User Onboarding Guide

This guide is designed for admins to onboard users from different functions.

General Requirements

This applies to all access requests.

It is critical that the requestee follow the access request guide documented in GitLab here; if the GitLab link has expired, please use the Google Slides here. The user must need access to the system for their job role, a proper access request ticket must be filed, and the ticket must contain the user's training certificates.

Labelbox Users

Note that Labelbox is configured to use an ECDi Active Directory instance that we brought up specifically for Labelbox. Users must be added to that directory in order to authenticate to Labelbox.

Prerequisites

  1. iconv must be installed on your system. Use brew on macOS if needed.
  2. base64 must be installed on your system. Use brew on macOS if needed.
  3. ldapmodify must be installed on your system. Use brew on macOS if needed.

How to Add User

  1. Create a text file and name it with .ldif extension.

  2. First, we need to generate the password for the user in the proper format. To do this, create a password using a password generator such as this site. The password should be 12 characters and contain upper and lower case characters with at least one digit.

  3. Run the following command to convert the password to the format Active Directory expects for unicodePwd: the password wrapped in double quotes, encoded as UTF-16LE, then base64-encoded. Replace <INPUT PASSWORD FROM STEP 2> with the password, keeping the surrounding single quotes so the shell does not expand characters such as $ or ! inside it. The output is entered as the value for unicodePwd in step 4 below. Because the password appears on the command line it will be written to your shell history; in bash, set HISTCONTROL=ignorespace and start the command with a space to keep it out of the history file.

    echo -n '"<INPUT PASSWORD FROM STEP 2>"' | iconv -t utf-16le | base64
  4. Paste the following into the text file. Anywhere you see <...>, replace the text, including the brackets, with the information specific to the user being added. For example, if you see <UNIX ID>, replace the text, including the brackets, with the user's unix id. Leave everything else as is. Ensure there are NO trailing spaces after any line. Save the file.

# Add user
dn: CN=<UNIX ID>,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ldap-temp,DC=ecd-ai,DC=com
cn: <UNIX ID>
sn: <LAST NAME>
instanceType: 4
userAccountControl: 514
accountExpires: 0
givenName: <FIRST NAME>
displayName: <FIRST NAME> <LAST NAME>
samAccountName: <UNIX ID>
userPrincipalName: <UNIX ID>@ldap-temp.ecdi-ai.com
distinguishedName: CN=<UNIX ID>,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com
mail: <UNIX ID>@gene.com
name: <UNIX ID>

#Add password for user
dn: CN=<UNIX ID>,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: <ENTER PASSWORD OUTPUT FROM #3>

#Enable the account, make the account a normal account and set password to not expire
dn: CN=<UNIX ID>,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 66048
  5. Create an ssh port forward to the temporary Active Directory service by running the following command. The -L option sets up the forward; -A additionally forwards your ssh agent to the jump host, which the port forward does not need, so it can be omitted.
ssh -i <YOUR SSH KEY FILE> -AL localhost:8636:ldap-temp1.ecd-ai.com:636 <YOUR UNIX ID>@10.158.21.207
  6. Once you are connected, run the following command and note the expected output. In this example, I added a test user named Thomas Fou. Make sure to update the -f flag to point to the file created above. You will be prompted for the administrator password for Simple AD. Log into LastPass, under the ecdi-ace-infra group, look for the entry titled AWS SimpleAD Admin User (gred-ace-prod) and copy the password.
ldapmodify -v -x -H ldaps://127.0.0.1:8636 -D "cn=Administrator,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com" -W -f <FILE NAME FROM #1>

Enter LDAP Password: 
add objectClass:
	top
	person
	organizationalPerson
	user
add objectCategory:
	CN=Person,CN=Schema,CN=Configuration,DC=ldap-temp,DC=ecd-ai,DC=com
add cn:
	fout
add sn:
	Fou
add instanceType:
	4
add userAccountControl:
	514
add accountExpires:
	0
add givenName:
	Thomas
add displayName:
	Thomas Fou
add samAccountName:
	fout
add userPrincipalName:
	fout@ldap-temp.ecdi-ai.com
add distinguishedName:
	CN=fout,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com
add mail:
	fout@gene.com
add name:
	fout
adding new entry "CN=fout,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com"
modify complete

replace unicodePwd:
	"
modifying entry "CN=fout,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com"
modify complete

replace userAccountControl:
	66048
modifying entry "CN=fout,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com"
modify complete
  7. Wait at least 5 minutes, then test the user account by trying to log into Labelbox. I have always had issues with Labelbox's implementation of LDAP; hence, expect that this will not work as-is most of the time. If it does not work after a few tries, try changing the user's password: follow steps 2 and 3 from above, create a new .ldif file, and paste in the following. Again, ensure there are no trailing spaces after any line. Save the file.
dn: CN=<UNIX ID>,CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: <ENTER PASSWORD OUTPUT FROM #3>
  8. Follow steps 5 and 6 from above. For step 6, change the filename in the ldapmodify command to point to the file created in step 7.

  9. Wait 5 minutes again, then try to log into Labelbox using the new password. If this still does not work, follow the steps outlined in the Labelbox LDAP troubleshooting section.
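The following Python script is an added example, not part of this guide and not ECDi or Labelbox tooling. It automates steps 2 through 4 and the step 7 password reset: it checks the password against the rule in step 2, performs the same quote-wrap, UTF-16LE and base64 transform as the iconv pipeline in step 3, fills in the LDIF template from step 4 using the DN and domain values copied from that template, names the bits behind the two userAccountControl values (514 and 66048), rejects trailing whitespace, and writes the file with mode 0600 because it carries the new password. It goes slightly beyond the template by base64-encoding attribute values that LDIF cannot carry as plain text (for example a surname with non-ASCII characters). The unix-id character pattern and all function names are assumptions of this example, not a documented policy.

```python
import base64
import os
import re

# Values copied from the LDIF template in step 4 of the guide.
BASE_DN = "CN=Users,DC=ldap-temp,DC=ecd-ai,DC=com"
OBJECT_CATEGORY = "CN=Person,CN=Schema,CN=Configuration,DC=ldap-temp,DC=ecd-ai,DC=com"
UPN_DOMAIN = "ldap-temp.ecdi-ai.com"
MAIL_DOMAIN = "gene.com"

# userAccountControl bits used by the template (well-known Active Directory flag values).
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

# Assumed unix-id convention (not stated in the guide). Keeping DN-special characters
# such as ',' '=' '+' out of the id means a supplied id cannot change the dn: line.
UNIX_ID_RE = re.compile(r"^[a-z][a-z0-9._-]{1,31}$")


def check_password_policy(password: str) -> bool:
    """Step 2 rule: exactly 12 characters, upper and lower case, at least one digit."""
    return (len(password) == 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def encode_unicode_pwd(password: str) -> str:
    """Step 3 transform: wrap in double quotes, UTF-16LE, base64 (the '::' LDIF form)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Inverse of encode_unicode_pwd, for checking a value before it is applied."""
    text = base64.b64decode(value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted password")
    return text[1:-1]


def decode_uac(value: int) -> list:
    """Name the flag bits set in a userAccountControl value (514 vs 66048 in the guide)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849 value encoding: non-ASCII, NUL/CR/LF, a leading ' ', ':' or '<', or a
    trailing ' ' cannot be written as plain text and go base64-encoded after '::'."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def _password_entry(dn: str, password: str) -> list:
    return [f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
            f"unicodePwd:: {encode_unicode_pwd(password)}"]


def _check_inputs(unix_id: str, password: str) -> None:
    if not UNIX_ID_RE.match(unix_id):
        raise ValueError(f"unix id {unix_id!r} does not match the expected form")
    if not check_password_policy(password):
        raise ValueError("password does not meet the step 2 rule")


def build_add_user_ldif(unix_id: str, first: str, last: str, password: str) -> str:
    """Step 4 template: add the entry, set unicodePwd, then enable it with a non-expiring password."""
    _check_inputs(unix_id, password)
    dn = f"CN={unix_id},{BASE_DN}"
    lines = [
        "# Add user", f"dn: {dn}", "changetype: add",
        "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: user", f"objectCategory: {OBJECT_CATEGORY}",
        f"cn: {unix_id}", ldif_line("sn", last), "instanceType: 4",
        "userAccountControl: 514",  # NORMAL_ACCOUNT + ACCOUNTDISABLE until the password is set
        "accountExpires: 0", ldif_line("givenName", first), ldif_line("displayName", f"{first} {last}"),
        f"samAccountName: {unix_id}", f"userPrincipalName: {unix_id}@{UPN_DOMAIN}",
        f"distinguishedName: {dn}", f"mail: {unix_id}@{MAIL_DOMAIN}", f"name: {unix_id}",
        "", "# Add password for user", *_password_entry(dn, password),
        "", "# Enable the account, make it a normal account and set password to not expire",
        f"dn: {dn}", "changetype: modify", "replace: userAccountControl",
        "userAccountControl: 66048",  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    ]
    return "\n".join(lines) + "\n"


def build_password_reset_ldif(unix_id: str, password: str) -> str:
    """Step 7 file: only the unicodePwd replace for an existing entry."""
    _check_inputs(unix_id, password)
    return "\n".join(_password_entry(f"CN={unix_id},{BASE_DN}", password)) + "\n"


def find_trailing_whitespace(ldif_text: str) -> list:
    """1-based numbers of lines ending in whitespace, which the guide says must not occur."""
    return [n for n, line in enumerate(ldif_text.splitlines(), 1) if line != line.rstrip()]


def write_ldif(path: str, ldif_text: str) -> None:
    """Create the file readable only by the admin, since it contains the new password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(ldif_text)


if __name__ == "__main__":
    sample_pw = "Xk7qLm2pRs9t"  # constructed sample; generate a real one per step 2
    ldif = build_add_user_ldif("fout", "Thomas", "Fou", sample_pw)
    assert find_trailing_whitespace(ldif) == []
    write_ldif("add-fout.ldif", ldif)
    print(ldif)
```

Run it once to produce add-fout.ldif, then point the -f flag of the ldapmodify command in step 6 at that file; build_password_reset_ldif produces the smaller file used in step 7. decode_uac(514) returns ACCOUNTDISABLE and NORMAL_ACCOUNT, which is why the entry is created disabled and only becomes usable after the third change in the file sets 66048 (NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD).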

Spell Users

Note that there are multiple Spell Orgs. We only manage the ECD AI Org. All other Orgs are managed by their own admins for access.

  1. Log into the RADA tool using your unix id
  2. Click on the Groups tab at the top. Under “Group Name” enter GLOORG_ecd-ai-spell-users and click search. Note that all RADA group to permission mapping can be found here.
  3. In the search results, make sure to click on the entry with the group name which has the category as Organization.
  4. Click the “Add Users” tab. On the right side, under “name/user id”, enter the unix id of the user whose access needs to be added. If multiple users need to be added, enter one unix id per line. Click search at the bottom.
  5. The search results will populate below the search button. Check each user's unix id and full name to confirm the correct user is being selected. Check the box next to each user's name and click the add button on your left.
  6. Have the user wait 15 minutes, then try to access Spell using their unix id and password.