[midPoint] Questions to UNIX Connector

Patrik Sidler patrik.sidler at itconcepts.ch
Mon Oct 28 08:49:25 CET 2024


Hi Jean Michel,

Thank you for your reply. I will try this.

Regards,
Patrik


-----Original Message-----
From: midPoint <midpoint-bounces at lists.evolveum.com> On behalf of Jean Michel via midPoint
Sent: Friday, 18 October 2024 20:34
To: midpoint at lists.evolveum.com
Cc: Jean Michel <jean.michel at ebz.tec.br>
Subject: Re: [midPoint] Questions to UNIX Connector

Hello Patrik,

Answering your questions:

 > midPoint will store the public SSH key for every identity and when a new Unix account is created for an identity, midPoint must deploy the SSH key to the user's home directory.
 > Is it possible to deploy the SSH keys to every Unix Account that I create?
Do you mean provisioning ~/.ssh/authorized_keys, or also
~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub?

For the ~/.ssh/authorized_keys, it can be provisioned with the publicKey attribute already present in the Unix account schema.
For the private and public key pair, I guess the SSH connector could be used to complement the Unix connector, but maybe the Unix connector could be improved to support this too, provisioning the key pair and also setting the SSH private key password.

 > The SSH key must be updated on all connected systems whenever it changes.
Set it on the publicKey account attribute as strong and it should sync. But the read method is not getting it back, so maybe some improvement is needed here, especially because it is not uncommon to have more than one public key provisioned to authorized_keys.

 > Is the Unix Connector still maintained?
I am working on a fork that contains some improvements:
- "jsch" library updated to the latest version
- Now it's possible to read long outputs from the commands, especially if your server is integrated with a Vault or LDAP to provision accounts on the server. We've implemented it in a production environment with more than 8000 accounts; it takes too long to reconcile, but it works.
- Our fork on Github: https://github.com/eBZtec/ConnIdUNIXBundle

We are about to create another enhancement, which is the midPoint Unix account itself connecting with an SSH key, and then contribute it back to the original one.

 > Do  I have to create a connector for every single system?
A resource must be created for every Unix host.

If you have some question, please let me know.

--
Jean Michel S. A. dos Santos
+55 (51) 4042-8153 / +55 (51) 3984-2645
https://www.ebz.tec.br/
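As an added example (not code from this thread, from midPoint, or from the eBZ fork), the following Python script shows what the host-side authorized_keys update behind the publicKey attribute should look like once you take Jean Michel's caveat seriously that a user may already have several keys in ~/.ssh/authorized_keys: the IdM-owned key is added or replaced without touching the others, the key is validated before it is written (one bad value pushed from the IdM would break logins on every connected host), and the file is replaced atomically with the modes sshd's StrictModes requires. The tagging convention (a `midpoint:<identity-oid>` comment token on IdM-owned lines), the function names and the sample key lines are assumptions constructed for the example, not a connector feature or real keys.

```python
"""Added example, not midPoint's or the ConnId UNIX connector's code: the
authorized_keys update an IdM-driven provisioning step should perform on a
host. Several keys may live in ~/.ssh/authorized_keys, so an IdM-pushed key
is added or replaced without clobbering the rest, after validation (a bad
value in the IdM store would break logins on every host). Assumed convention
(hypothetical): IdM-owned lines carry the comment token "midpoint:<oid>"."""
import base64
import hashlib
import os
import re
import struct
import tempfile

MANAGED_TAG = "midpoint:"
KEY_LINE_RE = re.compile(  # key types accepted from the IdM store
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")

def parse_key_line(line):
    """(options, key_type, blob_b64, comment), or None for blank, '#' and
    non-key lines; sshd options such as from="..." are kept verbatim."""
    s = line.strip()
    m = KEY_LINE_RE.search(s) if s and not s.startswith("#") else None
    if not m:
        return None
    return s[:m.start()].strip(), m.group(1), m.group(2), (m.group(3) or "").strip()

def key_blob_is_valid(key_type, blob_b64):
    """Blob must decode and its first RFC 4253 string (uint32 length + bytes)
    must name the same key type as the text token before it."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
    except (ValueError, struct.error):  # binascii.Error is a ValueError
        return False
    return 4 + n <= len(raw) and raw[4:4 + n] == key_type.encode()

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint, as printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def merge_authorized_keys(existing_text, idm_keys, identity_oid):
    """Return (new_text, rejected_idm_entries). Lines tagged for this identity
    are replaced by the current IdM set; untagged lines survive unless they
    duplicate an IdM key by fingerprint (the tagged copy then supersedes)."""
    tag = MANAGED_TAG + identity_oid
    managed, rejected = [], []
    for entry in idm_keys:
        p = parse_key_line(entry)
        if p is None or not key_blob_is_valid(p[1], p[2]):
            rejected.append(entry)  # never push an unparsable key to a host
            continue
        options, key_type, blob, comment = p
        comment = " ".join(t for t in comment.split() if not t.startswith(MANAGED_TAG))
        managed.append((fingerprint(blob),
                        " ".join(x for x in (options, key_type, blob, comment, tag) if x)))
    managed_fps = {fp for fp, _ in managed}
    kept = []
    for raw in existing_text.splitlines():
        p = parse_key_line(raw)
        if p is not None:
            dup = key_blob_is_valid(p[1], p[2]) and fingerprint(p[2]) in managed_fps
            if tag in p[3].split() or dup:
                continue  # superseded by the IdM copy appended below
        kept.append(raw)  # comments, blank lines and foreign keys untouched
    kept.extend(line for _, line in managed)
    return "\n".join(kept) + "\n", rejected

def write_authorized_keys(home, text):
    """Atomic replace with the modes sshd's default StrictModes expects (.ssh
    0700, file 0600). A real run also chowns to the account's uid/gid and
    must make sure the home directory is not group/world-writable."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    target = os.path.join(ssh_dir, "authorized_keys")
    fd, tmp = tempfile.mkstemp(dir=ssh_dir, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, target)  # sshd never sees a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return target

def write_to_scratch_home(text):
    """Demo: write into a throw-away home; return (file mode, .ssh mode, content)."""
    with tempfile.TemporaryDirectory() as home:
        path = write_authorized_keys(home, text)
        with open(path) as fh:
            return os.stat(path).st_mode & 0o777, os.stat(os.path.dirname(path)).st_mode & 0o777, fh.read()

def synthetic_ed25519_line(fill_byte, comment):
    """Constructed test data: well-formed ssh-ed25519 line, not a real key."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill_byte]) * 32
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " " + comment
```

The tag-and-replace approach is what makes the "read method is not getting it back" problem survivable: the host file is the source of truth for keys the IdM does not own, and a reconciliation only ever rewrites the lines it tagged, so a user's personal key or a deployment key added by another tool is not silently dropped when midPoint pushes an updated value.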

On 18/10/2024 07:00, midpoint-request at lists.evolveum.com wrote:
> Send midPoint mailing list submissions to
> 	midpoint at lists.evolveum.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
> 	midpoint-request at lists.evolveum.com
>
> You can reach the person managing the list at
> 	midpoint-owner at lists.evolveum.com
>
> When replying, please edit your Subject line so it is more specific 
> than "Re: Contents of midPoint digest..."
>
>
> Today's Topics:
>
>     1. Questions to UNIX Connector (Patrik Sidler)
>     2. Re: Self Credentials Page - Old Password - Keycloak AND reset
>        password for LDAP only (gui config) (Markus Calmius)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 17 Oct 2024 11:49:32 +0000
> From: Patrik Sidler <patrik.sidler at itconcepts.ch>
> To: midPoint Mailinglist <midpoint at lists.evolveum.com>
> Subject: [midPoint] Questions to UNIX Connector
> Message-ID: <GVAP278MB0231277D9C65D2100B9A062EEF472 at GVAP278MB0231.CHEP278.PROD.OUTLOOK.COM>
> Content-Type: text/plain; charset="utf-8"
>
> Dear Community,
>
> I have some questions regarding the UNIX Connector.
> We have to connect a huge number of Unix systems to create, update and delete user accounts.
> midPoint will store the public SSH key for every identity and when a new Unix account is created for an identity, midPoint must deploy the SSH key to the user's home directory.
> The SSH key must be updated on all connected systems whenever it changes.
>
> Is the Unix Connector still maintained?
> Do I have to create a connector for every single system?
> Is it possible to deploy the SSH keys to every Unix Account that I create?
>
> Thank you all in advance for your help.
>
> Regards
> Patrik
>
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 18 Oct 2024 08:41:36 +0000
> From: Markus Calmius <markus.calmius at proton.ch>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Self Credentials Page - Old Password -
> 	Keycloak AND reset password for LDAP only (gui config)
> Message-ID: <brnn4oMcISM-IG08Be7YZgpqZlz_oWZWiia1QxBguAz_paPDSA7EsQSuJZ3h_vGzqYN3XCqS2Lmhvuy8S_P_mM2vH1jVkPH28WldP-5jyP0=@proton.ch>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> thanks to João Paulo Ribeiro for the question regarding Keycloak and old password.
> That helped me move forward with my question(s).
>
> I'm running 4.8(.0) and, it looks like the password hint cannot be removed until 4.8.1, is that correct?
>
> So, I only have one issue left to solve:
> How to specify that only specific resources are available for password resets.
>
>
>
> Markus Calmius
> Proton AG
>
>
> On Wednesday, 16 October 2024 at 12:00, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:
>
>>
>> Today's Topics:
>>
>> 1. reset password for LDAP only (gui config) (Markus Calmius)
>> 2. Self Credentials Page - Old Password - Keycloak (João Paulo Ribeiro)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 15 Oct 2024 14:17:25 +0000
>> From: Markus Calmius markus.calmius at proton.ch
>>
>> To: midPoint General Discussion midpoint at lists.evolveum.com
>>
>> Subject: [midPoint] reset password for LDAP only (gui config)
>> Message-ID: yLBnWn-8W3-LXa9a7Jsb8hcHT1aQTeJdMrtvx7QIG7rufdi--KTb-ZatTAi4Pnys6wFeEPwTRDz18YILzq-gBZiCr0F28IkEDlxKQyX6USM=@proton.ch
>>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi,
>>
>> we use OIDC/Keycloak to login to midPoint and many other webapps using passkeys/passwordless authentication.
>> Some systems or non webapps that do not support OIDC/SAML usually support LDAP though.
>>
>> I would like to configure the Credentials-page to only show the LDAP-resource.
>> Any tips on how to do that?
>>
>> Thanks in Advance,
>>
>> Markus
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 15 Oct 2024 15:28:25 -0300
>> From: João Paulo Ribeiro joparibeiro at gmail.com
>>
>> To: midpoint at lists.evolveum.com
>> Subject: [midPoint] Self Credentials Page - Old Password - Keycloak
>> Message-ID: CAMP=YZwk8VL3hfM891jyk5+9NaubGYVyi1k0pCF_gPAYJ+SxfA at mail.gmail.com
>>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hello!
>>
>> I have a midPoint 4.8.4 + Keycloak scenario. I would like to know if 
>> there is any configuration I can do so that while an end user is 
>> changing his/her own password (in credentials self-service page), 
>> midpoint would prompt for the old OIDC password instead of the old 
>> password from the midPoint repository. I am using AD as user federation in Keycloak.
>>
>> I've set storageType=none in the security policy, but when I try to 
>> change my own password by entering the old AD password in the "Old 
>> Password" field, midPoint says that the old password is incorrect. I 
>> think it is looking for the old password in the repository, in 
>> m_object.fullobject, but obviously there is no password defined there, due to storageType=none.
>>
>> I could simply remove the "Old Password" field from the self-service 
>> credentials UI (using passwordChangeSecurity=none in the security 
>> policy), but for security reasons I think it's important that the end 
>> user provides the old password.
>>
>> Thanks in advance.
>>
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> ------------------------------
>>
>> End of midPoint Digest, Vol 150, Issue 6
>> ****************************************
>
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

