From b590848f7dc5152f64d5c08f4c19a3b715c831c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Kooman?= Date: Fri, 10 Mar 2023 10:11:43 +0100 Subject: [PATCH] document local database user authentication --- DB_AUTH.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ PORTAL_CONFIG.md | 1 + 2 files changed, 63 insertions(+) create mode 100644 DB_AUTH.md diff --git a/DB_AUTH.md b/DB_AUTH.md new file mode 100644 index 0000000..a153352 --- /dev/null +++ b/DB_AUTH.md @@ -0,0 +1,62 @@ +# Database Authentication + +By default the VPN server has database authentication for user accounts. The +accounts are stored in the local database. + +If you did not set any (other) `authModule` in your +`/etc/vpn-user-portal/config.php` file, this is what you have. + +To configure other ways of user authentication, look +[here](PORTAL_CONFIG.md#authentication). + +## Configuration + +There is nothing to configure. + +## User Management + +You can manage the users using the `vpn-user-portal-account` tool. + +### Add User + +To add the user `foo`, use the following: + +```bash +$ sudo vpn-user-portal-account --add foo +``` + +You'll be asked to provide the password (twice). After that, the account will +be created. It is also possible to specify the password when creating the user: + +```bash +$ sudo vpn-user-portal-account --add foo --password s3cr3t +``` + +### List Users + +You can list the users: + +```bash +$ sudo vpn-user-portal-account --list +``` + +**NOTE**: currently only users that were (ever) logged in will be visible here, +see [#125](https://todo.sr.ht/~eduvpn/server/125). + +### Delete User + +You can delete a user, e.g. to delete the user `foo`: + +```bash +$ sudo vpn-user-portal-account --delete foo +``` + +If you do not want to ask for confirmation before deleting the account, you can +use the `--force` flag. + +### Disable / Enable User + +```bash +$ sudo vpn-user-portal-account --disable foo +$ sudo vpn-user-portal-account --enable foo +``` 
diff --git a/PORTAL_CONFIG.md b/PORTAL_CONFIG.md index 82ccb4a..c38a3ab 100644 --- a/PORTAL_CONFIG.md +++ b/PORTAL_CONFIG.md @@ -49,6 +49,7 @@ SQLite. We documented this [separately](DATABASE.md). We support various user authentication mechanisms. We document all of them separately: +* [Local User Database](DB_AUTH.md) (default) * [LDAP](LDAP.md) * [SAML](SAML.md) * [Shibboleth](SHIBBOLETH_SP.md) -- 2.38.5
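Review bot: In the "Add User" section of DB_AUTH.md, the `$ sudo vpn-user-portal-account --add foo --password s3cr3t` example puts the password in an argument, so it lands in the admin's shell history and is readable in the process list while the command runs. Please add a sentence saying the interactive prompt is the preferred way to add an account and that `--password` is meant for scripted provisioning. It would also help to say how a script should avoid leaving the secret behind. Separately, "Disable / Enable User" is the only subsection with no prose: a line saying what a disabled account can and cannot do would make it consistent with the others.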
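Review bot: The new list entry in PORTAL_CONFIG.md is labelled `[Local User Database](DB_AUTH.md) (default)`, while the page it links to is titled `# Database Authentication`. Pick one name and use it in both places, so a reader following the link from the authentication list lands on a heading that matches what they clicked.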