Provisioning to Unix in 5 steps

Do you need to manage several Linux machines? Are you struggling with that? Are you losing track of which user can access which Linux machine? Are users upset about having a different login on each Linux machine? If you answered yes to at least one question, I’ll try to ease your everyday suffering with this blog post. If your answers were no to every question, don’t leave yet! Maybe I’ll show you that there is still a simpler way to do it.

I am not a writer but a developer, so don’t expect fiction or sci-fi. I’m just going to show you how to configure the Unix connector in midPoint and which scenarios you can handle with it. Prepare yourself for technical instructions rather than a long novel.

Which different scenarios can be covered?

  1. User management – create, update and delete a user, enable/disable a user, enable/disable a user’s password
  2. Password management – set a password, change a password, enforce a password policy, enable/disable a password
  3. Public key management – provision different public keys into ~/.ssh/authorized_keys
  4. Group management – create, update and delete a group
  5. Managing sudoers files for users and groups – grant permissions to a group or a user; they are written into a sudoers file (“The sudoers file controls who can run what command as what user on what machine and can also control special things such as whether you need a password for particular commands”)
  6. Group membership management – add/remove a user to/from a group

Isn’t this sufficient for you? Do you need to cover another scenario? Let me know; maybe I can extend the connector to support your scenarios too.

What will I need to start using it?

You will need midPoint, the unix-connector and a little bit of technical skill. Let’s see it in more detail:

  1. Download and install midPoint. You can find instructions here. Don’t forget to set $midpoint.home; I will refer to it later.
  2. Build and install the unix-connector
    • Clone the git repo (e.g. to ~/unix-connector): git clone https://github.com/Evolveum/ConnIdUNIXBundle.git ~/unix-connector
    • cd ~/unix-connector
    • Build the connector: mvn clean package -DskipTests=true -P it
    • cp ~/unix-connector/target/org.connid.bundles.unix-1.0.jar $midpoint.home/icf-connectors
    • mkdir $midpoint.home/icf-connectors/lib
    • cp ~/unix-connector/target/dependencies/jsch-0.1.53.jar $midpoint.home/icf-connectors/lib
    • restart your application server, e.g. systemctl restart tomcat
  3. Create a technical user for midPoint; the connector will log in to the Linux machine as this user and do the work for you
    • ssh to your Linux machine as a user with sudo rights
    • sudo useradd -m midpoint
    • sudo passwd midpoint
    • sudo visudo -f /etc/sudoers.d/midpoint, enter the permissions the midpoint user needs (you can find them here) and save. Use visudo rather than plain vi: it checks the syntax before writing the file (a syntax error in any file under /etc/sudoers.d makes sudo refuse to work for everyone on that machine) and it creates the file with mode 0440, which sudo insists on for sudoers.d files. Keep the grant as narrow as the connector needs: this account ends up with root-equivalent commands on every machine you manage, so protect its password accordingly.
  4. Configure the Unix resource in midPoint.
    • Download the sample from here
    • You will probably need to change the hostname, username and password. Save your changes.
    • In the deployed midPoint navigate to: Configuration → Import Object → choose the file and press the Import Object button
  5. Check that the unix-connector was configured properly
    • Resources → List Resources → click the icon to test the connection
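Step 3 as a script, added here as an example and not part of the original post or of the connector: it creates the technical account and installs its sudoers fragment the way sudo requires (syntax-checked before it goes live, mode 0440, never visible half-written). The list of commands it grants and their paths are an assumption, since the post’s own list is behind a link that is not reproduced here; trim it to what your connector version actually runs.

```shell
#!/bin/sh
# Added example (not part of the original post or of the connector): create the technical
# account midPoint logs in with and install its sudoers fragment the way sudo requires.
# The command list granted below is an ASSUMPTION; keep the grant as narrow as possible.

# Write a sudoers.d fragment granting USER root for a fixed command list under DIR.
# The file is staged under a name containing '.', which sudo never reads, validated with
# visudo -c, switched to mode 0440 and only then renamed into place, so sudo never sees a
# half-written or world-readable fragment. Prints the final octal mode of the fragment.
write_sudoers_fragment() {
  user="$1"
  dir="$2"
  frag="$dir/$user"
  tmp="$dir/.$user.tmp"
  cat > "$tmp" <<EOF
# Installed for the midPoint Unix connector (example; command list and paths are an assumption)
$user ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, \\
    /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/bin/gpasswd, \\
    /usr/bin/passwd, /usr/sbin/chpasswd, /usr/bin/getent, /usr/bin/tee /etc/sudoers.d/*, \\
    /bin/cat, /bin/chmod, /bin/chown, /bin/mkdir, /bin/rm /etc/sudoers.d/*
EOF
  # A syntax error in any sudoers.d file disables sudo for everyone; refuse to install one.
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; echo "sudoers syntax error in $tmp" >&2; return 1; }
  fi
  chmod 0440 "$tmp" && mv "$tmp" "$frag" || return 1
  stat -c '%a' "$frag"
}

# Only run the privileged part when explicitly asked to and actually root.
if [ "${1:-}" = "--install" ] && [ "$(id -u)" -eq 0 ]; then
  id midpoint >/dev/null 2>&1 || useradd -m midpoint
  passwd midpoint                      # the password you will put into the midPoint resource
  write_sudoers_fragment midpoint /etc/sudoers.d
fi
```

Run it as root with `--install` on the target machine; without the flag it only defines the function, so it can be sourced and exercised against a scratch directory. If visudo rejects the fragment, nothing reaches /etc/sudoers.d, which matters because a single malformed file there locks sudo for every user until it is fixed from a root shell.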

Running the advanced scenarios (3 and 5 from the list above)

  1. Download the configuration for the advanced scenarios (e.g. to ~/unix-management)
  2. Set up the extension schema
    • cp ~/unix-management/extension-unix.xsd $midpoint.home/schema/
  3. Restart your application server
  4. To be able to run the advanced scenarios you need to re-import the resource definition so that it supports the extension attributes.
    • Configuration → Import Object → choose the file (~/unix-management/resource-unix-advanced.xml) and press the Import Object button. Be sure to check the Keep OID and Overwrite options
  5. Import the metarole definition; once this metarole is assigned to a midPoint role, that role will create a group on the target Linux machine
    • Configuration → Import Object → choose the file (~/unix-management/role-assignment-inducement-metarole.xml) and press the Import Object button

And finally, how-tos for some use cases

  1. Create a group on the target Linux machine
    • Create a new role in midPoint (Roles → New Role). Fill in:
      ‘Name’ – has to be unique, e.g. Group midpoint-admins on Unix,
      ‘Group Name’ – used for naming the group on the target system,
      ‘Unix Permissions’ – used for creating the sudoers file for this group
    • Assign the previously imported metarole to the role:
      Go to the Assignments tab, click on the gear wheel and choose Assign Role
    • Select the metarole and confirm by pressing the Assign button (in the popup dialog)
    • Press the Save button
  2. Create a user on the target system, add him/her to the Unix group and set the public key
    • Create a new user in midPoint (Users → New User). Fill in:
      ‘Name’ – login name
      ‘Public Key’ – copy & paste the public key as plain text, i.e. the public half of the user’s SSH key pair (the contents of a file such as ~/.ssh/id_ed25519.pub: one line starting with the key type); never the private key
      Fill in the other attributes you want to provision
    • Assign the previously created role (‘Group midpoint-admins on Unix’) to this user:
      Go to the Assignments tab, click on the gear wheel and choose Assign Role
    • Select the role (‘Group midpoint-admins on Unix’) and confirm by pressing the Assign button
    • Press the Save button
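Once the role and the user are saved, midPoint reports success from its side. The checks below, an added example that is not part of the original post or of the connector, verify on the target machine that the result is something the operating system will actually honour: the account exists, it is in the group, its authorized_keys file has permissions sshd accepts, and the group’s sudoers fragment has the mode and name sudo requires. File locations are parameters so the functions can also be run against copies; the fixture lines in the usage are constructed and are not real keys or users.

```shell
#!/bin/sh
# Added example (not part of the original post or of the connector): after midPoint has
# provisioned a user, confirm on the target machine that the OS will honour the result.
# File locations are parameters (defaults are the live system files) so the checks can
# run against copies or constructed fixtures as well.

# Print the home directory of USER from PASSWD_FILE; fail if the user does not exist.
user_home() {
  awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# Succeed if USER is listed as a member of GROUP in GROUP_FILE.
in_group() {
  awk -F: -v u="$1" -v g="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
    END { exit !ok }' "${3:-/etc/group}"
}

# sshd (with its default StrictModes yes) ignores an authorized_keys file that others can
# write, so a key that was pushed but left 0644 grants no access at all. Require 0700 on
# ~/.ssh, 0600 on the file, and every non-blank, non-comment line to look like a key
# (option prefixes such as command="..." are deliberately not accepted by this check).
authorized_keys_ok() {
  home="$1"
  keys="$home/.ssh/authorized_keys"
  [ -f "$keys" ] || return 1
  [ "$(stat -c '%a' "$home/.ssh")" = "700" ] || return 1
  [ "$(stat -c '%a' "$keys")" = "600" ] || return 1
  ! grep -vE '^(#|$|(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-)[^ ]* [A-Za-z0-9+/]+=*( |$))' "$keys" >/dev/null
}

# sudo only uses a sudoers.d fragment that is mode 0440, owned by root, and whose name
# contains no '.' and does not end in '~'; "is mode 0644, should be 0440" is this check failing.
sudoers_fragment_ok() {
  frag="$1"
  [ -f "$frag" ] || return 1
  case "$(basename "$frag")" in *.*|*~) return 1 ;; esac
  [ "$(stat -c '%a' "$frag")" = "440" ] || return 1
  [ "$(stat -c '%U' "$frag")" = "root" ] || return 1
  if command -v visudo >/dev/null 2>&1; then visudo -cf "$frag" >/dev/null || return 1; fi
}

# Run every check for USER in GROUP (optionally against a given sudoers fragment);
# print one line per check and return the number of failed checks.
check_provisioned() {
  user="$1"; group="$2"; passwd="${3:-/etc/passwd}"; grp="${4:-/etc/group}"; frag="$5"
  fails=0
  if home=$(user_home "$user" "$passwd"); then
    echo "ok   user $user exists (home $home)"
    authorized_keys_ok "$home" && echo "ok   authorized_keys usable by sshd" \
      || { echo "FAIL authorized_keys missing, malformed or wrong permissions"; fails=$((fails + 1)); }
  else
    echo "FAIL user $user not found"; fails=$((fails + 1))
  fi
  in_group "$user" "$group" "$grp" && echo "ok   $user is a member of $group" \
    || { echo "FAIL $user is not a member of $group"; fails=$((fails + 1)); }
  if [ -n "$frag" ]; then
    sudoers_fragment_ok "$frag" && echo "ok   sudo will read $frag" \
      || { echo "FAIL sudo will ignore or reject $frag"; fails=$((fails + 1)); }
  fi
  return "$fails"
}
```

On a live machine, `check_provisioned alice midpoint-admins "" "" /etc/sudoers.d/midpoint-admins` (run as root so the owner and visudo checks can read the fragment) gives a per-item verdict and a non-zero exit when anything is off; the same functions can be pointed at copied passwd/group files when auditing many hosts centrally.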

And that’s it. Was it hard? I suppose it wasn’t. Finally, these are the Linux distributions I tested: CentOS, Ubuntu and Debian. Your feedback and testing on other Linux distributions is more than welcome!

21 thoughts on “Provisioning to Unix in 5 steps”

  • Compiling the connector returns an error:

    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.3:compile (default-compile) on project org.connid.bundles.unix: Compilation failure
    [ERROR] /opt/unix-connector/ConnIdUNIXBundle/src/main/java/org/connid/bundles/unix/UnixConnection.java:[33,45] cannot find symbol
    [ERROR] symbol: class ReadShellOutputThread2
    [ERROR] location: package org.connid.bundles.unix.sshmanagement

    No solution googled for now…

  • I did the following steps:
    Download configuration for advanced scenarios (e.g. to ~/unix-management)
    Set up extension schema

    cp ~/unix-management/extension-unix.xsd $midpoint.home/schema/

    Restart your application server
    After that I am not able to connect to the midPoint web interface.
    It shows “the requested information not found”.
    Could you please help me?

    • Hi P T Ashraf,

      could you provide detailed information, e.g. a stack trace of the error you are getting, please?

  • I am getting the following error over the web:
    HTTP Status 404 – /midpoint/

    type Status report

    message /midpoint/

    description The requested resource is not available.
    When I delete extension-unix.xsd from the midpoint.home/schema folder and restart the application server, the web interface works fine.

    • Please try to check the catalina.out and idm.log files (by default located in TOMCAT_HOME/logs) for errors. It can help me with the diagnosis.

    • Hi, see my comment above. I need to know if there is some error in the log. Without this it is hard to guess where the problem is.

  • Can you please update this tutorial to the current version? I’m trying to configure the resource and got this message at the “Schema handling” step: Inserted objectClass value: ‘AccountObjectClass’ is not valid. Please provide valid objectClass value.

  • Hello,
    I followed the installation instructions on the midPoint wiki for Ubuntu step by step but I receive an error that I cannot solve:

    Type Status report
    Message /midpoint/
    Description The requested resource (/midpoint) is not available.
    Apache Tomcat/8.5.12

    Can you help me please?

  • Great connector and instructions, thank you!!

    Can anyone help: is it possible to configure UID and GUID using the connector or midPoint?
    The idea is to create a homogeneous UID over all servers using the ConnId connector; has anyone done this?

  • Hi,
    I don’t understand the part with:
    ‘Public Key’ – copy&paste public key as a plain text

    1) can you help me with where to get this key?

    2) does every account have to be manually updated with this key to get it into the target system?

    Marian

  • Hi Katarina,

    we are implementing provisioning for Unix within MP. Everything seems to be working fine with the following steps:
    1. user created in MP – ok
    2. user added assignment – unix role – ok
    3. user gets Projections – unix resource – ok
    4. user provisioned in unix – ok
    – so far so good and no problems
    – when we create a Server Task for unix resource reconciliation – the task runs ok for the first and let’s say second time.
    – after a few minutes we run the task again and the task never finishes without errors since
    Error getting object OID=50797d69-93b2-46bd-9bb0-2f7509c75bde: java.lang.NullPointerException: null
    – the OID above belongs to the unix group.

    any suggestions what we might be doing wrong please. i might be able to send a log file for more info if needed.

    thanks a lot

    Peter

  • This works fine with 10 servers; after that, with 100+ servers, one user setup can take up to 3 hours, which simply doesn’t work. Any ideas, or any limits?
    Thank you for any feedback.

  • Can you please explain how to do more than one server? If I have several departments and I want to create groups for those departments, how do I add the servers? Do I upload one metarole for each server?

  • When creating groups midPoint is not creating the right permissions on files, perhaps an issue with the ConnId module?
    Can anyone help me with this?
    I am getting:

    sudo: /etc/sudoers.d/%devuser_group is mode 0644, should be 0440

  • Hi there!

    We are really sorry, but Katarina is very busy at the moment as she is helping our active subscribers. We recommend that you ask your questions in our mailing list (http://lists.evolveum.com/) or activate a subscription. With an active subscription you have the option to ask questions about your problems. Thank you for your understanding.
