--- title: Kerberos connector description: Connectors continue to be released outside the IDM release. For the latest documentation, refer to the OpenICF documentation. component: pingidm version: 7.2 page_id: pingidm:connector-reference:kerberos canonical_url: https://docs.pingidentity.com/pingidm/7.2/connector-reference/kerberos.html section_ids: ssh-kerberos-schema: Kerberos connector schema ssh-kerberos-config: Configure the Kerberos connector implemented-interfaces-org-forgerock-openicf-connectors-kerberos-KerberosConnector-1.5.20.15: OpenICF Interfaces Implemented by the Kerberos Connector config-properties-org-forgerock-openicf-connectors-kerberos-KerberosConnector-1.5.20.15: Kerberos Connector Configuration configuration-properties-org-forgerock-openicf-connectors-kerberos-KerberosConnector-1.5.20.15: Configuration properties --- # Kerberos connector | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Connectors continue to be released outside the IDM release. For the latest documentation, refer to the [OpenICF documentation](https://docs.pingidentity.com/openicf/index.html). | The Kerberos connector is an implementation of the SSH connector, and is based on Java Secure Channel (JSch) and the Java implementation of the Expect library (Expect4j). The Kerberos connector lets you manage Kerberos user principals from IDM. The connector bundles a number of Groovy scripts, to interact with a Kerberos admin server. You should not edit the bundled Groovy scripts. The scripts use the `kadmin` utility to communicate with the Kerberos server. The Kerberos connector lets you perform the following operations on Kerberos user principals: * List the existing principals. * Display the details of a principal. * Add a user principal. * Change the password of a user principal and unlock the principal. * Delete a user principal. ## Kerberos connector schema The Kerberos connector can only be used to manage the Kerberos `principal` object type (which maps to the OpenICF `__ACCOUNT__` object). The following attributes are supported in the schema: * `principal` - (maps to `__NAME__` and `__UID__`) * `__PASSWORD__` - updatable, required when an object is created * `__LOCK_OUT__` - updatable only; unlock an account by setting this attribute to `false` * `policy` - the password policy used by the principal * `expirationDate` - the date that the user principal expires * `passwordExpiration` - the date that the password expires * `maximumTicketLife` - the maximum ticket life for the principal. At the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime (`maximumRenewableLife`) is longer than the ticket lifetime, the ticket holder can present the ticket to the KDC and request a new ticket. * `maximumRenewableLife` - the period during which the ticket can be renewed. A renewed ticket usually has a new ticket lifetime, dating from the time that it was renewed, that is constrained by the renewable ticket lifetime. In addition, the following read-only attributes are supported: * `lastPasswordChange` * `lastModified` * `lastSuccessfulAuthentication` * `lastFailedAuthentication` * `failedPasswordAttempts` ## Configure the Kerberos connector Create a connector configuration using the admin UI: 1. From the navigation bar, click Configure > Connectors. 2. On the Connectors page, click New Connector. 3. On the New Connector page, type a Connector Name. 4. From the Connector Type drop-down list, select Kerberos Connector - 1.5.20.15. 5. Complete the Base Connector Details. 6. Click Save. Alternatively, configure the connector with a configuration file. \+ A sample connector configuration (`provisioner.openicf-kerberos.json`) is provided in the `/path/to/openidm/samples/sync-with-kerberos/conf/` directory. Copy the sample connector configuration to your project's `conf/` directory, and adjust it to match your Kerberos environment. 1. Set the authentication properties, as described in [Configure Authentication to the SSH Server](ssh.html#ssh-authentication). In addition, set at least the following properties: * `customConfiguration` Specify the details of the user principal and the default realm here. The sample connector configuration is as follows: ```json "customConfiguration" : "kadmin { cmd = '/usr/sbin/kadmin.local'; user = ''; default_realm = '' }" ``` A complete custom configuration will look something like this: ```json "customConfiguration" : "kadmin { cmd = '/usr/sbin/kadmin.local'; user = 'openidm/admin'; default_realm = 'EXAMPLE.COM' }" ``` * `customSensitiveConfiguration` Set the password for the user principal here. The sample connector configuration is as follows: ```json "customSensitiveConfiguration" : "kadmin {password = ''}" ``` Change this to reflect your user principal password, for example: ```json "customSensitiveConfiguration" : "kadmin {password = 'Passw0rd'}" ``` > **Collapse: Basic Kerberos Connector Configuration** > > This list describes the basic Kerberos connector configuration properties. For a complete list, see [Configuration Properties](#configuration-properties-org-forgerock-openicf-connectors-kerberos-KerberosConnector-1.5.20.15): > > * `host` > > The host name or IP address of the SSH server on which the `kadmin` command is run. > > * `port` > > The port number on which the SSH server listens. > > Default: `22` (the default SSH port) > > * `user` > > The username of the account that is used to connect to the SSH server. > > This is *not* the same as your Kerberos user principal. This account must be able to `ssh` into the server on which Kerberos is running, with the password provided in the next parameter. > > If you use the `root` user, the `sudo` command in the Test script will never get the `'pass::'` prompt. Instead of using the `root` user, create a regular user and add that user to the group that has `sudo` privileges. Alternatively, modify the Test script so that it does not use `sudo`. > > * `password` > > The password of the account that is used to connect to the SSH server. > > * `prompt` > > A string representing the remote SSH session prompt. This must be the exact prompt string, in the format `username@target:`, for example `root@localhost:~$`. > > If the prompt includes a trailing space, you must include the space in the value of this property. > > Consider customizing your Linux prompt with the `PS1` and `PS2` variables, to set a *safe* prompt. For information about customizing prompts, see [this article](https://help.ubuntu.com/community/CustomizingBashPrompt). > > * `sudoCommand` > > A string that shows the full path to the `sudo` command; for example `/usr/bin/sudo`. > > * `echoOff` > > If set to `true` (the default), the input command echo is disabled. If set to `false`, every character that is sent to the server is sent back to the client in the `expect()` call. > > * `terminalType` > > Sets the terminal type to use for the session. The list of supported types is determined by your Linux/UNIX system. For more information, see the `terminfo` manual page (`man terminfo`). > > Default: `vt102` > > * `setLocale` > > If set to `true`, indicates that the default environment locale should be changed to the value of the `locale` property. > > Default: `false` > > * `locale` > > Sets the locale for LC\_ALL, LANG, and LANGUAGE environment variables, if `setLocale` is set to `true`. > > Default: `en_US.utf8` > > * `connectionTimeout` > > Specifies the connection timeout to the remote server, in milliseconds. > > Default: `5000` > > * `expectTimeout` > > Specifies the timeout used by the `expect()` calls in scripts, in milliseconds. > > Default: `5000` > > * `authenticationType` > > Sets the authentication type, either `PASSWORD` or `PUBKEY`. For more information, see [connector-reference:ssh.adoc#ssh-authentication](ssh.html#ssh-authentication). > > Default: `PASSWORD` > > * `throwOperationTimeoutException` > > If `true`, the connector throws an exception when the timeout is reached for an operation. Otherwise, the operation fails silently. > > Default: `true` > > * `scriptRoots` > > The path to the Groovy scripts that will perform the OpenICF operations, relative to your installation directory. For the Kerberos connector, the scripts are bundled up in the connector .jar file, so this path is set to `jar:file:connectors/kerberos-connector-1.5.20.15.jar!/script/kerberos/` in the sample connector configuration. > > * `classpath` > > The directory in which the compiler should look for compiled classes. The default classpath, if not is specified, is `install-dir/lib`. > > * `ScriptFileName` > > The script that is used for each OpenICF operation. Do not change these script names in the bundled Kerberos connector. ## OpenICF Interfaces Implemented by the Kerberos Connector The Kerberos Connector implements the following OpenICF interfaces. For additional details, see [OpenICF interfaces](interfaces.html): * Authenticate Provides simple authentication with two parameters, presumed to be a user name and password. * Create Creates an object and its `uid`. * Delete Deletes an object, referenced by its `uid`. * Resolve Username Resolves an object by its username and returns the `uid` of the object. * Schema Describes the object types, operations, and options that the connector supports. * Script on Connector Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics: * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access. * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. * The script has access to any script arguments passed in by the application. * Script on Resource Runs a script on the target resource that is managed by this connector. * Search Searches the target resource for all objects that match the specified object class and filter. * Sync Polls the target resource for synchronization events, that is, native changes to objects on the target resource. * Test Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid. This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out). You can invoke the test operation before a connector configuration has been validated. * Update Updates (modifies or replaces) objects on a target resource. ## Kerberos Connector Configuration The Kerberos Connector has the following configurable properties: ### Configuration properties | Property | Type | Default | Encrypted(1) | Required(2) | | ---------------------------------- | --------------- | ---------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------ | | `customSensitiveConfiguration` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Description is not available | | | | | | `createScriptFileName` | `String` | `null` | | * [\[interface-CreateApiOp\]](#interface-CreateApiOp) | | Description is not available | | | | | | `targetDirectory` | `File` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | | `customizerScriptFileName` | `String` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | | `warningLevel` | `int` | `1` | | [icon: times, set=fas]No | | Description is not available | | | | | | `authenticateScriptFileName` | `String` | `null` | | - [\[interface-AuthenticationApiOp\]](#interface-AuthenticationApiOp) | | Description is not available | | | | | | `scriptExtensions` | `String[]` | `['groovy']` | | [icon: times, set=fas]No | | Description is not available | | | | | | `scriptOnResourceScriptFileName` | `String` | `null` | | * [\[interface-ScriptOnResourceApiOp\]](#interface-ScriptOnResourceApiOp) | | Description is not available | | | | | | `minimumRecompilationInterval` | `int` | `100` | | [icon: times, set=fas]No | | Description is not available | | | | | | `deleteScriptFileName` | `String` | `null` | | - [\[interface-DeleteApiOp\]](#interface-DeleteApiOp) | | Description is not available | | | | | | `scriptBaseClass` | `String` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | | `scriptRoots` | `String[]` | `null` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `customConfiguration` | `String` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | | `resolveUsernameScriptFileName` | `String` | `null` | | * [\[interface-ResolveUsernameApiOp\]](#interface-ResolveUsernameApiOp) | | Description is not available | | | | | | `searchScriptFileName` | `String` | `null` | | - [\[interface-GetApiOp\]](#interface-GetApiOp) - [\[interface-SearchApiOp\]](#interface-SearchApiOp) | | Description is not available | | | | | | `tolerance` | `int` | `10` | | [icon: times, set=fas]No | | Description is not available | | | | | | `updateScriptFileName` | `String` | `null` | | * [\[interface-UpdateApiOp\]](#interface-UpdateApiOp) | | Description is not available | | | | | | `debug` | `boolean` | `false` | | [icon: times, set=fas]No | | Description is not available | | | | | | `classpath` | `String[]` | `[]` | | [icon: times, set=fas]No | | Description is not available | | | | | | `disabledGlobalASTTransformations` | `String[]` | `null` | | [icon: times, set=fas]No | | Description is not available | | | | | | `schemaScriptFileName` | `String` | `null` | | - [\[interface-SchemaApiOp\]](#interface-SchemaApiOp) | | Description is not available | | | | | | `verbose` | `boolean` | `false` | | [icon: times, set=fas]No | | Description is not available | | | | | | `testScriptFileName` | `String` | `null` | | * [\[interface-TestApiOp\]](#interface-TestApiOp) | | Description is not available | | | | | | `sourceEncoding` | `String` | `UTF-8` | | [icon: times, set=fas]No | | Description is not available | | | | | | `syncScriptFileName` | `String` | `null` | | - [\[interface-SyncApiOp\]](#interface-SyncApiOp) | | Description is not available | | | | | | `recompileGroovySource` | `boolean` | `false` | | [icon: times, set=fas]No | | Description is not available | | | | | | `host` | `String` | `null` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `port` | `int` | `22` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `user` | `String` | `null` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `password` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Description is not available | | | | | | `passphrase` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Description is not available | | | | | | `privateKey` | `String[]` | `[]` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Description is not available | | | | | | `authenticationType` | `String` | `PASSWORD` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `prompt` | `String` | \`root\@localhost:# \` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `sudoCommand` | `String` | `/usr/bin/sudo` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `echoOff` | `boolean` | `true` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `terminalType` | `String` | `vt102` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `locale` | `String` | `en_US.utf8` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `setLocale` | `boolean` | `false` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `connectionTimeout` | `int` | `5000` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `expectTimeout` | `long` | `5000` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `throwOperationTimeoutException` | `boolean` | `true` | | [icon: check, set=fas]Yes | | Description is not available | | | | | | `promptReadyTimeout` | `long` | `20` | | [icon: times, set=fas]No | | Description is not available | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations.