Kerberos Connector - OpenIdentityPlatform/OpenICF GitHub Wiki
The Kerberos connector enables you to manage Kerberos user principals from OpenIDM. The connector is provided a number of Groovy scripts to interact with a Kerberos admin server. Users of the Kerberos connector are not expected to edit the bundled Groovy scripts. The bundled scripts use the kadmin utility to communicate with the Kerberos server.
The Kerberos connector enables you to perform the following operations on Kerberos user principals.
- List the existing principals
- Display the details of a principal
- Add a user principal
- Change the password of a user principal and unlock the principal • Delete a user principal
Kerberos Connector Schema
The Kerberos connector can only be used to manage the Kerberos principal object type (which maps to the OpenICF ACCOUNT object).
The following attributes are supported in the schema:
- principal - (maps to NAME and UID)
- PASSWORD - updatable, required when an object is created
- LOCK_OUT - updatable only; unlock an account by setting this attribute to false
- policy - the password policy used by the principal
- expirationDate - the date that the user principal expires
- passwordExpiration - the date that the password expires
- maximumTicketLife - the maximum ticket life for the principal. At the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime (maximumRenewableLife) is longer than the ticket lifetime, the ticket holder can present the ticket to the KDC and request a new ticket.
- maximumRenewableLife - the period during which the ticket can be renewed. A renewed ticket usually has a new ticket lifetime, dating from the time that it was renewed, that is constrained by the renewable ticket lifetime.
In addition, the following read-only attributes are supported:
- lastPasswordChange
- lastModified
- lastSuccessfulAuthentication
- lastFailedAuthentication
- failedPasswordAttempts
Configuring the Kerberos Connector
OpenIDM provides a sample connector configuration [samples/kerberos/conf/provisioner.openicf-kerberos.json] (https://github.com/OpenIdentityPlatform/OpenIDM/blob/master/openidm-zip/src/main/resources/samples/provisioners/provisioner.openicf-kerberos.json). You can copy the sample connector configuration to your project's conf/ directory, and adjust it to match your Kerberos environment.
Set the authentication properties, as described in Scripted SSH Connector. In addition, set at least the following properties:
customConfiguration
Specify the details of the user principal and the default realm here. The sample provisioner file has the following custom configuration:
"customConfiguration" : "kadmin { cmd = '/usr/sbin/kadmin.local'; user = '<KADMIN USERNAME>'; default_realm = '<REALM, e.g. EXAMPLE.COM>' }",A complete custom configuration will look something like this:
"customConfiguration" : "kadmin { cmd = '/usr/sbin/kadmin.local'; user = 'openidm/admin'; default_realm = 'EXAMPLE.COM' }",
customSensitiveConfiguration
Set the password for the user principal here. The sample provisioner has the following configuration:
"customSensitiveConfiguration" : "kadmin { password = 'Passw0rd'}"
host
The host name or IP address of the SSH server on which the kadmin command is run.
port
The port number on which the SSH server listens. Default: 22 (the default SSH port)
user
The username of the account that is used to connect to the SSH server.
password
The password of the account that is used to connect to the SSH server.
prompt
A string representing the remote SSH session prompt. This must be the exact prompt string, in the format username@target:, for example root@localhost:~$ . If the prompt includes a trailing space, you must include the space in the value of this property. Consider customizing your Linux prompt with the PS1 and PS2 variables, to set a safe prompt. For information about customizing promtps, see Customizing Bash Prompt.
sudoCommand
A string that shows the full path to the sudo command, for example /usr/bin/sudo.
echoOff
If set to true (the default), the input command echo is disabled. If set to false, every character that is sent to the server is sent back to the client in the expect() call.
terminalType
Sets the terminal type to use for the session. The list of supported types is determined by your Linux/UNIX system. For more information, see the terminfo manual page ($ man terminfo).
Default: vt102
setLocale
If set to true, indicates that the default environment locale should be changed to the value of the locale property.
Default: false
locale
Sets the locale for LC_ALL, LANG and LANGUAGE environment variables, if setLocale is set to true.
Default: en_US.utf8
connectionTimeout
Specifies the connection timeout to the remote server, in milliseconds.
Default: 5000
expectTimeout
Specifies the timeout used by the expect() calls in scripts, in milliseconds.
Default: 5000
authenticationType
Sets the authentication type, either PASSWORD or PUBKEY. For more information, see Scripted SSH Connector.
Default: PASSWORD
throwOperationTimeoutException
If true, the connector throws an exception when the timeout is reached for an operation. Otherwise, the operation fails silently.
Default: true
scriptRoots
The path to the Groovy scripts that will perform the OpenICF operations, relative to your OpenIDM installation directory. For the Kerberos connector, the scripts are bundled up in the connector JAR file, so this path is set to jar:file:connectors/kerberos-connector-1.4.0.0.jar!/script/kerberos/ in the sample connector configuration.
classpath
The directory in which the compiler should look for compiled classes. The default classpath, if not is specified, is install-dir/lib.
reloadScriptOnExecution
By default, scripts are loaded and compiled when a connector instance is created and initialized. Setting reloadScriptOnExecution to true makes the connector load and compile the script every time it is called. Do not set this property to true in a production environment, because it will have a significant impact on performance.
Default: false
ScriptFileName
The script that is used for each OpenICF operation. Do not change these script names in the bundled Kerberos connector.
OpenICF Interfaces Implemented by the Kerberos Connector
The Kerberos Connector implements the following OpenICF interfaces.
Authenticate
Provides simple authentication with two parameters, presumed to be a user name and password.
Create
Creates an object and its uid.
Delete
Deletes an object, referenced by its uid.
Resolve Username
Resolves an object by its username and returns the uid of the object.
Schema
Describes the object types, operations, and options that the connector supports.
Script on Connector
Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics:
- The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
- The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.
- The script has access to any script-arguments passed in by the application.
Script on Resource
Runs a script on the target resource that is managed by this connector.
Search
Searches the target resource for all objects that match the specified object class and filter.
Sync
Polls the target resource for synchronization events, that is, native changes to objects on the target resource.
Test
Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
Update
Updates (modifies or replaces) objects on a target resource.
Kerberos Connector Configuration
Configuration Properties
| Property | Description | Type | Default | Encrypted | Required |
|---|---|---|---|---|---|
| customSensitiveConfiguration | Custom Sensitive Configuration script for Groovy ConfigSlurper | GuardedString | null | Yes | No |
| customConfiguration | Custom Configuration script for Groovy ConfigSlurper | String | null | No |
Operation Script Files Properties
| Property | Description | Type | Default | Encrypted | Required |
|---|---|---|---|---|---|
| createScriptFileName | The name of the file used to perform the CREATE operation. | String | null | Create | |
| customizerScriptFileName | The script used to customize some function of the connector. Read the documentation for more details. | String | null | No | |
| authenticateScriptFileName | The name of the file used to perform the AUTHENTICATE operation. | String | null | Authenticate | |
| scriptOnResourceScriptFileName | The name of the file used to perform the RUNSCRIPTONRESOURCE operation. | String | null | Script On Resource | |
| deleteScriptFileName | The name of the file used to perform the DELETE operation. | String | null | Delete | |
| resolveUsernameScriptFileName | The name of the file used to perform the RESOLVE_USERNAME operation. | String | null | Resolve Username | |
| searchScriptFileName | The name of the file used to perform the SEARCH operation. | String | null | Get Search | |
| updateScriptFileName | The name of the file used to perform the UPDATE operation. | String | null | Update | |
| schemaScriptFileName | The name of the file used to perform the SCHEMA operation. | String | null | Schema | |
| testScriptFileName | The name of the file used to perform the TEST operation. | String | null | Test | |
| syncScriptFileName | The name of the file used to perform the SYNC operation. | String | null | Sync |
Groovy Engine configuration Properties
| Property | Description | Type | Default | Encrypted | Required |
|---|---|---|---|---|---|
| targetDirectory | Directory into which to write classes | File | null | No | |
| warningLevel | Warning Level of the compiler | int | 1 | No | |
| scriptExtensions | Description is not available | String[] | ['groovy'] | No | |
| minimumRecompilationInterval | Sets the minimum of time after a script can be recompiled. | int | 100 | No | |
| scriptBaseClass | Base class name for scripts (must derive from Script) | String | null | No | |
| scriptRoots | The root folder to load the scripts from. If the value is null or empty the classpath value is used. | String[] | null | Yes | |
| tolerance | The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. | int | 10 | No | |
| debug | If true, debugging code should be activated | boolean | false | No | |
| classpath | Classpath for use during compilation. | String[] | [] | No | |
| disabledGlobalASTTransformations | Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/ org.codehaus.groovy.transform.ASTTransformation files. By default, none is disabled. | String[] | null | No | |
| verbose | If true, the compiler should produce action information | boolean | false | No | |
| sourceEncoding | Encoding for source files | String | UTF-8 | No | |
| recompileGroovySource | If set to true recompilation is enabled | boolean | false | No |
Basic Configuration Properties Properties
| Property | Description | Type | Default | Encrypted | Required |
|---|---|---|---|---|---|
| host | The hostname to connect to | String | null | Yes | |
| port | TCP port to use (defaults to 22) | int | 22 | Yes | |
| user | The user name used to login to remote server | String | null | Yes | |
| password | The password used to login to remote server | GuardedString | null | Yes | No |
| passphrase | The passphrase used to read the private key when using Public Key authentication | GuardedString | null | Yes | No |
| privateKey | The base 64 encoded value (PEM) of the private key used for Public Key authentication | String[] | [] | Yes | No |
| authenticationType | Defines which authentication type should be use: PASSWORD or PUBKEY (defaults to PASSWORD) | String | PASSWORD | Yes | |
| prompt | A string representing the remote SSH session prompt (defaults to root@localhost:# ) | String | root@localhost:# | Yes | |
| sudoCommand | A string representing the sudo command (defaults to /usr/bin/sudo) | String | /usr/bin/sudo | Yes | |
| echoOff | Disable the input command echo (default to true) | boolean | true | Yes | |
| terminalType | Defines the terminal type to use for the session (default to vt102) | String | vt102 | Yes | |
| locale | Define the locale for LC_ALL, LANG and LANGUAGE environment variables to use if setLocale=true | String | en_US.utf8 | Yes | |
| setLocale | Defines if the default environment locale should be changed with the value provided for locale (defaults to false) | boolean | false | Yes | |
| connectionTimeout | Defines the connection timeout to the remote server in milliseconds (default to 5000) | int | 5000 | Yes | |
| expectTimeout | Defines the timeout used by the expect() calls in the scripts in milliseconds (default to 5000) | int | 5000 | Yes | |
| throwOperationTimeoutException | Defines if an OperationTimeoutException should be thrown if any call to expect times out (defaults to true) | boolean | true | Yes |