

WinRM Connector

This connector can be used to connect to basically any system that can be managed via PowerShell commands, or via a specialised client that can be called from PowerShell.

The connector is based on the ConnId CMD connector; we forked CMD connector version 0.4-SNAPSHOT.

We implemented several features that were missing:

  • It contains more configuration fields for connecting to WinRM, which is the main purpose of this connector.
  • The password of the WinRM user is a GuardedString inside the connector, but it is passed as plain text to the bash script. (This is the same behaviour the CMD connector has for the \_\_PASSWORD\_\_ attribute.) On the connector server host the password is therefore only as protected as that script's input, so restrict who can log in to, or inspect processes on, that host.
  • If a script returns an exit code other than 0, an exception is thrown.
  • In the folder scripts/NameOfSystem you can find a Python script for each supported operation:
    • Create
    • Update
    • Delete
    • Test
    • Search

Here "NameOfSystem" is one of the following values: Exchange, OpenLims, o365, homeDir (more systems may come in the future). If you want to use this connector for another system, you can implement the scripts yourself; use the existing Python + PowerShell scripts as a template.

The PowerShell scripts are in subfolders. Such a script is not just a "normal" PowerShell script containing the commands we want to execute: it must also handle exceptions, and in the case of search scripts its output must be JSON, so the connector can parse it and forward it to IdM. If exceptions are not caught, IdM may show an operation as successful although it failed, or the other way around.

All of these scripts log into the connector server log.

Then in the folder "scripts" you can find the Python script, which is a wrapper around the pywinrm client (https://github.com/diyan/pywinrm) used to connect to the Windows server and execute the PowerShell scripts there. You need to install pywinrm first; the link above contains a tutorial.

It is better to run it on the connector server instead of adding the dependency directly to your application (IdM). The reason is simple: better security. You can choose a user with limited permissions as the owner of the connector server and then grant that user the right to run only the scripts you want.

It supports the basic, ntlm, kerberos and credssp authentication schemes for WinRM. Note that basic authentication over plain HTTP sends the credentials across the network in cleartext, so outside a lab combine it with HTTPS.

It supports HTTP and HTTPS communication. HTTPS can be a little tricky to configure: you need the right certificate on the WinRM listener on the Windows server, and you must then import the CA certificate (crt) into the trust store of the machine where this connector runs. In the file winrm_wrapper.py, on line 39 where the WinRM session is created, you need to specify the CA trust path. On Debian-based systems the default system CA path is "/etc/ssl/certs".
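The following is an added example, not the connector's own winrm_wrapper.py, showing the wrapper contract described above in pywinrm terms: load a PowerShell script from disk, inject the operation's attributes as quoted PowerShell variables, run it over WinRM with the chosen authentication scheme and CA trust path, treat any exit code other than 0 as an error, and parse JSON output for search. The function names, the `$filter` parameter and the sample search script are this example's own assumptions; the Windows host is replaced by a fake session so the demo runs offline.

```python
"""Added example (not the project's winrm_wrapper.py): a minimal pywinrm
wrapper with the exit-code and JSON conventions the page describes."""
import json
import tempfile
from pathlib import Path
from types import SimpleNamespace


class ScriptFailed(Exception):
    """The remote PowerShell script exited with a non-zero code."""


def build_session(endpoint, auth_schema, user, password, ca_trust_path="/etc/ssl/certs"):
    """Create a pywinrm Session (pip install pywinrm).  The import is local so the
    offline demo works without it.  Keyword names are pywinrm's own Protocol options."""
    import winrm
    return winrm.Session(
        endpoint,                           # e.g. https://HOST:5986/wsman
        auth=(user, password),
        transport=auth_schema,              # basic | ntlm | kerberos | credssp
        server_cert_validation="validate",  # keep 'validate' in production
        ca_trust_path=ca_trust_path,        # dir/bundle holding the listener's CA
    )


def render_script(script_text, params=None):
    """Prepend parameters as single-quoted PowerShell literals.  Names are limited
    to identifiers and quotes in values are doubled, so an attribute value such
    as o'brien cannot break out into command position."""
    prelude = ""
    for name, value in (params or {}).items():
        if not name.isidentifier():
            raise ValueError(f"refusing parameter name {name!r}")
        prelude += f"${name} = '{str(value).replace(chr(39), chr(39) * 2)}'\n"
    return prelude + script_text


def run_ps_script(session, script_path, params=None):
    """Run a .ps1 file over WinRM; any exit code other than 0 is an error."""
    script = render_script(Path(script_path).read_text(encoding="utf-8"), params)
    r = session.run_ps(script)
    out = r.std_out.decode("utf-8", errors="replace")
    err = r.std_err.decode("utf-8", errors="replace")
    if r.status_code != 0:
        raise ScriptFailed(f"exit code {r.status_code}: {err.strip() or out.strip()}")
    return out


def search(session, script_path, params=None):
    """Search scripts print JSON; normalise empty output and a single object to a list."""
    out = run_ps_script(session, script_path, params).strip()
    if not out:
        return []
    data = json.loads(out)
    return data if isinstance(data, list) else [data]


# Constructed sample of the PowerShell-side contract: stop on any error, catch
# it, emit JSON on success, exit non-zero on failure.  $filter is injected above.
SAMPLE_SEARCH_PS = r"""
$ErrorActionPreference = 'Stop'
try {
    $users = Get-LocalUser | Where-Object { $_.Name -like $filter } |
        Select-Object @{n='__NAME__'; e={$_.Name}}, @{n='__UID__'; e={$_.SID.Value}}
    ConvertTo-Json -InputObject @($users) -Compress
    exit 0
} catch {
    Write-Error $_.Exception.Message
    exit 1
}
"""


def write_sample_script():
    """Write SAMPLE_SEARCH_PS to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".ps1", delete=False, encoding="utf-8") as f:
        f.write(SAMPLE_SEARCH_PS)
    return f.name


class FakeSession:
    """Offline stand-in for winrm.Session: returns canned output, keeps the last script."""
    def __init__(self, status_code, std_out, std_err=b""):
        self.canned = SimpleNamespace(status_code=status_code, std_out=std_out, std_err=std_err)
        self.last_script = None

    def run_ps(self, script):
        self.last_script = script
        return self.canned


def demo():
    """Success and failure paths against constructed canned output."""
    path = write_sample_script()
    rows = search(FakeSession(0, b'[{"__NAME__":"jdoe","__UID__":"S-1-5-21-1-1001"}]'), path, {"filter": "j*"})
    try:
        search(FakeSession(1, b"", b"Get-LocalUser : access denied"), path)
        error = None
    except ScriptFailed as e:
        error = str(e)
    return rows, error


if __name__ == "__main__":
    print(demo())
```

Against a real host, replace `FakeSession` with `build_session(endpoint, "kerberos", user, password)`; the rest of the flow is unchanged. Quoting the parameters rather than string-concatenating them into the script is what keeps an IdM attribute value from becoming PowerShell code on the target.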

The connector has a few settings which need to be configured before you use it.

  • Create script: path to the Python create script
  • Powershell create script: path to the PowerShell create script, which is loaded by the Python script and executed on Windows
  • Update script: path to the Python update script
  • Powershell update script: path to the PowerShell update script, which is loaded by the Python script and executed on Windows
  • Search script: path to the Python search script
  • Powershell search script: path to the PowerShell search script, which is loaded by the Python script and executed on Windows
  • Delete script: path to the Python delete script
  • Powershell delete script: path to the PowerShell delete script, which is loaded by the Python script and executed on Windows
  • Test script: path to the Python test script
  • Endpoint: URL of the endpoint where WinRM is accessible; usually https://HOST:5986/wsman for HTTPS and http://HOST:5985/wsman for HTTP
  • Authentication schema: one of the supported values basic, ntlm, kerberos, credssp
  • User: username of the account used for authentication to WinRM
  • Password: password of that user

The connector supports basic schema generation. You will get these attributes:

  • \_\_NAME\_\_
  • \_\_UID\_\_
  • \_\_PASSWORD\_\_

You need to create the other attributes manually, based on the system you want to connect and on your needs.

For the objectClass \_\_GROUP\_\_, provisioning is not supported in the current version.

For the objectClass \_\_ACCOUNT\_\_, the connector supports these operations: CREATE, UPDATE, DELETE, SEARCH.

For \_\_ACCOUNT\_\_ you need to use reconciliation; normal synchronization is not supported in the current version.

Object          Operations
\_\_ACCOUNT\_\_  CREATE, UPDATE, DELETE, SEARCH
\_\_GROUP\_\_    NONE
  • by kucerar