[midPoint] Questions about Unix Resources

Ivan Noris ivan.noris at evolveum.com
Sun Apr 24 22:28:36 CEST 2016


Hi Shawn,

If you can go this way, you can use the role-meta-unix-group2.xml
from
https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/role-meta-unix-group2.xml
(which we have already discussed earlier):

1. Create a new role in midPoint, e.g. "machine1-access". The name
attribute of the role should be the required group name, e.g.
"cn=machine1-access,ou=unixgroups,...".
2. Assign the metarole role-meta-unix-group2.xml to that new role.
Saving will create the Unix group as a projection of the role.
3. Assign the new role to your users so that they become members of that
group (e.g. "cn=machine1-access,ou=unixgroups,...").
4. Configure the machines to permit logins only for users that are members of
(specific) groups. This should be possible using PAM/SSH configuration,
although I don't have the details in my head.

The power of the metarole is that the logic is configured in the
metarole only, and you can use the midPoint GUI to simply create several
(many) roles for creating Unix groups just by assigning the
metarole to those roles. You do not duplicate the logic.

NB: the configuration of group attributes is also in the resource schema
handling (such as where the groups will be created or which attribute
(instead of "name") from the role will be used as group CN).

Best regards,
Ivan

On 04/24/2016 03:39 AM, Shawn McKinney wrote:
>> On Apr 22, 2016, at 2:09 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>
>> if you have multiple (many) machines, is there a possibility to use LDAP
>> provisioning and access the machines using PAM? That way you only need
>> to create account in LDAP and put to specific groups - one per machine...
>>
>> ... which is exactly the scenario for which one of the metaroles in our
>> scenario has been created: it allows creating one posixGroup per
>> machine and then assigning it to the user ...
> Ivan,
>
> Agreed LDAP provisioning makes more sense when managing many machines.  Thanks
>
> Shawn
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
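Step 4 of the procedure above is the part the thread leaves open: each machine should admit only members of its own midPoint-provisioned POSIX group. The following is an added example, not code from the thread or from the midPoint project. It models that decision offline: the `getent group` output, the group names and the user names are constructed for the demonstration, while the `AllowGroups` and `access.conf` lines use standard OpenSSH and pam_access syntax.

```shell
#!/bin/sh
# Added example (not from the original thread): each machine is gated on its
# own midPoint-provisioned POSIX group. The getent output, group names and
# user names below are constructed; on a real host NSS (sssd/nslcd) would
# resolve them from the ou=unixgroups,... subtree midPoint writes to.

# Constructed stand-in for `getent group` on an LDAP-backed machine.
GETENT_GROUP='root:x:0:
users:x:100:alice,bob,carol
machine1-access:*:10001:alice,bob
machine2-access:*:10002:carol'

# members_of GROUP -> comma-separated member list of GROUP (empty if unknown)
members_of() {
    printf '%s\n' "$GETENT_GROUP" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# is_member USER GROUP -> exit 0 if USER appears in GROUP's member list
is_member() {
    members_of "$2" | tr ',' '\n' | grep -qx -- "$1"
}

# sshd_fragment GROUP -> sshd_config line restricting logins to GROUP
# (with AllowGroups set, every user outside the listed groups is refused)
sshd_fragment() {
    printf 'AllowGroups %s\n' "$1"
}

# pam_fragment GROUP -> /etc/security/access.conf rules for pam_access:
# parenthesised names are groups; permit GROUP from anywhere, deny the rest.
pam_fragment() {
    printf '+ : (%s) : ALL\n- : ALL : ALL\n' "$1"
}

# can_login USER GROUP -> allow/deny, the outcome AllowGroups or pam_access
# would reach for a user whose group membership comes from LDAP
can_login() {
    if is_member "$1" "$2"; then echo allow; else echo deny; fi
}

# Demonstration: what each machine decides for each provisioned user,
# followed by the configuration fragments for machine1.
for g in machine1-access machine2-access; do
    for u in alice bob carol; do
        printf '%-16s %-6s %s\n' "$g" "$u" "$(can_login "$u" "$g")"
    done
done
sshd_fragment machine1-access
pam_fragment machine1-access
```

On a real host the same check is `id -nG alice` against the group named in `AllowGroups`; `sshd -T | grep -i allowgroups` shows the effective setting after a reload. Because `AllowGroups` refuses everyone not in a listed group, keep a break-glass local group or account in the list so that an LDAP outage does not lock administrators out.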