Active Directory sync with Python and Dynamic Manifests API.

Timothy Sikes

Aug 6, 2012, 2:10:20 PM
to simian-...@googlegroups.com
I talked with someone during office hours the other day about using Simian and interfacing with our AD group based software policies.

The users and groups are grabbed from AD, and the list of software a group has access to is stored elsewhere and can be easily accessed.  Simian will be kept up to date with a python script and the Dynamic Manifests API.

I've put together a little 'proof-of-concept' script to show how I think it should work with the Dynamic Manifests API.

http://pastebin.com/y1CU1MCN

The main conceptual problem I'm still trying to get around is how to deal with someone losing access to a particular software.  If I ran this script to update a user whenever they changed groups, a user who loses access to a particular program will still have access to the old program.  Am I correct on this?  How should I get around this?  Is there any easy way to delete all the manifests for a particular user/mod_type?  Any suggestions for setting this up differently?

-Thanks for all the help.

Justin McWilliams

Aug 6, 2012, 6:52:42 PM
to simian-...@googlegroups.com
Timothy,

The POC script looks like it's on the right track. You have pointed
out a valid problem, though; removing users from particular "groups"
is not easy. Currently, the Dynamic Manifest API is designed to only
work for a single entity. So for users/owners, you can only
get/add/del a single owner mod. In order to remove a user from a
particular manifest mod, you'd have to know the user was removed from
an AD group then HTTP DELETE using the API:
http://code.google.com/p/simian/source/browse/trunk/src/simian/mac/api/dynamic_manifest.py#156
However, keeping track of users that were removed from groups in AD
would be painful, as you'd have to maintain a separate group-state
somewhere else. There's no way (again, currently) to delete all
manifests mods for a particular user or mod_type; I think the API
could be relatively easily extended to do this, though.

Another thought is the creation of a new mod_type entirely. We already
have Tags for the idea of grouping computers, and we could do
something very similar for grouping of owner usernames, which then
could be easily managed in bulk. Then we would just need to add a
OwnerGroupManifestModification:
http://code.google.com/p/simian/source/browse/trunk/src/simian/mac/models/base.py#1037
+ http://code.google.com/p/simian/source/browse/trunk/src/simian/mac/munki/common.py#645

- Justin
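The reconciliation the two posts above describe, as an added example that is not code from the thread, the pastebin script, or Simian itself: it keeps the last-applied user-to-package state that Justin says you would have to maintain separately, diffs it against the state derived from current AD membership, and issues deletes for revoked access before adds. The `RecordingClient` class and its `add_owner_mod`/`delete_owner_mod` methods are hypothetical stand-ins for the real Dynamic Manifest API calls, and the group and package data are constructed.

```python
# Constructed sample data (not from the thread): AD group -> members, and
# group -> packages that group is entitled to.
AD_GROUPS = {"eng": {"alice", "bob"}, "design": {"carol"}}
GROUP_PACKAGES = {"eng": {"Xcode", "Homebrew"}, "design": {"Photoshop"}}


def desired_mods(ad_groups, group_packages):
    """Desired state (owner -> packages) from current AD membership. The union
    across groups means losing one group never removes a package that another
    group still grants."""
    desired = {}
    for group, members in ad_groups.items():
        for user in members:
            desired.setdefault(user, set()).update(group_packages.get(group, set()))
    return desired


def plan_changes(previous, desired):
    """Diff last-applied state against desired state: (adds, deletes) of (user, pkg)."""
    adds, deletes = set(), set()
    for user in previous.keys() | desired.keys():
        old, new = previous.get(user, set()), desired.get(user, set())
        adds |= {(user, p) for p in new - old}
        deletes |= {(user, p) for p in old - new}
    return adds, deletes


class RecordingClient:
    """Hypothetical stand-in for a Dynamic Manifest API client; a real one would
    send the owner-mod add and HTTP DELETE requests instead of recording them."""
    def __init__(self):
        self.calls = []

    def add_owner_mod(self, user, pkg):
        self.calls.append(("ADD", user, pkg))

    def delete_owner_mod(self, user, pkg):
        self.calls.append(("DELETE", user, pkg))


def sync(client, previous, ad_groups, group_packages):
    """Revoke first, then grant; return the new state for the caller to persist."""
    desired = desired_mods(ad_groups, group_packages)
    adds, deletes = plan_changes(previous, desired)
    for user, pkg in sorted(deletes):
        client.delete_owner_mod(user, pkg)
    for user, pkg in sorted(adds):
        client.add_owner_mod(user, pkg)
    return desired
```

Persist the dict `sync` returns (for example as JSON) and pass it back as `previous` on the next run; on the first run pass `{}`.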

Timothy Sikes

Aug 7, 2012, 5:18:17 PM
to simian-...@googlegroups.com
I'll be keeping up with the development of Simian then.  Built in user-group control via a new mod_type would be very useful to our setup, and I would guess that it would benefit other types of setups as well.

Thanks for the help and information Justin.

-Timothy Sikes