Difference between revisions of "Virtual Users"

From ProVide DocWiki
Line 2: Line 2:
 
Have ProVide integrate with any system for user authentication and configuration! With virtual script-based integration ProVide can connect to just about any data source (e.g. databases, management information systems, flat-files, ...) to verify and configure accounts. All you have to do is setup two access points; one for verifying that a user will be allowed access, and one that tells ProVide the user configuration (home directory structure, limitations, security settings, etc.).
 
Have ProVide integrate with any system for user authentication and configuration! With virtual script-based integration ProVide can connect to just about any data source (e.g. databases, management information systems, flat-files, ...) to verify and configure accounts. All you have to do is setup two access points; one for verifying that a user will be allowed access, and one that tells ProVide the user configuration (home directory structure, limitations, security settings, etc.).
  
''Tip 1:'' Use the graphical user interface to create a user account the way you want the setup to be. Then use this account file as a template for your user file creations.
+
''Tip 1:'' You can use the ProVide Administration Interface to create a user with your chosen options, you can then open the "username.uac" file found inside the "accounts" folder in your ProVide installation directory, in that file you can then see the format and different options you have set.
  
 
''Tip 2:'' Use groups to define basic functionalities and then simply return which groups a user should get its configuration from.
 
''Tip 2:'' Use groups to define basic functionalities and then simply return which groups a user should get its configuration from.
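
Review bot: The replacement Tip 1 (the "+" line) is one comma-spliced sentence and is harder to follow than the text it replaces; split it into separate sentences: create the user in the ProVide Administration Interface, open "username.uac" in the "accounts" folder, then read the format and options from it. The new wording also drops the old advice to use the account file as a template for your own user files and only says you can see the format, so consider keeping that sentence.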

Revision as of 08:23, 23 April 2015

Overview

Have ProVide integrate with any system for user authentication and configuration! With virtual script-based integration, ProVide can connect to just about any data source (e.g. databases, management information systems, flat files, ...) to verify and configure accounts. All you have to do is set up two access points: one for verifying that a user will be allowed access, and one that tells ProVide the user configuration (home directory structure, limitations, security settings, etc.).

Tip 1: You can use the ProVide Administration Interface to create a user with your chosen options. Then open the "username.uac" file found inside the "accounts" folder in your ProVide installation directory. In that file you can see the format and the different options you have set.

Tip 2: Use groups to define basic functionalities and then simply return which groups a user should get its configuration from.

Examples

A basic example

The example presented below displays the basics of virtual user integration: two virtual accounts with different passwords and different home directory configurations.

Verification script in ProVide:

C:\Scripts\login.cmd "%IP%" "%USERNAME%" "%PASSWORD%"

Contents of file "C:\Scripts\login.cmd":

@echo off

rem Extract IP and remove quotes
set IP=%1
for /f "useback tokens=*" %%a in ('%IP%') do set IP=%%~a

rem Extract Username and remove quotes
set USER=%2
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Extract Password and remove quotes
set PASS=%3
for /f "useback tokens=*" %%a in ('%PASS%') do set PASS=%%~a

rem Check for valid logins

if /I "%USER%" == "testuser1" (
   if "%PASS%" == "pass pass" (
      exit 0
   )
)

if /I "%USER%" == "testuser2" (
   if "%PASS%" == "password" (
      if "%IP%" == "127.0.0.1" (
         exit 0
      )
   )
)

rem No valid login found - Deny access
exit 1

Configuration script in ProVide:

C:\Scripts\userconfig.cmd "%USERNAME%"

Contents of file "C:\Scripts\userconfig.cmd":

@echo off

rem Extract username and remove quotes
set USER=%1
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Configure accounts

if /I "%USER%" == "testuser1" (
   echo !Restriction - VirtualAccount
   echo /Virtual folder for testuser1^|^|
   echo /^|C:\^|RF,LD,RR
)

if /I "%USER%" == "testuser2" (
   echo !Restriction - VirtualAccount
   echo /a virtual folder^|^|
   echo /^|C:\^|RF,LD,RR
)
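
The verification contract used by login.cmd above (IP, username and password in; exit code 0 to allow, 1 to deny), as an added example that is not part of the original page or ProVide's own code: it checks salted PBKDF2 hashes from a flat file instead of plaintext passwords written into the script, and never expands the client-supplied values inside cmd.exe. It assumes the verification command is changed to invoke a Python interpreter; the record format `user:salt:hash:allowed_ip` and all function names are made up for this example.

```python
import hashlib
import hmac
import sys

ITERATIONS = 200_000  # PBKDF2 work factor (value assumed for this example)

def hash_password(password: str, salt: bytes) -> str:
    """Derive a hex PBKDF2-HMAC-SHA256 digest for storage or comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()

def make_record(user: str, password: str, salt: bytes, allowed_ip: str = "*") -> str:
    """Build one flat-file line: user:salt_hex:hash_hex:allowed_ip ('*' = any IP)."""
    return f"{user.lower()}:{salt.hex()}:{hash_password(password, salt)}:{allowed_ip}"

def verify(records, ip: str, user: str, password: str) -> bool:
    """Return True only if user, password and source IP all match one record."""
    table = {}
    for line in records:
        if not line.strip() or line.startswith("#"):
            continue
        # maxsplit=3 keeps IPv6 addresses (which contain ':') intact in the last field
        name, salt_hex, digest, allowed_ip = line.strip().split(":", 3)
        table[name] = (bytes.fromhex(salt_hex), digest, allowed_ip)
    # Unknown users still cost one PBKDF2 run, so timing does not show which names exist.
    salt, digest, allowed_ip = table.get(user.lower(), (b"\x00" * 16, "", ""))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest) and allowed_ip in ("*", ip)

# Constructed sample records mirroring the page's two test accounts.
# In real use, generate each salt with os.urandom(16) and read the lines from a
# file that only the ProVide service account can read.
SAMPLE = [
    make_record("testuser1", "pass pass", bytes.fromhex("00112233445566778899aabbccddeeff")),
    make_record("testuser2", "password", bytes.fromhex("ffeeddccbbaa99887766554433221100"), "127.0.0.1"),
]

if __name__ == "__main__":
    # ProVide passes "%IP%" "%USERNAME%" "%PASSWORD%"; anything malformed is denied.
    if len(sys.argv) != 4:
        sys.exit(1)
    sys.exit(0 if verify(SAMPLE, *sys.argv[1:4]) else 1)
```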

Requiring public/private key authentication and SFTP with virtual users

The example presented below shows how to require public/private key authentication. When using virtual users the two scripts "verification" and "configuration" are actually called separately; "verification" is only called once the user supplies a password to be verified, and "configuration" is called as soon as the server needs the complete setup of an account.

Thus, if the "configuration" script returns a requirement that the user needs public key authentication, then that requirement is enforced.

Note: The line containing the public key ("!Security - PubKey: [...]") must be on one long line.

Verification script in ProVide:

C:\Scripts\login.cmd "%IP%" "%USERNAME%" "%PASSWORD%"

Contents of file "C:\Scripts\login.cmd":

@echo off

rem Extract IP and remove quotes
set IP=%1
for /f "useback tokens=*" %%a in ('%IP%') do set IP=%%~a

rem Extract Username and remove quotes
set USER=%2
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Extract Password and remove quotes
set PASS=%3
for /f "useback tokens=*" %%a in ('%PASS%') do set PASS=%%~a

rem We do not allow any password verifications for virtual users - Deny all access

exit 1

Configuration script in ProVide:

C:\Scripts\userconfig.cmd "%USERNAME%"

Contents of file "C:\Scripts\userconfig.cmd":

@echo off

rem Extract username and remove quotes
set USER=%1
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Configure accounts

if /I "%USER%" == "testuser1" (
   echo !Restriction - VirtualAccount
   echo /Virtual folder for testuser1^|^|
   echo /^|C:\^|RF,LD,RR
   echo !Security - AllowFTP: False
   echo !Security - AllowFTPS: False
   echo !Security - AllowSFTP: True
   echo !Security - AllowTFTP: False
   echo !Security - AllowPubKey: False
   echo !Security - RequirePasswordIfNoPubKey: False
   echo !Security - RequirePubKey: True
   echo !Security - PubKey: ---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-20120316"\nAAAAB3Nza[...]\n---- END SSH2 PUBLIC KEY ----\n
)

if /I "%USER%" == "testuser2" (
   echo !Restriction - VirtualAccount
   echo /a virtual folder^|^|
   echo /^|C:\^|RF,LD,RR
   echo !Security - AllowFTP: False
   echo !Security - AllowFTPS: False
   echo !Security - AllowSFTP: True
   echo !Security - AllowTFTP: False
   echo !Security - AllowPubKey: False
   echo !Security - RequirePasswordIfNoPubKey: False
   echo !Security - RequirePubKey: True
   echo !Security - PubKey: ---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-20120316"\nn0N9zoHof[...]\n---- END SSH2 PUBLIC KEY ----\n
)
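
One way to produce the single-line "!Security - PubKey:" entry from a key file, as an added example that is not part of the original page or ProVide's own code. It assumes every line break in the SSH2 key file becomes the literal two characters `\n`, as in the sample lines above; the function names and the key material are constructed for illustration.

```python
import sys

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def pubkey_line(key_text: str) -> str:
    """Collapse a multi-line SSH2 public key file into one configuration line."""
    # splitlines() handles both LF and Windows CRLF line endings.
    lines = [ln.strip() for ln in key_text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("expected an SSH2 public key file with BEGIN/END markers")
    # Each real line break is replaced by backslash + n (assumption from the page's sample).
    return "!Security - PubKey: " + "".join(ln + "\\n" for ln in lines)

def sftp_key_only_config(folder_name: str, key_text: str) -> list[str]:
    """Return the page's SFTP-only, key-required settings for one virtual user."""
    config = [
        "!Restriction - VirtualAccount",
        f"/{folder_name}||",
        "/|C:\\|RF,LD,RR",
        "!Security - AllowFTP: False",
        "!Security - AllowFTPS: False",
        "!Security - AllowSFTP: True",
        "!Security - AllowTFTP: False",
        "!Security - AllowPubKey: False",
        "!Security - RequirePasswordIfNoPubKey: False",
        "!Security - RequirePubKey: True",
        pubkey_line(key_text),
    ]
    # A raw line break inside any entry would split it into two configuration lines.
    if any("\n" in ln or "\r" in ln for ln in config):
        raise ValueError("configuration lines must not contain raw line breaks")
    return config

# Constructed sample key file (not a real key), with Windows line endings.
SAMPLE_KEY = (BEGIN + '\r\nComment: "constructed-sample-key"\r\n'
              "AAAAconstructedSAMPLEline1\r\nAAAAconstructedSAMPLEline2\r\n" + END + "\r\n")

if __name__ == "__main__":
    # Called as: userconfig.py "%USERNAME%"; unknown users get no configuration.
    if len(sys.argv) == 2 and sys.argv[1].lower() == "testuser1":
        print("\n".join(sftp_key_only_config("Virtual folder for testuser1", SAMPLE_KEY)))
```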