Sun Identity Manager 8.1 Resources Reference

Chapter 40 Shell Script

Identity Manager provides the Shell Script resource adapter to manage a resource that is controlled by shell scripts running on the system hosting the resource. This is a general-purpose adapter and is therefore highly configurable.

This adapter is defined in the com.waveset.adapter.ShellScriptResourceAdapter class.

Adapter Details

Resource Configuration Notes

You can use the ERROR_CODE_LIMIT attribute to define which error codes can represent errors. A code that exceeds the value specified here indicates an error. Any code that is less than this value should be used for informative or warning codes. If you do not set this value, then Identity Manager defaults to standard behavior, in which any non-zero return code indicates an error. You can add this optional attribute to the resource definition.

Identity Manager Installation Notes

To add this resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.

Usage Notes

Do not use control characters (for example, 0x00, 0x7f) in user passwords.

Resource Actions

The Shell Script adapter allows you to create a set of actions that perform basic provisioning functions such as creating, updating, deleting, and retrieving user accounts. Each of these actions is defined in a shell script. The Shell Script adapter works by running resource actions as a UNIX resource adapter. To run resource actions, this adapter must

The adapter supports the provisioning actions listed in the following table:





Creates a new user. 

No, but if not provided, users cannot be created. 


Deletes an existing user. 

No, but if not provided, users cannot be deleted. 


Gets information about all users on the resource 

No, but if not provided, operations that depend on account iteration, such as reconciliation and Load From Resource will not be available. 


Fetches attributes for an existing user. 



Updates attributes for an existing user. 

No, but if not provided, users cannot be updated. 

The $WSHOME/sample/ShellScript directory contains a set of sample resource action definitions that could be used to provision users to a theoretical shell script-based host application. You must customize these definitions to your environment.

For general information about resource actions, see Chapter 50, Adding Actions to Resources.


The Shell Script adapter implements actions as shell script files that execute on the resource host. These scripts must be written to run on the shell that has been configured for the account running the scripts on the resource host.

Scripts should follow conventions and exit with a return code of 0, which indicates success. Returning a non-zero code (chosen by the script writer) indicates the operation may not have been correctly completed.

Scripts may output text to the standard error or standard output stream. Depending on the nature of the operation, the context of the operation, and the type of failure, the text may be displayed in the results for that operation.

For the getUser and getAllUsers operations, the text in the standard output stream is parsed to determine the attributes of each user.

The following types of environment variables can be exported to the scripts:

The following example illustrates a generated environment:


WSRSRC_Host=''; export WSRSRC_Host
WSRSRC_Port='22'; export WSRSRC_Port
WSRSRC_Login_User='root'; export WSRSRC_Login_User
WSRSRC_password='074B7E28F5927C90:1C65216:108540A69DE:-7FFD|zGEBDGD3VRs='; export WSRSRC_password
WSRSRC_Login_Shell_Prompt=']#'; export WSRSRC_Login_Shell_Prompt
WSRSRC_Root_User='root'; export WSRSRC_Root_User
WSRSRC_credentials='074B7E28F5927C90:1C65216:108540A69DE:-7FFD|zGEBDGD3VRs='; export WSRSRC_credentials
WSRSRC_Root_Shell_Prompt=']#'; export WSRSRC_Root_Shell_Prompt
WSRSRC_Connection_Type='SSH'; export WSRSRC_Connection_Type
WSRSRC_Maximum_Connections='10'; export WSRSRC_Maximum_Connections
WSRSRC_Connection_Idle_Timeout='900'; export WSRSRC_Connection_Idle_Timeout
WSRSRC_Display_Name_Attribute='accountId'; export WSRSRC_Display_Name_Attribute
WSRSRC_NAME='ShellTest'; export WSRSRC_NAME
WSRSRC_ID='#ID#074B7E28F5927C90:B122A1:108E3E4CFAA:-7FFC'; export WSRSRC_ID
WSRSRC_TYPE='Resource'; export WSRSRC_TYPE
WSRSRC_CLASS='class com.waveset.object.Resource'; export WSRSRC_CLASS

Generally, if an attribute’s value is null, you can omit the corresponding environment variable instead of having the value of a zero-length string.

For more information about the variables available in a script, see Chapter 50, Adding Actions to Resources.

Result Handling

The AttrParse mechanism processes the results returned by the getUser and getAllUsers actions through the standard output stream. See Chapter 49, Implementing the AttrParse Object for more information about this mechanism.

For getUser actions, AttrParse returns a map of user attributes. For the getAllUsers action, it generates a map of maps. Each entry for the returned map contains the following.

The collectCsvHeader and collectCsvLines AttrParse tokens can be used to determine attributes and values.
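A getAllUsers-style action that follows the script conventions and CSV result handling described above, added here as an example; it is not part of the Sun documentation or of the $WSHOME/sample/ShellScript definitions. The record layout, the CSV column names, the file name getAllUsers.sh and an ERROR_CODE_LIMIT of 10 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not one of the $WSHOME/sample/ShellScript definitions.
# Assumes ERROR_CODE_LIMIT=10 on the resource: 5 is a warning, 20 an error.
RC_OK=0; RC_WARN=5; RC_ERROR=20

# Constructed sample records (accountId:fullname:status). A real action
# would query the host application here instead.
sample_accounts() {
    printf '%s\n' 'jdoe:John Doe:active' 'asmith:Alice Smith:disabled' \
                  'bad,id:Comma In Id:active' 'nofields'
}

# Accept only values that cannot break the CSV that AttrParse will read.
valid_record() {  # $1=accountId  $2=fullname  $3=status
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$2" in ''|*[,[:cntrl:]]*) return 1 ;; esac
    case "$3" in active|disabled) return 0 ;; esac
    return 1
}

# stdin: records; stdout: CSV header plus one line per valid account.
# Diagnostics go to stderr only, so they are never parsed as user data.
emit_csv() {
    good=0; skipped=0
    echo 'accountId,fullname,status'   # hypothetical column names
    while IFS=: read -r id name status; do
        if valid_record "$id" "$name" "$status"; then
            printf '%s,%s,%s\n' "$id" "$name" "$status"
            good=$((good + 1))
        else
            echo "skipped one malformed account record" >&2
            skipped=$((skipped + 1))
        fi
    done
    if [ "$good" -eq 0 ]; then
        echo "no valid accounts found" >&2
        return "$RC_ERROR"
    fi
    [ "$skipped" -eq 0 ] || return "$RC_WARN"
    return "$RC_OK"
}

# Runs only when saved under this (hypothetical) file name.
case "$0" in
    *getAllUsers.sh) sample_accounts | emit_csv; exit $? ;;
esac
```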

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses the following connections to communicate with the shell script adapter:

For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY ---. The public key must be placed in the /.ssh/authorized_keys file on the server.

Required Administrative Privileges

The administrative account that the script runs under must be authorized for all operations defined in the scripts.

Provisioning Notes

The following table summarizes the provisioning capabilities of the Shell Script adapter.



Create account 


Update account 


Delete account 


Enable/disable account 


Rename account 


Pass-through authentication 


Before/after actions 


Data loading methods 

If the getAllUsers action is defined, then the following data loading methods are supported:

  • Import directly from resource

  • Reconciliation

Account Attributes

The Shell Script adapter does not provide default account attributes because the account attributes vary greatly.

The account must have an account attribute in which the Identity System user attribute is named accountId.

Resource Object Management

Not supported.

Identity Template

None. You must supply the identity template with a valid value.

Sample Forms

There are no sample user forms, but an example resource and AttrParse definition are provided in the following location:



Use the Identity Manager debug pages to set trace options on the following class: