主页
产品
Red Hat Enterprise Linux
8
配置和管理身份管理
41.2. 配置 IdM stage用户帐户的自动激活

41.2. 配置 IdM stage用户帐户的自动激活

您可以创建一个脚本来激活 stage 用户。系统在指定的时间间隔自动运行脚本。这样可确保新用户帐户被自动激活，并在创建后很快可用。

重要

假设外部调配系统的所有者已经验证了用户，并且在脚本将它们添加到 IdM 之前，它们不需要在 IdM 端进行额外的验证。

这对于仅在一个 IdM 服务器上启用激活过程足够了。

先决条件

provisionator 和 activator 帐户在 IdM 中存在。详情请参阅为 stage 用户帐户的自动激活准备 IdM 帐户。
在运行该流程的 IdM 服务器上您需要有 root 权限。
以 IdM 管理员身份登录。
您信任外部调配系统。

流程

为激活帐户生成 keytab 文件：
```
ipa-getkeytab -s server.idm.example.com -p "activator" -k /etc/krb5.ipa-activation.keytab
```
```
# ipa-getkeytab -s server.idm.example.com -p "activator" -k /etc/krb5.ipa-activation.keytab
```
Copy to Clipboard Toggle word wrap
如果您要在多个 IdM 服务器上启用激活过程，请仅在一个服务器上生成 keytab 文件。然后，将 keytab 文件复制到其他服务器上。

创建一个包含以下内容的 /usr/local/sbin/ipa-activate-all 脚本来激活所有用户：

#!/bin/bash

kinit -k -i activator

ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate ${uid}; done

#!/bin/bash

kinit -k -i activator

ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate ${uid}; done

Copy to Clipboard

Toggle word wrap

编辑 ipa-activate-all 脚本的权限和所有权来使其可执行：

chmod 755 /usr/local/sbin/ipa-activate-all
chown root:root /usr/local/sbin/ipa-activate-all

# chmod 755 /usr/local/sbin/ipa-activate-all
# chown root:root /usr/local/sbin/ipa-activate-all

Copy to Clipboard

Toggle word wrap

创建一个 systemd 单元文件 /etc/systemd/system/ipa-activate-all.service，内容如下：

[Unit]
Description=Scan IdM every minute for any stage users that must be activated

[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
ExecStart=/usr/local/sbin/ipa-activate-all

[Unit]
Description=Scan IdM every minute for any stage users that must be activated

[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
ExecStart=/usr/local/sbin/ipa-activate-all

Copy to Clipboard

Toggle word wrap

创建一个 systemd 计时器 /etc/systemd/system/ipa-activate-all.timer，内容如下：

[Unit]
Description=Scan IdM every minute for any stage users that must be activated

[Timer]
OnBootSec=15min
OnUnitActiveSec=1min

[Install]
WantedBy=multi-user.target

[Unit]
Description=Scan IdM every minute for any stage users that must be activated

[Timer]
OnBootSec=15min
OnUnitActiveSec=1min

[Install]
WantedBy=multi-user.target

Copy to Clipboard

Toggle word wrap

重新载入新配置：
```
systemctl daemon-reload
```
```
# systemctl daemon-reload
```
Copy to Clipboard Toggle word wrap
启用 ipa-activate-all.timer:
```
systemctl enable ipa-activate-all.timer
```
```
# systemctl enable ipa-activate-all.timer
```
Copy to Clipboard Toggle word wrap
启动 ipa-activate-all.timer:
```
systemctl start ipa-activate-all.timer
```
```
# systemctl start ipa-activate-all.timer
```
Copy to Clipboard Toggle word wrap

可选：验证 ipa-activate-all.timer 守护进程是否正在运行：

systemctl status ipa-activate-all.timer

# systemctl status ipa-activate-all.timer
● ipa-activate-all.timer - Scan IdM every minute for any stage users that must be activated
   Loaded: loaded (/etc/systemd/system/ipa-activate-all.timer; enabled; vendor preset: disabled)
   Active: active (waiting) since Wed 2020-06-10 16:34:55 CEST; 15s ago
  Trigger: Wed 2020-06-10 16:35:55 CEST; 44s left

Jun 10 16:34:55 server.idm.example.com systemd[1]: Started Scan IdM every minute for any stage users that must be activated.

Copy to Clipboard

Toggle word wrap

返回顶部

41.2. 配置 IdM stage用户帐户的自动激活

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links