
How to disable LDAP accounts and provision local UCP accounts

Issue

This article describes how to disable the LDAP authentication backend in UCP and set up local accounts that may be used to log into UCP in lieu of LDAP.

Prerequisites

  • UCP 2.2.x or 3.0.x
  • LDAP enabled for users in UCP Admin Settings

Resolution

Note: The first user created in UCP is always a local admin account; use this account to log into UCP to make this change. To reset your local admin account, follow the Recovering the admin password article.

  1. To disable LDAP, log into UCP as an administrator and navigate to Admin Settings in the menu at the upper left.

  2. Navigate to Authentication & Authorization.

  3. Set LDAP Enabled? to No.

  4. Click Save.

  5. Existing users and groups will not be removed, but users will no longer be able to log in with their LDAP passwords. Since these users have no password hash stored in UCP to validate identity, you can create a local password for your users using the Docker API:

    Send a POST to the ChangePassword endpoint (POST /accounts/{username}/changePassword) with the following payload: {"newPassword": "somethingMoreRandomThanThis"}

    Example:

    # First, obtain a UCP authorization token by curling the /auth/login endpoint
    UCP_URL="https://ucp.example.org"
    ADMIN="admin"
    PASSWORD="orca1234"
    BEARER_TOKEN=$(curl -sSkL -d '{"username":"'${ADMIN}'","password":"'${PASSWORD}'"}' ${UCP_URL}/auth/login | jq -r .auth_token)
    
    # then, send the bearer token as a header and the new password as the JSON payload
    # (-k skips TLS certificate verification; drop it once UCP presents a trusted certificate)
    curl -kLsS \
      -H 'accept: application/json' \
      -H 'content-type: application/json' \
      -H "Authorization: Bearer ${BEARER_TOKEN}" \
      -X POST "${UCP_URL}/accounts/btables/changePassword" \
      -d '{"newPassword": "bobbytables"}'
    
  6. If the password was changed successfully, UCP will respond with a 200 OK and a JSON response containing the user's name.

  7. This may be extended to iterate over sets of users from UCP. As an example, you may want to reset all non-admin user accounts in the event of a security incident:

    UCP_URL="https://ucp.aws.antiskub.net"
    ADMIN="admin"
    PASSWORD="orca1234"
    LIMIT=1000
    BEARER_TOKEN=$(curl -sSkL -d '{"username":"'${ADMIN}'","password":"'${PASSWORD}'"}' ${UCP_URL}/auth/login | jq -r .auth_token)
    CURLOPTS=(-kLsS -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" -H "content-type: application/json")
    
    # List every non-admin account, then post a new password for each account id
    curl "${CURLOPTS[@]}" \
      -X GET "${UCP_URL}/accounts/?filter=non-admins&order=name&limit=${LIMIT}" \
      | jq -r '.accounts[].id' \
      | while read -r userid; do
          curl "${CURLOPTS[@]}" \
            -X POST "${UCP_URL}/accounts/${userid}/changePassword" \
            -d '{"newPassword": "reallyreallysecret"}'
        done
    
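    The bulk reset above gives every account the same password. The following is an added example, not part of the original article, that resets each non-admin account to its own random password, builds the JSON body without hand-splicing quotes, and checks the HTTP status code that step 6 says to expect. UCP_URL, ADMIN and PASSWORD are placeholders to be supplied by the operator; the endpoints and the `.accounts[].id` field are those used in the article.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: reset every non-admin
# account to its own random password and check each HTTP status code.
set -eu

UCP_URL="${UCP_URL:-https://ucp.example.org}"   # placeholder values;
ADMIN="${ADMIN:-admin}"                         # override from the environment
PASSWORD="${PASSWORD:-changeme}"
LIMIT=1000

# 24 alphanumeric characters from the kernel CSPRNG.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Escape the two characters JSON strings care about, then build the body;
# this avoids splicing quotes by hand (the source of the trailing-comma bug).
json_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }
make_payload() { printf '{"newPassword":"%s"}' "$(json_escape "$1")"; }

# Step 6 says to expect 200 OK: treat any 2xx as success.
is_success() {
  case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# -k mirrors the article; drop it once UCP presents a trusted certificate.
reset_all_non_admins() {
  token=$(curl -sSkL -H 'content-type: application/json' \
    -d "$(printf '{"username":"%s","password":"%s"}' \
           "$(json_escape "$ADMIN")" "$(json_escape "$PASSWORD")")" \
    "${UCP_URL}/auth/login" | jq -r .auth_token)
  curl -kLsS -H 'accept: application/json' \
    -H "Authorization: Bearer ${token}" \
    -X GET "${UCP_URL}/accounts/?filter=non-admins&order=name&limit=${LIMIT}" \
    | jq -r '.accounts[].id' \
    | while read -r user; do
        pw=$(gen_password)
        status=$(curl -kLsS -o /dev/null -w '%{http_code}' \
          -H 'content-type: application/json' \
          -H "Authorization: Bearer ${token}" \
          -X POST "${UCP_URL}/accounts/${user}/changePassword" \
          -d "$(make_payload "$pw")") || status=000
        if is_success "$status"; then
          printf '%s\t%s\n' "$user" "$pw"   # deliver to the user out of band
        else
          printf 'FAILED %s (HTTP %s)\n' "$user" "$status" >&2
        fi
      done
}
```

    Run `reset_all_non_admins` after sourcing the file; failed accounts are reported on stderr so the run can be repeated for just those users.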

Further Reading