SUSE Manager/LDAPUserSync

From MicroFocusInternationalWiki

Automatically create users in SUSE Manager that are members of an LDAP group

We added a tool (sw-ldap-user-sync) to the spacewalk-utils package which can query an LDAP server for the users that are members of a specific group. These users are created as normal users in SUSE Manager. Additional roles can be assigned later using the WebUI or the API.

If a user is removed from the LDAP group, that user is removed from SUSE Manager as well.

Working PAM authentication for SUSE Manager is required, because the newly created accounts are set up to authenticate via PAM.


Configuration

sw-ldap-user-sync has a configuration file, /etc/rhn/sw-ldap-user-sync.conf. The format is YAML.

 directory:
   user: uid=xyz,dc=example,dc=com
   password: xxx
   url: ldaps://ldap.example.com:636
   group: cn=admin,ou=groups,dc=example,dc=com
   users: ou=people,dc=example,dc=com
 spacewalk:
   url: http://localhost/rpc/api
   user: spacewalk
   password: xxx
  • directory
    • user: User DN used for authentication at the LDAP server
    • password: the password used to authenticate at the LDAP server
    • url: the URL to connect at the LDAP server
    • group: the group DN whose member attributes point to the user DNs that should be set up in SUSE Manager
    • users: subtree DN where the users are created in the LDAP server.
  • spacewalk:
    • url: The SUSE Manager API URL
    • user: the username of a spacewalk administrator who will create the users
    • password: the password of that SUSE Manager user

The LDAP group must have the object class groupOfNames and one member attribute per user. The LDAP user objects must have the object class posixAccount and the attributes givenName, sn, mail and uid.
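The reconciliation that the tool performs, shown as an added example in Python; this is not the sw-ldap-user-sync code itself. It assumes the LDAP search of the group's member DNs has already been resolved into dictionaries of the four required attributes, that `existing` is the set of PAM-backed logins the sync previously created, and it adds one safeguard the page does not describe: an empty LDAP result is treated as an error rather than as a request to delete every synced user. All sample data is constructed.

```python
"""Plan an LDAP-group to SUSE Manager user reconciliation (added example, not sw-ldap-user-sync)."""
from dataclasses import dataclass

# Attributes the page requires on each posixAccount entry.
REQUIRED_ATTRS = ("givenName", "sn", "mail", "uid")

# Constructed sample: resolved entries for the DNs in the group's `member` attributes.
LDAP_GROUP_MEMBERS = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "givenName": "Alice", "sn": "Adams", "mail": "alice@example.com", "uid": "alice"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "givenName": "Bob", "sn": "Baker", "mail": "bob@example.com", "uid": "bob"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",   # constructed: mail attribute missing
     "givenName": "Carol", "sn": "Clark", "uid": "carol"},
]
# Constructed sample: PAM-backed logins previously created in SUSE Manager by the sync.
EXISTING_PAM_USERS = {"alice", "dave"}


@dataclass
class SyncPlan:
    create: list   # LDAP entries that become new PAM-backed SUSE Manager users
    delete: list   # SUSE Manager logins whose LDAP entry left the group
    skipped: dict  # uid (or DN) -> names of missing required attributes


def plan_sync(members, existing, allow_empty_group=False):
    """Compute creates and deletes; refuse a mass delete when LDAP returned nothing (assumed safeguard)."""
    if not members and not allow_empty_group:
        raise RuntimeError("LDAP group returned no members; refusing to delete every synced user")
    create, skipped, wanted = [], {}, set()
    for entry in members:
        missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
        if missing:                       # incomplete entry: report it, never half-create a user
            skipped[entry.get("uid") or entry["dn"]] = missing
            continue
        wanted.add(entry["uid"])
        if entry["uid"] not in existing:
            create.append(entry)
    delete = sorted(existing - wanted)    # group membership removed -> account removed
    return SyncPlan(create, delete, skipped)


def config_mode_is_private(mode):
    """True if a file mode grants nothing to group/other; the YAML holds two plaintext passwords."""
    return mode & 0o077 == 0
```

Because the configuration file stores both the LDAP bind password and a SUSE Manager administrator password in clear text, `config_mode_is_private` can be applied to `os.stat("/etc/rhn/sw-ldap-user-sync.conf").st_mode` before running the sync.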