[midPoint] Questions about Unix Resources
Katka Valalikova
katka.valalikova at evolveum.com
Fri Apr 22 09:06:12 CEST 2016
Hi Shawn,
Yes, you are absolutely right. You need to specify a resource for each Linux machine you have. We have planned to implement a resource templates feature, https://jira.evolveum.com/browse/MID-1653. In that case you will have one template for a group of machines. But because our development is mostly driven by customers/subscribers, it hasn't been implemented yet. I can understand that in an environment with 1000s of resources it can be an inconvenience.
In the released version 3.3.1 and also in master there is an implemented feature which allows you to specify a filter for a resource in a role instead of a static OID. It looks like this:
    <inducement id="1">
        <construction>
            <resourceRef type="c:ResourceType">
                <filter>
                    <!-- you can use different filters, but the filter must result in exactly one resource -->
                    <q:inOid>
                        <expression>
                            <script>
                                <code>
                                    ...expression code
                                </code>
                            </script>
                        </expression>
                    </q:inOid>
                </filter>
            </resourceRef>
            .......
            .......
        </construction>
    </inducement>
So maybe in the current situation this can help a bit. Although you will still have to specify a resource for each machine, you will need to specify only one role.
But for both of these features (resource templates, role templates) there is a limitation that the schema for the resources should be the same.
Best Regards,
Katka
----- Original Message -----
From: "Shawn McKinney" <smckinney at symas.com>
To: midpoint at lists.evolveum.com
Sent: Friday, April 22, 2016 3:27:13 AM
Subject: [midPoint] Questions about Unix Resources
Hi,
I have been doing some testing lately with the Unix resources as described in this document:
https://evolveum.com/blog/provisioning-to-unix-in-5-steps/
And so far it seems to work well.
My question is about the mapping between midPoint and the Linux machine. It seems that there is a one-to-one correspondence between a Linux machine on the network and the Unix resource. That is to say, for every new Linux machine that must be managed, there must be a new resource that has been loaded into MP.
Is this true? I worry that a very large network could get unwieldy, i.e. 100s if not 1000s of machines to manage. Is there a way to establish a Unix resource that can be bound to a target IP address at account activation time? That way we would need just one Unix resource, but it would require input from the user (at the console) to set the IP address of the target machine before activating and adding a new account to that machine.
I suppose this would open a can of worms because you also would need to map the service account to the resource at activation time too. Not sure what other problems would arise with a mapping such as this.
Do these questions make sense, or am I looking at this wrong?
Thanks,
Shawn
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint