Sun Identity Manager 8.1 Resources Reference

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use the following connections to communicate with the Solaris adapter:

For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the server.

Required Administrative Privileges

The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.

The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on Solaris 9 from a companion CD. sudo allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user.

If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for more information.

The administrator must be granted privileges to run the following commands with sudo:

User and Group Commands  


NIS Commands  

Miscellaneous Commands  

  • auths

  • groupadd

  • groupdel

  • groupmod

  • last

  • listusers

  • logins

  • passwd

  • profiles

  • roles

  • useradd

  • userdel

  • usermod

  • make

  • ypcat

  • ypmatch

  • yppasswd

  • awk

  • cat

  • chmod

  • chown

  • cp

  • cut

  • diff

  • echo

  • grep

  • ls

  • mv

  • rm

  • sed

  • sleep

  • sort

  • tail

  • touch

  • which

You can use a test connection to test whether

Note –

A test connection can use different command options than a normal provision run.

The adapter provides basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registerd on the native resource. Use visudo to register these commands.