[midPoint] Technical/Service Accounts
Rainer Herbst
rainer.herbst at aip.de
Thu Nov 21 05:32:03 CET 2019
Hi Arnošt,
thank you for your detailed answer!
I will give the archetype feature a try. MidPoint 4.0 comes with an archetype
"System user" that seems to fit. I have created a collection and view for
these users and can now tell them from "normal" users; password and unique
attribute values should be no problem.
Only the synchronisation with the responsible user is open. At least I would
try to link the user objects together. Is there any recommended way to do
that in MidPoint?
TIA!
Rainer
On Fri, 8 Nov 2019 14:41:40 +0100
Arnošt Starosta - AMI Praha a.s. <arnost.starosta at ami.cz> wrote:
> Hi Rainer,
>
>> I want to bind these technical accounts to a person who is responsible
>> for that account. One person can be responsible for more than one
>> technical account.
>
> It's been done many times, however I don't know of any native construct
> that supports this. Creating a service/role object per account and
> assigning these to user objects works.
>
> You might link multiple resource accounts to a single user/focus object, but
> the functionality is only literally half implemented so far, only inbound
> mappings work. Modeling with personas or shadow intents is imho limited to
> a fixed set of occurrences, no 1..n, just 1..fixed-k.
>
>
>> Further, I want to be able to disable the accounts depending on the state
>> of the responsible user.
>
> You will need model hooks to synchronize the state - check the delta for
> specific attribute change (administrative or effective status in your case)
> and update all service accounts. As something may go wrong during the
> updates, you will need a periodic task checking and repairing state
> consistency. It's clumsy, but it works. If anybody knows any other
> solution, please share.
>
>> The service accounts should be synchronized between several resources,
>> i.e. LDAP and the mail system.
>
> No problem for service or role as focus having resource accounts.
>
>> These accounts also need passwords etc.
>
> This may have improved during recent 4.0 updates, but generating passwords
> for non-user focus objects in schemaHandling/credentials was not supported,
> you had to do it by custom hook again. Please check the current state with
> role/service objects yourself.
>
>> and some attributes should be checked for uniqueness for all accounts,
>> i.e. mail addresses.
>
> Should be ok, when generating attribute values, you can use
> midpoint.isUniquePropertyValue to check whatever attribute and entity you
> like.
>
> Good luck
> arnost
>
>> I have read about the Service Account Management in MidPoint:
>> https://wiki.evolveum.com/display/midPoint/Service+Account+Management
>> But I am not sure this will do the task, e.g. is it possible to check for
>> the email address uniqueness between normal users' accounts and service
>> accounts.
>>
>> What would you advise?
>> - Import these accounts into user objects?
>> - Link the technical accounts to existing users?
>> - Or extend the service schema with POSIX attributes like numerical UID
>> and email addresses?
>> - Is there an easy way to enforce uniqueness to attributes in different
>> object types?
>>
>> Heap of questions... ;-)
>>
>> TIA!
>>
>> Rainer Herbst
>> Leiter IT-Service
>> Phone: +49 331 7499-257
>> e-mail: rainer.herbst at aip.de
>> https://www.aip.de
>>
>>
>> -----------------------------------------------------------------------------------------------
>> Leibniz-Institut für Astrophysik Potsdam (AIP)
>> An der Sternwarte 16, 14482 Potsdam
>>
>> Vorstand: Prof. Dr. Matthias Steinmetz, Matthias Winker
>> Stiftung bürgerlichen Rechts
>> Stiftungsverzeichnis Brandenburg: 26 742-00/7026
>>
>> -----------------------------------------------------------------------------------------------
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
> --
>
> *Arnošt Starosta*
> solution architect
>
> gsm: [+420] 603 794 932
> e‑mail: arnost.starosta at ami.cz
>
> *AMI Praha a.s.*
> Pláničkova 11, 162 00 Praha 6
>
> tel.: [+420] 274 783 239 | web: www.ami.cz
>
>
> By the text of this e-mail the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if
> concluded, must be exclusively in written form.
>
> This e-mail is intended solely for its addressee(s) and may contain
> confidential or personal information. If you are not the intended recipient,
> any disclosure, forwarding or other use of this information is prohibited.
> If you have received this e-mail without authorisation, please inform the
> sender and delete all copies of this e-mail, including all its attachments,
> without delay. By handling information obtained without authorisation you
> expose yourself to the risk of legal action.