Virtual Users

From ProVide DocWiki

Overview

Have ProVide integrate with any system for user authentication and configuration! With virtual script-based integration, ProVide can connect to just about any data source (e.g. databases, management information systems, flat files, ...) to verify and configure accounts. All you have to do is set up two access points: one for verifying that a user will be allowed access, and one that tells ProVide the user configuration (home directory structure, limitations, security settings, etc.).

Tip 1: An easy way to learn the format of the different settings you can add to your virtual users is to create a user with your choice of settings already applied via the administration interface, then open the username.uac file found inside "accounts" in the ProVide installation directory with Notepad or similar.

Tip 2: Use groups to define basic functionalities and then simply return which groups a user should get its configuration from.

Examples

A basic example

The example below shows the basics of virtual user integration: two virtual accounts with different passwords and different home directory configurations.

Verification script in ProVide:

C:\Scripts\login.cmd "%IP%" "%USERNAME%" "%PASSWORD%"

Contents of file "C:\Scripts\login.cmd":

@echo off

rem Extract IP and remove quotes
set IP=%1
for /f "useback tokens=*" %%a in ('%IP%') do set IP=%%~a

rem Extract Username and remove quotes
set USER=%2
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Extract Password and remove quotes
set PASS=%3
for /f "useback tokens=*" %%a in ('%PASS%') do set PASS=%%~a

rem Check for valid logins

if /I "%USER%" == "testuser1" (
   if "%PASS%" == "pass pass" (
      exit 0
   )
)

if /I "%USER%" == "testuser2" (
   if "%PASS%" == "password" (
      if "%IP%" == "127.0.0.1" (
         exit 0
      )
   )
)

rem No valid login found - Deny access
exit 1

Configuration script in ProVide:

C:\Scripts\userconfig.cmd "%USERNAME%"

Contents of file "C:\Scripts\userconfig.cmd":

@echo off

rem Extract username and remove quotes
set USER=%1
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Configure accounts

if /I "%USER%" == "testuser1" (
   echo !Restriction - VirtualAccount
   echo /Virtual folder for testuser1^|^|
   echo /^|C:\^|RF,LD,RR
)

if /I "%USER%" == "testuser2" (
   echo !Restriction - VirtualAccount
   echo /a virtual folder^|^|
   echo /^|C:\^|RF,LD,RR
)
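
An added example, not part of the ProVide documentation: the same verification contract as login.cmd above (arguments IP, USERNAME, PASSWORD; exit code 0 allows, 1 denies), checked against a flat-file store of salted PBKDF2 hashes instead of plaintext passwords written into the script. The `user|ip|salt|hash` store format, the iteration count, the function names and the use of Python as the launched script are assumptions of this example.

```python
import hashlib
import hmac
import sys

ITERATIONS = 200_000  # assumed PBKDF2 work factor

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def store_line(user, password, salt_hex, ip="*"):
    """Enrollment helper: build one 'user|ip|salt|hash' line for the flat file."""
    digest = derive(password, bytes.fromhex(salt_hex)).hex()
    return "|".join([user.lower(), ip, salt_hex, digest])

def verify(store_text, ip, user, password):
    """Return the script's exit code: 0 allows the login, 1 denies it."""
    records = {}
    for line in store_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 4:
            records[parts[0]] = parts[1:]
    # Unknown users still cost one derivation, so response time does not
    # separate valid from invalid names. Names match case-insensitively (if /I).
    allowed_ip, salt_hex, hash_hex = records.get(user.lower(), ("*", "00" * 16, ""))
    candidate = derive(password, bytes.fromhex(salt_hex)).hex()
    ok = hmac.compare_digest(candidate, hash_hex)  # constant-time comparison
    if allowed_ip != "*" and ip != allowed_ip:
        ok = False  # per-account source address restriction, as for testuser2
    return 0 if ok else 1

# Constructed sample store for the two accounts above. It is built inline only so
# the example runs; a real store file holds just the resulting lines.
SAMPLE_STORE = "\n".join([
    store_line("testuser1", "pass pass", "a1" * 16),
    store_line("testuser2", "password", "b2" * 16, ip="127.0.0.1"),
])

if __name__ == "__main__":
    # Same argument order as login.cmd: IP, USERNAME, PASSWORD
    if len(sys.argv) != 4:
        sys.exit(1)
    sys.exit(verify(SAMPLE_STORE, sys.argv[1], sys.argv[2], sys.argv[3]))
```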

Requiring public/private key authentication and SFTP with virtual users

The example below shows how to require public/private key authentication. When using virtual users, the two scripts "verification" and "configuration" are called separately: "verification" is only called once the user supplies a password to be verified, and "configuration" is called as soon as the server needs the complete setup of an account.

Thus, if the "configuration" script returns a requirement that the user must use public key authentication, that requirement will be enforced.

Note: The line containing the public key ("!Security - PubKey: [...]") must be on one long line.

Verification script in ProVide:

C:\Scripts\login.cmd "%IP%" "%USERNAME%" "%PASSWORD%"

Contents of file "C:\Scripts\login.cmd":

@echo off

rem Extract IP and remove quotes
set IP=%1
for /f "useback tokens=*" %%a in ('%IP%') do set IP=%%~a

rem Extract Username and remove quotes
set USER=%2
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Extract Password and remove quotes
set PASS=%3
for /f "useback tokens=*" %%a in ('%PASS%') do set PASS=%%~a

rem We do not allow any password verifications for virtual users - Deny all access

exit 1

Configuration script in ProVide:

C:\Scripts\userconfig.cmd "%USERNAME%"

Contents of file "C:\Scripts\userconfig.cmd":

@echo off

rem Extract username and remove quotes
set USER=%1
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Configure accounts

if /I "%USER%" == "testuser1" (
   echo !Restriction - VirtualAccount
   echo /Virtual folder for testuser1^|^|
   echo /^|C:\^|RF,LD,RR
   echo !Security - AllowFTP: False
   echo !Security - AllowFTPS: False
   echo !Security - AllowSFTP: True
   echo !Security - AllowTFTP: False
   echo !Security - AllowPubKey: False
   echo !Security - RequirePasswordIfNoPubKey: False
   echo !Security - RequirePubKey: True
   echo !Security - PubKey: ---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-20120316"\nAAAAB3Nza[...]\n---- END SSH2 PUBLIC KEY ----\n
)

if /I "%USER%" == "testuser2" (
   echo !Restriction - VirtualAccount
   echo /a virtual folder^|^|
   echo /^|C:\^|RF,LD,RR
   echo !Security - AllowFTP: False
   echo !Security - AllowFTPS: False
   echo !Security - AllowSFTP: True
   echo !Security - AllowTFTP: False
   echo !Security - AllowPubKey: False
   echo !Security - RequirePasswordIfNoPubKey: False
   echo !Security - RequirePubKey: True
   echo !Security - PubKey: ---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-20120316"\nn0N9zoHof[...]\n---- END SSH2 PUBLIC KEY ----\n
)
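
A check that can be run over the configuration script's output before it goes live, added here as an example and not part of ProVide or its documentation: it confirms that the SFTP-only, key-required settings from the example above are all present and that the public key really sits on one line. Only the directive names come from the page; the function names, the findings wording and the sample outputs are constructed for this example.

```python
# Settings the public-key example above emits for an SFTP-only, key-required account.
EXPECTED = {"AllowFTP": "False", "AllowFTPS": "False", "AllowTFTP": "False",
            "AllowSFTP": "True", "RequirePubKey": "True"}
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"
PREFIX = "!Security - "

def lint_config(output):
    """Return a list of findings for one user's configuration-script output."""
    security = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            key, _, value = line[len(PREFIX):].partition(": ")
            security[key.strip()] = value.strip()
    findings = []
    for key, want in EXPECTED.items():
        got = security.get(key)
        if got is None:
            findings.append(f"{key} missing")
        elif got != want:
            findings.append(f"{key} is {got}, expected {want}")
    pubkey = security.get("PubKey", "")
    # The whole key, BEGIN to END, has to sit on the one PubKey line, with its
    # internal line breaks written as the two characters backslash and n.
    if not (pubkey.startswith(BEGIN) and END in pubkey):
        findings.append("PubKey missing or not on a single line")
    return findings

def sample(ftp, key_lines):
    """Constructed output in the shape userconfig.cmd prints."""
    head = ["!Restriction - VirtualAccount", "/Virtual folder for testuser1||",
            "!Security - AllowFTP: " + ftp, "!Security - AllowFTPS: False",
            "!Security - AllowSFTP: True", "!Security - AllowTFTP: False",
            "!Security - RequirePubKey: True"]
    return "\n".join(head + key_lines)

# Key body left elided exactly as on the page.
KEY = [BEGIN, 'Comment: "rsa-key-20120316"', "AAAAB3Nza[...]", END]
GOOD = sample("False", ["!Security - PubKey: " + "\\n".join(KEY) + "\\n"])
# Constructed faulty output: FTP left enabled and the key wrapped over several lines.
BAD = sample("True", ["!Security - PubKey: " + KEY[0]] + KEY[1:])

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_config(text) or "ok")
```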