User Management
This guide walks you through adding, removing and managing users, and granting them access to specific applications on your HomeVault server. You will need this, for example, when giving additional members of your household or team access to Immich or Nextcloud.
Definitions
User Account Types
It's important to differentiate between two types of user accounts:
- System accounts: These exist at the Operating System level, for example the account created during the Linux installation. The different HomeVault applications run as one or more of these accounts.
- HomeVault accounts: These exist within HomeVault's identity service (LDAP). The Server Deployment script creates one of these accounts for you, which you use to sign into the applications' websites hosted on your server.
Two HomeVault accounts are created during deployment and must not be modified or deleted, otherwise things could stop working:
- authelia: The service account Authelia uses to connect to the identity service in order to authenticate users and apply group-based access control.
- pam: The account used by PAM (Pluggable Authentication Modules) in Linux to make certain HomeVault accounts visible to the Operating System.
Identity Management Service
User accounts in HomeVault are managed using LLDAP (Lightweight LDAP). The web interface for LLDAP is available at https://lldap.yourdomain.com (replacing yourdomain.com with your actual domain name).
Through LLDAP's web interface you can perform most user management operations, such as adding or removing users, or granting them access to individual applications on the server.
Group-Based Access Control
HomeVault uses group-based access control (GBAC) to grant or restrict access to applications and resources based on group membership rather than on individual user accounts. This simplifies management: permissions are attached to groups, and users inherit them through membership.
As with user management, group membership in HomeVault is managed through LLDAP. The following groups exist in LLDAP after Server Deployment. Some groups are meant for internal use only; the ones you should be aware of are:

| Group | Purpose |
|---|---|
| immich_user | Grants users access to Immich |
| nextcloud_user | Grants users access to Nextcloud |
| server_admin | For administrator users; grants access to the admin sites |
| lldap_admin | Allows managing user and group information in LLDAP |

Membership in server_admin and lldap_admin is privileged: an lldap_admin member can create, modify or delete any HomeVault account and change any group membership, including their own. Grant these two groups only to the people who administer the server, and keep regular household or team members in the application groups they need.
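Because the two privileged groups above are managed only through the LLDAP web interface, it is worth checking periodically who actually holds them. The script below is an added example written for this page, not part of HomeVault: it binds to LLDAP's LDAP port with the third-party ldap3 package, reads the members of server_admin and lldap_admin, and exits non-zero if anyone outside an operator-supplied allow-list, or one of the deployment service accounts, is in either group. The host lldap.yourdomain.com, the port 3890 (LLDAP's default LDAP port), the base DN, the bind account and the EXPECTED_ADMINS list are assumptions to adjust for your deployment; the DN layout it relies on (users as uid=<name>,ou=people,<base DN>, groups as cn=<name>,ou=groups,<base DN>, members listed in the group's member attribute) is LLDAP's standard layout. Bind with an account that can read all groups, such as an lldap_admin member.

```python
"""Audit who holds HomeVault's privileged LLDAP groups (server_admin, lldap_admin).

Added example; this is not part of the HomeVault project. Host, port, base DN,
bind account and allow-list are assumptions for illustration.
"""
import os
import sys

PRIVILEGED_GROUPS = ("server_admin", "lldap_admin")
# Deployment-created service accounts. They are bind accounts, not people, so
# least privilege says they should never appear in an admin group.
SERVICE_ACCOUNTS = frozenset({"authelia", "pam"})


def uid_from_dn(dn):
    """Return the username from an LLDAP user DN.

    LLDAP names users 'uid=<username>,ou=people,<base_dn>' and group entries
    list their members by that DN, so the first RDN carries the username.
    """
    first_rdn = dn.split(",", 1)[0]
    key, sep, value = first_rdn.partition("=")
    if not sep or key.strip().lower() != "uid":
        raise ValueError(f"not an LLDAP user DN: {dn!r}")
    return value.strip()


def audit(group_members, expected_admins):
    """Compare privileged group membership against an allow-list.

    group_members: mapping of group cn -> list of member DNs, as returned by an
    LDAP search under ou=groups. expected_admins: usernames allowed to hold a
    privileged group.
    Returns (report, unexpected): report maps each privileged group to its
    sorted usernames; unexpected is a sorted list of (group, username) pairs
    that are either not on the allow-list or are service accounts.
    """
    report = {}
    unexpected = []
    for group in PRIVILEGED_GROUPS:
        members = sorted(uid_from_dn(dn) for dn in group_members.get(group, []))
        report[group] = members
        for user in members:
            if user in SERVICE_ACCOUNTS or user not in expected_admins:
                unexpected.append((group, user))
    return report, sorted(unexpected)


def fetch_group_members(host, port, bind_dn, password, base_dn):
    """Read the member DNs of the privileged groups from a live LLDAP server.

    Needs the third-party ldap3 package (pip install ldap3); it is imported here
    so the pure functions above work without it.
    """
    from ldap3 import Connection, Server

    server = Server(host, port=port)
    conn = Connection(server, user=bind_dn, password=password, auto_bind=True)
    group_filter = "(|" + "".join(f"(cn={g})" for g in PRIVILEGED_GROUPS) + ")"
    conn.search(f"ou=groups,{base_dn}", group_filter, attributes=["cn", "member"])
    members = {}
    for entry in conn.entries:
        values = entry.member.values if "member" in entry.entry_attributes else []
        members[entry.cn.value] = [str(dn) for dn in values]
    conn.unbind()
    return members


def main():
    # Every value here is an assumption for the example; adjust to your deployment.
    base_dn = os.environ.get("LLDAP_BASE_DN", "dc=yourdomain,dc=com")
    bind_user = os.environ.get("LLDAP_USER", "admin")
    password = os.environ.get("LLDAP_PASSWORD")
    if not password:
        sys.exit("set LLDAP_PASSWORD to the bind account's password")
    expected = set(os.environ.get("EXPECTED_ADMINS", bind_user).split(","))

    members = fetch_group_members(
        host=os.environ.get("LLDAP_HOST", "lldap.yourdomain.com"),
        port=int(os.environ.get("LLDAP_PORT", "3890")),
        bind_dn=f"uid={bind_user},ou=people,{base_dn}",
        password=password,
        base_dn=base_dn,
    )
    report, unexpected = audit(members, expected)
    for group, users in report.items():
        print(f"{group}: {', '.join(users) or '(empty)'}")
    for group, user in unexpected:
        print(f"UNEXPECTED: {user} is in {group}")
    sys.exit(1 if unexpected else 0)


if __name__ == "__main__":
    main()
```

Run it from a device on your tailnet, for example `LLDAP_PASSWORD=... EXPECTED_ADMINS=alice python3 audit_admins.py`. A non-zero exit means someone was added to server_admin or lldap_admin without being on your list, which is exactly the change you want to notice early.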
User Management
[!tip] Remember that LLDAP is a private application on your server: you can only reach it from a device that is currently connected to your tailnet (your Tailscale network).
Adding a New User
Follow these steps to add a new user through the LLDAP web interface:
- Log in to LLDAP: Navigate to https://lldap.yourdomain.com and log in with your HomeVault credentials.
- Access User Management: From the dashboard, click on the "Users" section in the left sidebar.
- Create a New User: Click the "Add User" or "+" button (typically located in the top-right corner).
- Fill in User Details:
  - User name: Enter a unique username (this will be used for login)
  - Mail: Enter the user's email address (required for password recovery)
  - Display Name: Enter the user's full name
  - First Name and Last Name: These are optional
  - Password: Set an initial password or generate a random one. Share it with the user over a secure channel and ask them to change it through Authelia after their first sign-in.
- Save the User: Click "Save" or "Create User" to add the user to the system.
Adding a User to Groups
- From the "Users" section, select the user you want to modify.
- Navigate to the "Groups" tab or section for that user.
- Click "Add to Group" or a similar option.
- Select the appropriate groups from the list (for example immich_user or nextcloud_user). Add a user to server_admin or lldap_admin only if they administer the server.
- Save your changes.
Removing a User
Deleting a HomeVault account removes the user's ability to sign in through Authelia to every application on the server. If you only want to revoke access to a single application, remove the user from that application's group (for example immich_user) instead of deleting the account.
- Navigate to the "Users" section in LLDAP.
- Find and select the user you want to remove.
- Click the "Delete" or trash can icon.
- Confirm the deletion when prompted.
Password Recovery
Authelia is an authentication and authorization service. HomeVault uses it to let users sign into the applications hosted on the server. Through Authelia, users can change their password and recover it if they forget it.
To recover a password, users can:
- Navigate to https://authelia.yourdomain.com (replace with your actual domain name).
- Click on "Forgot Password".
- Authelia will prompt for the username or email address.
- A password reset link will be sent to the user's registered email address.
- The user should follow the link and instructions to set a new password.
[!info] For password recovery to work, the user must have a valid email address registered in LLDAP (the Mail field of their account).