Sun Identity Manager 8.1 Resources Reference

Adapter Details

Resource Configuration Notes

If you will be using SSH (Secure Shell) for communication between the resource and Identity Manager, set up SSH on the resource before configuring the adapter.

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

The AIX resource adapter primarily provides support for the following AIX commands:


Note –

For more information about supported attributes and files, refer to the AIX manual pages for these commands.


The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX resource (AIX, HP-UX, Solaris, or Linux).

The administrative account that manages AIX accounts must use the English (en) or C locale. This can be configured in the user’s .profile file.

In environments in which NIS is implemented, you can increase performance during bulk provisioning by implementing the following features:

Do not use control characters (for example, 0x00, 0x7f) in user passwords.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses the following connections to communicate with the AIX adapter:

For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include the delimiter lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY ---. The public key must be placed in the /.ssh/authorized_keys file on the server.

Required Administrative Privileges

Managing users and groups requires that the administrator be root or a member of the security group.

The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.

The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on AIX from the AIX Toolbox. The sudo facility allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user and admin user.

If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for more information.

The administrator must be granted privileges to run the following commands with sudo:

User, Group, and Security Commands

  • chgroup

  • chgrpmem

  • chsec

  • chuser

  • lsgroup

  • lssec

  • lsuser

  • mkgroup

  • mkuser

  • rmgroup

  • rmuser

  • passwd

  • pwdadm

NIS Commands

  • make

  • ypcat

  • ypmatch

  • yppasswd

Miscellaneous Commands

  • awk

  • cat

  • cd

  • chmod

  • chown

  • cp

  • cut

  • diff

  • echo

  • grep

  • ls

  • mv

  • rm

  • sed

  • sleep

  • sort

  • tail

  • touch

You can use a test connection to test whether


Note –

A test connection can use different command options than a normal provision run.


The adapter provides basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the native resource. Use visudo to register these commands.
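The following script is an added example and is not part of the Sun documentation or the adapter. It audits a sudoers file for the two requirements stated above: that tty_tickets is enabled, and that the User, Group, and Security commands and NIS commands listed above are granted through sudo (the Miscellaneous Commands list is omitted here). The sample sudoers content, the administrator name idmadmin, and the /usr/bin command paths are constructed assumptions; the authoritative check on a real resource is sudo -l -U <administrator>, run after editing /etc/sudoers with visudo.

```shell
#!/bin/sh
# Added example, not from the Sun Identity Manager documentation.
# Audits a sudoers file for the settings the AIX adapter requires.

# Commands the Resources Reference says the Identity Manager administrator
# must be able to run with sudo (User/Group/Security and NIS groups).
IDM_SUDO_CMDS="chgroup chgrpmem chsec chuser lsgroup lssec lsuser mkgroup mkuser rmgroup rmuser passwd pwdadm make ypcat ypmatch yppasswd"

# Constructed sample sudoers fragments (assumed user idmadmin, assumed
# /usr/bin paths). Real systems edit /etc/sudoers with visudo instead.
SAMPLE_SUDOERS=$(mktemp)
cat >"$SAMPLE_SUDOERS" <<'EOF'
# tty_tickets enabled, but only part of the required command set is granted
Defaults tty_tickets
Cmnd_Alias IDM_USER_CMDS = /usr/bin/chuser, /usr/bin/mkuser, /usr/bin/rmuser, /usr/bin/lsuser, /usr/bin/pwdadm
idmadmin ALL = (root) IDM_USER_CMDS, /usr/bin/chgroup
EOF

SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
# tty_tickets explicitly disabled: the adapter requirement is not met
Defaults !tty_tickets
idmadmin ALL = (root) /usr/bin/lsuser
EOF
trap 'rm -f "$SAMPLE_SUDOERS" "$SAMPLE_BAD"' EXIT

# check_tty_tickets FILE: exit 0 if a Defaults line enables tty_tickets
# and no Defaults line negates it, exit 1 otherwise.
check_tty_tickets() {
  grep -E '^[[:space:]]*Defaults[^[:space:]]*[[:space:]]' "$1" \
    | grep -Ev '!tty_tickets' \
    | grep -Eq '(^|[[:space:],])tty_tickets([[:space:],]|$)'
}

# missing_sudo_cmds FILE: print the required commands whose basename does
# not appear in any non-comment line (coarse textual check; it does not
# resolve aliases or verify which user specification references them).
missing_sudo_cmds() {
  file=$1
  missing=""
  for cmd in $IDM_SUDO_CMDS; do
    if ! grep -Ev '^[[:space:]]*#' "$file" \
         | grep -Eq "/$cmd([[:space:],]|\$)"; then
      missing="$missing $cmd"
    fi
  done
  printf '%s\n' "${missing# }"
}

# sudoers_ready_for_idm FILE: exit 0 only if tty_tickets is enabled and
# every required command is present.
sudoers_ready_for_idm() {
  check_tty_tickets "$1" && [ -z "$(missing_sudo_cmds "$1")" ]
}

# Stand-alone run against the constructed samples.
for f in "$SAMPLE_SUDOERS" "$SAMPLE_BAD"; do
  if check_tty_tickets "$f"; then tty="enabled"; else tty="NOT enabled"; fi
  echo "$f: tty_tickets $tty; missing sudo commands: $(missing_sudo_cmds "$f")"
done
```

Run the script against a copy of the resource's sudoers file by changing the file variable, or call the functions from your own checks; a non-empty list from missing_sudo_cmds names the commands still to be registered with visudo.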

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature: Supported?

Enable/disable account: Yes

Rename account: No

Pass-through authentication: Yes

Before/after actions: Yes

Data loading methods:

  • Import directly from resource

  • Reconcile with resource

You can define resource attributes to control the following tasks for all users on this resource:

Account Attributes

The following table lists the AIX user account attributes. All attributes are Strings. Attributes are optional unless noted in the description.

Each entry below gives the resource user attribute, its mkuser equivalent, and its description.

accountId (mkuser equivalent: login_name)
  Required. The user’s login name.

account_locked (mkuser equivalent: account_locked=[true|false])
  Indicates if the user account is locked.

admin (mkuser equivalent: admin=[true|false])
  Defines the administrative status of the user.

daemon (mkuser equivalent: daemon=[true|false])
  Indicates whether the user can run programs using the cron or src daemon.

expires (mkuser equivalent: expires=MMDDhhmmyy)
  The expiration date of the account.

gecos (mkuser equivalent: gecos=String)
  General information about the user.

groups (mkuser equivalent: groups=GroupNames)
  A comma-separated list of group names the user belongs to.

home (mkuser equivalent: home=PathName)
  The full path to the user’s home directory. Any value specified in this account attribute takes precedence over a value specified in the Home Base Directory resource attribute.

id (mkuser equivalent: id=Integer)
  A unique integer string that specifies the user ID.

login (mkuser equivalent: login=[true|false])
  Indicates whether the user can log in to the system with the login command.

loginretries (mkuser equivalent: loginretries=attempts)
  The number of unsuccessful login attempts allowed after the last successful login before the system locks the account.

maxage (mkuser equivalent: maxage=weeks)
  The maximum age, in weeks, of a password.

maxexpired (mkuser equivalent: maxexpired=weeks)
  The maximum time, in weeks, beyond the maxage value that a user can change an expired password.

pgrp (mkuser equivalent: pgrp=GroupName)
  The user’s primary group.

rlogin (mkuser equivalent: rlogin=[true|false])
  Permits access to the account from a remote location with the telnet or rlogin commands.

shell (mkuser equivalent: shell=PathName)
  The program run for the user at session initiation. If you are provisioning to an NIS master, the value of the user shell will be checked on the NIS master only. Checks against other machines the user may log on to will not be performed.

su (mkuser equivalent: su=[true|false])
  Indicates whether another user can switch to the specified user account with the su command.

umask (mkuser equivalent: umask=Value)
  Sets file permissions.

Resource Object Management

Identity Manager supports the following native AIX objects:

Resource Object: Group

Features Supported: Create, update, delete, save as

Attributes Managed: groupName, admin, users

Identity Template

$accountId$

Sample Forms

Built-In

Also Available

AIXUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes: