In part two of this blog, I discussed the command line options to the mkComputerRoles.tcl script. I demonstrated the use of the mkComputerRoles.tcl script along with the ComputerRoles.csv definition file, to create Computer Roles, to create User Groups and to assign the UNIX Login role to the Computer Roles (or Computer Groups) using the User Groups. The script also created the UNIX computer objects in AD and added them to the Computer Groups.

In this blog I will examine the options to add users to the User Groups.

Add users to User Groups from passwd files

The -i {passwdDir|mapFile}> option of the mkComputerRole.tcl script can be used to add AD users to the User Groups. Where passwdDir is a directory containing the UNIX passwd files of the computers listed in the ComputerRoles.csv file. The passwd files must be named “FQDN”.passwd, where “FQDN” is the FQDN of the computer as listed in the ComputerRoles.csv file (e.g., engcen5.centrifyimage.vms.passwd).

The script will append the supplied AD domain name from the command line to each UNIX name in the passwd files, and then search the AD domain for a user with a matching UPN. If a user is found, the user is added to the corresponding User Group for the computer, as defined in the ComputerRoles.csv file.

For example, given the following data (excluding the header) in the ComputerRoles.csv file:

and the following two passwd files in the passwdDir directory:

engcen5.centrifyimage.vms.passwd  engcen6.centrifyimage.vms.passwd

The mkComputerRoles.tcl script is executed with the following options:

mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -j ad,scp -a -i passwdDir -u tetsu

Result of Executing the mkComputerRoles.tcl Script

After executing the mkComputerRoles.tcl script the following objects are created in AD:

• The parent zone Global and the child zone Engineering are created. The Computer Role Engineering Servers is created in the child zone. The Description field is written and an AD group, called a Computer Group (or Computer Role Group) cfyC_Engineering Servers, is created for the Computer Role. For example, as seen in Access Manager:

• An AD group called a User Group (or User Role Group), cfyUC_UNIX Login_Engineering Servers, is created. It is then used to assign the UNIX Login role to the Computer Role (or Computer Group). For example, as seen in Access Manager:

Note: The role assignment is time bound. Meaning, it is only effective on the start date/time and expires

on the end date/time. This is an optional setting in the ComputerRoles.csv file.

• With the use of the “-i passwdDir” option, the users from the passwd files were added to the User Group. For example, as seen in ADUC:

The result is that the users who are member of the User Group, cfyUC_UNIX Login_Engineering Servers, have the right to logon to all the computers that are member of the Computer Role (i.e. Computer Group) cfyC_Engineering Servers. For example:

This method of deriving the user UPN from the UNIX logon name and the AD domain name does not hold true in many situations. Consequently, another method is supported by the mkComputerRoles.tcl script, namely a “map file”.

Add users to User Groups from a Map File

The -i option of the mkComputerRole.tcl script can be used to add AD users to the User Groups. Where MapFile is a CSV formatted file that list the User Groups and the AD accounts that should be added to the User Groups. The format of the file is:

UserGroup[@domain],user[@domain][,user[@domain],…]

Where,

UserGroup is an AD group that is used to assign a role to a Computer Role (as defined in the ComputerRoles.csv file) and user is an AD account that will be added to the User Group. For example, the contents of the file MapFile.csv:

cfyUC_UNIX Login_Engineering Servers,chris.rock,tina.fey@centrifyimage.vms,eddie.murphy

The command to run is:

mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -i MapFile.csv -u tetsu

Note: The “-j” and “-a” options are omitted because they have already been used. However, they could have been used again with no effect.

The resulting membership of the cfyUC_UNIX Login_Engineering Servers group is:

Summary

Using the mkComputerRoles.tcl script with the “-i” option, the User Groups can be populated with the AD accounts corresponding to the UNIX logon name in /etc/passwd files. If necessary, a “map file” can be created that list the AD accounts to be added to each User Group and the mkComputerRoles.tcl script can then add the AD accounts to the specified AD groups.

In the next and final blog in this series I will demonstrate another option to the mkComputerRoles.tcl script the enables the separation of duties model.