Hi João,
On 19/05/2017 12:37, João Graça wrote:
Hello Marco,
Thanks for your reply.
Following your reply, I created an AnyType object "ROOTCERT" with an
AnyTypeClass "ROOTCERT" and a plain schema "rootCert" of type binary
"application/x-x509-ca-cert", in order to upload the root certs that I
need (uploaded ok, no problem here).
I was looking to create the same thing with different names for the
intermediate certs, but before that I tried to follow the guidance in your
reply, but I don't really know how to...
I don't know how to proceed with the scripts and the connectors. I saw
that I should create a PowerShell script to map the functions
"create", "update", "delete", "search", "test"... but I don't know
where to start.
There are some old posts [1] where you can find info about the CMD
connector and PowerShell scripts.
So here goes some questions :)
How do I pass arguments to the PowerShell scripts (like the certs)?
To pass arguments to the PowerShell scripts you must configure the
mapping (provisioning rules) in the resource. Syncope sets the mapped
fields in your Windows machine as environment variables; this will allow
you to access the values of the propagated fields.
Where should I indicate to the connector that it should run on
machine X (a Windows server, for example)?
The connector contains only the scripts path. In PowerShell you have to
use your code to specify the destination where to store the certificates.
Should I create a connector for each machine that I want the cert on,
or must I solve this with the PowerShell script (run it only on the
Windows server and from there, somehow, spread the certs across the
client machines)?
There are two options:
1. Create one connector with N resources, one for each server to be
enhanced.
2. Create one connector with one resource and use an additional info
(you can pass it by the mapping) to specify in which server to propagate.
It depends on the number of servers you need to manage.
And about the mapping of the SubjectKeyIdentifier to the plainschema
that I created, can you provide some guidance on how to accomplish that?
Can I ask you to explain your requirements better?
I have the tools to get the info from the smartcard... So I don't know
if it's possible "edit" the web page, or add a type to syncope like
binary and the button instead of open the dialog to choose the file,
it would run a java applet to get the info and fill the textbox...
You can override the behavior of the binary field in the console or
extend Syncope with a new feature by adding an Extension [2].
[1] http://blog.tirasa.net/tags/powershell/index.html
[2] https://syncope.apache.org/docs/reference-guide.html#extensions
Regards
M
Best,
João Graça
On 18/05/2017 16:20, Marco Di Sabatino Di Diodoro wrote:
On 18/05/2017 16:33, João Graça wrote:
Hello,
I have the following scenario that I need to study and implement if
possible:
- Active Directory Server where users will be created (actually
already there)
- Syncope Server to manage users
- Eventually other databases where the users need to be
synchronized with the help of syncope
- Somehow propagate certificates(root and intermediate certs) to
the AD server and machines to allow later login in the windows
machines with smartcards
So far, I managed to connect syncope with the AD and
create/update/delete users and groups.
I was also able to map a plainschema that I created to the
/altSecurityIdentities/ property on the user in the Active
Directory, providing there a string like "X509:<SKI>'here goes the
subject key identifier of the user's cert'".
With this configuration I can log in with the user smartcard on the
Windows client machine. For this login to work I had to install the root
and intermediate certs on the Active Directory server and the
client machines, but here comes the question...
Is there a way to maintain and propagate to server and clients those
certs (root and intermediate) with syncope?
Syncope provides binary fields to store files.
You can use the CMD connector [1][2] (PowerShell scripts) to manage
the certs in Active Directory.
And if possible, to automate the process of gathering the
SubjectKeyIdentifier of the user certificate into the plainschema that
I created that maps to the /altSecurityIdentities/.
Yes.
Regards
M
[1] https://connid.atlassian.net/wiki/display/BASE/CMD
[2] https://github.com/Tirasa/ConnIdCMDBundle
Best,
João Graça
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
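Added example, not taken from the thread, from Apache Syncope or from the ConnId CMD bundle: one "create" script of the kind Marco describes, which reads the mapped attributes the connector exposes as environment variables, installs the certificate held in the "rootCert" binary plain schema into the LocalMachine Root or CA store (locally or on a server chosen via an extra mapped attribute, option 2 above), and derives the "X509:<SKI>..." value for altSecurityIdentities from a certificate. Everything about how the connector names the variables, that the binary field arrives base64-encoded, and the extra attributes `certStore` and `targetServer` are assumptions made for the example; check them against the bundle's documentation before relying on them.

```powershell
# Added example (not the thread's, Syncope's or the CMD bundle's code): a "create"
# script for the CMD connector that installs a CA certificate kept in the
# "rootCert" binary plain schema and derives an altSecurityIdentities value.
#
# Hypothetical assumptions:
#  - the connector exposes each mapped attribute as an environment variable of the
#    same name ($env:rootCert, $env:certStore, $env:targetServer);
#  - the binary field arrives base64-encoded;
#  - "certStore" ("Root" or "CA") and "targetServer" are extra mapped attributes
#    (option 2 in the thread) that pick the store and the machine to install on.
using namespace System.Security.Cryptography.X509Certificates

$ErrorActionPreference = 'Stop'

function Install-CaCert {
    # Takes raw DER bytes rather than an X509Certificate2 so the same function can
    # be shipped to a remote host with Invoke-Command, where objects lose methods.
    param([byte[]]$Bytes, [string]$StoreName)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Bytes)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Idempotent: re-running "create" or "update" must not duplicate the entry
        if (-not ($store.Certificates | Where-Object Thumbprint -eq $cert.Thumbprint)) {
            $store.Add($cert)
        }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

function Get-SubjectKeyIdentifier {
    # Hex SKI without separators, the form used in "X509:<SKI>..." mappings
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1
    if (-not $ext) { throw 'certificate has no SubjectKeyIdentifier extension' }
    return ([X509SubjectKeyIdentifierExtension]$ext).SubjectKeyIdentifier
}

function Get-AltSecurityIdentity {
    # Value to write into the user's altSecurityIdentities attribute
    param([X509Certificate2]$Cert)
    return 'X509:<SKI>' + (Get-SubjectKeyIdentifier -Cert $Cert)
}

# ---- script body executed by the connector ----
if ([string]::IsNullOrWhiteSpace($env:rootCert)) { throw 'mapped attribute rootCert is empty' }
$bytes = [Convert]::FromBase64String($env:rootCert)

# Only two stores are acceptable; anything unexpected falls back to Root
$storeName = if ($env:certStore -eq 'CA') { 'CA' } else { 'Root' }

$target = $env:targetServer
if ([string]::IsNullOrWhiteSpace($target) -or $target -eq $env:COMPUTERNAME) {
    $thumbprint = Install-CaCert -Bytes $bytes -StoreName $storeName
} else {
    # Remote install over WinRM; the target must have PowerShell remoting enabled
    $thumbprint = Invoke-Command -ComputerName $target -ScriptBlock ${function:Install-CaCert} `
                                 -ArgumentList $bytes, $storeName
}

# Assumed connector contract: print the identifier of the created object
Write-Output $thumbprint
```

For the user side of the question, `Get-AltSecurityIdentity` gives the exact string João is already writing by hand; on a host with the ActiveDirectory module it can be pushed with `Set-ADUser -Identity <sAMAccountName> -Add @{altSecurityIdentities = (Get-AltSecurityIdentity -Cert $userCert)}`. Keeping `Install-CaCert` free of the `using namespace` shortcut is deliberate: a function sent through `Invoke-Command` is re-parsed on the remote side, where that alias is not in effect.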