Sun Identity Manager 8.1 Resources Reference

Adapter Details

Resource Configuration Notes

If you will be using SSH (Secure Shell) for communication between the resource and Identity Manager, set up SSH on the resource before configuring the adapter.

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

The AIX resource adapter primarily provides support for the following AIX commands:

Note –

For more information about supported attributes and files, refer to the AIX manual pages for these commands.

The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX resource (AIX, HP-UX, Solaris, or Linux).

The administrative account that manages AIX accounts must use the English (en) or C locale. This can be configured in the user’s .profile file.

In environments in which NIS is implemented, you can increase performance during bulk provisioning by implementing the following features:

Do not use control characters (for example, 0x00, 0x7f) in user passwords.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses the following connections to communicate with the AIX adapter:

For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the server.

Required Administrative Privileges

Managing users and groups require that the administrator be root or a member of the security group.

The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.

The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on AIX from the AIX Toolbox. The sudo facility allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user and admin user.

If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for more information.

The administrator must be granted privileges to run the following commands with sudo:

User, Group, and Security Commands  


NIS Commands  

Miscellaneous Commands  


  • chgroup

  • chgrpmem

  • chsec

  • chuser

  • lsgroup

  • lssec

  • lsuser

  • mkgroup

  • mkuser

  • rmgroup

  • rmuser

  • passwd

  • pwdadm

  • make

  • ypcat

  • ypmatch

  • yppasswd

  • awk

  • cat

  • cd

  • chmod

  • chown

  • cp

  • cut

  • diff

  • echo

  • grep

  • ls

  • mv

  • rm

  • sed

  • sleep

  • sort

  • tail

  • touch

You can use a test connection to test whether

Note –

A test connection can use different command options than a normal provision run.

The adapter provides basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registerd on the native resource. Use visudo to register these commands.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.



Enable/disable account 


Rename account 


Pass-through authentication 


Before/after actions 


Data loading methods 

  • Import directly from resource

  • Reconcile with resource

You can define resource attributes to control the following tasks for all users on this resource:

Account Attributes

The following table lists the AIX user account attributes. All attributes are Strings. Attributes are optional unless noted in the description.

Resource User Attribute  

mkuser Equivalent  




Required. The user’s login name. 


account_locked=[true | false] 

Indicates if the user account is locked. 



Defines the administrative status of the user. 



Indicates whether the user can run programs using the cron or src daemon. 



The expiration date of the account. 



General information about the user. 



A comma-separated list of group names the user belongs to. 



The full path to the user’s home directory. Any value specified in this account attribute takes precedence over a value specified in the Home Base Directory resource attribute.



A unique integer string that specifies the user ID. 


login=[true | false] 

Indicates whether the user can log in to the system with the login command. 



The number of unsuccessful login attempts allowed after the last successful login before the system locks the account. 



The maximum age, in weeks, of a password. 



The maximum time, in weeks, beyond the maxage value that a user can change an expired password. 



The user’s primary group. 


rlogin=[true | false] 

Permits access to the account from a remote location with the telnet or rlogin commands. 



The program run for the user at session initiation. 

If you are provisioning to an NIS master, the value of the user shell will be checked on the NIS master only. Checks against other machines the user may log on to will not be performed. 


su=[true | false] 

Indicates whether another user can switch to the specified user account with the su command. 



Sets file permissions. 

Resource Object Management

Identity Manager supports the following native AIX objects:

Resource Object  

Features Supported  

Attributes Managed  


Create, update, delete, save as 

groupName, admin, users

Identity Template


Sample Forms


Also Available



Use the Identity Manager debug pages to set trace options on the following classes: