1 vote
Currently with Linux servers, it appears you have to specify them individually for local account discovery. We domain-join all of our Linux servers, and I would love to be able to do local account discovery for domain-joined Linux servers based on OU, like you can for domain-joined Windows devices today. I would also like for this to include both local account credential discovery/rotation as well as managing SSH keys for that local account. I would also like to be able to specify the name of that local account. The credentials being used for discovery could be the same ones specified for the Active Directory provider.
Hi @csudderth,
To make sure I understand your request, the Linux servers are registered as computers in an OU in your domain, is that correct? Assuming this, you would like to be able to do discovery across all the registered Linux machines in that OU and create local user PAM credentials based on that? This could theoretically, though not trivially, be achieved with the current Custom Provider system. It would require you to invoke the SSH executable through the PowerShell scripts and do a lot of back and forth, but I think it would be possible.
For a more managed experience, it would not be trivial to implement as our system is less flexible when it comes to machine vs credential management in terms of discovery and rotation. I'll take the time to speak with the team and see how we can go further and define a proper direction for this feature.
We do really appreciate the feedback. If you have any additional information you would like to add to this request, feel free to share.
Cheers,
Luc Fauvel
Hi Luc,
Thank you so much for the response! I was planning on trying to develop a custom provider. If I get it working well, I'd love to contribute back with that script. But to answer your question, yes, our Linux machines are in an OU in AD. Essentially, it would SSH into the Linux devices it discovers in AD and rotate the password of a specified local account. Even if it were a toggle in the scan configuration that these were Linux devices, that would work.
That's an interesting perspective, actually. If there is a way through LDAP for us to know whether the computer is a Linux machine or not, we could do the same thing that we do currently for AD computers.
I'll look into this, thank you.
Cheers,
Luc Fauvel
The operatingSystem attribute should suffice. That attribute on our RHEL family servers (RHEL, Rocky Linux, AlmaLinux) has "redhat-linux-gnu" as the value, and our Ubuntu servers have "pc-linux-gnu".
I hope this helps!
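As an added illustration of the LDAP-based approach discussed in this thread (this is example code, not the poster's custom provider or the vendor's implementation), the following PowerShell queries an OU for computer objects whose operatingSystem attribute matches the Linux values quoted above, and separately surfaces computers with no operatingSystem at all so they are reviewed rather than silently skipped. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: enumerate domain-joined Linux computers in an OU using the
# operatingSystem attribute mentioned in the thread. Requires the RSAT
# ActiveDirectory module; the OU path below is a placeholder.
#Requires -Modules ActiveDirectory

function Get-DomainLinuxComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # e.g. 'OU=Linux Servers,DC=example,DC=com' (placeholder)
        [string] $Pattern = '*linux-gnu*'              # matches 'redhat-linux-gnu' and 'pc-linux-gnu'
    )

    # One LDAP round trip: enabled computer objects only (bit 2 of userAccountControl
    # is ACCOUNTDISABLE) whose operatingSystem matches the pattern. The attribute is
    # written by the join tool (realmd/adcli, sssd, ...), so it is only as reliable
    # as the process that joined the machine; treat it as a hint, not as proof.
    $filter = "(&(objectCategory=computer)(operatingSystem=$Pattern)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    Get-ADComputer -SearchBase $SearchBase -LDAPFilter $filter `
        -Properties operatingSystem, operatingSystemVersion, dNSHostName, lastLogonTimestamp |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            DnsHostName     = $_.DNSHostName
            OperatingSystem = $_.operatingSystem
            OSVersion       = $_.operatingSystemVersion
            # A stale object would otherwise become an unreachable rotation target.
            LastLogon       = if ($_.lastLogonTimestamp) {
                                  [DateTime]::FromFileTime($_.lastLogonTimestamp)
                              } else { $null }
        }
    }
}

# Computers in the OU with an empty operatingSystem: some join tools never populate
# it, so list these for manual review instead of assuming they are not Linux.
function Get-DomainComputerWithoutOS {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADComputer -SearchBase $SearchBase `
        -LDAPFilter '(&(objectCategory=computer)(!(operatingSystem=*)))' |
        Select-Object Name, DNSHostName
}

# Usage with the placeholder OU:
$ou = 'OU=Linux Servers,DC=example,DC=com'
Get-DomainLinuxComputer  -SearchBase $ou | Format-Table -AutoSize
Get-DomainComputerWithoutOS -SearchBase $ou | Format-Table -AutoSize
```

The resulting DnsHostName values are what a custom provider's SSH step would iterate over; the empty-attribute list is the set a discovery job should report rather than drop.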