# User management

The Snow Owl Terminology Server supports two distinct methods for user management. The primary authentication and authorization service is an LDAP Directory Server; the secondary option is a file-based user database intended strictly for administrative purposes. The following sections describe how to grant or revoke user access with each method.

## LDAP-based identity provider

{% hint style="info" %}
This is only applicable to the default deployment setup where a co-located OpenLDAP server is used alongside the Terminology Server.
{% endhint %}

There are several ways to access and manage an OpenLDAP server; here we describe only one of them, using [Apache Directory Studio](https://directory.apache.org/studio/).

Apache Directory Studio is a free, open-source application. It is available for Windows, macOS, and Linux.

Before accessing the LDAP database there is one technical prerequisite to satisfy: the OpenLDAP server has to be reachable from the machine on which Apache Directory Studio is installed. The best and most secure way to achieve that is to set up an SSH tunnel. Follow [this link](https://linuxize.com/post/how-to-setup-ssh-tunneling/#set-up-ssh-tunneling-in-windows) to an article that describes how to configure an SSH tunnel using [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) on Windows.

The OpenLDAP server listens on port 389 (plain, unencrypted LDAP), which is why it should only be reached through the SSH tunnel rather than exposed directly. This is the port that needs to be forwarded through the SSH connection. Here is what the final configuration looks like in PuTTY:

<figure><img src="/files/fiT3FOlsevq9bmEjA9O3" alt=""><figcaption><p>Configure SSH tunnel</p></figcaption></figure>

Once the SSH tunnel works, it's time to set up the connection in Apache Directory Studio. Go to *File -> New -> LDAP Connection* and set the following:

<figure><img src="/files/pGPpHY0AImxBpSaVFoFV" alt=""><figcaption><p>Set up LDAP connection</p></figcaption></figure>

Hit the "Check Network Parameter" button to verify the network connection.

Go to the next page of the wizard and provide your credentials. The default Bind DN and Bind password can be found in the Terminology Server release package under `./snow-owl/docker/.env`.

<figure><img src="/files/E1yxOpbF3sDmXRy83uKA" alt=""><figcaption><p>Provide credentials for the LDAP connection</p></figcaption></figure>

Hit the "Check Authentication" button to verify your credentials. Hit Finish to complete the setup procedure.

All users and groups should be browseable now through the LDAP Browser view:

<figure><img src="/files/QOUr2h9mUPPgvhe3ndK4" alt=""><figcaption><p>Browse LDAP users / groups</p></figcaption></figure>

### Grant user access

To grant access to a new user, an LDAP entry has to be created. Go to the LDAP Browser view and right-click on the organization node, then *New -> New Entry*:

<figure><img src="/files/FAHX8s8IUasRnCr6GzfI" alt=""><figcaption><p>Create new LDAP entry</p></figcaption></figure>

The easiest approach is to use an existing entry as a template:

<figure><img src="/files/w5M3Giqfj6Tks7rYy96s" alt=""><figcaption><p>Select existing user entry as template</p></figcaption></figure>

Leave everything as is on the *Object Classes* page, then hit *Next*. Fill in the new user's details:

<figure><img src="/files/xkSNgGeq7FHmH4euCkn8" alt=""><figcaption><p>Configure user details</p></figcaption></figure>

On the final page, double-click on the *userPassword* row and provide the user's password:

<figure><img src="/files/ksZm4BbI1qGu40VUSjTb" alt=""><figcaption><p>Set user credentials</p></figcaption></figure>

Hit *Finish* to add the user to the database.

Now we need to assign a role to the user. Before going forward, copy the user's DN from the LDAP Browser view:

<figure><img src="/files/5z30ymLP4DdQaUtEy7ac" alt=""><figcaption><p>Copy the user's DN</p></figcaption></figure>

Select the desired role group in the Browser view and add a new attribute:

<figure><img src="/files/eCKy3NdBSLOSaPIo9wy1" alt=""><figcaption><p>Add new attribute</p></figcaption></figure>

Select the attribute type `uniqueMember` and hit *Finish*:

<figure><img src="/files/1Ow5dMbdG4NjBAxmKDiB" alt=""><figcaption><p>Select attribute type uniqueMember</p></figcaption></figure>

Paste the user's DN as the value of the attribute and hit *Enter* to make your changes permanent:

<figure><img src="/files/ZfKRyLb4gf6m2WFdLZYt" alt=""><figcaption><p>Add new member to role group</p></figcaption></figure>

### Revoke user access

To revoke access, delete the user's entry from the list of users:

<figure><img src="/files/AZEPGVa5USYKFU1ztmG6" alt=""><figcaption><p>Delete user entry</p></figcaption></figure>

The user's DN also has to be removed from the role group's `uniqueMember` attribute, otherwise the group still references a deleted entry:

<figure><img src="/files/OtGggvA7ciqFPE8iajgP" alt=""><figcaption><p>Delete role group attribute</p></figcaption></figure>
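The two group-membership edits above (adding the user's DN as a `uniqueMember` value when granting access, and deleting that one value when revoking it) can also be scripted, which is useful when many users have to be processed or the change needs to be reviewable. The following shell functions are an added example and not part of Snow Owl or Apache Directory Studio: they emit the LDIF change records for both operations and pipe them to the standard OpenLDAP `ldapmodify` client through the SSH tunnel on `localhost:389`. The group and user DNs shown in the comments are placeholders; take the real ones from the LDAP Browser view, and `BIND_DN` from `./snow-owl/docker/.env` as described above.

```shell
#!/usr/bin/env sh
# Added example (not Snow Owl code): LDIF records for role-group membership changes.
# Placeholder DNs, to be replaced with the ones shown in the LDAP Browser view:
#   GROUP_DN='cn=some-role,ou=groups,dc=example,dc=com'
#   USER_DN='uid=jdoe,ou=users,dc=example,dc=com'
set -eu

# LDIF modify record that adds one uniqueMember value to the role group.
# Existing members are untouched; the server rejects the add if the value already exists.
member_add_ldif() {
  group_dn="$1"; user_dn="$2"
  printf 'dn: %s\nchangetype: modify\nadd: uniqueMember\nuniqueMember: %s\n-\n' \
    "$group_dn" "$user_dn"
}

# LDIF modify record that deletes exactly one uniqueMember value (the revoke step).
# Deleting a single value, rather than the whole attribute, keeps the other members in place.
member_delete_ldif() {
  group_dn="$1"; user_dn="$2"
  printf 'dn: %s\nchangetype: modify\ndelete: uniqueMember\nuniqueMember: %s\n-\n' \
    "$group_dn" "$user_dn"
}

# Send an LDIF record (on stdin) to the server reached through the SSH tunnel.
# -x selects a simple bind, -W prompts for the bind password instead of taking it as an argument.
apply_ldif() {
  ldapmodify -x -H 'ldap://localhost:389' -D "${BIND_DN:?set BIND_DN from ./snow-owl/docker/.env}" -W
}

# Example invocations (commented out so the file can be sourced without side effects):
#   member_add_ldif "$GROUP_DN" "$USER_DN" | apply_ldif      # grant
#   member_delete_ldif "$GROUP_DN" "$USER_DN" | apply_ldif   # revoke
```

Review the generated LDIF before piping it to `apply_ldif`; the same records can also be applied with any other LDIF-capable client, including the LDIF import in Apache Directory Studio.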

### Change credentials

To change a user's first name, last name, or password, edit the corresponding attribute in the user editor:

<figure><img src="/files/4uGnIjtKx5UTZk8ku223" alt=""><figcaption><p>Change user credentials</p></figcaption></figure>

## File-based identity provider

There is a configuration file `./snow-owl/docker/configs/snowowl/users` that contains the list of users with their passwords stored as bcrypt hashes. This method of authentication should be used for testing or internal purposes only, because users added here have elevated privileges.

{% hint style="warning" %}
To apply any changes made to the `users` file the Terminology Server has to be restarted afterward.
{% endhint %}

### Grant user access

To grant access, the `users` file has to be amended with the new user and its credentials. There are several ways to hash a password, but here is one that is easy and available on most Linux variants. The `htpasswd` utility has to be installed:

```bash
htpasswd -nBC 10 my-new-username | head -n1 | sed 's/$2y/$2a/g' >> ./snow-owl/docker/configs/snowowl/users
```

It prompts for the password and appends a `my-new-username:<bcrypt hash>` line to the end of the file. `-n` prints the entry to standard output instead of writing a password file, `-B` selects bcrypt, `-C 10` sets the bcrypt cost, and the `sed` step rewrites the `$2y` prefix emitted by newer `htpasswd` versions to `$2a` (both prefixes denote the same bcrypt algorithm).

### Revoke user access

Simply remove the user's line from the file and restart the service.

### Change credentials

Remove the user's line from the file and regenerate the credentials according to the [Grant user access](#grant-user-access-1) section.
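Because the server only reads the `users` file on restart, a malformed line (a hash that kept the `$2y` prefix because the `sed` step was skipped, a duplicate username, or a plaintext password pasted by mistake) is only discovered after the restart. The following shell functions are an added example, not part of Snow Owl: `check_users_file` validates every line of a `users` file against the `user:bcrypt-hash` format the `htpasswd` pipeline above produces, and `revoke_user` removes exactly one user's line, matching on the whole username so that removing `alice` does not also remove `alice2`. The sample file it builds contains constructed, non-functional hash strings of the right shape, not real credentials.

```shell
#!/usr/bin/env sh
# Added example (not Snow Owl code): sanity-check and edit a file-based `users` file.
set -eu

# Report one problem per line on stdout; return 1 if any were found, 0 if the file is clean.
# Expected line format: <username>:$2a$<cost>$<22 salt chars><31 hash chars>, 60 chars of hash in total.
check_users_file() {
  file="$1"; rc=0; lineno=0; seen=' '
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    [ -z "$line" ] && continue
    user="${line%%:*}"
    hash="${line#*:}"
    if [ "$user" = "$line" ] || [ -z "$user" ]; then
      printf 'line %d: missing "user:hash" separator\n' "$lineno"; rc=1; continue
    fi
    case "$seen" in
      *" $user "*) printf 'line %d: duplicate user "%s"\n' "$lineno" "$user"; rc=1 ;;
      *) seen="$seen$user " ;;
    esac
    case "$hash" in
      \$2a\$[0-9][0-9]\$*)
        [ "${#hash}" -eq 60 ] || { printf 'line %d: bcrypt hash for "%s" has wrong length\n' "$lineno" "$user"; rc=1; } ;;
      \$2y\$*)
        printf 'line %d: "%s" still has the $2y prefix; the sed step was skipped\n' "$lineno" "$user"; rc=1 ;;
      *)
        printf 'line %d: "%s" is not a bcrypt hash\n' "$lineno" "$user"; rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# Remove every line whose username field equals $2 exactly (awk string comparison, no regex).
# The file is rewritten in place through a temp file so permissions are preserved.
revoke_user() {
  file="$1"; user="$2"
  tmp="$(mktemp)"
  awk -F: -v u="$user" '$1 != u' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Number of non-empty lines, i.e. configured users.
count_users() {
  grep -c . "$1" || true
}

# Build a constructed sample file (fake 53-char salt+hash bodies, not real bcrypt output)
# containing one good line, a $2y line, a duplicate and a plaintext line; print its path.
make_sample_file() {
  f="$(mktemp)"
  body='abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
  printf 'alice:$2a$10$%s\nbob:$2y$10$%s\nalice:$2a$10$%s\ncarol:plaintext-password\n' \
    "$body" "$body" "$body" > "$f"
  printf '%s\n' "$f"
}

# Demo on the constructed file, run only when SNOWOWL_USERS_DEMO=1 is set.
if [ "${SNOWOWL_USERS_DEMO:-}" = "1" ]; then
  f="$(make_sample_file)"
  check_users_file "$f" || printf -- '-- problems found, fix before restarting the server\n'
  revoke_user "$f" alice
  printf 'users remaining: %s\n' "$(count_users "$f")"
  rm -f "$f"
fi
```

Run `SNOWOWL_USERS_DEMO=1 sh users-check.sh` to see the report on the constructed file, or source the file and call `check_users_file ./snow-owl/docker/configs/snowowl/users` before each restart.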
