Author: ryannewington

ConfigurationFiles/Kerberos/kerberos.xml

@@ -0,0 +1,143 @@
+<?xml version="1.0" encoding="utf-8"?>
+<sshma:Lithnet.SshMA xmlns:sshma="http://lithnet.local/Lithnet.SshMA.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+  <ma-capabilities>
+    <delta-import>true</delta-import>
+    <object-update-mode>AttributeUpdate</object-update-mode>
+    <delete-add-as-replace>false</delete-add-as-replace>
+    <object-rename-allowed>true</object-rename-allowed>
+  </ma-capabilities>
+
+  <schema>
+    <schema-attributes>
+      <schema-attribute name="accountName" multivalued="false" type ="string" operation="ImportExport"/>
+      <schema-attribute name="expiryDate" multivalued="false" type="string" operation="ExportOnly"/>
+      <schema-attribute name="accountDisabled" multivalued="false" type="boolean" operation="ExportOnly"/>
+    </schema-attributes>
+
+    <schema-objects>
+      <schema-object object-class="user">
+        <dn-format>{accountName}</dn-format>
+        <attributes>
+          <attribute>accountName</attribute>
+          <attribute>expiryDate</attribute>
+          <attribute>accountDisabled</attribute>
+        </attributes>
+      </schema-object>
+    </schema-objects>
+  </schema>
+
+  <global-operations>
+    <global-operation xsi:type="sshma:global-operation-ImportFullStart">
+      <commands>
+        <command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q list_principals > /home/svc-fim/deltas/lastrun.sshma</command>
+      </commands>
+    </global-operation>
+    <global-operation xsi:type="sshma:global-operation-ImportDeltaEnd">
+      <commands>
+        <command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q list_principals > /home/svc-fim/deltas/lastrun.sshma</command>
+      </commands>
+    </global-operation>
+      <!--
+      <global-operation xsi:type="sshma:global-operation-ImportFullEnd"/>
+    <global-operation xsi:type="sshma:global-operation-ImportDeltaStart"/>
+    <global-operation xsi:type="sshma:global-operation-ExportStart"/>
+    <global-operation xsi:type="sshma:global-operation-ExportEnd"/>
+    <global-operation xsi:type="sshma:global-operation-PasswordStart"/>
+    <global-operation xsi:type="sshma:global-operation-PasswordEnd"/>-->
+  </global-operations>
+
+  <object-operations object-class="user">
+    <object-operation xsi:type="sshma:object-operation-ImportFull">
+      <commands>
+        <command result-has-objects="true" success-codes="0">cat /home/svc-fim/deltas/lastrun.sshma</command>
+      </commands>
+      <import-mapping>
+        <object-extract><![CDATA[^(?<accountName>.*?)@.*$]]></object-extract>
+        <object-filters>
+          <object-filter attribute="accountName" operator="Equals">svc-fim</object-filter>
+          <!--<object-filter attribute="accountName" operator="NotEquals">rnew0001</object-filter>
+          <object-filter attribute="accountName" operator="NotEquals">testuser1</object-filter>-->
+          <object-filter attribute="accountName" operator="NotContains">rnew</object-filter>
+        </object-filters>
+      </import-mapping>
+    </object-operation>
+
+    <object-operation xsi:type="sshma:object-operation-ImportDelta">
+      <commands>
+        <command result-has-objects="true" success-codes="0">/home/svc-fim/dev/fim_kerberos_delta/delta_maker.py</command>
+      </commands>
+      <import-mapping>
+        <object-extract><![CDATA[^(?<changeType>.*?):(?<accountName>.*?)@.*$]]></object-extract>
+        <object-filters>
+          <object-filter attribute="accountName" operator="Equals">svc-fim</object-filter>
+        </object-filters>
+        <modification-type-mappings capture-group-name="changeType" unexpected-modification-type-action="ignore">
+          <modification-type-add>add</modification-type-add>
+          <modification-type-replace>replace</modification-type-replace>
+          <modification-type-delete>delete</modification-type-delete>
+        </modification-type-mappings>
+      </import-mapping>
+    </object-operation>
+
+    <object-operation xsi:type="sshma:object-operation-ExportAdd">
+      <commands>
+        <command rule-id="AccountDisabledIsTrue">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal [-expire {expiryDate} ]-randkey -allow_tix {dn}"</command>
+        <command rule-id="AccountDisabledIsFalse">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal [-expire {expiryDate} ]-randkey +allow_tix {dn}"</command>
+        <command rule-id="AccountDisabledIsNotPresent">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal [-expire {expiryDate} ]-randkey {dn}"</command>
+      </commands>
+    </object-operation>
+
+    <object-operation xsi:type="sshma:object-operation-ExportModify">
+      <commands>
+        <command rule-id="AccountDisabledIsTrue">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "modify_principal -allow_tix {dn}"</command>
+        <command rule-id="AccountDisabledIsFalse">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "modify_principal +allow_tix {dn}"</command>
+        <command rule-id="ExpiryDateHasChanged">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "modify_principal -expire \"{expiryDate}\" {dn}"</command>
+        <command rule-id="AccountNameHasChanged">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "delete_principal -force {dn}"</command>
+        <command rule-id="AccountNameHasChanged">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal -randkey {accountName}"</command>
+      </commands>
+    </object-operation>
+
+    <object-operation xsi:type="sshma:object-operation-ExportDelete">
+      <commands>
+        <command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q "delete_principal -force {dn}"</command>
+      </commands>
+    </object-operation>
+
+    <object-operation xsi:type="sshma:object-operation-PasswordSet">
+      <commands>
+        <async-command>
+          <!--
+          <send-when expect="$ " timeout="5">echo /usr/kerberos/sbin/kadmin -p svc-fim -k</send-when>
+          <send-when expect="$ " timeout="5">echo cpw {dn}</send-when>
+          <send-when expect="$ " timeout="5">echo {newpassword}</send-when>
+          <send-when expect="$ " timeout="5">echo {newpassword}</send-when>
+          <success-when expect="$ " timeout="5"/>
+          -->
+          <send-when expect="$ " timeout="5">/usr/kerberos/sbin/kadmin -p svc-fim -k</send-when>
+          <send-when expect="kadmin:  " timeout="5">cpw {dn}</send-when>
+          <send-when expect="Enter password for principal &quot;{dn}&quot;: " timeout="5">{newpassword}</send-when>
+          <send-when expect="Re-enter password for principal &quot;{dn}&quot;: " timeout="5">{newpassword}</send-when>
+          <success-when expect="Password for &quot;{dn}@CC.MONASH.EDU.AU&quot; changed." timeout="5"/>
+        </async-command>
+        <!--<command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q "cpw -pw {newpassword} {dn}"</command>-->
+      </commands>
+    </object-operation>
+  </object-operations>
+
+  <rules>
+    <rule-group xsi:type="sshma:rule-group" id="AccountDisabledIsTrue" operator="And">
+      <rule-ref rule-id="AccountDisabledIsPresent"/>
+      <rule xsi:type="sshma:rule-SingleValuedAttributeValueRule" id="AccountIsDisabled" attribute="accountDisabled" operator="Equals" value="true"/>
+    </rule-group>
+    <rule-group xsi:type="sshma:rule-group" id="AccountDisabledIsFalse" operator="And">
+      <rule-ref rule-id="AccountDisabledIsPresent"/>
+      <rule xsi:type="sshma:rule-SingleValuedAttributeValueRule" id="AccountIsEnabled" attribute="accountDisabled" operator="Equals" value="false"/>
+    </rule-group>
+    <rule xsi:type="sshma:rule-AttributePresenceRule" id="AccountDisabledIsPresent" attribute="accountDisabled" operator="IsPresent"/>
+    <rule xsi:type="sshma:rule-AttributePresenceRule" id="AccountDisabledIsNotPresent" attribute="accountDisabled" operator="NotPresent"/>
+    <rule xsi:type="sshma:rule-AttributeChangeRule" id="AccountNameHasChanged" attribute="accountName" triggers="Update"/>
+    <rule xsi:type="sshma:rule-AttributeChangeRule" id="ExpiryDateHasChanged" attribute="expiryDate" triggers="Add,Update"/>
+  </rules>
+
+</sshma:Lithnet.SshMA>