not set a password, requiring the user to complete an email challenge using selfservicepassword to set their initial password.