Skip to main content

MIT Kerberos Connector

This connector supports both Identity and Provisioning.

The functionalities of this connector enable you as an Identity administrator to configure MIT Kerberos as a connected system and then make Identity users part of the MIT Kerberos system. This enables the user or Identity administrator to reset MIT Kerberos account passwords. This also enables you to enable and disable user accounts.

The connector enables the integration of MIT Kerberos into Identity. With Identity, users can reset their password when they forget their password or want to change their password.

Note: MIT Kerberos is not available on Windows; so if the Identity Server is running on Windows, a GIG must be installed on the UNIX/Linux platform hosting the MIT Kerberos Server.

Functionalities

Identity Integration

Product Feature

Supported

Authenticate (Test Connection)

Yes

Validate User

Yes

Enable/Disable User

Yes

Reset Password

Yes

Expire Password Immediately

Yes

Expire Password by Date

No

Provisioning Integration

Data Format

Export

Create

Modify

Delete

Trigger

Profiles

Yes

Yes

Yes

Yes

No

Prerequisites

Ensure that these prerequisites are satisfied:

  • MIT Kerberos is installed, configured, and running
  • An administrator account that can be used to establish a connection and has authority to manage accounts on the connected system.
  • An enabled port that is not blocked by a firewall.
  • In the kadmin.acl file, the administrator user set up for the identity administration should at least have these rights:

    • -changepw: c
    • modify: m
    • -inquire: i

Minimum privileges are: mci.

A privilege is set in the .acl file in the format: user/instance privileges.

A lower case letter specifies allowing a privilege, an uppercase letter specifies disallowing a privilege.

Creating and Managing the Connected System from Admin UI

Connected system can be managed from both Admin UI and Workflow and Connectivity studio. The step by step explanation to create is provided in the following sub sections. Clicking on the connected system from the listing page(admin UI)/selecting the desired system and clicking on View button(Studio) will take you to a detail page where you can can manage the connected system.

Create from Admin UI

  1. Log in to Identity Administration and click the Systems tab.

  2. On the Connected System View page, click the Add button and select the Flat File connected system from the Type drop-down list. The Connected System Details page displays the default values:


  3. Enter the desired information:

    Definition 

    Supported Connectors
    Displays whether the connected system is Identity only, Provisioning only, or both.
    Type
    Select the connected system type.

    Locale
    Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system.
    Name
    The name for this connected system. Note: The name cannot be modified later.
    Display Name
    The display name of the new connected system.
    Description
    The description of the connected system.

    Associated With 


    Select how the connector associated with this system will run:

    • Server (default) - Runs locally on the Provisioning/Identity Server.
    • Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
    • See Using the Global Identity Gateway with Connected Systems for additional information.
    Password Reset By  Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
    • OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
    • Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
    • External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.

    Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
    Provisioning Option
    Select the provisioning option:
    • Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
    • Administrative - The connected system cannot be used as an object in a workflow.
    Enable HPAM Support 
    Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
    Connection Information 

    Path kadmin

    The path to the kadmin binary (e.g., /usr/sbin/kadmin), which is used by the connector.

    Service Account Name

    The name of the administrator account on the KAdminD Server.

    Service Account Password

    The administrator password on the KAdminD Server.

    Host[:port]

    The address of the KAdminD Server in the form address[:port]. Note: This is required only if there are remote Kerberos Servers that are to be managed from the UNIX/Linux platform where the GIG or Identity Server is installed and where the kadmin binaries reside.
    Password Expirations Support 

    Expiration Options For Admin/OBO User Password Reset

    Specify the password expiration: None, Immediate, or Immediate with Date. Note: If Immediate with Date is selected, Immediate is also available.

    The Detect button creates a connection to the connected system using current configuration settings. The connector then attempts to determine correct values for the settings, which are auto-detected, and then these settings are updated with detected values.

    System Owner

    Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.

  4. Click the Test Connection button to test the Connection Information:

    • If successful, one or both of these messages may display:

    Message: Connection from Provisioning to the connected system was established successfully.
    Message: Connection from Identity to the connected system was established successfully.

    • If unsuccessful, one or both of these messages may display:

    Error: Failed to establish connection from Provisioning to the connected system.
    Error: Failed to establish connection from Identity to the connected system.

    Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.

  5. (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:


    1. Select the owners and then click the Select button. The system owner displays under the System Owner section:


      Note: More than one user can be assigned as an owner.

    2. To add additional system owners, click the Add button.

  6. On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:


    1. Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 6.
    2. Click the Add Association button to associate the selected object categories to the connected system.

  7. Click the Back button to return to the Connected System View page. The new connected system displays in the list.

 See Copying, Modifying, and Deleting Connected Systems for additional information.

Using the Connected System for Identity

Perform these procedures to configure the connector:

  • Connector Details for Identity
  • Identity Password Management

Connector Details for Identity

This table lists values to enter when associating the Identity user with an existing user in the connected system:


Field

System Attribute

Example Value

Account ID

principal

BLANE


Identity Password Management

See the Identity Suite Administration Guide for details on password management.

Password View

Clicking the Password View button on the Modify Profile User Details page displays the User Password Management page. This page enables you to manage user account passwords on the Identity Server and various connected systems:


Note: Identity interrogates the status of the user accounts on all systems. This could take some time if the user has accounts on numerous systems. Status messages display the progress. For example, if the user has accounts on IdentityServer and three connected systems (Test System 01, Test System 02, and Test System 03), status messages similar to these display:

Checking user status on IdentityServer:                   Completed
Checking user status on Test System 01:                 Completed
Checking user status on Test System 02:                 Please wait ....
Checking user status on Test System 03:                 Please wait ....

See the User Management chapter in the Identity Suite Administration Guide for a description of the User Password Management page.

Add Password Management Users

Clicking the Add button on the User Password Management page displays the Add Password Management Users page:


This page enables you to add a user account on a connected system to be associated with an Identity profile to group user accounts on the Identity Server and various connected systems to share the same password.

See the User Management chapter in the Identity Suite Administration Guide for a description of the Add Password Management Users page.

Creating the Connected System in the Studio

  1. Log in to the Workflow and Connectivity Studio and click Connectivity _ Add Systems on the menu bar. The Add Connected Systems window displays.

  2. Select the MIT Kerberos connected system from the Type drop-down list. The default values display:


  3. Enter the desired information:

    Definition 
    Type Select the connected system type.
    Name  The name for this connected system. Note: The name cannot be modified later.
    Display Name  The display name of the new connected system.
    Description  The description of the connected system.
    Supported Connectors  Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
    Associated With  Select how the connector associated with this system will run:
    • Server (default) - Runs locally on the Provisioning/Identity Server.
    • Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
    Password Reset By Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
    • OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
    • Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
    • External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.

    Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.

    Provisioning Option 

    		  Select the provisioning option:
    • Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
    • Administrative - The connected system cannot be used as an object in a workflow.
    Enable HPAM Support 
    Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
    Connection Information 

    Path to kadmin

    The path to the kadmin binary (e.g., /usr/sbin/kadmin), which is used by the connector.

    Service Account Name

    The name of the administrator account on the KAdminD Server.

    Service Account Password

    The administrator password on the KAdminD Server.
    Definition

    Host[:port]

    The address of the KAdminD Server in the form address[:port]. Note: This is required only if there are remote Kerberos Servers that are to be managed from the UNIX/Linux platform where the GIG or Identity Server is installed and where the kadmin binaries reside.
    Password Expiration Support

    Expiration Options

    For Admin/OBO User Password Reset Specify the password expiration: None or Immediate,

  4. Click the Test Connection button to test the Connection Information:

    • If successful, this message displays:

    Message: Connection from Studio to the connected system was established successfully.

    • If unsuccessful,this message displays:

    Error: Failed to establish connection from Studio to the connected system.

    Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.

  5. Click the Apply button to apply changes. The Category Association window displays.

    1. Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 5.

    2. Click the Add button to associate the selected object categories to the connected system.

  6. Click OK to accept selected categories.

 See Copying, Modifying, and Deleting Connected Systems for additional information.

Using the Connected System for Provisioning

Perform these procedures to configure the connector:

Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.

 Configuring for Export

Perform these procedures to configure the connector for data export:

From the Workflow and Connectivity Studio, select the MIT Kerbero UserExport workflow listed under the projects folder.

If a workflow does not already exist, create an export workflow. See the Workflow and Connectivity Studio document for details on creating export workflows.

Configuring the Export Connector

  1. In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:


  2. From the Configure Plug-in tab, set these properties as required:

    Name Description
    Associated Connected System Select the connected system from the list. The export operation will be done from this connected system.
    Data Formats  Select the type of data format to use: Profiles (default) or ChangeLog.
    DeltaExportMode

    Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):

    OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run.

    ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not.

    AllAttributes - Performs a full export of all attributes that contain a value.
    DynamicConnectedSystem Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
    DynamicConnectedSystemOption Select how to control Dynamic System Support (DSS):
    • None - There will not be any Dynamic System Support.
    • Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
    • GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.

    ExportMode

    Select the type of data to export:

    • FullExport - Exports all attributes.
    • DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
    Filter  Specify search criteria to determine the objects to be exported from the container specified in ExportDN. Use the Set Filter button that becomes active to create a filter. See "Set Filter" on page 34 for additional information.

    FoldSubRecords

    If this property is TRUE, the sub records will be folded and returned as attributes.

    GetPrincipal

    Option to fetch details of a user by providing principal

    MaxResults

    Select the maximum number of results to be returned. If this property has a value "0", all the entries matching the search criteria are returned.

    ResultsPerPage

    Select the no. of entries fetched in a single call. Default value is 100.
  3. (Optional) Select the Attributes Only standard attributes display:


    Modify schema attributes using these buttons:

    Add

    Adds additional attributes to the list. The Add New Attribute dialog displays.

    Export

    Exports the schema list to an XML file.

    Import

    Imports the schema list from an XML file.

    Refresh Schema

    Dynamically discovers the schema from the connected system. It also includes local as well as global attributes added in the Studio.

    Reset Schema

    Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added.
  4. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.

  5. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  6. In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. This Configure Link window displays:



    Source Attributes

    Select the attributes to export.

    Selected Attributes

    Displays default attributes and those attributes that have been selected from the Source Attributes. Check the box of any selected attribute required for a delta export.

    Format

    Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute’s value is converted to the specified format. See the Format Date steps below for additional information.

    Notes:

    • The Format button is only enabled for date attributes.
    • The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.

    Key Attribute

    Displays the attribute designated as the key attribute. For CSV and Excel (*.xlsx) data format, multiple attributes can be set as Key Attribute. The key value is generated by concatenating the value of key attributes in the order it is set.
  7. From the Attribute Selection tab, select attributes to export.

  8. (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.

    1. Select the Include Time check box to add the timestamp with the date.

    2. Select the 24 Hour or 12 Hour option button and then select the required date/time format.

    3. Click OK to save the selected format. The Configure Link window displays.

  9. (Optional) Select the Appearance tab to change how the link displays in the Design pane.

  10. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  11. (Optional) To create scripts for advanced functionality, right-click the export link and select the export task properties. See the section ‘Success Scripts and Failure Scripts’ in the Workflow and Connectivity Studio document for specific details.

  12. Deploy the workflow by selecting Deploy _ New Deployment. See the Workflow and Connectivity Studio document for details of deployment options.

  13. Manage and run the deployed workflow from the Admin UI _ Server tab. See the Identity Suite Administration Guide for details.

Configuring for Import

Perform these procedures to configure the connector for data import:

From the Workflow and Connectivity Studio, select the MITKerberos UserAdd, UserModify, or UserDelete workflow listed under the projects folder.

If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio document for details on creating import workflows.

Configuring the Import Connector

  1. In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:

  2. From the Configure Plug-in tab, set these properties as required:

    Associated Connected System Select the connected system from the list. The import operation will be done to this connected system.
    Data Formats Select the type of data format to use: CSV (default), Excel (*.xlsx), ExcelSheet, LDIF, Word (*.docx), WordTable (*.docx) or XML.
    DynamicConnectedSystem Select the global variable to use as the dynamic connected sys- tem name. This works in conjunction with DynamicCon- nectedSystemOption when GlobalVariable is selected.
    DynamicConnectedSystemOption Select how to control Dynamic System Support (DSS):
    • None - There will not be any Dynamic System Support.
    • Transaction-SystemName - The value of the Transaction- SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction- SystemName; if it is missing in data, the operation will fail.
    • GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
    See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.

    Id*

    Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.

    loginId*

    Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.

    SubRecordsInFolder State

    If this property is TRUE, connector will accept sub records folded as attributes.

    Notes:

    * Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the

    Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.

    Hover the pointer over a property to view its description.

  3. (Optional) Select the Attributes tab. Only standard attributes display:


    Modify schema attributes with the buttons.

  4. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
  5. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  6. In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). This Configure Link window displays:

    Source Attributes

    		 Select the attributes to import.
    Check for attribute-level auditing. If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes.

    Source Attributes

    Select the attributes to import.

    Selected Attributes

    Displays default attributes and those attributes that have been selected from the Source Attributes. Check the box of any attribute required for attribute-level auditing.

    Note: The default attributes are those that are commonly used to create a new user.

    Advanced Settings

    		 Displays the Configure Attributes window for selecting any attributes that need to be encrypted.

    Audit Key

    Select the attribute to associate with the Audit Key.
  7. From the Attribute Selection tab, select attributes to import.

  8. (Optional) Select the Appearance tab to change how the link displays in the Design pane.
  9. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
  10. Deploy the workflow by selecting Deploy ► New Deployment.
    See the Workflow and Connectivity Studio document for details of deployment options.
  11. Manage and run the deployed workflow from the Admin UI ► Server tab.
    See the Identity Suite Administration Guide for details.

Connector Details for Provisioning


Configuration import properties Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
This table shows the default attributes specified for these properties

Import Property System Attribute
Id Principal
loginId Principal

Connector Attributes

The command line attributes are designed to run a series of commands in the order which they are entered in the Data Mapper. In the event, if one of the commands returns an error, workflow execution will terminate at the command line where that script is run. The items in the MV (multi-valued), Export, Create, Modify, and Delete columns have these meanings:

  • Y = Yes (attribute is supported for this operation)
  • N = No (attribute is not supported for this operation)
  • R = Required (attribute is mandatory for this operation)

Name

MV

Export

Create

Modify

Delete

Description

AllowDupSKey

N

N

Y

Y

N

Enables user-to-user authentication for the principal by allowing the principal to obtain a session key for another user

AllowForwardable Tickets

N

N

Y

Y

N

Allows principals to obtain forward able tickets

AllowPostDated Tickets

N

N

Y

Y

N

Allows principals to obtain postdated tickets

AllowProxiable Tickets

N

N

Y

Y

N

Allows principals to obtain proxiable tickets

AllowRenewabl Tickets

N

N

Y

Y

N

Allows principals to obtain renewable tickets

AllowService

N

N

Y

Y

N

Allows the issuance of service tickets for the principals.

AllowTGServiceReq

N

N

Y

Y

N

Specifies that a Ticket-Granting Service (TGS) request for a service ticket for the principal is permitted.

AllowTix

N

N

Y

Y

N

Allows the issuance of any ticket for the principals.

Attributes

N

Y

Y

Y

Y

To retrieve a listing of

the attributes and/or policies associated with a principal,

ClearPolicy

N

N

Y

Y

N

Prevents any policy from being assigned when policy is not specified.

EncryptSalt

N

N

Y

Y

N

Uses the specified keysalt list for setting the keys of the principal

ExpirationDate

N

Y

Y

y

Y

Account expiry date

FailedPassword Attempts

N

Y

N

N

N

Sets the number of authentication failures before the principal is locked.

Authentication failures are only tracked for principals which require pre-authentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate.

Key

Y

Y

N

N

N

Causes the principal to be created with key.

KeyVersionNumber

N

N

Y

Y

N

The initial key version number

LastFailed Authentication

N

Y

N

N

N

Date of the last failed authentication.

LastModified

N

Y

N

N

N

Date of the last modification done for the principal.

LastPassword Change

N

Y

N

N

N

Date of the last Password change.

LastSuccessful Authentication

N

Y

N

N

N

Date of the last Successful Authentication.

Maximum RenewableLife

N

Y

Y

Y

N

The maximum renewable life of tickets for the principal.

MaximumTicketLife

N

Y

Y

Y

N

Maximum Ticket life for the principal.

MKey

N

Y

N

N

N

Principal Master Key.

NeedChange

N

N

Y

Y

N

Forces a password change on the next initial authentication to this principal.

NoAuthData Required

N

N

Y

Y

N

Prevents PAC or AD- SIGNEDPATH data from being added to service tickets for the principal.

NoKey

N

N

Y

Y

N

Causes the principal to be created with no key.

OkAsDelegate

N

N

Y

Y

N

Sets the okay as delegate flag on tickets issued with the principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service.

OkToAuthAs Delegate

N

N

Y

Y

N

Allows the principal to acquire forward able tickets to itself from arbitrary users, for use with constrained delegation.

Original_Principal

N

Y

Y

Y

N

Specifies the current name of the account during a rename operation.

Password

N

N

R

N

N

Password of the Principal used for login.

PasswordChanging Service

N

N

Y

Y

N

Marks the principal as a password change service principal.

PasswordExpiration Date

N

N

Y

Y

Y

The password expiration date.

Principal

N

Y

R

Y

Y

Unique key for the user name. (Name of the user.)

Policy

N

Y

Y

Y

Y

The password policy used by this principal. If not specified, the policy default is used if it exists.
Was this article helpful?