The Solaris resource adapter is defined in the com.waveset.adapter.SolarisResourceAdapter class.
If you will be using SSH (Secure Shell) for communication between the resource and Waveset, set up SSH on the resource before configuring the adapter. You must also edit the /etc/ssh/sshd_config file by changing the value of PAMAuthenticationViaKBDInt from yes to no. After completing this edit, you must restart the SSH service.
If you manage NIS accounts on Solaris, install patch 125549-01 for SPARC systems or patch 125550-01 for x86 systems to improve the performance of the logins command and the Solaris adapter.
No additional installation procedures are required on this resource.
The Solaris resource adapter primarily provides support for the following Solaris commands:
useradd, usermod, userdel
groupadd, groupmod, groupdel
passwd
For more information about supported attributes and files, refer to the Solaris manual pages for these commands.
The adapter does not support Solaris Trusted Extensions.
When a rename of a user account is executed on a Solaris resource, the group memberships are moved to the new user name. The user’s home directory is also renamed if the following conditions are true:
The original home directory name matched the user name.
A directory matching the new user name does not already exist.
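The two rename conditions above, written out as a shell function so an administrator can predict what the adapter will do to a home directory. This is an added example, not the adapter's own code; the function takes the old home path as an argument rather than reading /etc/passwd so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the adapter's own code: the home-directory rename rule
# described above, expressed as a shell function.
#
# rename_home OLD_NAME NEW_NAME OLD_HOME
# Renames OLD_HOME to NEW_NAME (in the same parent directory) only if:
#   1. the last path component of OLD_HOME equals OLD_NAME, and
#   2. no directory named NEW_NAME already exists in that parent.
# Returns 0 if renamed, 1 if left untouched; prints the resulting home path.
rename_home() {
  old_name=$1; new_name=$2; old_home=$3
  parent=$(dirname "$old_home")
  new_home="$parent/$new_name"

  if [ "$(basename "$old_home")" != "$old_name" ]; then
    echo "$old_home"        # condition 1 fails: keep the old directory as-is
    return 1
  fi
  if [ -e "$new_home" ]; then
    echo "$old_home"        # condition 2 fails: never clobber an existing path
    return 1
  fi
  mv "$old_home" "$new_home" && echo "$new_home"
}
```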
The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX resource (AIX, HP-UX, Solaris, or Linux).
The administrative account that manages Solaris accounts must use the English (en) or C locale. This can be configured in the user’s .profile file.
In environments in which NIS is implemented, you can increase performance during bulk provisioning by implementing the following features:
Add an account attribute named user_make_nis to the schema map and use this attribute in your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the system to bypass the step of connecting to the NIS database after each user update on the resource.
To write the changes to the NIS database after all provisioning has completed, create a ResourceAction named NIS_password_make in the workflow.
New user accounts on Solaris resources remain locked until the passwd(1) command is executed. After the user account on Solaris has been created, executing passwd -s <user> will show the status as locked(LK). After an account is created natively, the “Locked out Accounts” section of the Solaris Risk Analysis report will report the newly created account. In addition, the “Accounts With No Password” section of the Risk Analysis report will not list the newly created account.
Do not use control characters (for example, 0x00, 0x7f) in user passwords.
This section provides information about supported connections and privilege requirements.
Waveset can use the following connections to communicate with the Solaris adapter:
Telnet
SSH (SSH must be installed independently on the resource.)
SSHPubKey
For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY ---. The public key must be placed in the /.ssh/authorized_keys file on the server.
The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.
The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on Solaris 9 from a companion CD. sudo allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.
In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user.
If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Waveset administrator. Refer to the man page for the sudoers file for more information.
The administrator must be granted privileges to run the following commands with sudo:
You can use a test connection to test whether:
These commands exist in the administrator user’s path
The administrative user can write to /tmp
The administrative user has rights to run certain commands
A test connection can use different command options than a normal provision run.
The adapter provides basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the native resource. Use visudo to register these commands.
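The following is an added example, not code from the Waveset documentation or the adapter. It shows the checks a test connection performs (commands in PATH, /tmp writable, sudo grants) as shell functions, and generates a sudoers fragment with tty_tickets set that grants the administrative account only the commands listed earlier on this page. The account name wsadmin, the command paths, and the sample sudo -l output are assumptions.

```shell
#!/bin/sh
# Added example, not from the Waveset documentation or the adapter itself.
# Functions mirror the test-connection checks described above; the sudoers
# fragment restricts the administrator to the adapter's own commands.
# The account name "wsadmin" and the command paths are assumptions.

ADAPTER_CMDS="useradd usermod userdel groupadd groupmod groupdel passwd"

# Returns 0 if every command named in $1 resolves in the caller's PATH.
cmds_in_path() {
  for c in $1; do
    command -v "$c" >/dev/null 2>&1 || { echo "missing in PATH: $c" >&2; return 1; }
  done
  return 0
}

# Returns 0 if the caller can create and remove a file under /tmp.
tmp_writable() {
  f="/tmp/ws_probe.$$"
  ( : > "$f" ) 2>/dev/null && rm -f "$f"
}

# Returns 0 if captured `sudo -l` output ($2) lists the command path $1.
sudo_allows() {
  printf '%s\n' "$2" | grep -F -q -- "$1"
}

# Prints a sudoers fragment for administrator $1. Install it with visudo;
# tty_tickets is the setting the adapter requires (see the text above).
sudoers_fragment() {
  admin=$1
  paths=""
  for c in $ADAPTER_CMDS; do
    case "$c" in
      passwd) p="/usr/bin/passwd" ;;   # Solaris keeps passwd in /usr/bin
      *)      p="/usr/sbin/$c" ;;      # account and group tools live in /usr/sbin
    esac
    paths="${paths:+$paths, }$p"
  done
  printf 'Defaults:%s tty_tickets\n' "$admin"
  printf 'Cmnd_Alias WAVESET_CMDS = %s\n' "$paths"
  printf '%s ALL = (root) WAVESET_CMDS\n' "$admin"
}

# Constructed sample of `sudo -l` output; passwd is deliberately absent so
# sudo_allows can show a missing grant.
SAMPLE_SUDO_L='User wsadmin may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel'
```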
The following table summarizes the provisioning capabilities of this adapter.
You can define resource attributes to control the following tasks for all users on this resource:
Create a home directory when creating the user
Copy files to the user’s home directory when creating the user
Delete the home directory when deleting the user
The following table lists the Solaris user account attributes. Attributes are optional unless noted in the description. All attributes are Strings.
| Identity System User Attribute | Resource User Attribute | Description |
|---|---|---|
| accountId | accountId | Required. The user’s login name. |
| Description | comment | The user’s full name. |
| Home directory | dir | The user’s home directory. Any value specified in this account attribute takes precedence over a value specified in the Home Base Directory resource attribute. |
| Expiration date | expire | Last date the account can be accessed. This attribute is not supported for NIS accounts. |
| Inactive | inactive | Number of days the account can be inactive before it is locked. Not supported for NIS accounts. |
| Primary group | group | The user’s primary group. |
| Secondary groups | secondary_group | A comma-separated list of the user’s secondary group or groups. To enable a role to provision this attribute, you must add 'csv=true' to the RoleAttribute element in the Role object XML. |
| Login shell | shell | The user’s login shell. If you are provisioning to an NIS master, the value of the user shell is checked on the NIS master only. Checks against other machines the user may log on to are not performed. |
| Last login time | time_last_login | The date and time of the last login. This value is read-only. |
| User ID | uid | The user ID, in digit form. |
| Authorizations | authorization | A comma-separated list of authorizations. |
| Profiles | profile | A comma-separated list of profiles. |
| Roles | role | A comma-separated list of roles. |
| expirePassword | force_change | Forces the user to supply a new password upon login. This attribute is not listed in the schema map by default. |
| Maximum Password Age | pwdmaxag | The maximum age of the password before it is rendered inactive. |
| Minimum Password Age | pwdminage | The minimum age of the password. |
| Password Warn Time | pwdwarntime | The password warning time, in number form. |
| Lock Account | lock_account | Specifies whether the account’s password is locked (boolean: true/false). |
Waveset supports the following native Solaris objects:
| Resource Object | Features Supported | Attributes Managed |
|---|---|---|
| Group | Create, update, delete, rename, save as | groupName, gid, users |
$accountId$
Solaris Group Create Form
Solaris Group Update Form
SolarisUserForm.xml
Use the Waveset debug pages to set trace options on the following classes:
com.waveset.adapter.SolarisResourceAdapter
com.waveset.adapter.SVIDResourceAdapter
com.waveset.adapter.ScriptedConnection