Create the MA configuration file
The MA uses an XML-based configuration file to define the capabilities and behaviour of the MA. The configuration file defines the schema for the MA, and which commands to run for which object types and when to run them.
Multiple MAs can be configured by using a different configuration file for each target system.
The MA uses an XSD schema to validate the XML structure, and also to provide auto-complete functionality when editing in an XSD-aware editor such as Visual Studio. It is recommended to open the XML file in Visual Studio for editing, and to ensure the Lithnet.SSHMA.xsd file is in the same folder as the XML file.
WARNING: The XML file is validated against the schema each time it is loaded by the MA, and if validation fails, the MA will not load. Editing the file without a schema-aware editor is not recommended.
In order to configure the XML file for your target system, you will need to perform the following steps.
- Define the MA capabilities
- Define the MA schema
- Define rules and rule groups
- Define the global operations
- Define the object operations
Sample XML file
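<?xml version="1.0" encoding="utf-8"?>
<!-- Sample Lithnet SSH MA configuration file. The root element carries the sshma namespace;
     all child elements are unprefixed (in no namespace). The file is validated against
     Lithnet.SshMA.xsd when the MA loads, so keep element names and nesting exactly as the XSD defines them. -->
<sshma:Lithnet.SshMA xmlns:sshma="http://lithnet.local/Lithnet.SshMA.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- Capabilities advertised to the sync engine. This sample does not offer delta import and allows renames;
       the exact semantics of object-update-mode and delete-add-as-replace are defined by the MA itself. -->
  <ma-capabilities>
    <delta-import>false</delta-import>
    <object-update-mode>AttributeUpdate</object-update-mode>
    <delete-add-as-replace>false</delete-add-as-replace>
    <object-rename-allowed>true</object-rename-allowed>
  </ma-capabilities>
  <!-- Schema presented to the sync engine: attribute definitions first, then the object classes that use them. -->
  <schema>
    <!-- operation="ImportExport" attributes flow in both directions. accountDisabled is ExportOnly and
         accordingly has no capture group in the import regexes further down. -->
    <schema-attributes>
      <schema-attribute name="accountName" multivalued="false" type="string" operation="ImportExport"/>
      <schema-attribute name="uid" multivalued="false" type="integer" operation="ImportExport"/>
      <schema-attribute name="gid" multivalued="false" type="integer" operation="ImportExport"/>
      <schema-attribute name="comment" multivalued="false" type="string" operation="ImportExport"/>
      <schema-attribute name="expiryDate" multivalued="false" type="integer" operation="ImportExport"/>
      <schema-attribute name="homeDirectory" multivalued="false" type="string" operation="ImportExport"/>
      <schema-attribute name="shell" multivalued="false" type="string" operation="ImportExport"/>
      <schema-attribute name="accountDisabled" multivalued="false" type="boolean" operation="ExportOnly"/>
      <!-- member is a reference attribute; the group import below rewrites raw member names into user DNs. -->
      <schema-attribute name="member" multivalued="true" type="reference" operation="ImportExport"/>
    </schema-attributes>
    <schema-objects>
      <!-- dn-format builds the DN from an attribute value. Commands below use {dn:$1}, which appears to
           select the value of the first DN component, i.e. the account name. -->
      <schema-object object-class="user">
        <dn-format>cn={accountName},ou=users</dn-format>
        <attributes>
          <attribute>accountName</attribute>
          <attribute>uid</attribute>
          <attribute>gid</attribute>
          <attribute>comment</attribute>
          <attribute>homeDirectory</attribute>
          <attribute>shell</attribute>
          <attribute>accountDisabled</attribute>
        </attributes>
      </schema-object>
      <schema-object object-class="group">
        <dn-format>cn={accountName},ou=groups</dn-format>
        <attributes>
          <attribute>accountName</attribute>
          <attribute>gid</attribute>
          <attribute>member</attribute>
        </attributes>
      </schema-object>
    </schema-objects>
  </schema>
  <!-- Operations run once per run step, independent of object class. -->
  <global-operations>
    <!-- NOTE(review): the commented-out examples below use an <operation> element, whereas the live
         element in this file is <global-operation>; check the element name against the XSD before re-enabling them. -->
    <!--<operation xsi:type="sshma:global-operation-ImportFullStart"/>
    <operation xsi:type="sshma:global-operation-ImportFullEnd"/>
    <operation xsi:type="sshma:global-operation-ImportDeltaStart"/>
    <operation xsi:type="sshma:global-operation-ImportDeltaEnd"/>-->
    <global-operation xsi:type="sshma:global-operation-ExportStart">
      <commands>
        <!-- success-codes lists the exit codes treated as success; 2 is presumably accepted so that a
             missing file does not fail the start of the export. -->
        <command success-codes="0,2">rm /usr/tmp/groups.txt</command>
      </commands>
    </global-operation>
    <!--<operation xsi:type="sshma:global-operation-ExportEnd"/>
    <operation xsi:type="sshma:global-operation-PasswordStart"/>
    <operation xsi:type="sshma:global-operation-PasswordEnd"/>-->
  </global-operations>
  <!-- Per-object-class operations for users. Attribute values in {braces} are substituted into the command line.
       Every mutating command runs through sudo: the sudoers entry for the account the MA connects as should be
       limited to exactly the binaries used in this file (useradd, usermod, userdel, passwd, groupadd, groupmod,
       groupdel) rather than granting unrestricted sudo. -->
  <object-operations object-class="user">
    <object-operation xsi:type="sshma:object-operation-ImportFull">
      <commands>
        <!-- result-has-objects marks the command whose output is parsed with object-extract below. -->
        <command result-has-objects="true" success-codes="0">cat /etc/passwd</command>
      </commands>
      <import-mapping>
        <!-- One passwd line per object; named groups map onto schema attributes of the same name.
             The pwd and personId groups have no schema attribute and are presumably discarded. The
             alternation handles a comment (fifth) field with or without a trailing ",personId" part. -->
        <object-extract><![CDATA[^(?<accountName>.*?):(?<pwd>.*?):(?<uid>.*?):(?<gid>.*?)((:(?<comment>.*?),(?<personId>.*?):)|(:(?<comment>.*?):))(?<homeDirectory>.*?):(?<shell>.*?)$]]></object-extract>
        <!-- Filters drop matching objects from the import. NOTE(review): svc-fim is presumably the account
             the MA connects as; excluding it keeps the sync engine from ever modifying or deleting it.
             Confirm the name matches the actual service account on the target system. -->
        <object-filters>
          <!--<object-filter attribute="uid" operator="LessThanOrEq">99</object-filter>
          <object-filter attribute="uid" operator="Equals">65534</object-filter>
          <object-filter attribute="uid" operator="Equals">60001</object-filter>
          <object-filter attribute="uid" operator="Equals">60002</object-filter>-->
          <object-filter attribute="accountName" operator="Equals">svc-fim</object-filter>
        </object-filters>
      </import-mapping>
    </object-operation>
    <!-- Delta import. delta-import is false in ma-capabilities above, so this operation is presumably
         inactive and kept as a template. Its regex expects a leading change-type field (a, r or d) that the
         plain /etc/passwd format parsed above does not contain, so the command here must be replaced by a
         real change-feed source before delta import is enabled. -->
    <object-operation xsi:type="sshma:object-operation-ImportDelta">
      <commands>
        <command success-codes="0" result-has-objects="true">cat /etc/passwd</command>
      </commands>
      <import-mapping>
        <object-extract><![CDATA[^(?<changeType>[ard]):(?<accountName>.*?):(?<pwd>.*?):(?<uid>.*?):(?<gid>.*?)((:(?<comment>.*?),(?<personId>.*?):)|(:(?<comment>.*?):))(?<homeDirectory>.*?):(?<shell>.*?)$]]></object-extract>
        <!-- Same exclusion as the full import. -->
        <object-filters>
          <!--<object-filter attribute="uid" operator="LessThanOrEq">99</object-filter>
          <object-filter attribute="uid" operator="Equals">65534</object-filter>
          <object-filter attribute="uid" operator="Equals">60001</object-filter>
          <object-filter attribute="uid" operator="Equals">60002</object-filter>-->
          <object-filter attribute="accountName" operator="Equals">svc-fim</object-filter>
        </object-filters>
        <!-- Maps the changeType capture group onto add/replace/delete; any other value is ignored. -->
        <modification-type-mappings capture-group-name="changeType" unexpected-modification-type-action="ignore">
          <modification-type-add>a</modification-type-add>
          <modification-type-replace>r</modification-type-replace>
          <modification-type-delete>d</modification-type-delete>
        </modification-type-mappings>
      </import-mapping>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-ExportAdd">
      <commands>
        <!-- Segments in [square brackets] are presumably emitted only when the enclosed attribute has a value.
             NOTE(review): comment, homeDirectory and shell arrive from the sync engine and are substituted
             straight into a remote shell line; the double quotes around {comment} do not neutralise every
             shell metacharacter. Confirm that the MA escapes substituted values, or constrain these
             attributes upstream (attribute flow or sync rule) before relying on this command. -->
        <command>/usr/local/bin/sudo /usr/sbin/useradd [-c "{comment}" ][-d {homeDirectory} ][-s {shell} ]-u {uid} -g {gid} {dn:$1}</command>
      </commands>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-ExportModify">
      <commands>
        <!-- Same substitution caveat as ExportAdd; [-l {accountName} ] renames the account when the name changed. -->
        <command>/usr/local/bin/sudo /usr/sbin/usermod [-c "{comment}" ][-d {homeDirectory} ][-s {shell} ][-u {uid} ][-g {gid} ][-l {accountName} ]{dn:$1}</command>
      </commands>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-ExportDelete">
      <commands>
        <command>/usr/local/bin/sudo /usr/sbin/userdel {dn:$1}</command>
      </commands>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-PasswordSet">
      <commands>
        <!-- Interactive exchange: each send-when waits for its expect string (timeout presumably in seconds)
             before sending its text. The new password is typed at the prompt rather than placed on the
             command line, so it does not appear as a process argument on the target. "assword: " matches the
             second prompt whether it is spelled "Password: " or "password: ", presumably the confirmation
             prompt. The "$ " prompt and the success-when message must match the remote shell prompt and the
             passwd utility's output on the target platform, otherwise the operation is reported as failed.
             NOTE(review): check that trace or verbose logging of async-command exchanges does not record
             the {newpassword} value. -->
        <async-command>
          <send-when expect="$ " timeout="5">/usr/local/bin/sudo /usr/bin/passwd {dn:$1}</send-when>
          <send-when expect="New Password: " timeout="5">{newpassword}</send-when>
          <send-when expect="assword: " timeout="5">{newpassword}</send-when>
          <success-when expect="password successfully changed for {dn:$1}" timeout="5"/>
        </async-command>
      </commands>
    </object-operation>
  </object-operations>
  <!-- Per-object-class operations for groups. -->
  <object-operations object-class="group">
    <object-operation xsi:type="sshma:object-operation-ImportFull">
      <commands>
        <!-- NOTE(review): no success-codes here, unlike the user import commands; confirm the default the MA
             applies when the attribute is absent, or state success-codes="0" explicitly. -->
        <command result-has-objects="true">cat /etc/group</command>
      </commands>
      <import-mapping>
        <!-- Group line: name, password placeholder (skipped by \*?), gid, then the comma-separated member list. -->
        <object-extract><![CDATA[^(?<accountName>.+)?:\*?:(?<gid>.+)?:(?<members>.+)?$]]></object-extract>
        <!-- Splits the members capture group into individual values of the multivalued member attribute. -->
        <multivalue-extracts>
          <multivalue-extract capture-group-name="members" attribute="member"><![CDATA[[\w\d- ]+]]></multivalue-extract>
        </multivalue-extracts>
        <!-- Rewrites each member name into cn=<name>,ou=users, the same shape as the user dn-format above,
             so the reference attribute resolves to the user object. regex-replace uses the .NET whole-match
             token $&, which must be written as $&amp; inside an XML attribute value; a bare ampersand is
             not well-formed XML and the file would fail to load. -->
        <attribute-transformations>
          <attribute-transformation attribute="member" regex-find=".+" regex-replace="cn=$&amp;,ou=users"/>
        </attribute-transformations>
        <!-- Drops groups whose gid is below 100 (presumably the system groups on the target). -->
        <object-filters>
          <object-filter attribute="gid" operator="LessThan">100</object-filter>
        </object-filters>
      </import-mapping>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-ExportAdd">
      <commands>
        <command>/usr/local/bin/sudo /usr/sbin/groupadd -g {gid} {dn:$1}</command>
        <!-- mv-command runs once per value of the for-each attribute; {member:$1} appears to select the RDN
             value of each member DN. echo only prints, so this is a placeholder: replace it (and the echo
             commands in ExportModify below) with the real membership command for the target platform. -->
        <command xsi:type="sshma:mv-command" for-each="member">echo addmember:{member:$1}</command>
      </commands>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-ExportModify">
      <commands>
        <!-- rule-id gates a command on a rule or rule-group defined in <rules> at the end of the file;
             value-modification presumably restricts the mv-command to the values added or deleted in this export. -->
        <command rule-id="groupGidOrAccountNameHasChanged">/usr/local/bin/sudo /usr/sbin/groupmod [-g {gid} ][-n {accountName} ]{dn:$1}</command>
        <command xsi:type="sshma:mv-command" rule-id="groupMemberModified" for-each="member" value-modification="add">echo addmember:{member:$1} {dn:$1}</command>
        <command xsi:type="sshma:mv-command" rule-id="groupMemberModified" for-each="member" value-modification="delete">echo deletemember:{member:$1} {dn:$1}</command>
        <command rule-id="groupMembersDeleted">echo deleteallmembers {dn:$1}</command>
      </commands>
    </object-operation>
    <object-operation xsi:type="sshma:object-operation-ExportDelete">
      <commands>
        <command>/usr/local/bin/sudo /usr/sbin/groupdel {dn:$1}</command>
      </commands>
    </object-operation>
  </object-operations>
  <!-- Rules referenced by rule-id from the commands above. A rule-group combines its rule-refs with the given
       operator; the group here is declared before the rules it references. AccountNameIsPresent is defined
       but not referenced by any command in this sample. -->
  <rules>
    <rule-group id="groupGidOrAccountNameHasChanged" operator="Or">
      <rule-ref rule-id="groupAccountNameModified"/>
      <rule-ref rule-id="groupGidModified"/>
    </rule-group>
    <rule xsi:type="sshma:rule-AttributeChangeRule" id="groupMemberModified" attribute="member" triggers="Add,Update"/>
    <rule xsi:type="sshma:rule-AttributeChangeRule" id="groupMembersDeleted" attribute="member" triggers="Delete"/>
    <rule xsi:type="sshma:rule-AttributeChangeRule" id="groupAccountNameModified" attribute="accountName" triggers="Add,Update"/>
    <rule xsi:type="sshma:rule-AttributeChangeRule" id="groupGidModified" attribute="gid" triggers="Add,Update"/>
    <rule xsi:type="sshma:rule-AttributePresenceRule" id="AccountNameIsPresent" attribute="accountName" operator="IsPresent"/>
  </rules>
</sshma:Lithnet.SshMA>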