Skip to content


There are two main account systems in use. For consistency, a single person should have the same username in both systems.

LDAP accounts

An LDAP account is used to log in to most web-based services. An LDAP account belongs to one or more groups which then in turn lets you access various services.

Keycloak is used as a web-based single sign-on and account management system. To change your password or manage your two-factor credentials use

To request an account, or access to any additional groups, or if you need a password reset, contact an administrator.

Administrator documentation for this service is available at /services/ldap/ and /services/keycloak/.

Unix accounts

User accounts on all the servers are provisioned via Puppet. An account belongs to one or more groups, and then has access to all servers that enable at least one of those groups.

Access to email addresses and access to Gitolite (excluding service accounts) is currently also based on Unix accounts.

To request an account, or access to any additional groups, or to change your authorized SSH keys, contact an administrator.

A limited number of dotfiles can be provisioned for each user to all servers by placing them in modules/accounts/files/home/<username> in the public Puppet repository.

Individual service accounts

In addition some individual services have their own account systems.

Keycloak admin

The Keycloak management interface uses a separate account system.


Miniflux is not yet using LDAP SSO, but will be soon.


The UniFi controller application does not seem to support SSO so it has its own accounts, unfortunately.