openam - create a user with ssoadm - openam

I have a new goal: to be able to create OpenAM users with ssoadm.
I have read the OpenAM documentation:
https://wikis.forgerock.org/confluence/display/openam/ssoadm-identity#ssoadm-identity-create-identity
However, I don't know how to create a user and then assign it a password. For now I can only create users through the OpenAM web UI, but that is not desirable; I want to automate it.
Does somebody know how I can create a normal user with ssoadm?
./ssoadm create-identity ?
./ssoadm create-agent ?
UPDATE: I have continued with my investigation :) I think I'm closer than before:
$ ./ssoadm create-identity -u amadmin -f /tmp/pwd.txt -e / -i Test -t User
Minimum password length is 8.
But where is the parameter for password?
Thanks!

To create a new user in the configured data stores you could execute the following ssoadm command:
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -a givenName=Hello sn=World userPassword=changeit
Here you can see that I've defined the password as the userPassword attribute, which is data store dependent really. For my local OpenDJ this is perfectly legal, but if you are using a database or something else, then you'll have to adjust the command accordingly.
If you don't want to provide the attributes on the command line, then you could put all the values into a properties file, for example:
$ echo "givenName=Hello
sn=World
userPassword=changeit" > hello.txt
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -D hello.txt
But I must say that using OpenAM for identity management is not recommended; you should use your data store's own tools to manage identities (i.e. use an LDAP client within your app, or simply use the ldap* CLI tools). You may find that OpenAM doesn't handle all the identity-management tasks people would normally expect, so to prevent surprises use something else for identity management.

Related

Ansible equivalent of "passwd -l"

I'm trying to lock a user account that I just created with Ansible (it should not be possible to log into this account). I know you can do this using the shell module by running "passwd -l".
Is there a way to do this via the user module, or something similar?
I think that's not possible.
Maybe the following is an option?
- user:
    name: someone
    shell: /sbin/nologin
I think this is even more secure than using passwd -l, as the latter would only disable the password. The user would still be able to log in by ssh key authentication.
You can use the attribute 'password_lock':
password_lock: yes
^^ This is the equivalent of 'usermod -L'

how to import passwords only and update on ldap server?

I want to update the passwords of users that already exist in LDAP by importing data from /etc/passwd & /etc/shadow.
How can I achieve this?
I will give an overview of my setup.
Node user IDs & passwords are managed by the management node [xcat]; LDAP is not used for this purpose.
We imported the users from the management node to the LDAP server by following the steps given below:
Copied /etc/passwd, /etc/group & /etc/shadow from management node.
getent passwd > /tmp/passwd.out
getent shadow > /tmp/shadow.out
cd /usr/share/migrationtools/
./migrate_passwd.pl /tmp/passwd.out > /tmp/passwd.ldif
ldapadd -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Now we want to update the passwords frequently and keep the LDAP server in sync with our management node. Please give me an idea of how to achieve this.
I tried the same way I imported users into LDAP, but it gives me an error.
[root#iitmserver2 migrationtools]# ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Enter LDAP Password:
ldapmodify: modify operation type is missing at line 2, entry "uid=pharthiphan,ou=People,dc=aadityaldap,dc=com"
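The error above comes from feeding ldapmodify an LDIF of plain entries: ldapmodify expects each record to carry a changetype. The following added example (not from the post; the shadow lines, the hashes and the output path are constructed) reads getent shadow output and emits a modify LDIF that replaces userPassword per user, which ldapmodify can apply to the existing entries. It assumes the users live under the ou=People base DN shown in the post and that slapd is configured to accept {CRYPT} hashes.

```python
"""Turn /etc/shadow-style data into an ldapmodify LDIF that replaces
userPassword on existing LDAP entries.

Added illustration, not the original post's code. The shadow lines and
hashes below are constructed placeholders, not real credentials.
"""
import os

# Constructed sample of 'getent shadow' output (placeholder hashes).
SAMPLE_SHADOW = """\
root:$6$fakesalt$fakehash:18000:0:99999:7:::
pharthiphan:$6$abc123$FAKEHASHVALUE:18500:0:99999:7:::
daemon:*:18000:0:99999:7:::
locked:!$6$xyz$FAKE:18500:0:99999:7:::
"""

BASE_DN = "ou=People,dc=aadityaldap,dc=com"   # base DN taken from the post


def parse_shadow(text):
    """Yield (login, hash) pairs for accounts that carry a usable hash.

    Password fields of '', '*', '!' or '!!', or anything starting with
    '!' (a locked account), have no password to sync and are skipped.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        login, pwhash = fields[0], fields[1]
        if pwhash in ("", "*", "!", "!!") or pwhash.startswith("!"):
            continue
        yield login, pwhash


def modify_ldif(shadow_text, base_dn=BASE_DN, exclude=("root",)):
    """Build one 'changetype: modify' block per user.

    This is what the post's attempt lacked: migrate_passwd.pl writes
    add-style records, so ldapmodify reports 'modify operation type is
    missing'. The {CRYPT} scheme makes slapd verify the crypt(3) hash
    copied from shadow (slapd needs password-hash {CRYPT} configured).
    """
    blocks = []
    for login, pwhash in parse_shadow(shadow_text):
        if login in exclude:
            continue
        blocks.append(
            f"dn: uid={login},{base_dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {{CRYPT}}{pwhash}\n"
            "-\n"
        )
    return "\n".join(blocks)


def write_ldif(path, content):
    """Write the LDIF with mode 0600, since it contains password hashes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


if __name__ == "__main__":
    # Constructed usage: print the LDIF that would be passed to
    # ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f <file>
    print(modify_ldif(SAMPLE_SHADOW))
```

Run it against the real getent shadow output on the management node, write the result with write_ldif, and feed that file to the ldapmodify command from the post; the file holds password hashes, so keep it 0600 and delete it after the run.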

Perforce: run script as particular user and workspace

I have a powershell script that does various things, including running p4 commands such as syncing, creating a changelist and checking files into it, create a label etc. My script works fine when I run it on my development environment as my user.
Now I would like to run the script on another machine, against a specific workspace, and a specific Perforce user. Is there some set of commands I can add to the beginning of my script so that I can set the perforce user and use a specific workspace for the remainder of the script? If yes, I'd like to know 2 ways of doing this, one with the password in plain text (for testing and verifying), and one without it (for production use).
Related: I think part of my problem is that I don't fully understand how the session user is determined. On the other machine, if I try to run any p4 command, I get the message: "Perforce password (P4PASSWD) is invalid or unset." I get that message even if I try:
p4 login abc
"abc" can be anything and I get the same message. I must be wrong in thinking that the "login" command can be used to login as a particular user. I was expecting it to prompt me for abc's password, rather than telling me I need to set a password before I can login as someone else.
But if I type in this:
p4 login
I am prompted to enter in a password. But for what user would that be? My Windows account user? What if I don't have a perforce user with the same name as my windows account user?
This is the doc page you need:
http://www.perforce.com/perforce/doc.current/manuals/cmdref/envars.html
In general, this should do the trick (with the current version of the command line client that supports "p4 set" on all platforms):
p4 set P4USER=username
p4 set P4CLIENT=clientname
p4 login
The "p4 login USERNAME" syntax is used when you've already logged in as a super user to get a login ticket for a different user (with no password prompt). Like all other commands, "p4 login" uses your P4USER to determine who you're running the command as.
To auto-login via PowerShell (login -a means allow login from any IP):
$USER = "My.User"
$PASS = "P455w0rd"
Out-File -FilePath C:\p4pass.txt -InputObject $PASS -Encoding ASCII -Width 50
cmd /c "p4 -u $USER login -a < `"C:\p4pass.txt`" " 2>&1
To specify the user, workspace and server:port, prepend the following to the Perforce command, e.g.:
p4 -u ${USER} -c ${WORKSPACE} -p ${perforce:1666} login -a
p4 -u ${USER} -c ${WORKSPACE} -p ${perforce:1666} sync -f -q //...#head
To specify a ticket, get the ticket from the command:
p4 tickets
and specify it with an upper case -P, e.g:
p4 -u username -P 5E8ED75FB5086BE82D9BCD5561D32AEE sync...

How to add user with out using useradd or similar command?

How do I add a user in a Linux bash script without using useradd or a similar command?
Also copy the startup script located in /etc/skel/, and change the password for the user you have added.
user1=$1
read -p "Enter your home name" home_name
read -p "Enter your login shell" loginshell
echo "$user1:x:500:500:$user1:/home/$home_name:$loginshell" >> /etc/passwd
echo "$user1:x:500:" >> /etc/group
mkdir /home/$home_name
chmod 744 /home/$home_name
cp -pr /etc/skel/.bashrc /home/$home_name
echo "$user1: " >> /etc/shadow
echo "`passwd` $user1"
This is the error I got after executing this script:
passwd: Authentication token manipulation error
Could you please advise me if there are any mistakes?
You should explain why you want to do that. In my opinion, it is a bad idea. In particular, because it does not handle all the various kinds of systems well (for instance, some Linux systems use LDAP for user authentication, etc).
And I believe that your line echo "$user1: " >> /etc/shadow is wrong. Look (with sudo) at the content of the /etc/shadow file, and you'll understand that the entries inside are more than just a username followed by a colon.
But really, you should use useradd or adduser to do that. You are risking breaking your system entirely.
You should replace
echo "`passwd` $user1"
with
passwd $user1
for entering the first password.
But besides this problem, you add all new users with the same user ID and group ID. So there are technically no new users, just one user with several "aliases". You have to replace the 500 when writing /etc/passwd and /etc/group to fix that.
Another big problem is that the user's new home directory and the startup script do not belong to him but to root. You may add a chown -R $user1:$user1 /home/$home_name somewhere.
You should also have something like echo "$user1: " >> /etc/gshadow for the group you are creating, the same as what you have done for the user and the shadow file.
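To make the three faults the answers describe concrete (the hard-coded 500/500 IDs, the one-field shadow line that makes passwd fail with "Authentication token manipulation error", and the missing group counterpart), here is an added example that builds the passwd, group and shadow records useradd would write. It is not from the question or the answers; the file contents are constructed samples, and it writes nothing to the real system files. It assumes a UID/GID floor of 1000, as in login.defs on current distributions.

```python
"""Build the /etc/passwd, /etc/group and /etc/shadow records for a new
user with a free UID/GID instead of a hard-coded 500.

Added illustration, not the post's script. SAMPLE_PASSWD and
SAMPLE_GROUP are constructed stand-ins for the real files.
"""
import re
import time

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
bin:x:1:
alice:x:1000:
bob:x:1001:
wheel:x:10:alice
"""

MIN_ID = 1000   # assumed UID_MIN / GID_MIN (login.defs on modern distros)
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # portable login names


def used_ids(table_text, column=2):
    """Set of numeric IDs found in column 2 of a passwd/group-style table."""
    ids = set()
    for line in table_text.splitlines():
        fields = line.split(":")
        if len(fields) > column and fields[column].isdigit():
            ids.add(int(fields[column]))
    return ids


def next_free_id(used, start=MIN_ID):
    """Lowest unused ID at or above start, which is what useradd picks."""
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


def names(table_text):
    """Login/group names already present in a table."""
    return {line.split(":")[0] for line in table_text.splitlines() if line}


def shadow_ok(line):
    """A shadow record has exactly 9 colon-separated fields."""
    return len(line.split(":")) == 9


def build_records(login, home, shell, passwd_text, group_text):
    """Return (passwd_line, group_line, shadow_line, uid, gid).

    The password field is '!' (locked) so that 'passwd <login>' sets the
    first password afterwards, as the answer suggests. The asker's
    'user: ' line has 2 fields instead of 9, which is why passwd could not
    update the token.
    """
    if not NAME_RE.match(login):
        raise ValueError(f"invalid login name: {login!r}")
    if login in names(passwd_text) or login in names(group_text):
        raise ValueError(f"{login} already exists")
    uid = next_free_id(used_ids(passwd_text))
    group_ids = used_ids(group_text)
    # user private group: same number as the UID when it is free
    gid = uid if uid not in group_ids else next_free_id(group_ids)
    lastchg = int(time.time() // 86400)   # field 3: days since the epoch
    passwd_line = f"{login}:x:{uid}:{gid}:{login}:{home}:{shell}"
    group_line = f"{login}:x:{gid}:"
    # name:hash:lastchg:min:max:warn:inactive:expire:reserved
    shadow_line = f"{login}:!:{lastchg}:0:99999:7:::"
    assert shadow_ok(shadow_line)
    return passwd_line, group_line, shadow_line, uid, gid


if __name__ == "__main__":
    # Constructed usage; a real script would read /etc/passwd and
    # /etc/group and append the lines (plus a gshadow line) under lock.
    for rec in build_records("carol", "/home/carol", "/bin/bash",
                             SAMPLE_PASSWD, SAMPLE_GROUP)[:3]:
        print(rec)
```

After appending the three lines the remaining steps from the answers still apply: create the home directory, copy /etc/skel, chown it to the new UID:GID, and run passwd for the initial password.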

How do I clone an OpenLDAP database

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one Red Hat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from one machine to the other, with schemas and all?
What files would I need to copy over? I believe the setup is pretty standard.
The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).
From man slapcat (OpenLDAP 2.3):
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.
(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)
Plus, using a tool that reads the backend files to dump the database and then a tool that loads the LDIF through the LDAP protocol is not very consistent.
I'd suggest using a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would be the latter, as it does not need shell access to the LDAP server or moving files around.
For example, to dump the database from a master server under dc=master,dc=com and load it into a backup server:
$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
The -W flag above prompts for the ldap admin_master password; however, since we are redirecting output to a file you won't see the prompt, just an empty line. Go ahead and type your ldap admin_master password, press enter, and it will work. The first line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.
Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.
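The two practical points in this answer, that slapcat output is in database order rather than superior-first, and that a redirected ldapsearch -W leaves the password prompt as the first line of the file, can both be handled with a small LDIF pass. The following is an added example, not code from the answer or from OpenLDAP; the LDIF is a constructed sample in deliberately wrong order, and dn:: base64 and folded continuation lines are handled per RFC 2849.

```python
"""Reorder an LDIF dump so that every entry's superior precedes it
(what ldapadd needs and slapcat does not guarantee), and drop a stray
'Enter LDAP Password:' prompt line.

Added illustration; SAMPLE_LDIF is a constructed dump in database order.
"""
import base64
import re

SAMPLE_LDIF = """\
Enter LDAP Password:
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
  Corp

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
"""

PROMPT = "Enter LDAP Password:"


def parse_ldif(text):
    """Split LDIF into (dn, record_text) pairs.

    Unfolds continuation lines (leading space), skips '#' comments and
    the ldapsearch -W prompt, and decodes a base64 'dn::' line.
    """
    records, current = [], []
    for raw in text.splitlines():
        if raw == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith("#") or raw == PROMPT:
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # unfold: drop exactly one space
            continue
        current.append(raw)
    if current:
        records.append(current)
    out = []
    for lines in records:
        first = lines[0]
        if first.startswith("dn::"):
            dn = base64.b64decode(first[4:].strip()).decode("utf-8")
        elif first.startswith("dn:"):
            dn = first[3:].strip()
        else:
            raise ValueError(f"record does not start with dn: {first!r}")
        out.append((dn, "\n".join(lines)))
    return out


def rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def dn_depth(dn):
    return len(rdns(dn))


def parent_dn(dn):
    return ",".join(rdns(dn)[1:])


def superior_first(records):
    """Stable sort by depth: a parent always has fewer RDNs than its
    children, so parents come out first and sibling order is kept."""
    return sorted(records, key=lambda rec: dn_depth(rec[0]))


def check_order(records):
    """True if every entry's parent (when it is in the dump) comes earlier."""
    all_dns = {dn.lower() for dn, _ in records}
    seen = set()
    for dn, _ in records:
        parent = parent_dn(dn).lower()
        if parent in all_dns and parent not in seen:
            return False
        seen.add(dn.lower())
    return True


def reorder_ldif(text):
    """Return LDIF text ready for ldapadd."""
    return "\n\n".join(rec for _, rec in superior_first(parse_ldif(text))) + "\n"


if __name__ == "__main__":
    print(reorder_ldif(SAMPLE_LDIF))
```

Pipe a slapcat or ldapsearch -LLL dump through reorder_ldif and hand the result to ldapadd on the target; check_order is the sanity test to run before loading, since ldapadd stops at the first entry whose parent does not exist yet.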
ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.
Export your DB with slapcat:
slapcat > ldif
Import the DB with slapadd (make sure the LDAP server is stopped):
slapadd -l ldif
Some notes:
Save your personalized schema and objectclass definitions on your new server. You can look at the included files in slapd.conf to find them, for example (this is part of my slapd.conf):
include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.
I prefer to copy the database through the protocol:
First of all, be sure you have the same schemas on both servers.
Dump the database with ldapsearch:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif
and import it into the new server:
ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif
In one line:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a
By using the bin/ldap* commands you are talking directly with the server, while using the bin/slap* commands you are dealing with the backend files.
(Not enough reputation to write a comment...)
Ldapsearch opens a connection to the LDAP server.
Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")
Thanks, Vish. Worked like a charm! I edited the command:
ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif
ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif
Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).