Sun Java[TM] System Identity Manager 7.1 Resources Reference
AIX
The AIX resource adapter is defined in the com.waveset.adapter.AIXResourceAdapter class.
This adapter supports the following versions of AIX:
Resource Configuration Notes
If you will be using SSH (Secure Shell) for communication between the resource and Identity Manager, set up SSH on the resource before configuring the adapter.
Identity Manager Installation Notes
No additional installation procedures are required on this resource.
Usage Notes
The AIX resource adapter primarily provides support for the following AIX commands:
The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX resource (AIX, HP-UX, Solaris, or Linux).
The administrative account that manages Solaris accounts must use the English (en) or C locale. This can be configured in the user's .profile file.
In environments in which NIS is implemented, you can increase performance during bulk provisioning by implementing the following features:
- Add an account attribute named user_make_nis to the schema map and use this attribute in your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the system to bypass the step of connecting to the NIS database after each user update on the resource.
- To write the changes to the NIS database after all provisioning has completed, create a ResourceAction named NIS_password_make in the workflow.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the following connections to communicate with the AIX adapter:
Required Administrative Privileges
Managing users and groups requires that the administrator be root or a member of the security group.
The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.
The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on AIX from the AIX Toolbox. The sudo facility allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.
In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user and admin user.
If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for more information.
The administrator must be granted privileges to run the following commands with sudo:
In addition, the NOPASSWD option must be specified for each command.
You can use a test connection to test whether
The adapter provides basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the native resource. Use visudo to register these commands.
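One way to check a sudoers file against the two requirements above (tty_tickets enabled for the administrator, NOPASSWD on each command), as an added example that is not part of the Identity Manager documentation. The user name idmadmin, the command paths and the sample sudoers text are constructed placeholders, and the parser is simplified: it does not resolve aliases, groups or included files.

```python
import re

# Constructed sample (not from the page). "idmadmin" and the command paths are
# placeholders; substitute the adapter's administrator and its command list.
SAMPLE_SUDOERS = """\
Defaults:idmadmin tty_tickets
idmadmin ALL = NOPASSWD: /usr/bin/mkuser, /usr/bin/chuser, \\
               PASSWD: /usr/sbin/rmuser
"""

def audit_sudoers(text, user, required_cmds):
    """Return findings; an empty list means both documented requirements hold."""
    tty_tickets = False
    nopasswd = {}  # command path -> True when the NOPASSWD tag applies to it
    # sudoers joins a line ending in a backslash with the next line.
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified)
        m = re.match(r"Defaults(?::(\S+))?\s+(.*)", line)
        if m:
            if m.group(1) in (None, user):  # global or per-user Defaults
                for flag in (f.strip() for f in m.group(2).split(",")):
                    if flag in ("tty_tickets", "!tty_tickets"):
                        tty_tickets = not flag.startswith("!")
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.*)", line)
        if not m or m.group(1) != user:
            continue
        tag = False  # sudoers default: a password is required
        for spec in m.group(2).split(","):
            spec = re.sub(r"^\([^)]*\)\s*", "", spec.strip())  # drop (runas)
            while (t := re.match(r"(\w+):\s*", spec)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    tag = t.group(1) == "NOPASSWD"  # sticky for later commands
                spec = spec[t.end():]
            if spec:
                nopasswd[spec.split()[0]] = tag
    findings = [] if tty_tickets else [f"tty_tickets is not enabled for {user}"]
    for cmd in required_cmds:
        granted = nopasswd.get(cmd, nopasswd.get("ALL"))
        if granted is None:
            findings.append(f"{cmd}: not granted to {user}")
        elif not granted:
            findings.append(f"{cmd}: granted without NOPASSWD")
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS, "idmadmin",
            ["/usr/bin/mkuser", "/usr/bin/chuser", "/usr/sbin/rmuser"]):
        print(finding)
```

Because a sudoers tag stays in effect for the commands that follow it in the same entry, the check tracks the most recent NOPASSWD or PASSWD tag rather than looking for one in front of every command.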
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | No |
| Pass-through authentication | Yes |
| Before/after actions | Yes |
| Data loading methods | |
You can define resource attributes to control the following tasks for all users on this resource:
Account Attributes
The following table lists the AIX user account attributes. All attributes are Strings. Attributes are optional unless noted in the description.
Resource Object Management
Identity Manager supports the following native AIX objects:
| Resource Object | Features Supported | Attributes Managed |
|---|---|---|
| Group | Create, update, delete, save as | groupName, admin, users |
Identity Template
$accountId$
Sample Forms
Built-In
Also Available
AIXUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes: