RBAC aware user provisioning
Perl script developed to make Role Based Access Control easy to use and provision.
Today only supported on Solaris 8, 9 and 10. Might also work on Solaris 11, need testing.
The toolkit needs a main repository. Currently supported on Solaris 10 Trusted Extensions, as labels are used to determine where to provision the user. This requirement is about to be removed, as some non TX customers are interested in the solution.
A harvest script runs on the master server and collects information from /etc/passwd, /etc/shadow, /etc/user_attr, /etc/security/prof_attr, /etc/security/auth_attr and /etc/security/exec_attr. It will also collect public ssh keys from all users.
Passwors will not be harvested for users, but only configure ssh keys. Passwords for roles will be harvested and configured on target.
The final action for the harvest script is to stream a tar file to each target server, and leave on file in the home directory for a transfer user.
PS : The transfer user does not need to be privileged, as no action is performed until the target executes the make_user.pl script, which imports the changes. Typically every hour.
Today only supported on Solaris 8, 9 and 10. Might also work on Solaris 11, need testing.
The toolkit needs a main repository. Currently supported on Solaris 10 Trusted Extensions, as labels are used to determine where to provision the user. This requirement is about to be removed, as some non TX customers are interested in the solution.
A harvest script runs on the master server and collects information from /etc/passwd, /etc/shadow, /etc/user_attr, /etc/security/prof_attr, /etc/security/auth_attr and /etc/security/exec_attr. It will also collect public ssh keys from all users.
Passwors will not be harvested for users, but only configure ssh keys. Passwords for roles will be harvested and configured on target.
The final action for the harvest script is to stream a tar file to each target server, and leave on file in the home directory for a transfer user.
PS : The transfer user does not need to be privileged, as no action is performed until the target executes the make_user.pl script, which imports the changes. Typically every hour.
