Satoshino
Nov 16, 2023

Create users Local User DB by CLI

Hello folks,

I'm looking to create users inside the localdb in the APM module by CLI.

I verified that a command for this purpose doesn't exist, and I also tried to add a user directly in the db table auth_user, but it seems that the appliance doesn't digest this configuration even though I can see the new users added to the table:

MYSQL_PW=`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw`

MYSQL_PW="$(/usr/bin/perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)"

INSERT INTO auth_user (uid, uname, instance, password, user_groups, login_failures, lockout_start, ttl) VALUES ('14365', 'username', '/Common/instance', 'password', '', '0', '0', '1700135315');

 

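+-------+-----------+-------------------------------+----------------------------------------+-------------+----------------+---------------+---------------+------------+--------------+---------+-----------+------------+---------------+---------------------+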
| uid   | uname     | instance                      | password                               | user_groups | login_failures | passwd_expire | lockout_start | ttl        | dynamic_user | deleted | suspended | locked_out | change_passwd | last_modified       |
+-------+-----------+-------------------------------+----------------------------------------+-------------+----------------+---------------+---------------+------------+--------------+---------+-----------+------------+---------------+---------------------+
| 14365 | username | /Common/instance          | password                               | 0|           0|          0|          0|       0|            0 |       0 |         0 |          0 |             0 | 

 

Do you know how I can create users by CLI/API?

Best regards

  • Create the AAA localdb instance first.

    Then create a user:

     

     

    Then use mysql client to see what was created:

    [admin@west:ModuleNotLicensed::Active:Standalone] ~ # echo $MYSQL_PW
    OPRDwipY5G
    [admin@west:ModuleNotLicensed::Active:Standalone] ~ # mysql -p
    Enter password:
    Welcome to the MariaDB monitor. Commands end with ; or \g.
    Your MariaDB connection id is 20011
    Server version: 5.5.53-MariaDB MySQL Community Server (GPL)

    Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> show databases;
    +--------------------------------------------------+
    | Database |
    +--------------------------------------------------+
    | information_schema |
    | APMOAuth462bbe3b0c958855218bbb824dcd87e5605fd1e6 |
    | APMOAuthe68c35d65693688c184d29379e2226b69c08777b |
    | AVR |
    | cnf |
    | f5authdb |
    | logdb |
    | mysql |
    | performance_schema |
    | test |
    +--------------------------------------------------+
    10 rows in set (0.00 sec)

    MariaDB [(none)]> use f5authdb;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    MariaDB [f5authdb]> show tables;
    +--------------------+
    | Tables_in_f5authdb |
    +--------------------+
    | auth_user |
    | auth_user_data |
    | auth_user_details |
    | mdm_device |
    | mdm_status |
    +--------------------+
    5 rows in set (0.00 sec)

    MariaDB [f5authdb]> select * from auth_user;
    +-------+-------+-------------------------------+----------------------------------------+-------------+----------------+---------------+---------------+------------+--------------+---------+-----------+------------+---------------+---------------------+
    | uid | uname | instance | password | user_groups | login_failures | passwd_expire | lockout_start | ttl | dynamic_user | deleted | suspended | locked_out | change_passwd | last_modified |
    +-------+-------+-------------------------------+----------------------------------------+-------------+----------------+---------------+---------------+------------+--------------+---------+-----------+------------+---------------+---------------------+
    | 16460 | fred | /Common/mylocaluserdbinstance | {SSHA}5cnywrcbZ3wKbn6gi//HMj4zv7ipxPya | | 0 | NULL | 0 | 1700160452 | 0 | 0 | 0 | 0 | 0 | 2023-11-16 10:50:57 |
    +-------+-------+-------------------------------+----------------------------------------+-------------+----------------+---------------+---------------+------------+--------------+---------+-----------+------------+---------------+---------------------+
    1 row in set (0.00 sec)

    MariaDB [f5authdb]>

     

    Now you should be able to manipulate that user and create more users in the same pattern. Please understand that direct DB manipulation like this isn't strictly supported, but it should work as long as you're careful. Be sure to make frequent database backups and test often.

    I would also suggest NOT using local DB at all if you have a large user database, and using an external auth server instead. Setting up an open source LDAP server such as OpenLDAP has never been easier now that we have industry standard automation such as Docker Compose:

    https://hub.docker.com/r/bitnami/openldap/
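
Added example (not part of either post, and not F5 code): the two auth_user listings above differ in the password column, which holds the literal string `password` in the hand-inserted row and an `{SSHA}`-prefixed value in the row created through the product. The sketch below audits rows for password fields that are not well-formed `{SSHA}` values; it assumes the conventional LDAP layout, base64(SHA-1(password + salt) + salt), which the page does not confirm, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} string (assumed layout, see lead-in)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode()


def parse_ssha(value: str):
    """Return (digest, salt) if value is a well-formed {SSHA} string, else None."""
    if not value.startswith(SSHA_PREFIX):
        return None
    try:
        raw = base64.b64decode(value[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:  # need a digest plus at least one salt byte
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, value: str) -> bool:
    parsed = parse_ssha(value)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def audit_rows(rows):
    """Return unames whose password field is not a well-formed {SSHA} value."""
    return [uname for uname, pw in rows if parse_ssha(pw) is None]


# (uname, password) pairs copied from the two auth_user listings on this page.
ROWS = [
    ("username", "password"),
    ("fred", "{SSHA}5cnywrcbZ3wKbn6gi//HMj4zv7ipxPya"),
]

if __name__ == "__main__":
    print("rows without an {SSHA} value:", audit_rows(ROWS))
    print("fred digest/salt bytes:", [len(p) for p in parse_ssha(ROWS[1][1])])
```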