About
The shell connector manipulates coach shell accounts by running remote ssh commands on coach. SSH keys are set up to allow idm-prod to ssh to coach.
Definitions
- Account Exists
  - Grep /etc/passwd for the user's uid. If the result is not an empty string, the account exists.
- Enable Account
  - passwd is unlocked, chage is 'unaged'
- Disable Account
  - passwd is locked, chage expire is set to 0
- Status
  - active: User has an account and the password hash does not begin with ! (indicates password is unlocked)
  - inactive: User does not have an account or the password hash begins with ! (indicates password is locked)
Enable Account
Arguments: uid, data - full_name, password (optional), uid_number (optional)
The full_name argument is required in data even if the user already has an account. If the account already exists, the full_name data is ignored.
Tests whether the user's account exists and whether it is active. If no account exists, it is created. If the account is not active, it is set to active.
Disable Account
Arguments: uid
If the account does not exist, nothing is done and the connector reports success. If the account exists, the password is locked (passwd -l) and the account is set to expired using chage.
Account Information
Arguments: None
If the account exists, a dictionary of 'user', 'password', 'uid', 'gid', 'gecos', 'home', 'shell' and 'status' is returned. If the account does not exist, only the status systems.NO_ACCOUNT is returned.
Update Account

Partially implemented pending further discussion. UID must remain read-only, and a list of valid attributes should be added to prevent erroneous data from being written to the shell account.
Arguments: uid, data - gecos, shell, password
The shell connector allows the gecos, shell and password to be changed for the user. Other attributes will be added as needed.
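One way the attribute allowlist described above could look, shown as an added example and not the connector's own code. The validation rules, the shell list, the use of usermod and chpasswd, and the names validate_update and build_remote_commands are all assumptions.

```python
import re
import shlex

# Assumed rules for illustration; usermod/chpasswd and the shell list are not
# taken from the connector's code.
WRITABLE = {"gecos", "shell", "password"}      # uid is absent: read-only
VALID_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/sbin/nologin"}
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
GECOS_BAD = re.compile(r"[:\x00-\x1f\x7f]")    # ':' or control chars corrupt passwd fields


class InvalidUpdate(ValueError):
    """Raised when an update request must not reach the remote host."""


def validate_update(uid, data):
    """Check uid and data against the allowlist; return a cleaned copy of data."""
    # fullmatch, not match with '$', so a trailing newline cannot slip through
    if not isinstance(uid, str) or not UID_RE.fullmatch(uid):
        raise InvalidUpdate("invalid uid")
    unknown = set(data) - WRITABLE
    if unknown:
        raise InvalidUpdate("not writable: " + ", ".join(sorted(unknown)))
    if any(not isinstance(v, str) for v in data.values()):
        raise InvalidUpdate("values must be strings")
    if "gecos" in data and GECOS_BAD.search(data["gecos"]):
        raise InvalidUpdate("invalid gecos")
    if "shell" in data and data["shell"] not in VALID_SHELLS:
        raise InvalidUpdate("invalid shell")
    pw = data.get("password")
    if pw is not None and (pw == "" or "\n" in pw or "\r" in pw):
        raise InvalidUpdate("invalid password")
    return dict(data)


def build_remote_commands(uid, data):
    """Return [(remote_command, stdin_text_or_None)] for the ssh layer to run."""
    clean = validate_update(uid, data)
    commands, args = [], []
    if "gecos" in clean:
        args += ["-c", clean["gecos"]]
    if "shell" in clean:
        args += ["-s", clean["shell"]]
    if args:
        # shlex.join quotes each argument for the remote shell
        commands.append((shlex.join(["usermod", *args, uid]), None))
    if "password" in clean:
        # Password travels on stdin so it never appears in a process listing
        commands.append(("chpasswd", "%s:%s\n" % (uid, clean["password"])))
    return commands
```

Each returned pair is meant to be run as one ssh invocation, with the second element written to the remote command's standard input when it is not None.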