Hello,
I'm building a RHEL 6.6 server and integrating it with my LDAP server. I created a bash script to automatically run after the OS is deployed which will define specific LDAP groups and add them to /etc/sudoers and /etc/ssh/sshd_config. This is great to automatically grant groups of users access, but what if I want to automatically grant an individual user instead? Specifically, what if I want to grant the user that logged into vRA and requested the RHEL server? I would like to know if it's possible to identify the LDAP account of the user who logged into vRA and requested the RHEL server, and somehow pipe that into the bash script so when the script runs, it calls that info and adds the individual user. Is the bash script even the way to do this, or is there another mechanism that can achieve this?
The idea is to limit access to root/ssh to the individual that deployed it.
Assuming it's the same identity source as you are using for vRA, then you could pipe through the "requestedBy" custom property into Orchestrator and inject that as an argument to your script. I'm assuming that you are using the "run a script in guest OS" workflow here, and not using the guest agent.
I have done something similar in the past, where I created a script that creates a local user (on Linux, not integrated with LDAP) with the same name as the virtual machine requester and adds that user to the sudoers. The following blog post shows something similar, but for a Windows virtual machine; I believe you can use {Owner} as the value you need, see: Add requester to Administrator Group of Windows VM in vCAC 6 – VMtoCloud.com
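The guest-side half of what the two replies above describe, as an added example that is not either poster's script: it takes the requester value (the "requestedBy" / {Owner} custom property) as its first argument, normalizes it to a login name, and grants that one account sudo and ssh. It assumes the vRO "run script in guest OS" workflow passes the requester as the first argument, that /etc/sudoers still carries the RHEL 6 default `#includedir /etc/sudoers.d`, and that the account already resolves through sssd/nss_ldap (it never creates a local user). The validation step matters: the value reached the guest from a web portal and a directory, and it is about to be written into sudoers, so only a plain POSIX login name is accepted.

```shell
#!/bin/sh
# Added example (not the posters' scripts): take the vRA "requestedBy"/{Owner}
# value as $1 and grant that one account sudo and ssh on a RHEL 6 guest.
# Assumptions: vRO's "run script in guest" passes the requester as the first
# argument; /etc/sudoers has the RHEL 6 default "#includedir /etc/sudoers.d";
# the account already resolves through sssd/nss_ldap (we never create it).

# Normalize what vRA hands us: "AD\jsmith", "JSmith@users.AD.com" or "jsmith".
requester_to_login() {
    printf '%s\n' "$1" | sed -e 's/.*\\//' -e 's/@.*//' | tr '[:upper:]' '[:lower:]'
}

# The value came from a web portal and a directory, so treat it as untrusted
# before it lands in sudoers: allow only a plain POSIX login name.
valid_login() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

sudoers_entry() { printf '%s ALL=(ALL) ALL\n' "$1"; }
sshd_entry()    { printf 'AllowUsers %s\n' "$1"; }

grant_requester() {
    login=$(requester_to_login "$1")
    valid_login "$login" || { echo "refusing unsafe requester value: $1" >&2; return 1; }
    getent passwd "$login" >/dev/null || { echo "account not found in LDAP: $login" >&2; return 1; }

    # Write the sudoers rule as a drop-in, syntax-checked before it can take effect.
    tmp=$(mktemp /tmp/sudoers.XXXXXX) || return 1
    sudoers_entry "$login" > "$tmp"
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/90-vra-$login"
    rm -f "$tmp"

    # Add an AllowUsers line once, validate the config, then reload sshd.
    line=$(sshd_entry "$login")
    grep -qxF "$line" /etc/ssh/sshd_config || printf '%s\n' "$line" >> /etc/ssh/sshd_config
    sshd -t && service sshd reload
}

# Only act when invoked with the requester as an argument, e.g.
#   ./grant-requester.sh 'AD\jsmith'
if [ $# -eq 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    grant_requester "$1"
fi
```

One caveat before combining this with the group script from the question: sshd applies every allow/deny directive present (DenyUsers, AllowUsers, DenyGroups, then AllowGroups), so if the base script already emits `AllowGroups` for the LDAP groups, adding an `AllowUsers` line means the requester must also belong to an allowed group, and the group members who are not listed in `AllowUsers` are locked out. If the base script uses `AllowGroups`, put the requester into a local group that is also listed there (for example `groupadd vra-requesters` once, then `gpasswd -a "$login" vra-requesters`, which accepts any account `getent passwd` resolves) instead of emitting `AllowUsers`.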
We will be using the same identity source in this case. Let's take this a step further... if I built a Windows AD forest:
users.AD.com is the identity source for vRA, and dev.AD.com is the domain I'm integrating the RHEL box into. I'm not an expert, but assuming there is a trust relationship (and in a forest I believe there is), I should be able to achieve the same goal?