Overriding operations
You can add additional KVGroups to your Unix Listener configuration file to override account operations. They can be written using PSLang script syntax.
Complete documentation on how to write the override functions using PSLang is detailed in the pslang-override-sample.psl file that is included with the psunix installation in the psunix/conf/ directory. This file also provides a sample framework for configuring overrides for the built-in operations.
When using PSLang, you can also add pre/post operations that augment the built-in operations. For each <operation> in the sample script file, there is a corresponding pre_<operation> and post_<operation>. These provide entry points into an operation before and after the operation is executed. For example, the pre_<operation> is often useful when validating data or policies before the server performs the operation.
Refer to the pslang-override-sample.psl file for more detail and examples.
Caution
Any sample script should be modified to fit your environment and prevent security exploits.
Operation elements
Each operation is implemented using a PSLang function with the same name. Most of the functions (create, enable, etc.) take one parameter, an associative array. Each element is a string unless otherwise indicated. The following listing defines the elements that may be required:
Element | Description |
---|---|
userid | The profile ID of the user. |
fullname | The full name of the user. |
acctid | The ID for the account that the user has on this system. |
newpw | The new password (for password reset/create operations). |
oldpw | The old password (for verify operations). |
modeluid | The model (template) ID for create. |
groupid | The group ID for the group operations. |
groupname | The group description for group operations. |
attributes | A KVGroup containing information about attributes to set during create and update operations. |
Utility functions
Utility functions are used by one or all operations to pass back information specific to the operation.
Function | Description |
---|---|
agentError | Return an error message to the agent. |
agentWarning | Return a warning message to the agent. |
agentInfo | Return an info message to the agent. |
agentListAttribute | Return user attributes from a list operation. |
agentListGroup | Return group information, excluding the group SID, from a listgroups operation. |
agentListGroupSID | Return group information, including the group SID, from a listgroups operation. |
agentIsEnabled | Return enabled status from an isenabled operation. |
agentIsLocked | Return locked status from an islocked operation. |
agentIsPassExpired | Return password expired status from an ispwexpired operation. |
agentIsAcctExpired | Return account expired status from an isacctexpired operation. Although this function point is implemented, the isacctexpired operation is not yet supported. |
agentLongId | Return longid from a create operation. |
agentShortId | Return shortid from a create operation. |
agentGroups | Return the list of groups to which the user belongs from a userattribute/checktpl operation. |
Operation functions
The operation overrides that may be specified in the configuration file are as follows:
Operation | Description |
---|---|
checktpl | List the attribute information for a given acctid. |
list | List the accounts for the target. |
listgroups | List the groups for the target. |
isenabled | Checks if the account is enabled. |
islocked | Checks if the account is locked. |
ispwexpired | Checks if the account password is expired. |
disable | Disables an account. |
enable | Enables an account. |
lock | Locks an account. |
unlock | Unlocks an account. |
expirepw | Expires an account password. |
unexpirepw | Unexpires an account password. |
create | Creates an account. |
delete | Deletes an account. |
verify | Verify an account password and increment the failed password attempts on verification failure. |
admin_verify | Verify an account password. |
verifyreset | Verify an account password and, on failed password verification, reset the password. |
reset | Reset an account password. |
change | Verify an account password and, on successful password verification, reset the password. |
resetexpirepw | Reset an account password and expire the account password. |
groupuseradd | Add an account to a given group. |
groupuserdelete | Remove an account from a given group. |
groupcreate | Create a group. |
groupdelete | Delete a group. |
update | Updates an account. |
Warning
Functions which reset or verify passwords in scripts used by Bravura Privilege for password randomization must always report the result of the reset or verification accurately. Inaccurate status information may result in checked out passwords not working; additionally, if the credential used to manage the target system is being randomized, Bravura Privilege may invalidate its own managed system credential when an erroneous status is returned. Do not assume scripted password changes are always successful; always check return codes.
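The following added example is not from the sample script or the psunix product; since PSLang syntax is not shown on this page, it models the override contract in Python: the pre_<operation>/<operation> entry points, the associative-array elements (userid, acctid, newpw) and the agentError/agentWarning utility names come from the page, while the dispatcher (run_operation), the backend stand-in, the 12-character policy and the sample account are assumptions made up for illustration. It shows a pre_reset hook rejecting bad input before the server acts, and a reset that reports the backend's real return code rather than assuming success, which is the point of the Warning above.

```python
# Added illustration of the override contract; not PSLang and not product code.
MIN_PW_LEN = 12          # assumed local policy, not from the page
messages = []            # collects what agentError/agentWarning would send back

def agentError(msg):
    messages.append(("error", msg))

def agentWarning(msg):
    messages.append(("warning", msg))

# Constructed stand-in for the target system: acctid -> current password.
TARGET = {"jsmith": "OldPass!2024"}

def backend_set_password(acctid, newpw):
    """Stand-in for the real password change; returns a code like a real tool."""
    if acctid not in TARGET:
        return 1         # non-zero: account does not exist on the target
    TARGET[acctid] = newpw
    return 0

def pre_reset(args):
    """Validate data before the server performs the reset; False blocks it."""
    for key in ("userid", "acctid", "newpw"):
        if not args.get(key):
            agentError(f"reset: required element '{key}' is missing")
            return False
    if len(args["newpw"]) < MIN_PW_LEN:
        agentError(f"reset: new password for {args['acctid']} violates policy")
        return False
    return True

def reset(args):
    """Reset the password and report the real outcome, never an assumed success."""
    rc = backend_set_password(args["acctid"], args["newpw"])
    if rc != 0:
        agentError(f"reset: backend returned {rc} for {args['acctid']}")
        return False
    return True

def run_operation(name, args):
    """Assumed dispatcher: pre_<op> (if any), then <op>, then post_<op> (if any)."""
    pre = globals().get(f"pre_{name}")
    if pre is not None and not pre(args):
        return False     # pre-operation rejected the request; operation not run
    ok = globals()[name](args)
    post = globals().get(f"post_{name}")
    if post is not None:
        post(args)
    return ok
```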