Kerberos connector
The Kerberos connector is an implementation of the SSH connector, and is based on Java Secure Channel (JSch) and the Java implementation of the Expect library (Expect4j).
The Kerberos connector lets you manage Kerberos user principals from IDM. The connector bundles a number of Groovy scripts, to interact with a Kerberos admin server. You should not edit the bundled Groovy scripts. The scripts use the kadmin
utility to communicate with the Kerberos server.
The Kerberos connector lets you perform the following operations on Kerberos user principals:
-
List the existing principals.
-
Display the details of a principal.
-
Add a user principal.
-
Change the password of a user principal and unlock the principal.
-
Delete a user principal.
Kerberos connector schema
The Kerberos connector can only be used to manage the Kerberos principal
object type (which maps to the ICF __ACCOUNT__
object). The following attributes are supported in the schema:
-
principal
- (maps to__NAME__
and__UID__
) -
__PASSWORD__
- updatable, required when an object is created -
__LOCK_OUT__
- updatable only; unlock an account by setting this attribute tofalse
-
policy
- the password policy used by the principal -
expirationDate
- the date that the user principal expires -
passwordExpiration
- the date that the password expires -
maximumTicketLife
- the maximum ticket life for the principal. At the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime (maximumRenewableLife
) is longer than the ticket lifetime, the ticket holder can present the ticket to the KDC and request a new ticket. -
maximumRenewableLife
- the period during which the ticket can be renewed. A renewed ticket usually has a new ticket lifetime, dating from the time that it was renewed, that is constrained by the renewable ticket lifetime.
In addition, the following read-only attributes are supported:
-
lastPasswordChange
-
lastModified
-
lastSuccessfulAuthentication
-
lastFailedAuthentication
-
failedPasswordAttempts
Install the Kerberos connector
If you are looking for the Advanced Identity Cloud application for this connector, refer to: |
You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.
Connector | IDM | RCS |
---|---|---|
Yes |
Yes |
Download the connector .jar file from Backstage.
-
If you are running the connector locally, place it in the
/path/to/openidm/connectors
directory, for example:mv ~/Downloads/kerberos-connector-1.5.20.23.jar /path/to/openidm/connectors/
-
If you are using a remote connector server (RCS), place it in the
/path/to/openicf/connectors
directory on the RCS.
Configure the Kerberos connector
Create a connector configuration using the IDM admin UI:
-
From the navigation bar, click Configure > Connectors.
-
On the Connectors page, click New Connector.
-
On the New Connector page, type a Connector Name.
-
From the Connector Type drop-down list, select Kerberos Connector - 1.5.20.23.
-
Complete the Base Connector Details.
For a list of all configuration properties, refer to Kerberos Connector Configuration -
Click Save.
When your connector is configured correctly, the connector displays as Active in the admin UI.
Refer to this procedure to create a connector configuration over REST.
Alternatively, configure the connector with a configuration file. A sample connector configuration (provisioner.openicf-kerberos.json
) is provided in the /path/to/openidm/samples/sync-with-kerberos/conf/
directory with IDM. Copy the sample connector configuration to your project’s conf/
directory, and adjust it to match your Kerberos environment.
-
Set the authentication properties, as described in Configure Authentication to the SSH Server. In addition, set at least the following properties:
customConfiguration
-
Specify the details of the user principal and the default realm here. The sample connector configuration is as follows:
"customConfiguration" : "kadmin { cmd = '/usr/sbin/kadmin.local'; user = '<KADMIN USERNAME>'; default_realm = '<REALM, e.g. EXAMPLE.COM>' }"
A complete custom configuration will look something like this:
"customConfiguration" : "kadmin { cmd = '/usr/sbin/kadmin.local'; user = 'openidm/admin'; default_realm = 'EXAMPLE.COM' }"
customSensitiveConfiguration
-
Set the password for the user principal here. The sample connector configuration is as follows:
"customSensitiveConfiguration" : "kadmin {password = '<KADMIN PASSWORD>'}"
Change this to reflect your user principal password, for example:
"customSensitiveConfiguration" : "kadmin {password = 'Passw0rd'}"
Basic Kerberos Connector Configuration
This list describes the basic Kerberos connector configuration properties. For a complete list, refer to Configuration Properties:
host
-
The host name or IP address of the SSH server on which the
kadmin
command is run. port
-
The port number on which the SSH server listens.
Default:
22
(the default SSH port) user
-
The username of the account that is used to connect to the SSH server.
This is not the same as your Kerberos user principal. This account must be able to
ssh
into the server on which Kerberos is running, with the password provided in the next parameter.If you use the
root
user, thesudo
command in the Test script will never get the'pass::'
prompt. Instead of using theroot
user, create a regular user and add that user to the group that hassudo
privileges. Alternatively, modify the Test script so that it does not usesudo
. password
-
The password of the account that is used to connect to the SSH server.
prompt
-
A string representing the remote SSH session prompt. This must be the exact prompt string, in the format
username@target:
, for exampleroot@localhost:~$
.If the prompt includes a trailing space, you must include the space in the value of this property.
Consider customizing your Linux prompt with the
PS1
andPS2
variables, to set a safe prompt. For information about customizing prompts, refer to this article. sudoCommand
-
A string that shows the full path to the
sudo
command; for example/usr/bin/sudo
. echoOff
-
If set to
true
(the default), the input command echo is disabled. If set tofalse
, every character that is sent to the server is sent back to the client in theexpect()
call. terminalType
-
Sets the terminal type to use for the session. The list of supported types is determined by your Linux/UNIX system. For more information, refer to the
terminfo
manual page (man terminfo
).Default:
vt102
setLocale
-
If set to
true
, indicates that the default environment locale should be changed to the value of thelocale
property.Default:
false
locale
-
Sets the locale for LC_ALL, LANG, and LANGUAGE environment variables, if
setLocale
is set totrue
.Default:
en_US.utf8
connectionTimeout
-
Specifies the connection timeout to the remote server, in milliseconds.
Default:
5000
expectTimeout
-
Specifies the timeout used by the
expect()
calls in scripts, in milliseconds.Default:
5000
authenticationType
-
Sets the authentication type, either
PASSWORD
orPUBKEY
. For more information, refer to connector-reference:ssh.adoc#ssh-authentication.Default:
PASSWORD
throwOperationTimeoutException
-
If
true
, the connector throws an exception when the timeout is reached for an operation. Otherwise, the operation fails silently.Default:
true
scriptRoots
-
The path to the Groovy scripts that perform the ICF operations, relative to your installation directory. For the Kerberos connector, the scripts are bundled in the connector .jar file, so the sample connector configuration uses the path
jar:file:connectors/kerberos-connector-1.5.20.23.jar!/scripts/kerberos/
. classpath
-
The directory in which the compiler should look for compiled classes. The default classpath, if not is specified, is
install-dir/lib
. ScriptFileName
-
The script that is used for each ICF operation. Do not change these script names in the bundled Kerberos connector.
Kerberos remote connector
If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the Kerberos connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM.
You can download the Kerberos connector from here.
Refer to Remote connectors for configuring the Kerberos remote connector.
OpenICF Interfaces Implemented by the Kerberos Connector
The Kerberos Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:
- Authenticate
-
Provides simple authentication with two parameters, presumed to be a user name and password.
- Create
-
Creates an object and its
uid
. - Delete
-
Deletes an object, referenced by its
uid
. - Resolve Username
-
Resolves an object by its username and returns the
uid
of the object. - Schema
-
Describes the object types, operations, and options that the connector supports.
- Script on Connector
-
Enables an application to run a script in the context of the connector.
Any script that runs on the connector has the following characteristics:
-
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
-
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. -
The script has access to any script arguments passed in by the application.
-
- Script on Resource
-
Runs a script on the target resource that is managed by this connector.
- Search
-
Searches the target resource for all objects that match the specified object class and filter.
- Sync
-
Polls the target resource for synchronization events, that is, native changes to objects on the target resource.
- Test
-
Tests the connector configuration.
Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
-
Updates (modifies or replaces) objects on a target resource.
Kerberos Connector Configuration
The Kerberos Connector has the following configurable properties:
Basic Configuration Properties
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
Yes |
The hostname to connect to. |
||||
|
|
|
|
Yes |
TCP port to use. |
||||
|
|
|
|
Yes |
The user name used to login to remote server. |
||||
|
|
|
Yes |
No |
The password used to login to remote server. |
||||
|
|
|
Yes |
No |
The passphrase used to read the private key when using Public Key authentication. |
||||
|
|
|
Yes |
No |
The base 64 encoded value (PEM) of the private key used for Public Key authentication. |
||||
|
|
|
|
Yes |
Defines which authentication type should be use: PASSWORD or PUBKEY. |
||||
|
|
`root@localhost:# ` |
|
Yes |
A string representing the remote SSH session prompt. |
||||
|
|
|
|
Yes |
A string representing the sudo command. |
||||
|
|
|
|
Yes |
Disable the input command echo. |
||||
|
|
|
|
Yes |
Defines the terminal type to use for the session. |
||||
|
|
|
|
Yes |
Define the locale for LC_ALL, LANG and LANGUAGE environment variables to use if setLocale=true. |
||||
|
|
|
|
Yes |
Defines if the default environment locale should be changed with the value provided for locale. |
||||
|
|
|
|
Yes |
Defines the connection timeout to the remote server in milliseconds. |
||||
|
|
|
|
Yes |
Defines the timeout used by the expect() calls in the scripts in milliseconds. |
||||
|
|
|
|
Yes |
Defines if an OperationTimeoutException should be thrown if any call to expect times out. |
||||
|
|
|
|
No |
Defines the "prompt ready" timeout for the promptReady() command in milliseconds. |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.
Groovy Engine configuration
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
Yes |
The root folder to load the scripts from. If the value is null or empty the classpath value is used. |
||||
|
|
|
|
No |
Classpath for use during compilation. |
||||
|
|
|
|
No |
If true, debugging code should be activated. |
||||
|
|
|
|
No |
Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none is disabled. |
||||
|
|
|
|
No |
Sets the minimum of time after a script can be recompiled. |
||||
|
|
|
|
No |
If set to true recompilation is enabled. |
||||
|
|
|
|
No |
Base class name for scripts (must derive from Script). |
||||
|
|
|
|
No |
Gets the extensions used to find groovy files. |
||||
|
|
|
|
No |
Encoding for source files. |
||||
|
|
|
|
No |
Directory into which to write classes. |
||||
|
|
|
|
No |
The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. |
||||
|
|
|
|
No |
If true, the compiler should produce action information. |
||||
|
|
|
|
No |
Warning Level of the compiler. |
||||
|
|
|
|
No |
Custom Configuration script for Groovy ConfigSlurper. |
||||
|
|
|
Yes |
No |
Custom Sensitive Configuration script for Groovy ConfigSlurper. |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.
Operation Script Files
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
|
The name of the file used to perform the AUTHENTICATE operation. |
||||
|
|
|
|
|
The name of the file used to perform the CREATE operation. |
||||
|
|
|
|
No |
The script used to customize some function of the connector. Read the documentation for more details. |
||||
|
|
|
|
|
The name of the file used to perform the DELETE operation. |
||||
|
|
|
|
|
The name of the file used to perform the RESOLVE_USERNAME operation. |
||||
|
|
|
|
|
The name of the file used to perform the SCHEMA operation. |
||||
|
|
|
|
|
The name of the file used to perform the RUNSCRIPTONRESOURCE operation. |
||||
|
|
|
|
|
The name of the file used to perform the SEARCH operation. |
||||
|
|
|
|
|
The name of the file used to perform the SYNC operation. |
||||
|
|
|
|
|
The name of the file used to perform the TEST operation. |
||||
|
|
|
|
|
The name of the file used to perform the UPDATE operation. |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.