Red Hat Training

A Red Hat training course is available for RHEL 8

33.2. 配置 IdM 阶段用户帐户的自动激活

此流程演示了如何创建用于激活阶段用户的脚本。系统在指定的时间间隔内自动运行 脚本。这样可确保新用户帐户自动激活并在创建后不久可用。

重要

该程序假定外部调配系统的所有者已经验证了用户,并且他们不需要在 IdM 侧进行额外验证,然后脚本将它们添加到 IdM。

仅在一个 IdM 服务器中启用激活过程就足够了。

先决条件

流程

  1. 为激活帐户生成 keytab 文件:

    # ipa-getkeytab -s server.idm.example.com -p "activator" -k /etc/krb5.ipa-activation.keytab

    如果您要在多个 IdM 服务器中启用激活过程,则仅在一个服务器上生成 keytab 文件。然后,将 keytab 文件复制到其他服务器。

  2. 创建一个脚本 /usr/local/sbin/ipa-activate-all,包含以下内容以激活所有用户:

    #!/bin/bash
    
    kinit -k -i activator
    
    ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate ${uid}; done
  3. 编辑 ipa-activate-all 脚本的权限和所有权,使其可执行:

    # chmod 755 /usr/local/sbin/ipa-activate-all
    # chown root:root /usr/local/sbin/ipa-activate-all
  4. 创建一个 systemd 单元文件 /etc/systemd/system/ipa-activate-all.service,内容如下:

    [Unit]
    Description=Scan IdM every minute for any stage users that must be activated
    
    [Service]
    Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
    Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
    ExecStart=/usr/local/sbin/ipa-activate-all
  5. 创建一个 systemd 计时器 /etc/systemd/system/ipa-activate-all.timer,内容如下:

    [Unit]
    Description=Scan IdM every minute for any stage users that must be activated
    
    [Timer]
    OnBootSec=15min
    OnUnitActiveSec=1min
    
    [Install]
    WantedBy=multi-user.target
  6. 重新载入新配置:

    # systemctl daemon-reload
  7. 启用 ipa-activate-all.timer:

    # systemctl enable ipa-activate-all.timer
  8. 启动 ipa-activate-all.timer:

    # systemctl start ipa-activate-all.timer
  9. (可选)验证 ipa-activate-all.timer 守护进程正在运行:

    # systemctl status ipa-activate-all.timer
    ● ipa-activate-all.timer - Scan IdM every minute for any stage users that must be activated
       Loaded: loaded (/etc/systemd/system/ipa-activate-all.timer; enabled; vendor preset: disabled)
       Active: active (waiting) since Wed 2020-06-10 16:34:55 CEST; 15s ago
      Trigger: Wed 2020-06-10 16:35:55 CEST; 44s left
    
    Jun 10 16:34:55 server.idm.example.com systemd[1]: Started Scan IdM every minute for any stage users that must be activated.