40.2. Configuring automatic activation of IdM stage user accounts

This procedure shows how to create a script that activates stage users. The system runs the script automatically at a specified interval, so new user accounts are activated automatically and become usable shortly after they are created.

Important

This procedure assumes that the owner of the external provisioning system has already validated the users and that they require no additional validation on the IdM side before the script adds them to IdM.

It is sufficient to enable the activation process on only one IdM server.

Prerequisites

Procedure

  1. Generate a keytab file for the activation account:

    # ipa-getkeytab -s server.idm.example.com -p "activator" -k /etc/krb5.ipa-activation.keytab

    If you want to enable the activation process on multiple IdM servers, generate the keytab file on only one server. Then copy the keytab file to the other servers.

  2. Create the /usr/local/sbin/ipa-activate-all script with the following contents to activate all users:

    #!/bin/bash
    
    # Obtain a Kerberos ticket for the activator account from the client
    # keytab named in KRB5_CLIENT_KTNAME (set in the systemd unit).
    kinit -k -i activator
    
    # List all stage users and activate every uid found in the raw output.
    ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate "${uid}"; done

  3. Edit the permissions and ownership of the ipa-activate-all script to make it executable:

    # chmod 755 /usr/local/sbin/ipa-activate-all
    # chown root:root /usr/local/sbin/ipa-activate-all

  4. Create a systemd unit file /etc/systemd/system/ipa-activate-all.service with the following contents:

    [Unit]
    Description=Scan IdM every minute for any stage users that must be activated
    
    [Service]
    Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
    Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
    ExecStart=/usr/local/sbin/ipa-activate-all

  5. Create a systemd timer /etc/systemd/system/ipa-activate-all.timer with the following contents:

    [Unit]
    Description=Scan IdM every minute for any stage users that must be activated
    
    [Timer]
    OnBootSec=15min
    OnUnitActiveSec=1min
    
    [Install]
    WantedBy=multi-user.target

  6. Reload the new configuration:

    # systemctl daemon-reload

  7. Enable ipa-activate-all.timer:

    # systemctl enable ipa-activate-all.timer

  8. Start ipa-activate-all.timer:

    # systemctl start ipa-activate-all.timer

  9. (Optional) Verify that the ipa-activate-all.timer daemon is running:

    # systemctl status ipa-activate-all.timer
    ● ipa-activate-all.timer - Scan IdM every minute for any stage users that must be activated
       Loaded: loaded (/etc/systemd/system/ipa-activate-all.timer; enabled; vendor preset: disabled)
       Active: active (waiting) since Wed 2020-06-10 16:34:55 CEST; 15s ago
      Trigger: Wed 2020-06-10 16:35:55 CEST; 44s left
    
    Jun 10 16:34:55 server.idm.example.com systemd[1]: Started Scan IdM every minute for any stage users that must be activated.
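As an added example (not the script from this documentation and not part of IdM itself), the following variant of ipa-activate-all puts the same parsing of `ipa stageuser-find --all --raw` into a function, refuses to run when the activation keytab is readable by other local users, records every activation and failure in the journal through logger, and only performs real activations when invoked with the argument `activate`; without that argument it does an offline dry run over constructed sample output. The function names, the `activate` argument, the DRY_RUN variable and the sample output are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the script from the Red Hat documentation.
# Behaves like /usr/local/sbin/ipa-activate-all when called with "activate";
# with no argument it only shows what it would do, using embedded sample output.

KEYTAB="${KRB5_CLIENT_KTNAME:-/etc/krb5.ipa-activation.keytab}"
LOGTAG="ipa-activate-all"

# Constructed sample of `ipa stageuser-find --all --raw` output (offline dry run only).
SAMPLE_RAW_OUTPUT='----------------
2 users matched
----------------
  dn: uid=jdoe,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
  uid: jdoe
  givenname: John
  sn: Doe

  dn: uid=asmith,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
  uid: asmith
  givenname: Alice
  sn: Smith
----------------------------
Number of entries returned 2
----------------------------'

# Print one uid per line from --raw output read on stdin. Only attribute lines
# of the form "  uid: <value>" count; the dn line also contains "uid=" but is
# deliberately ignored. Surrounding whitespace is trimmed.
extract_stage_uids() {
    grep '^  uid:' | cut -d ':' -f 2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Number of stage uids in the --raw output passed as $1.
count_stage_uids() {
    printf '%s\n' "$1" | extract_stage_uids | awk 'END { print NR }'
}

# Succeed only if the keytab exists and is readable by neither group nor others:
# anyone who can read it can obtain the activator's ticket.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Activate every uid read on stdin. With DRY_RUN=1, only report.
# Returns 1 if any activation failed, so systemd records the unit as failed.
activate_uids() {
    local uid rc=0
    while IFS= read -r uid; do
        [ -n "$uid" ] || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would activate stage user: $uid"
            continue
        fi
        if ipa stageuser-activate "$uid" >/dev/null; then
            logger -t "$LOGTAG" "activated stage user $uid"
        else
            logger -t "$LOGTAG" -p auth.err "failed to activate stage user $uid"
            rc=1
        fi
    done
    return "$rc"
}

main() {
    if [ "${1:-}" = "activate" ]; then
        check_keytab_perms "$KEYTAB" || {
            logger -t "$LOGTAG" -p auth.err "refusing to run: $KEYTAB is missing or readable by group/others"
            return 1
        }
        # As in the documented script: obtain a ticket from the client keytab
        # named by KRB5_CLIENT_KTNAME, which the systemd unit sets.
        kinit -k -i activator || { logger -t "$LOGTAG" -p auth.err "kinit failed"; return 1; }
        ipa stageuser-find --all --raw | extract_stage_uids | activate_uids
    else
        # Offline dry run over the constructed sample output.
        printf '%s\n' "$SAMPLE_RAW_OUTPUT" | extract_stage_uids | DRY_RUN=1 activate_uids
    fi
}

main "$@"
```

If this variant is used instead of the documented script, the unit's ExecStart line has to pass the argument, for example ExecStart=/usr/local/sbin/ipa-activate-all activate; the journal entries written by logger then give an audit trail of which accounts the timer activated, and when, which is the record to consult since the accounts receive no further validation on the IdM side.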