11 April,19 at 11:50 AM
In part two of this blog, I discussed the command line options to the mkComputerRoles.tcl script. I demonstrated the use of the mkComputerRoles.tcl script along with the ComputerRoles.csv definition file, to create Computer Roles, to create User Groups and to assign the UNIX Login role to the Computer Roles (or Computer Groups) using the User Groups. The script also created the UNIX computer objects in AD and added them to the Computer Groups.
In this blog I will examine the options to add users to the User Groups.
Add users to User Groups from passwd files
The -i {passwdDir|mapFile} option of the mkComputerRoles.tcl script can be used to add AD users to the User Groups, where passwdDir is a directory containing the UNIX passwd files of the computers listed in the ComputerRoles.csv file. The passwd files must be named “FQDN”.passwd, where “FQDN” is the FQDN of the computer as listed in the ComputerRoles.csv file (e.g., engcen5.centrifyimage.vms.passwd).
The script appends the AD domain name supplied on the command line to each UNIX login name in the passwd files, and then searches the AD domain for a user with a matching UPN. If a user is found, the user is added to the corresponding User Group for the computer, as defined in the ComputerRoles.csv file.
For example, given the following data (excluding the header) in the ComputerRoles.csv file:
and the following two passwd files in the passwdDir directory:
engcen5.centrifyimage.vms.passwd
engcen6.centrifyimage.vms.passwd
The mkComputerRoles.tcl script is executed with the following options:
mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -j ad,scp -a -i passwdDir -u tetsu
Result of Executing the mkComputerRoles.tcl Script
After executing the mkComputerRoles.tcl script the following objects are created in AD:
Note: The role assignment is time bound, meaning it is only effective from the start date/time and expires at the end date/time. This is an optional setting in the ComputerRoles.csv file.
The result is that the users who are members of the User Group, cfyUC_UNIX Login_Engineering Servers, have the right to log on to all the computers that are members of the Computer Role (i.e. Computer Group) cfyC_Engineering Servers. For example:
This method of deriving the user’s UPN from the UNIX logon name and the AD domain name does not hold in many situations. Consequently, the mkComputerRoles.tcl script supports another method, namely a “map file”.
Add users to User Groups from a Map File
The -i mapFile option of the mkComputerRoles.tcl script can also be used to add AD users to the User Groups, where mapFile is a CSV-formatted file that lists the User Groups and the AD accounts that should be added to them. The format of the file is:
UserGroup[@domain],user[@domain][,user[@domain],…]
Where UserGroup is an AD group that is used to assign a role to a Computer Role (as defined in the ComputerRoles.csv file), and user is an AD account that will be added to the User Group. If the @domain suffix is omitted, the domain given with the -d option applies. For example, the contents of the file MapFile.csv:
cfyUC_UNIX Login_Engineering Servers,chris.rock,tina.fey@centrifyimage.vms,eddie.murphy
The command to run is:
mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -i MapFile.csv -u tetsu
Note: The “-j” and “-a” options are omitted because they have already been used. However, they could have been used again with no effect.
The resulting membership of the cfyUC_UNIX Login_Engineering Servers group is:
Summary
Using the mkComputerRoles.tcl script with the “-i” option, the User Groups can be populated with the AD accounts corresponding to the UNIX logon names in /etc/passwd files. If necessary, a “map file” can be created that lists the AD accounts to be added to each User Group, and the mkComputerRoles.tcl script can then add the AD accounts to the specified AD groups.
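The two input formats described above (passwd files named FQDN.passwd, and the UserGroup[@domain],user[@domain] map file), as an added example that is not part of the script or of this post. The passwd contents, the group line and the set of AD UPNs are constructed; AD_UPNS stands in for the directory lookup the script performs, and UPNs are compared case-insensitively as an assumption. The resolve step shows the caveat from the passwd method: a UNIX login such as tfey yields no AD match when the account is tina.fey.

```python
import csv

DOMAIN = "centrifyimage.vms"

# Constructed sample passwd file contents, keyed by file name (FQDN.passwd).
PASSWD_FILES = {
    "engcen5.centrifyimage.vms.passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "chris.rock:x:1001:1001:Chris Rock:/home/chris.rock:/bin/bash\n"
        "tfey:x:1002:1002:Tina Fey:/home/tfey:/bin/bash\n"
    ),
}

# Constructed stand-in for the AD directory: the UPNs that actually exist.
AD_UPNS = {"chris.rock@centrifyimage.vms", "tina.fey@centrifyimage.vms",
           "eddie.murphy@centrifyimage.vms"}


def qualify(name, default_domain):
    """Return name@domain, appending default_domain when no domain is given."""
    return name if "@" in name else f"{name}@{default_domain}"


def upns_from_passwd(text, domain):
    """Derive candidate UPNs as the passwd mode does: login name + '@' + domain."""
    logins = [line.split(":", 1)[0] for line in text.splitlines()
              if line and not line.startswith("#")]
    return [qualify(login, domain) for login in logins]


def parse_map_line(line, default_domain):
    """Parse 'UserGroup[@domain],user[@domain],...' into (group, [user UPNs])."""
    fields = [f.strip() for f in next(csv.reader([line]))]
    if len(fields) < 2:
        raise ValueError(f"map line needs a group and at least one user: {line!r}")
    group, users = fields[0], fields[1:]
    return qualify(group, default_domain), [qualify(u, default_domain) for u in users]


def resolve(candidates, directory=AD_UPNS):
    """Split candidate UPNs into those found in AD and those with no match (assumed case-insensitive)."""
    known = {u.lower() for u in directory}
    found = [u for u in candidates if u.lower() in known]
    missing = [u for u in candidates if u.lower() not in known]
    return found, missing


if __name__ == "__main__":
    for fname, text in PASSWD_FILES.items():
        print(fname, resolve(upns_from_passwd(text, DOMAIN)))
    group, users = parse_map_line(
        "cfyUC_UNIX Login_Engineering Servers,chris.rock,tina.fey@centrifyimage.vms,eddie.murphy",
        DOMAIN)
    print(group, resolve(users))
```

Entries reported as missing are the ones the script would silently skip, so reviewing that list before running against AD is the quickest way to catch logins that need a map file entry instead.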
In the next and final blog in this series I will demonstrate another option to the mkComputerRoles.tcl script that enables the separation of duties model.