Linux

The Linux connector enables provisioning/de-provisioning of users on a Linux server.

Configure Linux OS

Create Linux user for password authentication

Create the user in Linux

$ useradd linuxuser -m -G sudo
$ passwd linuxuser
$ sudo sh -c "echo 'linuxuser ALL=(ALL) ALL' >> /etc/sudoers"

Install openssh-server if needed

sudo apt install openssh-server

Configure /etc/ssh/sshd_config

PasswordAuthentication yes

Restart ssh

$ sudo systemctl restart ssh

Create Linux user for certificate authentication

$ useradd linuxusercert -m -G sudo
$ passwd linuxusercert
$ su linuxusercert
$ cd /home/linuxusercert/
$ mkdir .ssh
$ cd .ssh
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/linuxusercert/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/linuxusercert/.ssh/id_rsa.
Your public key has been saved in /home/linuxusercert/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:e9UfDRqIIvwImE1kWIbeQjfcqendHw2MyO+cuTDAYJ0 linuxusercert@gnenny-MS-7C37
$ sudo sh -c "echo 'linuxusercert ALL=NOPASSWD: ALL' >> /etc/sudoers"
$ ssh-copy-id linuxusercert@localhost

OpenIAM

1. Connector settings

Configure the additional fields (left menu → Connector Configuration):

2. Managed system settings

Field name | Value | Description
Host URL | localhost | URL of the Linux server (used for the SSH connection)
Port | 22 | Linux server port (used for the SSH connection)
Password Policy | Default Pswd Policy | Set the password policy (example “Default Pswd Policy“)
Login Id | linuxuser | User name for the SSH login, with the required rights
Password | passwd00 | For password authentication
Connection String | /data/openiam/conf/linux-connector-rabbitmq/certs/id_rsa | Path to the private key (for certificate authentication; check the file permissions)
Add Object Rule | add_script.sh type login password groupsadd groupsdel | The bash script called with the necessary parameters
Modify Object Rule | modify_script.sh type login oldlogin groupsadd groupsdel | The bash script called with the necessary parameters
Delete Object Rule | delete_script.sh type login | The bash script called with the necessary parameters
Search Object Rule | LOGIN=login, GROUPS=groups, GECOS=name:roomNumber:homePhone:workPhone |


Object Rules: bash scripts, with their parameters, that the connector runs on the Linux server. Default scripts:

The first parameter, type, is either “user” or “group”.

add_script.sh type login password groupsadd groupsdel

#!/bin/bash
# Parameters: type login password groupsadd groupsdel
if [ "$1" = "user" ]; then
    useradd -N "$2"
    # passwd reads the new password twice from stdin when run without a terminal,
    # as it is over the connector's SSH session
    printf '%s\n%s\n' "$3" "$3" | passwd "$2"
    # groupsdel: comma-separated groups to remove the user from
    if [ -n "$5" ]; then
        IFS=','
        for i in $5; do
            gpasswd -d "$2" "$i"
        done
    fi
    # groupsadd: comma-separated groups to add the user to
    if [ -n "$4" ]; then
        IFS=','
        for i in $4; do
            gpasswd -a "$2" "$i"
        done
    fi
    echo "$2"
fi
if [ "$1" = "group" ]; then
    groupadd -f "$2"
fi

modify_script.sh type login oldlogin groupsadd groupsdel

#!/bin/bash
# Parameters: type login oldlogin groupsadd groupsdel
if [ "$1" = "user" ]; then
    # rename the account: new login is $2, current login is $3
    usermod -l "$2" "$3"
    # groupsdel: comma-separated groups to remove the user from
    if [ -n "$5" ]; then
        IFS=','
        for i in $5; do
            gpasswd -d "$2" "$i"
        done
    fi
    # groupsadd: comma-separated groups to add the user to
    if [ -n "$4" ]; then
        IFS=','
        for i in $4; do
            gpasswd -a "$2" "$i"
        done
    fi
    echo "$2"
fi
if [ "$1" = "group" ]; then
    groupmod --new-name "$2" "$3"
fi

delete_script.sh type login

#!/bin/bash
# Parameters: type login
if [ "$1" = "user" ]; then
    userdel "$2"
    echo "$2"
fi
if [ "$1" = "group" ]; then
    groupdel -f "$2"
fi
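The default scripts hand the login, oldlogin, password and group parameters straight to useradd, usermod, passwd and gpasswd. As an added example (not part of the connector's own scripts, and the function names are my own), the following POSIX sh checks, meant to be sourced at the top of each script, reject values those commands would read as an option or that the shell would split or interpret:

```shell
#!/bin/sh
# Added example, not part of the OpenIAM connector: parameter checks for the
# default add/modify/delete scripts. Values arriving from the IAM server are
# passed to useradd/usermod/passwd/gpasswd, so reject anything those commands
# would read as an option (leading '-') or the shell would split (spaces, ';').

# Account or group name as accepted by shadow-utils useradd/groupadd:
# characters [a-zA-Z0-9_.-], not starting with '-', optional trailing '$'
# (machine accounts), 1 to 32 characters. Returns 0 if valid, 1 otherwise.
valid_name() {
    name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    stripped="${name%\$}"                 # drop one trailing '$' if present
    [ -n "$stripped" ] || return 1
    case "$stripped" in
        *[!a-zA-Z0-9_.-]*) return 1 ;;    # character outside the allowed set
        -*) return 1 ;;                   # would be parsed as a command option
    esac
    return 0
}

# Comma-separated group list (groupsadd / groupsdel). Empty is valid: the
# connector sends "" when there is nothing to add or remove. Split with
# parameter expansion rather than IFS so no globbing can occur.
valid_group_list() {
    list="$1"
    while [ -n "$list" ]; do
        g="${list%%,*}"
        valid_name "$g" || return 1
        if [ "$g" = "$list" ]; then break; fi
        list="${list#*,}"
    done
    return 0
}

# Full argument list of add_script.sh: type login password groupsadd groupsdel
check_add_args() {
    case "$1" in user|group) ;; *) return 1 ;; esac
    valid_name "$2" || return 1
    if [ "$1" = "user" ]; then
        nl='
'
        case "$3" in *"$nl"*) return 1 ;; esac   # newline would desync the passwd pipe
        valid_group_list "$4" && valid_group_list "$5" || return 1
    fi
    return 0
}
```

The same functions cover modify_script.sh (validate login and oldlogin with valid_name) and delete_script.sh (validate login).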

3. User policy map


4. Reconciliation


Linux SSH commands used by the connector

Example SSH requests:

sudo -S sh add_script.sh user "jFvlmjYZ30sC854Sk" "" "" ""
sudo -S sh modify_script.sh user "CPpLMGQDkP33R2gFj" "jFvlmjYZ30sC854Sk" "" ""
sudo -S sh delete_script.sh user "CPpLMGQDkP33R2gFj"