

WinRM Connector

The Windows Remote Management (WinRM) connector can be used to connect to basically any system that can be managed via PowerShell commands or via a specialized client that can be called from PowerShell.

The connector is based on the ConnId CMD connector. We forked CMD connector version 0.4-SNAPSHOT.

We implemented some features that were missing:

  • It contains more configuration fields for connecting to WinRM, which is the main purpose of this connector.
  • The password for the WinRM user is a GuardedString in the connector, but we send it as plain text to the bash script. (The CMD connector behaves the same way for the \_\_PASSWORD\_\_ attribute.)
  • If a script returns an exit code other than 0, an exception is thrown.
  • In the folder scripts/NameOfSystem you can find Python scripts for each supported operation method:
    • Create
    • Update
    • Delete
    • Test
    • Search

Here "NameOfSystem" is one of the following values: Exchange, OpenLims, o365, homeDir (more systems may come in the future). If you want to use this connector for another system, you can implement the scripts yourself, using the existing Python + PS scripts as a template.

The PowerShell scripts are in subfolders. Each one is more than a "normal" PowerShell script containing the commands we want to execute: it must also handle exceptions, and in the case of search scripts the response should be in JSON format so that the connector can parse it and forward it to IdM. If exceptions are not caught, IdM may show an operation as successful when it actually failed, or the other way around.
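How the Python side can refuse to report a search as successful when the PowerShell output is not trustworthy, as an added example that is not the connector's own wrapper code. The names `Result`, `ScriptFailure`, `parse_search_result` and `exit_code_for`, the required keys, and the rule that an empty result is printed as `[]` are assumptions of this example; the sample results are constructed.

```python
import json
from collections import namedtuple

# Same three fields as pywinrm's Response; built by hand so this runs offline.
Result = namedtuple("Result", "status_code std_out std_err")


class ScriptFailure(Exception):
    """The remote script's output cannot be reported to IdM as a success."""


def parse_search_result(result, required=("__UID__", "__NAME__")):
    """Return the found accounts as a list of dicts, or raise ScriptFailure."""
    if result.status_code != 0:
        detail = result.std_err.decode("utf-8", "replace").strip()
        raise ScriptFailure("exit code %d: %s" % (result.status_code, detail))
    text = result.std_out.decode("utf-8-sig", "replace").strip()
    try:
        data = json.loads(text)
    except ValueError:
        # Exit code 0 but no JSON: an uncaught PowerShell error written to
        # stdout, or no output at all. Assumed contract: "[]" means "no match".
        raise ScriptFailure("search output is not JSON: %r" % text[:80])
    if isinstance(data, dict):
        # ConvertTo-Json emits a bare object when a single item is piped to it.
        data = [data]
    if not isinstance(data, list):
        raise ScriptFailure("expected a JSON array of accounts")
    for item in data:
        if not isinstance(item, dict) or any(k not in item for k in required):
            raise ScriptFailure("account without %s: %r" % ("/".join(required), item))
    return data


def exit_code_for(result):
    """Exit code for the Python script; non-zero makes the connector throw."""
    try:
        parse_search_result(result)
        return 0
    except ScriptFailure:
        return 1


# Constructed sample results (not captured from a real server).
OK_ONE = Result(0, b'{"__UID__": "jdoe", "__NAME__": "jdoe", "mail": "jdoe@example.test"}', b"")
SILENT_FAIL = Result(0, b"Get-Mailbox : The operation couldn't be performed.", b"")
HARD_FAIL = Result(1, b"", b"Access is denied.")
```

`SILENT_FAIL` is the case the paragraph above warns about: the remote exit code is 0, so only the JSON check keeps IdM from recording a success.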

All of these scripts log into the connector server log.

In the "scripts" folder you can also find a Python script that is a wrapper for the pywinrm client (https://github.com/diyan/pywinrm), which is used for connecting to the Windows server and executing PS scripts on it. You need to install pywinrm first; the link above contains a tutorial.

It's better to run the connector in a connector server instead of adding it directly as a dependency of your application (IdM). The reason is simple: better security. You can choose a user with limited permissions as the owner of the connector server and then give that user access to run only the scripts you want.

It supports the basic, ntlm, kerberos and credssp authentication schemas for WinRM.

It supports HTTP and HTTPS communication. HTTPS can be a little tricky to configure: you need the certificate that is used by the WinRM listener on the Windows server, and you must import that crt into the trust store on the machine where this connector is running. In the file winrm_wrapper.py, on line 39, where the WinRM session is created, you need to specify the CA trust path. On Debian-based systems the default system CA path is "/etc/ssl/certs".
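One way to derive the pywinrm session arguments from the endpoint and authentication schema so that HTTPS always validates the listener certificate against the CA trust path, as an added example that is not the contents of winrm_wrapper.py. The function names and the policy of refusing basic authentication over plain HTTP are assumptions of this example; `transport`, `server_cert_validation` and `ca_trust_path` are pywinrm's own keyword arguments.

```python
import os

try:
    from urllib.parse import urlparse  # Python 3
except ImportError:
    from urlparse import urlparse      # Python 2.7, the version the page tested

SCHEMAS = ("basic", "ntlm", "kerberos", "credssp")


def session_settings(endpoint, schema, ca_trust_path="/etc/ssl/certs",
                     exists=os.path.exists):
    """Return keyword arguments for winrm.Session, or raise ValueError."""
    url = urlparse(endpoint)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("endpoint must be an http(s) URL: %r" % endpoint)
    if schema not in SCHEMAS:
        raise ValueError("unsupported authentication schema: %r" % schema)
    settings = {"transport": schema}
    if url.scheme == "https":
        # Fail early instead of falling back to an unverified connection.
        if not exists(ca_trust_path):
            raise ValueError("CA trust path not found: %s" % ca_trust_path)
        settings["server_cert_validation"] = "validate"
        settings["ca_trust_path"] = ca_trust_path
    elif schema == "basic":
        # Basic over plain HTTP sends the password base64-encoded, not encrypted.
        raise ValueError("basic authentication requires an https endpoint")
    return settings


def open_session(endpoint, schema, user, password, ca_trust_path="/etc/ssl/certs"):
    """Create the pywinrm session with the checked settings."""
    import winrm  # pywinrm; imported here so the checks above run without it
    return winrm.Session(endpoint, auth=(user, password),
                         **session_settings(endpoint, schema, ca_trust_path))
```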

The connector has a few settings which need to be configured before you use it.

If your connector server is running on Windows, you need to enter "python " before the actual path to the script, e.g. "python C:\scripts\homeDir\testDir.py".

Create script

Path to Python create script

Powershell create script

Path to powershell create script which will be loaded into python and executed on Windows

Update script

Path to Python update script

Powershell update script

Path to powershell update script which will be loaded into python and executed on Windows

Search script

Path to Python search script

Powershell search script

Path to powershell search script which will be loaded into python and executed on Windows

Delete script

Path to Python delete script

Powershell delete script

Path to powershell delete script which will be loaded into python and executed on Windows

Test script

Path to Python test script

Endpoint

URL of the endpoint where WinRM is accessible. Usually https://HOST:5986/wsman for HTTPS and http://HOST:5985/wsman for HTTP

Authentication schema

One of the supported values: basic, ntlm, kerberos, credssp

User

Username of the user which will be used for authentication to WinRM

Password

Password for this user

The connector supports basic schema generation. You will get these attributes:

  • \_\_NAME\_\_
  • \_\_UID\_\_
  • \_\_PASSWORD\_\_

You need to create other attributes manually, based on the system you want to connect and your needs.

For objectClass GROUPS, provisioning is not supported in the current version.

For objectClass ACCOUNT, the connector supports these operations: CREATE, UPDATE, DELETE, SEARCH.

For ACCOUNT you need to use Reconciliation; normal synchronization is not supported in the current version.

| Object | Operations |
|---|---|
| \_\_ACCOUNT\_\_ | CREATE, UPDATE, DELETE, SEARCH |
| \_\_GROUP\_\_ | NONE |

To use this connector you need to install a few things.

  • Install Python; the tested version is 2.7.
  • Install pip for managing Python packages. On Linux, use the package manager of your distribution and install the package python-pip. On Windows, pip is installed together with Python if you use the official installer.
  • Install pywinrm and its dependencies. You can follow the official guide at https://github.com/diyan/pywinrm. Don't forget to install the additional packages if you want to use Kerberos or CredSSP authentication. On Windows you need to execute only the pip commands; you don't need to install other system dependencies.

Now we have prepared the tool which is used by our connector. Next you need to install the Java connector server. The connector server is not mandatory, but as we wrote in the first section, it's recommended to use it.

You can download the whole bundle with a prepared and tested connector server here:

It's not released to the public yet.

Or you can follow this guide and prepare the connector server yourself. This connector is tested with Java connector server 1.4.5.1 (https://connid.atlassian.net/wiki/spaces/BASE/pages/360458/Downloads#Downloads-JavaConnectorServer) and with connector-framework 1.4.3.0.

Next you will need to add these libraries into the lib folder of the connector server:

  • jackson-annotations-2.9.8
  • jackson-core-2.9.8
  • jackson-databind-2.9.8

You will probably need to add these libs to the classpath in ConnectorServer.sh or ConnectorServer.bat, depending on your OS.

Now you can put winrm-connector-0.5.jar into the bundles folder inside the connector server and start it.

The next thing you need to do is configure WinRM on the Windows server, or check that WinRM is accessible. You can follow the steps from our tutorial.

  • by cirkval