Sun Identity Manager 8.1 Resources Reference

Chapter 31 Red Hat Linux and SuSE Linux

The Red Hat Linux and SuSE Linux resource adapter are two separate adapters defined in the com.waveset.adapter.RedHatLinuxResourceAdapter and com.waveset.adapter.SUSELinuxResourceAdapter classes, respectively.

Adapter Details

Resource Configuration Notes

If you will be using SSH (Secure Shell) for communications between the resource and Identity Manager, set up SSH on the resource before configuring the adapter.

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

The Linux resource adapters primarily provide support for the following commands:

useradd, usermod, userde1
groupadd, groupmod, groupdel
passwd

For more information about supported attributes and files, refer to the Linux manual pages for these commands.

When a rename of a user account is executed on a Linux resource, the group memberships are moved to the new user names. The user's home directory is also renamed if the following conditions are true:

The original home directory name matched the user name.
A directory matching the new user name does not already exist.

The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a Linux resource.

The administrative account that manages Linux accounts must use the English (en) or C locale. This can be configured in the user's .profile file. Do note use control characters (for example, 0x00, 0x7f) in user passwords.

In environments in which NIS is implemented, you can increase performance during bulk provisioning by implementing the following features:

Add an account attribute named user_make_nis to the schema map and use this attribute in your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the system to bypass the step of connecting to the NIS database after each user update on the resource.
To write the changes to the NIS database after all provisioning has completed, create a ResourceAction named NIS_password_make in the workflow.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use the following connections to communicate with this adapter:

Telnet
SSH (SSH must be installed independently on the resource.)
SSHPubKey

For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the server.

Required Administrative Privileges

The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.

The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on Solaris 9 from a companion CD. sudo allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user.

If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for more information.

The administrator must be granted privileges to run the following commands with sudo:

User and Group Commands		Miscellaneous Commands
`chsh` `groupadd` `groupdel` `groupmod` `last`	`passwd` `useradd` `userdel` `usermod`	`awk` `cat` `chmod` `chown` `cp` `cut` `diff` `echo` `grep`	ln `ls` `mv` `ps` `rm` sed `sort` `tail` `touch`

The adapter does not support NIS commands with sudo, because the yppasswd command requires the root password.

You can use a test connection to test whether

These commands exist in the administrator user’s path
The administrative user can write to /tmp
The administrative user have rights to run certain commands

A test connection can use different command options than a typical provision run.

The adapter provides basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registerd on the native resource. Use visudo to register these commands.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature	Supported?
Enable/disable account	Linux does not natively support Identity Manager enable and disable actions. Identity Manager simulates enabling and disabling accounts by changing the user password. The changed password is exposed on enable actions, but it is not exposed on disable actions. As a result, enable and disable actions are processed as update actions. Any before or after actions that have been configured to operate on updates will execute.
Rename account	Yes
Pass-through authentication	Yes
Before/after actions	Yes
Data loading methods	Import directly from resource Reconcile with resource

You can define resource attributes to control the following tasks for all users on this resource:

Create a home directory when creating the user
Copy files to the user’s home directory when creating the user
Delete the home directory when deleting the user

Account Attributes

The following table lists the Red Hat Linux and SuSE Linux user account attributes. Attributes are optional unless noted in the description. All attributes are Strings.

Resource User Attribute	useradd Equivalent	Description
`accountId`	`login`	Required. The user’s login name.
`comment`	- `c` comment	The user’s full name.
`dir`	- `d` dir	The user’s home directory. Any value specified in this account attribute takes precedence over a value specified in the Home Base Directory resource attribute.
`expire`	- `e` expiration date	Last date the account can be accessed.
`group`	- `g` group	The user’s primary group.
`inactive`	- `f` days	Number of days the account can be inactive before it is locked.
`secondary_group`	- `G` group	A comma-separated list of the user’s secondary group or groups. To enable a role to provision this attribute, you must add `’csv=true’` to the `RoleAttribute` element in the Role object XML.
`shell`	-`s/`Path	The user’s login shell. If you are provisioning to an NIS master, the value of the user shell will be checked on the NIS master only. Checks against other machines the user may log on to will not be performed.
`time_last_login`	Obtained from the lastlog command.	The date and time of the last login. This value is read-only. If you do not need to track this attribute, delete it from the schema map, as additional calls to the resource are required to retrieve the last login time.
`uid`	- `u` `User ID`	The user ID, in digit form.

Resource Object Management

Identity Manager supports the following native Solaris objects:

Resource Object	Features Supported	Attributes Managed
Group	Create, update, delete, rename, save as	groupName, gid, users

Identity Template

$accountId$

Sample Forms

Built-In

Red Hat Linux Group Create Form
Red Hat Linux Group Update Form
SuSE Linux Group Create Form
SuSE Linux Group Update Form

Also Available

RedHatLinuxUserForm.xml
SUSELinuxUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

com.waveset.adapter.RedHatLinuxResourceAdapterr
com.waveset.adapter.SUSELinuxResourceAdapter
com.waveset.adapter.SVIDResourceAdapter
com.waveset.adapter.ScriptedConnection