[midPoint] Blog: SSH Connector Completes The Jigsaw
Radovan Semancik
radovan.semancik at evolveum.com
Thu Feb 25 15:43:24 CET 2021
Dear midPoint community,
We have released SSH Connector
<https://wiki.evolveum.com/display/midPoint/SSH+Connector> for midPoint.
This may not sound like much, but in fact it is great news. This small
step is the culmination of an effort that took several years to complete.
The connector jigsaw is complete now.
The SSH Connector allows provisioning scripts to be executed over the
widespread SSH protocol. Therefore this is all about provisioning
scripts. Provisioning scripts are small pieces of code that supplement
provisioning activities. They create and delete home directories,
mailboxes, they supplement provisioning operations by executing steps
that are not available in APIs and so on. Provisioning scripts are not
always necessary. But when they are, they usually save the day.
The traditional approach to executing provisioning scripts was to
integrate the script execution code into the connector. Our Active Directory
connector has had the ability to invoke PowerShell scripts for years.
Unfortunately, that has never actually worked very well. Firstly, the
only practical way to execute scripts on Windows at that time was the
Win-RM service. To be politically correct, Win-RM leaves much to be
desired; its design is not very elegant, which made the connector
somewhat problematic and unreliable. Then the world turned on its head:
Microsoft declared that it loves Linux and there suddenly was an SSH
server for Windows.
This was an opportunity to get rid of Win-RM and solve many problems at
once. However, integrating SSH into the Active Directory connector makes
very little sense. SSH is not specific to Active Directory or Windows.
Quite the opposite. The LDAP connector would like to have SSH capability as
well, and it can be useful for almost all the other connectors. It makes
no sense to integrate the same SSH scripting code into all the
connectors. We needed something else, something new.
MidPoint has had the capability to combine several connectors in one resource
for quite some time. This capability was used to create semi-manual
resources
<https://wiki.evolveum.com/display/midPoint/Manual+Resource+Configuration#ManualResourceConfiguration-Semi-ManualResources>.
We extended that capability in midPoint 4.1. Any connectors can be
combined in a single resource, as long as the combined functionality
makes sense. We used that opportunity to isolate the Win-RM
functionality from the AD/LDAP connector into a separate PowerShell
connector. However, the last piece of the jigsaw was still missing.
That last piece was added last year, when the SSH Connector 1.0
<https://wiki.evolveum.com/display/midPoint/SSH+Connector> was released.
The SSH connector can be added to the Active Directory connector to execute
provisioning scripts on a Windows server. This was kind of an experiment;
however, it has quickly proven its value during the last few months. The
testing results show that this is more reliable than the Win-RM method.
After that we did not hesitate a single second and marked the Win-RM
PowerShell connector as deprecated.
The SSH Connector brings a whole new set of opportunities, as the SSH
Connector can be added to any existing ConnId connector. The LDAP connector
can now create home directories on file servers. Database connectors may
archive the data before deleting database records. And so on. The
possibilities are countless.
The SSH Connector is still quite simple. Some features still need to be
implemented, such as public key authentication. We will be more than
happy to accept contributions
<https://github.com/Evolveum/connector-ssh>. However, the connector
works quite well. Even in its first versions it is much more
useful than the things we had before.
(Reposted from Evolveum blog
<https://evolveum.com/ssh-connector-completes-the-jigsaw/>)
--
Radovan Semancik
Software Architect
evolveum.com