[midPoint] Questions to UNIX Connector

Jean Michel jean.michel at ebz.tec.br
Fri Oct 18 20:34:12 CEST 2024


Hello Patrik,

Answering your questions:

> midPoint will store the public SSH Key for every Identity and when a 
new Unix Account is created for an Identity, midpoint must deploy the 
SSH Key to the Users home directory.
> Is it possible to deploy the SSH keys to every Unix Account that I 
create?
Do you mean provisioning ~/.ssh/authorized_keys, or also 
~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub?

For the ~/.ssh/authorized_keys, it can be provisioned with the publicKey 
attribute already present in the Unix account schema.
For the private and public key pair, I guess the SSH connector could be 
used to complement the Unix connector, but maybe the Unix connector 
could be improved to support this too, provisioning the key pair and also 
setting the ssh private key password.

> The SSH key must be updated on all connected systems whenever it changes.
Set it on the publicKey account attribute as strong and it should sync. But the read 
method is not getting it back, so maybe there is some improvement needed 
here, especially because it is not uncommon to have more than one public 
key provisioned to authorized_keys.

> Is the Unix Connector still maintained?
I am working on a fork that contains some improvements:
- "jsch" library updated to the latest version
- Now it's possible to read long outputs from the commands. Especially if 
your server is integrated with a Vault or LDAP to provision accounts 
on the server. We've implemented it in a production environment with more 
than 8000 accounts; it takes too long to reconcile, but it works.
- Our fork on Github: https://github.com/eBZtec/ConnIdUNIXBundle

We are about to create another enhancement, which is the midpoint unix 
account itself connecting with an ssh key, and then contribute back to 
the original one.

> Do I have to create a connector for every single system?
A resource must be created for every unix host.

If you have any questions, please let me know.

-- 
Jean Michel S. A. dos Santos
+55 (51) 4042-8153 / +55 (51) 3984-2645
https://www.ebz.tec.br/
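As an added shell example (not code from the ConnId UNIX connector, the eBZ fork, or any list participant), one way to handle the multiple-key situation raised above: replace only the midPoint-managed key in a user's authorized_keys, leave keys added by others intact, enforce the file permissions sshd expects, and read the keys back for reconciliation. The marker comment, the function names and passing the home directory explicitly are my assumptions; a real connector would also chown the files to the account owner.

```shell
#!/bin/sh
# Idempotent deployment of one managed public key into authorized_keys.
# Assumption: the managed key is tracked by a marker comment line placed
# directly before it; any other lines (other keys, options, comments) are kept.
MANAGED_TAG="# managed-by: midpoint"

# deploy_key HOME "ssh-ed25519 AAAA... comment"
deploy_key() {
    home="$1"; pubkey="$2"
    sshdir="$home/.ssh"; akfile="$sshdir/authorized_keys"
    umask 077                       # new files are created owner-only
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"             # sshd refuses group/world-writable dirs
    [ -f "$akfile" ] || : > "$akfile"
    tmp="$akfile.tmp.$$"
    # Drop the old marker and the key line right after it, keep everything else.
    awk -v tag="$MANAGED_TAG" '
        $0 == tag { skip = 1; next }
        skip == 1 { skip = 0; next }
        { print }
    ' "$akfile" > "$tmp"
    printf '%s\n%s\n' "$MANAGED_TAG" "$pubkey" >> "$tmp"
    mv "$tmp" "$akfile"             # atomic replace, no half-written file
    chmod 600 "$akfile"
}

# list_keys HOME: every key line, comments and blanks removed (read-back
# for reconciliation against the value stored in midPoint).
list_keys() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print }' \
        "$1/.ssh/authorized_keys" 2>/dev/null
}

# managed_key HOME: only the key line that follows the marker.
managed_key() {
    awk -v tag="$MANAGED_TAG" '$0 == tag { getline; print; exit }' \
        "$1/.ssh/authorized_keys" 2>/dev/null
}
```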

On 18/10/2024 07:00, midpoint-request at lists.evolveum.com wrote:
> Send midPoint mailing list submissions to
> 	midpoint at lists.evolveum.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
> 	midpoint-request at lists.evolveum.com
>
> You can reach the person managing the list at
> 	midpoint-owner at lists.evolveum.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of midPoint digest..."
>
>
> Today's Topics:
>
>     1. Questions to UNIX Connector (Patrik Sidler)
>     2. Re: Self Credentials Page - Old Password - Keycloak AND reset
>        password for LDAP only (gui config) (Markus Calmius)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 17 Oct 2024 11:49:32 +0000
> From: Patrik Sidler <patrik.sidler at itconcepts.ch>
> To: midPoint Mailinglist <midpoint at lists.evolveum.com>
> Subject: [midPoint] Questions to UNIX Connector
> Message-ID:
> 	<GVAP278MB0231277D9C65D2100B9A062EEF472 at GVAP278MB0231.CHEP278.PROD.OUTLOOK.COM>
> 	
> Content-Type: text/plain; charset="utf-8"
>
> Dear Community,
>
> I have some questions regarding the UNIX Connector.
> We have to connect a huge amount of Unix Systems to Create, Update and Delete User Accounts.
> midPoint will store the public SSH Key for every Identity and when a new Unix Account is created for an Identity, midpoint must deploy the SSH Key to the Users home directory.
> The SSH key must be updated on all connected systems whenever it changes.
>
> Is the Unix Connector still maintained?
> Do I have to create a connector for every single system?
> Is it possible to deploy the SSH keys to every Unix Account that I create?
>
> Thank you all in advance for your help.
>
> Regards
> Patrik
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20241017/93938832/attachment-0001.htm>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 18 Oct 2024 08:41:36 +0000
> From: Markus Calmius <markus.calmius at proton.ch>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Self Credentials Page - Old Password -
> 	Keycloak AND reset password for LDAP only (gui config)
> Message-ID:
> 	<brnn4oMcISM-IG08Be7YZgpqZlz_oWZWiia1QxBguAz_paPDSA7EsQSuJZ3h_vGzqYN3XCqS2Lmhvuy8S_P_mM2vH1jVkPH28WldP-5jyP0=@proton.ch>
> 	
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> thanks to João Paulo Ribeiro for the question regarding Keycloak and old password.
> That helped me move forward with my question(s).
>
> I'm running 4.8(.0) and, it looks like the password hint cannot be removed until 4.8.1, is that correct?
>
> So, I only have one issue left to solve:
> How to specify that only specific resources are available for password resets.
>
>
>
> Markus Calmius
> Proton AG
>
>
> On Wednesday, 16 October 2024 at 12:00, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:
>
>>
>> Today's Topics:
>>
>> 1. reset password for LDAP only (gui config) (Markus Calmius)
>> 2. Self Credentials Page - Old Password - Keycloak
>> (João Paulo Ribeiro)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 15 Oct 2024 14:17:25 +0000
>> From: Markus Calmius markus.calmius at proton.ch
>>
>> To: midPoint General Discussion midpoint at lists.evolveum.com
>>
>> Subject: [midPoint] reset password for LDAP only (gui config)
>> Message-ID:
>> yLBnWn-8W3-LXa9a7Jsb8hcHT1aQTeJdMrtvx7QIG7rufdi--KTb-ZatTAi4Pnys6wFeEPwTRDz18YILzq-gBZiCr0F28IkEDlxKQyX6USM=@proton.ch
>>
>>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi,
>>
>> we use OIDC/Keycloak to login to midPoint and many other webapps using passkeys/passwordless authentication.
>> Some systems or non webapps that do not support OIDC/SAML usually support LDAP though.
>>
>> I would like to configure the Credentials-page to only show the LDAP-resource.
>> Any tips on how to do that?
>>
>> Thanks in Advance,
>>
>> Markus
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: https://lists.evolveum.com/pipermail/midpoint/attachments/20241015/8707b398/attachment-0001.htm
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 15 Oct 2024 15:28:25 -0300
>> From: João Paulo Ribeiro joparibeiro at gmail.com
>>
>> To: midpoint at lists.evolveum.com
>> Subject: [midPoint] Self Credentials Page - Old Password - Keycloak
>> Message-ID:
>> CAMP=YZwk8VL3hfM891jyk5+9NaubGYVyi1k0pCF_gPAYJ+SxfA at mail.gmail.com
>>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hello!
>>
>> I have a midPoint 4.8.4 + Keycloak scenario. I would like to know if there
>> is any configuration I can do so that while an end user is changing his/her
>> own password (in credentials self-service page), midpoint would prompt for
>> the old OIDC password instead of the old password from the midPoint
>> repository. I am using AD as user federation in Keycloak.
>>
>> I've set storageType=none in the security policy, but when I try to change
>> the own password by entering the old AD password in "Old Password" field,
>> midPoint says that the old password is incorrect. I think it is looking for
>> the old password in the repository, in m_object.fullobject, but obviously,
>> there is no password defined there, due to storageType=none.
>>
>> I could simply remove the "Old Password" field from the self-service
>> credentials UI (using passwordChangeSecurity=none in the security policy),
>> but for security reasons I think it's important that the end user
>> provide the old password.
>>
>> Thanks in advance.
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: https://lists.evolveum.com/pipermail/midpoint/attachments/20241015/006af5a9/attachment-0001.htm
>>
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> ------------------------------
>>
>> End of midPoint Digest, Vol 150, Issue 6
>> ****************************************
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> ------------------------------
>
> End of midPoint Digest, Vol 150, Issue 7
> ****************************************