Provisioning to Unix in 5 steps

Do you need to manage different linux machines? Are you struggling with that? Are you losing track of which user can access which Linux machine? Are users upset with different logins for different linux machines? If you answer positively at least one question, I’ll try to alleviate your everyday suffering with this blog. If your answers were no for each question, don’t leave yet! Maybe I’ll show you that there still exists simpler solution how to do it!

I am not a writer but a developer. So, don’t expect fiction or some sci-fi. I’m just going to show you how to configure unix connector in midPoint and which different scenarios you can handle with it. Prepare yourself for technical instruction rather than a long novel.

Which different scenarios can be covered?

1. User management – create, update, delete user, enable/disable user, enable/disable user password
2. Password management – set password, change password, enforce password policy, enable/disable password
3. Public keys management – provision different public keys to the ~/.ssh/authorized_keys
4. Group management – create, update, delete group
5. Managing sudoers files for users and groups – give permissions either for group or user which will be transformed to the sudoers file: “Sudoers file controls who can run what command as what user on what machine and can also control special things such as whether you need a password for particular commands”
6. Group membership management – add/remove user to/from group

Isn’t this sufficient for you? Will you need to cover other scenario? Let me know, maybe I can extend the connector to support also your scenarios.

What will I need to start using it?

You will need midPoint, unix-connector and a little bit of technical skills. Let’s see it in more detail:

1. Download and install midPoint. You can find instruction here. Don’t forget to set $midPoint.home, I will refer to it later.
2. Build and install unix-connector
   • Clone git repo (e.g. to ~/unix-connector): git clone https://github.com/Evolveum/ConnIdUNIXBundle.git
   • cd ~/unix-connector
   • Build connector: mvn clean package -DskipTests=true -P it
   • cp ~/unix-connector/target/org.connid.bundles.unix-1.0.jar  $midpoint.home/icf-connectors
   • mkdir midpoint.home/icf-connectors/lib
   • cp ~/unix-connector/target/dependencies/jsch-0.1.53.jar  $midpoint.home/icf-connectors/lib
   • restart your application server, e.g. systemctl restart tomcat
3. Create technical user for midPoint, which will be used to connect to the linux machine and do the job for you
   • ssh on your linux machine (with sudo rights)
   • sudo useradd -m midpoint
   • sudo passwd midpoint
   • sudo vi /etc/sudoers.d/midpoint, set the correct permissions (you can find them here) for midpoint user and save
4. Configure unix resource in midPoint.
   • Download sample from here
   • You will probably need to change hostname, username and password. Save your changes.
   • In deployed midPoint navigate to: Configuration → Import Object → choose file and press Import Object button
5. Check if the unix-connector was configured properly
   • Resource → List Resources → click on the icon to test connection

Running advanced scenarios (3 and 5 from previously mentioned scenarios)

1. Download configuration for advanced scenarios (e.g. to ~/unix-management)
2. Set up extension schema
   • cp ~/unix-management/extension-unix.xsd  $midpoint.home/schema/
3. Restart your application server
4. To be able to run advanced scenarios you will need to reimport previous resource definition to support extension attributes.
   • Configuration → Import Objects → choose file (~/unix-management/resource-unix-advanced.xml) and press Import Object button. Be sure that you checked Keep oid and Overwrite option
5. Import Metarole definition – after assigning this meta role to the midpoint role, it will provide group creation on the target linux machine
   • Configuration → Import Objects → choose file (~/unix-management/role-assignment-inducement-metarole.xml) and press Import Object button

And finally, how-to for some use cases

1. Create group on the target linux machine
   • Create new role in midPoint (Roles → New Role). Fill in:
     ‘Name’ – has to be unique, e.g Group midpoint-admins on Unix,
     ‘Group Name’ – is used for naming the group on target system
     ‘Unix Permissions’ – is used for creating sudoers file for this group
   • Assign previously imported metarole to the role:
     Go to the Assignments tab, click on the gear wheel and choose Assign Role
   • Select meta role and confirm it by pressing Assign button (in popup dialog)
   • Press Save button
2. Create user on the target system, add him/her to the unix group and set the public key
   • Create new user in midPoint (Users → New User). Fill in:
     ‘Name’ – login name
     ‘Public Key’ – copy&paste public key as a plain text
     Fill others attributes you want to provision
   • Assign previously created role to this user (‘Group midpoint-admins on Unix’)
   • Go to the Assignments tab, click on the gear wheel and choose Assign Role
   • Select role (‘Group midpoint-admins on Unix’) and confirm it by pressing Assign button
   • Press Save button

And that’s it. Was it hard? I suppose it wasn’t. At the end, these are linux distributions I tested – CentOS, Ubuntu and Debian. Your feedback and testing with another linux distribution is more than welcome!