Linux
The Linux connector provisions and de-provisions users (and groups) on a Linux server over SSH, by running shell scripts on the target.
Configure Linux OS
Create Linux user for password authentication
Create the user in Linux
```bash
$ sudo useradd linuxuser -m -G sudo
$ sudo passwd linuxuser
$ sudo sh -c "echo 'linuxuser ALL=(ALL) ALL' >> /etc/sudoers"
```

Prefer `visudo` (or a drop-in file under /etc/sudoers.d) to appending to /etc/sudoers with echo: visudo syntax-checks the file, and a malformed /etc/sudoers breaks sudo for every account. On Debian/Ubuntu the `sudo` group already has an `ALL=(ALL:ALL) ALL` rule, so the last line is only needed where that group has no sudoers entry.
Install openssh-server if needed
sudo apt install openssh-server
Configure /etc/ssh/sshd_config to accept password logins (only needed for the password-authentication account; leave it disabled if you use key authentication)
PasswordAuthentication yes
Restart ssh
$ sudo systemctl restart ssh
Create Linux user for certificate (SSH key) authentication
```bash
$ sudo useradd linuxusercert -m -G sudo
$ sudo passwd linuxusercert
$ su - linuxusercert
$ mkdir -m 700 ~/.ssh
$ cd ~/.ssh
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/linuxusercert/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/linuxusercert/.ssh/id_rsa.
Your public key has been saved in /home/linuxusercert/.ssh/id_rsa.pub.
$ ssh-copy-id linuxusercert@localhost
$ exit
$ sudo sh -c "echo 'linuxusercert ALL=NOPASSWD: ALL' >> /etc/sudoers"
```

`ssh-copy-id` installs the public key into /home/linuxusercert/.ssh/authorized_keys. Copy the private key (/home/linuxusercert/.ssh/id_rsa) to the OpenIAM host at the path you will enter as Connection String in the managed system settings below, with permissions that make it readable by the connector process only (chmod 600). The managed system settings take only the key path, which is why the key is generated without a passphrase here.

`ALL=NOPASSWD: ALL` gives the connector account unrestricted passwordless root. If you tighten it to the commands the connector actually issues (section 6: `sudo -S sh <script> ...` and `sudo -S passwd <login>`), remember that sudo matches the whole command line, including the leading `sh`.
OpenIAM
1. Connector settings
Configure the additional fields (Left menu → Connector Configuration):
2. Managed system settings
Field name | Value | Description
---|---|---
Host URL | localhost | Hostname or IP address of the Linux server (used for the ssh connection)
Port | 22 | SSH port of the Linux server
Password Policy | Default Pswd Policy | Password policy applied to provisioned accounts (example: "Default Pswd Policy")
Login Id | linuxuser | Account the connector logs in as over ssh; it needs the sudo rights configured above
Password | passwd00 | That account's password, for password authentication (example value)
Connection String | /data/openiam/conf/linux-connector-rabbitmq/certs/id_rsa | Path to the private key, for key authentication (check file permissions: readable by the connector process only)
Add Object Rule | add_script.sh type login password groupsadd groupsdel | Script run on the server, followed by the attributes passed to it as positional parameters
Modify Object Rule | modify_script.sh type login oldlogin groupsadd groupsdel | Script run on the server, with its parameters
Delete Object Rule | delete_script.sh type login | Script run on the server, with its parameters
Search Object Rule | LOGIN=login, GROUPS=groups, GECOS=name:roomNumber:homePhone:workPhone | Maps the fields the connector reads from the server (login, group memberships, the GECOS comment field of /etc/passwd) to OpenIAM attribute names
Example
Object Rules are bash scripts, named together with their parameter names, that the connector runs on the server over ssh. The default scripts are shown below.
In every script the first parameter is the object type: "user" or "group".
add_script.sh
type login password groupsadd groupsdel
```bash
#!/bin/bash
# $1 type ("user"/"group"), $2 login, $3 password, $4 groups to add, $5 groups to remove
if [ "$1" = "user" ]; then
    useradd -N "$2"
    # new password and its confirmation on stdin; %s keeps passwd characters out of the format string
    printf '%s\n%s\n' "$3" "$3" | passwd "$2"
    if [ -n "$5" ]; then
        IFS=','
        for i in $5; do
            gpasswd -d "$2" "$i"
        done
    fi
    if [ -n "$4" ]; then
        IFS=','
        for i in $4; do
            gpasswd -a "$2" "$i"
        done
    fi
    # the connector reads the created login from stdout
    echo "$2"
fi
if [ "$1" = "group" ]; then
    groupadd -f "$2"
fi
```
modify_script.sh
type login oldlogin groupsadd groupsdel
```bash
#!/bin/bash
# $1 type ("user"/"group"), $2 new login, $3 old login, $4 groups to add, $5 groups to remove
if [ "$1" = "user" ]; then
    # rename only when the login actually changed
    if [ "$2" != "$3" ]; then
        usermod -l "$2" "$3"
    fi
    if [ -n "$5" ]; then
        IFS=','
        for i in $5; do
            gpasswd -d "$2" "$i"
        done
    fi
    if [ -n "$4" ]; then
        IFS=','
        for i in $4; do
            # the original script passed $1 (the type) here instead of the login
            gpasswd -a "$2" "$i"
        done
    fi
    echo "$2"
fi
if [ "$1" = "group" ]; then
    if [ "$2" != "$3" ]; then
        groupmod --new-name "$2" "$3"
    fi
fi
```
delete_script.sh
type login
```bash
#!/bin/bash
# $1 type ("user"/"group"), $2 login
if [ "$1" = "user" ]; then
    userdel "$2"
    echo "$2"
fi
if [ "$1" = "group" ]; then
    groupdel -f "$2"
fi
```
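The default scripts above pass OpenIAM attribute values straight into useradd/usermod/gpasswd, and the connector builds the command line by wrapping each value in double quotes (section 6). A login or group name containing `"`, `$`, backticks or `;` therefore reaches the shell on the target as root. The script below is an added example, not OpenIAM's default; it keeps the same calling convention (install it as add_script.sh, modify_script.sh and delete_script.sh, the action is chosen from the invoked name) but validates every name before any command runs, passes the password to passwd on stdin only, and skips the rename when login and oldlogin are equal. The accepted character set (letter or underscore first, then letters, digits, `_`, `.`, `-`, at most 32 characters) is an assumption matching what shadow's useradd accepts by default.

```shell
#!/bin/sh
# Added example, not OpenIAM's default object-rule script. Serves as add_script.sh,
# modify_script.sh and delete_script.sh (three copies or symlinks); the connector
# runs it as:  sudo -S sh <script>.sh <type> <login> <password|oldlogin> <groupsadd> <groupsdel>

die() { echo "object rule: $*" >&2; exit 2; }

# Portable login/group name: starts with a letter or "_", then letters, digits,
# "_", "." or "-", at most 32 characters. Everything else is rejected up front.
valid_name() {
    case "$1" in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Comma-separated group list; "" is allowed and means "no change".
valid_group_list() {
    [ -z "$1" ] && return 0
    _saved_ifs=$IFS; IFS=','
    set -- $1                 # split into the function's own positional parameters
    IFS=$_saved_ifs
    for _g in "$@"; do
        valid_name "$_g" || return 1
    done
}

# $1 login, $2 groups to add, $3 groups to remove (comma-separated, may be empty)
apply_groups() {
    _saved_ifs=$IFS; IFS=','
    for _g in $3; do gpasswd -d "$1" "$_g"; done
    for _g in $2; do gpasswd -a "$1" "$_g"; done
    IFS=$_saved_ifs
}

add_object() {        # type login password groupsadd groupsdel
    valid_name "$2" || die "invalid login"
    valid_group_list "$4" && valid_group_list "$5" || die "invalid group list"
    case "$1" in
        user)
            useradd -N "$2" || die "useradd failed"
            # new password + confirmation on stdin; never on another argv
            printf '%s\n%s\n' "$3" "$3" | passwd "$2" || die "passwd failed"
            apply_groups "$2" "$4" "$5"
            echo "$2" ;;  # the connector reads the created login from stdout
        group) groupadd -f "$2" ;;
        *) die "unknown object type" ;;
    esac
}

modify_object() {     # type login oldlogin groupsadd groupsdel
    valid_name "$2" || die "invalid login"
    valid_name "$3" || die "invalid old login"
    case "$1" in
        user)
            valid_group_list "$4" && valid_group_list "$5" || die "invalid group list"
            [ "$2" = "$3" ] || usermod -l "$2" "$3" || die "usermod failed"
            apply_groups "$2" "$4" "$5"
            echo "$2" ;;
        group) [ "$2" = "$3" ] || groupmod -n "$2" "$3" ;;
        *) die "unknown object type" ;;
    esac
}

delete_object() {     # type login
    valid_name "$2" || die "invalid login"
    case "$1" in
        user)  userdel "$2" && echo "$2" ;;
        group) groupdel -f "$2" ;;
        *) die "unknown object type" ;;
    esac
}

# Dispatch on the name the connector invoked. With no arguments only the
# functions are defined, so the validators can be sourced and tested.
if [ "$#" -gt 0 ]; then
    case "${0##*/}" in
        add_script.sh)    add_object "$@" ;;
        modify_script.sh) modify_object "$@" ;;
        delete_script.sh) delete_object "$@" ;;
        *) die "install as add_script.sh, modify_script.sh or delete_script.sh" ;;
    esac
fi
```

Validation happens before the `case`, so a rejected value produces a non-zero exit and a message on stderr without touching the account database; the connector sees the failure instead of a half-applied change. If you also narrow the sudoers rule for the connector account, these three script paths plus `passwd` are the complete list of commands it needs.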
3. User policy map
Version 4.2.1 added a new policy-map field for provisioning ssh keys (see section 7, SSH Key manager).
Default groovy script for this field:
```groovy
package org.openiam

import org.openiam.api.connector.groovy.AbstractIPolicyMapGroovy
import org.openiam.api.connector.model.ConnectorAttribute
import org.openiam.api.connector.model.StringOperationalConnectorValue
import org.openiam.base.AttributeOperationEnum
import org.openiam.idm.provisioning.diff.model.user.ProvisionUserObjectDiff
import org.openiam.idm.searchbeans.UserSshKeySearchBean
import org.openiam.idm.srvc.user.dto.UserSshKey
import org.openiam.mq.constants.api.user.UserServiceAPI
import org.openiam.base.response.list.UserSshKeyListResponse
import org.openiam.base.request.UserSshKeySearchRequest
import org.springframework.beans.factory.annotation.Autowired
import org.openiam.mq.constants.queue.user.UserServiceQueue
import org.openiam.mq.constants.api.OpenIAMAPI

class UserSshKeyGroovy extends AbstractIPolicyMapGroovy<ProvisionUserObjectDiff> {

    @Autowired
    protected UserServiceQueue userServiceQueue

    @Override
    boolean isPerform(ProvisionUserObjectDiff diffObject) {
        return true
    }

    @Override
    void perform(ConnectorAttribute attribute, ProvisionUserObjectDiff diffObject) {
        // fetch all ssh keys registered for this user
        UserSshKeySearchBean sb = new UserSshKeySearchBean(diffObject.getValue().getId(), null, null)
        final UserSshKeyListResponse response = rabbitMQSender.sendAndReceive(userServiceQueue,
                (OpenIAMAPI) UserServiceAPI.GET_USER_SSH_KEYS,
                new UserSshKeySearchRequest(sb, 0, Integer.MAX_VALUE), UserSshKeyListResponse.class)
        if (response.isSuccess()) {
            List<UserSshKey> keyList = response.getList()
            Date curDate = new Date()
            for (UserSshKey key : keyList) {
                if (key.getExpirationDate().after(curDate)) {
                    // still valid: send the key to the target with an ADD operation
                    attribute.addValue(new StringOperationalConnectorValue(mapper.mapToStringQuietly(key), AttributeOperationEnum.ADD))
                } else {
                    // expired: strip the key material and send a DELETE for the record
                    key.setPkValue(null)
                    key.setPubValue(null)
                    attribute.addValue(new StringOperationalConnectorValue(mapper.mapToStringQuietly(key), AttributeOperationEnum.DELETE))
                }
            }
        }
    }

    @Override
    void getActualValue(final ConnectorAttribute attribute, final ProvisionUserObjectDiff diffObject) {
    }
}
```
4. Synchronization settings
Required fields on Managed system page :
Example sync configuration page :
Provision to target systems?
- If this box is unchecked, you must add the login for the Linux managed system to the user yourself in the transformation script.
Example :
```groovy
if (isNewUser) {
    pUser.id = null
    def attrVal = columnMap.get("login")
    if (attrVal) {
        // PRE-POPULATE THE USER LOGIN. IN SOME CASES THE COMPANY WANTS TO KEEP THE LOGIN THAT THEY HAVE
        // THIS SHOWS HOW WE CAN DO THAT
        Login linuxLogin = new Login()
        linuxLogin.operation = AttributeOperationEnum.ADD
        linuxLogin.login = attrVal.value
        linuxLogin.managedSysId = "105"   // id of the Linux managed system (example value)
        pUser.principalList.add(linuxLogin)

        /* primary identity */
        Login lg = new Login()
        lg.operation = AttributeOperationEnum.ADD
        lg.login = attrVal.value
        lg.managedSysId = "0"
        pUser.principalList.add(lg)
    }
}
```
SQL Query / Directory Filter restricts the synchronized users by login. Two forms are accepted:
1. Field value '*' selects all records from the Linux server.
2.1. In 4.1.x versions, field value 'any_string' selects users whose login contains 'any_string' anywhere (at the beginning, in the middle or at the end).
2.2. In 4.2.x versions, field value ' login=any_string ' selects users whose login is exactly 'any_string', and field value ' login=any_string% ' selects users whose login contains 'any_string' anywhere.
ATTENTION!
Add the provisioning role / group / resource to the synchronized object in the transformation script. If you do not, the second sync run will send a DELETE command to the connector for that object.
5. Reconciliation
Required fields on Managed system page :
Example reconciliation configuration page :
6. Linux ssh commands used in connector
Example ssh requests (the quoted arguments are type, login, then password or old login, groups to add and groups to remove; empty values are passed as ""):
```bash
sudo -S sh add_script.sh user "jFvlmjYZ30sC854Sk" "" "" ""
sudo -S sh modify_script.sh user "CPpLMGQDkP33R2gFj" "jFvlmjYZ30sC854Sk" "" ""
sudo -S sh delete_script.sh user "CPpLMGQDkP33R2gFj"
```
Because the values are wrapped in double quotes on the remote command line, a login containing `"`, `$`, backticks or `;` is interpreted by the shell on the target (running as root). Keep logins to the portable character set and have the scripts validate their arguments.
For a password reset the connector runs:
```bash
sudo -S passwd <login>
```
and then sends three lines on stdin: the sudo password (consumed by `sudo -S`), the new password, and the new password again as confirmation:
```
sudoPassword
newPassword
newPassword
```
`sudo -S` only reads a line from stdin when it actually prompts; with a NOPASSWD rule or a cached sudo timestamp nothing is consumed and the line sequence shifts, so check the prompts for the account you configured. Verify on the server that setting a password this way works:
```
$ sudo -S passwd Test.Linux001
[sudo] password for gnenny:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```
7. SSH Key manager
1. Configure the Policy Map to provision ssh keys to the Linux system.
Add a new field to the policy map: ssh_keys, with the default groovy script /provision/linux/ssh_keys.groovy (the script shown in section 3).
2. Open the SSH Key manager page and add an ssh key.
Selfservice → Self Service Center → SSH Keys
Click the "Add SSH Key" button:
- select or copy/paste the public key.
- type the public key file name that will be used to create the key on the Linux system.
- select an expiration date for the key.
- The public key is mandatory to save an "SSH key" record.
- The private key is not mandatory. A future version will use it so that an "SSH key/certificate can be obtained dynamically from a company CA."
3. When the user is provisioned, each key is checked:
- The key is added to the system if its expiration date is not earlier than the current date.
- The key is deleted from the Linux system if its expiration date is earlier than the current date.