SSH Connector Completes The Jigsaw

We have released SSH Connector for midPoint. This may not sound like much, but in fact it is great news. This small step is the culmination of an effort that took several years to complete. The connector jigsaw is now complete.

SSH Connector allows provisioning scripts to be executed over the widespread SSH protocol. So this is all about provisioning scripts. Provisioning scripts are small pieces of code that supplement provisioning activities: they create and delete home directories and mailboxes, and they complete provisioning operations by performing steps that are not available through the APIs. Provisioning scripts are not always necessary, but when they are, they usually save the day.

The traditional approach to executing provisioning scripts was to integrate the script execution code into the connector itself. Our Active Directory connector has had the ability to invoke PowerShell scripts for years. Unfortunately, that has never worked very well. Firstly, the only practical way to execute scripts on Windows at that time was the Win-RM service. To put it politely, Win-RM leaves much to be desired; its design is not very elegant, which made the connector somewhat problematic and unreliable. Then the world turned on its head: Microsoft declared that it loves Linux, and suddenly there was an SSH server for Windows.

This was an opportunity to get rid of Win-RM and solve many problems at once. However, integrating SSH into the Active Directory connector makes very little sense. SSH is not specific to Active Directory or Windows. Quite the opposite: the LDAP connector would like to have SSH capability as well, and it can be useful for almost all the other connectors. It makes no sense to integrate the same SSH scripting code into every connector. We needed something else, something new.

MidPoint has had the capability to combine several connectors in one resource for quite some time. This capability was originally used to create semi-manual resources. We extended it in midPoint 4.1: any connectors can now be combined in a single resource, as long as the combined functionality makes sense. We used that opportunity to isolate the Win-RM functionality from the AD/LDAP connector into a separate PowerShell connector. However, the last piece of the jigsaw was still missing.

That last piece was added last year, when SSH Connector 1.0 was released. The SSH connector can be added to the Active Directory connector to execute provisioning scripts on a Windows server. This was something of an experiment, but it has quickly proven its value over the last few months. The testing results show that this is more reliable than the Win-RM method. After that we did not hesitate a single second and marked the Win-RM PowerShell connector as deprecated.

The SSH Connector brings a whole new set of opportunities, as it can be added to any existing ConnId connector. The LDAP connector can now create home directories on file servers. Database connectors may archive the data before deleting database records. And so on. The possibilities are countless.

The SSH Connector is still quite simple. Some features still need to be implemented, such as public key authentication. We will be more than happy to accept contributions. However, the connector works quite well. Even in its first versions it is already much more useful than what we had before.
