VMware Cloud Community
TimR26
Enthusiast

vRA7 RHEL 6.6 Blueprint / LDAP integration

Hello,

I'm building a RHEL 6.6 server and integrating it with my LDAP server. I created a bash script to automatically run after the OS is deployed, which will define specific LDAP groups and add them to /etc/sudoers and /etc/ssh/sshd_config. This is great to automatically grant groups of users access, but what if I want to automatically grant an individual user instead? Specifically, what if I want to grant the user that logged into vRA and requested the RHEL server? I would like to know if it's possible to identify the LDAP account of the user who logged into vRA and requested the RHEL server, and somehow pipe that into the bash script so that when the script runs, it reads that info and adds the individual user. Is the bash script even the way to do this, or is there another mechanism that can achieve this?

The idea is to limit access to root/ssh to the individual that deployed it.


Accepted Solution
GrantOrchardVMw
Commander

Assuming it's the same identity source as you are using for vRA, then you could pipe through the "requestedBy" custom property into Orchestrator and inject that as an argument to your script. I'm assuming that you are using the "run a script in guest OS" workflow here, and not using the guest agent.

Grant http://grantorchard.com

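One way to wire up the suggestion above, as an added example rather than anything posted in this thread: a POSIX shell post-deploy script that takes the requester as its single argument (assumed to be fed from the "requestedBy" property by the vRO run-script-in-guest workflow) and grants that one account sudo and SSH. The realm stripping, the 90-vra-requester file name and the sample sshd_config lines are assumptions made for the example. Because the value from vRA ends up inside sudoers and sshd_config, it is whitelisted before it touches either file. Run with no argument the script exercises the functions on throwaway files in a temp directory; run with one argument it edits the real host.

```shell
#!/bin/sh
# Added example (not the original poster's script): post-deploy hook that
# grants sudo and SSH to the single account that requested the VM.
# Assumption: the requester arrives as argument $1, e.g. injected from vRA's
# "requestedBy" custom property by a vRO "run script in guest" workflow.
set -eu

# requestedBy is typically UPN-style (user@users.AD.com). This host's SSSD is
# assumed to present AD accounts by short name, so the realm is dropped.
login_name() { printf '%s\n' "${1%%@*}"; }

# Refuse anything that is not a plain account name. The value is written into
# sudoers and sshd_config, so a space, newline or '#' could smuggle in extra
# directives; a strict whitelist rules that out.
valid_login() {
    name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # any char outside the whitelist
        [.-]*) return 1 ;;                # must not start with '.' or '-'
    esac
    return 0
}

# One drop-in under sudoers.d, syntax-checked with visudo when running as
# root (a broken sudoers fragment breaks sudo for everyone on the host).
grant_sudo() {
    user="$1"; dir="${2:-/etc/sudoers.d}"
    dropin="$dir/90-vra-requester"
    printf '%s ALL=(ALL) ALL\n' "$user" > "$dropin"
    chmod 0440 "$dropin"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dropin" >/dev/null || { rm -f "$dropin"; return 1; }
    fi
}

# Append the user to the first existing AllowUsers line (once), or add one.
# Writing back with cat keeps sshd_config's owner and mode (0600 on RHEL).
grant_ssh() {
    user="$1"; cfg="${2:-/etc/ssh/sshd_config}"
    awk -v u="$user" '
        /^[[:space:]]*AllowUsers[[:space:]]/ && !found {
            found = 1
            for (i = 2; i <= NF; i++) if ($i == u) present = 1
            if (!present) $0 = $0 " " u
        }
        { print }
        END { if (!found) print "AllowUsers " u }
    ' "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Real run: invoked by the workflow with the requester as the only argument.
main() {
    user="$(login_name "$1")"
    valid_login "$user" || { echo "refusing suspicious requester '$1'" >&2; return 1; }
    grant_sudo "$user"
    grant_ssh "$user"
    # Validate before reloading; a bad sshd_config would lock the box out.
    sshd -t && service sshd reload
}

# Offline demo on constructed files (used when no argument is given).
run_demo() {
    tmp="$(mktemp -d)"
    mkdir "$tmp/sudoers.d"
    # constructed sample config: a commented-out directive and a live one
    printf 'Port 22\n#AllowUsers nobody\nAllowUsers opsadmin\n' > "$tmp/sshd_config"
    user="$(login_name 'tim.requester@users.AD.com')"
    valid_login "$user"
    grant_sudo "$user" "$tmp/sudoers.d"
    grant_ssh "$user" "$tmp/sshd_config"
    cat "$tmp/sudoers.d/90-vra-requester" "$tmp/sshd_config"
    rm -rf "$tmp"
}

if [ "$#" -ge 1 ]; then main "$1"; else run_demo; fi
```

Two sshd caveats matter before combining this with the group-based access from the original script: AllowUsers and AllowGroups are both evaluated, so when both are present a user has to satisfy both, and an AllowUsers entry of the form user@host is read by sshd as a source-host restriction, which is why the UPN realm is stripped rather than written through.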

3 Replies
rcporto
Leadership

I did something similar in the past, where I created a script that creates a local user (on Linux, not integrated with LDAP) with the same name as the virtual machine requester and adds that user to the sudoers file. The following blog post shows something similar, but for a Windows virtual machine; I believe you can use {Owner} as the value you need, see: Add requester to Administrator Group of Windows VM in vCAC 6 – VMtoCloud.com

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
TimR26
Enthusiast

We will be using the same identity source in this case. Let's take this a step further... if I built a Windows AD forest:

[image: AD forest diagram]

users.AD.com is the identity source for vRA, dev.AD.com is the domain I'm integrating the RHEL box into. I'm not an expert, but assuming there is a trust relationship (and in a forest I believe there is), I should be able to achieve the same goal?
