[midPoint] Unix Connector is not able to run SUDO commands

Marianna De Biasio marianna.debiasio at innovery.net
Thu Oct 28 12:22:52 CEST 2021


Hi,
we're trying to administer Red Hat Enterprise Linux 8.4 servers using the Unix Connector and we're experiencing the following issue.

The configuration of the resource was implemented according to the samples available in the midPoint repository: a user (midpoint_user) with its password is configured, the option "Host user is root user?" is set to false and the sudo password is set (obviously all the other attributes are correctly configured, too).

Using this configuration, the connection is successful, but once I click on the "Account" tab, midPoint doesn't list accounts and shows the following fatal error:
Couldn't list objectsErrorError communicating with the connector ConnectorInstanceIcfImpl(connector:00335ff5-fd22-46b5-8e09-ff3d21a39f49(ConnId org.connid.bundles.unix.UnixConnector v1.1-SNAPSHOT)): Operation timed out: org.identityconnectors.framework.common.exceptions.OperationTimeoutException(java.util.concurrent.TimeoutException)->java.util.concurrent.TimeoutException(null).

Logging into the target server and reading the "secure" file (auth.log), I see the following behavior:

When midPoint tests the connection toward the target server, the log file shows "Accepted password for midpoint_user from ipaddress port 1234 ssh2" and "pam_unix(sshd:session): session opened for user midpoint_user by (uid=0)";
When midPoint tries to list objects in the Account section, the log file shows "pam_unix(sudo:auth): conversation failed" and "pam_unix(sudo:auth): auth could not identify password for [midpoint_user ]".
It's like midPoint couldn't run the SUDO command, or something else is going on.
In fact, we have tried to set the option "Host user is root user?" to true (with the same user as in the previous attempts) and midPoint can list accounts, but it is not able to read permissions and especially it can't create users on the target server.

N.B.: the user that we are using for this resource configuration already has all the permissions necessary to read and create users; directly from the server terminal the midpoint_user is able to use SUDO, read accounts and permissions, and create users.

We have tried a lot of different configurations but nothing seems to work.

Thank you in advance,
Marianna


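The two log patterns quoted in the message are the useful diagnostic here: the SSH login succeeds, but sudo's PAM stack logs "conversation failed" followed by "auth could not identify password", which is what pam_unix records when it has to prompt for a password and nothing on the other end can answer the prompt. The following script is an added example (not part of the original message, and not midPoint or connector code) that scans a copy of /var/log/secure (or auth.log) and reports users who authenticated over SSH but whose sudo attempts failed for exactly this reason. The sample log lines are constructed for the example, modelled on the patterns quoted above; hostnames, timestamps, PIDs and addresses are made up.

```python
import re

# Constructed sample of a RHEL /var/log/secure excerpt (not real log data).
# Lines 1-4 mirror the pattern described in the message; lines 5-6 show a
# working interactive sudo for comparison.
SAMPLE_SECURE_LOG = """\
Oct 28 12:01:03 rhel84 sshd[2104]: Accepted password for midpoint_user from 10.0.0.5 port 1234 ssh2
Oct 28 12:01:03 rhel84 sshd[2104]: pam_unix(sshd:session): session opened for user midpoint_user by (uid=0)
Oct 28 12:01:09 rhel84 sudo[2140]: pam_unix(sudo:auth): conversation failed
Oct 28 12:01:09 rhel84 sudo[2140]: pam_unix(sudo:auth): auth could not identify password for [midpoint_user ]
Oct 28 12:03:41 rhel84 sshd[2201]: Accepted publickey for admin from 10.0.0.9 port 50222 ssh2
Oct 28 12:03:50 rhel84 sudo[2230]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
"""

# Patterns for the four events we care about. The sudo PID ties the
# "conversation failed" line to the "could not identify password" line.
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_CONV_FAILED = re.compile(
    r"sudo\[(?P<pid>\d+)\]: pam_unix\(sudo:auth\): conversation failed")
SUDO_NO_PASSWORD = re.compile(
    r"sudo\[(?P<pid>\d+)\]: pam_unix\(sudo:auth\): "
    r"auth could not identify password for \[(?P<user>[^\]]+)\]")
SUDO_SESSION_OK = re.compile(
    r"sudo\[\d+\]: pam_unix\(sudo:session\): session opened for user "
    r"(?P<target>\S+) by (?P<user>\w+)")


def analyse_secure_log(text: str) -> dict:
    """Summarise SSH logins and sudo PAM outcomes from secure/auth.log text.

    Returns a dict with the raw events plus 'non_interactive_sudo_failures':
    users who logged in over SSH and then hit a sudo password prompt that
    could not be answered (the symptom described in the message).
    """
    ssh_logins = []       # (user, auth method, source ip)
    failed_pids = set()   # sudo PIDs whose PAM conversation failed
    sudo_failures = []    # (user, whether a conversation failure preceded it)
    sudo_ok = []          # users who completed sudo authentication

    for line in text.splitlines():
        if m := SSH_ACCEPTED.search(line):
            ssh_logins.append((m["user"], m["method"], m["ip"]))
        elif m := SUDO_CONV_FAILED.search(line):
            failed_pids.add(m["pid"])
        elif m := SUDO_NO_PASSWORD.search(line):
            # pam_unix may log the user with trailing whitespace inside the
            # brackets, as in the quoted line; normalise it.
            sudo_failures.append((m["user"].strip(), m["pid"] in failed_pids))
        elif m := SUDO_SESSION_OK.search(line):
            sudo_ok.append(m["user"])

    ssh_users = {user for user, _, _ in ssh_logins}
    suspect = sorted({user for user, conv_failed in sudo_failures
                      if conv_failed and user in ssh_users})
    return {
        "ssh_logins": ssh_logins,
        "sudo_failures": sudo_failures,
        "sudo_ok": sudo_ok,
        "non_interactive_sudo_failures": suspect,
    }


if __name__ == "__main__":
    report = analyse_secure_log(SAMPLE_SECURE_LOG)
    for user in report["non_interactive_sudo_failures"]:
        print(f"{user}: SSH login succeeded but sudo could not obtain a password")
    for user in report["sudo_ok"]:
        print(f"{user}: sudo authentication completed")
```

Run against a real file with `analyse_secure_log(open("/var/log/secure").read())`. A user in `non_interactive_sudo_failures` is one whose SSH credentials work but whose sudo invocation expected a password that the calling tool never delivered; in the situation described above that is the account the connector uses, which is what the midpoint_user lines in the message show.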