Solaris

Previous Contents Next
Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3

Solaris

The Solaris resource adapter is defined in the com.waveset.adapter.SolarisResourceAdapter class.

This adapter supports the following versions of Solaris:

8

9

10

Resource Configuration Notes

If you will be using SSH (Secure Shell) for communication between the resource and Identity Manager, set up SSH on the resource before configuring the adapter.

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

The Solaris resource adapter primarily provides support for the following Solaris commands:

useradd, usermod, userdel

groupadd, groupmod, groupdel

passwd

For more information about supported attributes and files, refer to the Solaris manual pages for these commands.

When a rename of a user account is executed on a Solaris resource, the group memberships are moved to the new user name. The user's home directory is also renamed if the following conditions are true:

The original home directory name matched the user name.

A directory matching the new user name does not already exist.

The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX resource (AIX, HP-UX, Solaris, or Linux).

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use the following connections to communicate with the Solaris adapter:

Telnet

SSH (SSH must be installed independently on the resource.)

Required Administrative Privileges

The adapter supports logging in as a standard user, then performing a su command to switch to root (or root-equivalent account) to perform administrative activities. Direct logins as root user are also supported.

The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on Solaris 9 from a companion CD. sudo allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

In addition, if sudo is enabled for a resource, its settings will override those configured on the resource definition page for the root user.

If you are using sudo, you must set the tty_tickets parameter to true for the commands enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for more information.

The administrator must be granted privileges to run the following commands with sudo:

User and Group Commands

NIS Commands

Miscellaneous Commands

  auths

  groupadd

  groupdel

  groupmod

  last

  listusers

  logins

  passwd

  profiles

  roles

  useradd

  userdel

  usermod

  make

  ypcat

  ypmatch

  yppasswd

  awk

  cat

  chmod

  chown

  cp

  cut

  diff

  echo

  grep

  ls

  mv

  rm

  sed

  sleep

  sort

  tail

  touch

  which

In addition, the NOPASSWORD option must be specified for each command.

You can use a test connection to test whether

These commands exist in the administrator user’s path

The administrative user can write to /tmp

The administrative user have rights to run certain commands

Note  A test connection can use different command options than a normal provision run.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature

Supported?

Enable/disable account

Solaris does not natively support Identity Manager enable and disable actions. Identity Manager simulates enabling and disabling accounts by changing the user password. The changed password is exposed on enable actions, but it is not exposed on disable actions.

As a result, enable and disable actions are processed as update actions. Any before or after actions that have been configured to operate on updates will execute.

Rename account

Yes

Pass-through authentication

Yes

Before/after actions

Yes

Data loading methods

  Import directly from resource

  Reconcile with resource

You can define resource attributes to control the following tasks for all users on this resource:

Create a home directory when creating the user

Copy files to the user’s home directory when creating the user

Delete the home directory when deleting the user

Account Attributes

The following tables list the Solaris user account attributes, including options for all versions of Solaris and for Solaris 8 or later.

Notes:

Attributes are optional unless noted in the description.

All attributes are Strings.

Options for All Versions of Solaris

Resource
User Attribute

useradd Equivalent

Description

accountId

login

Required. The user’s login name.

comment

-c comment

The user’s full name.

dir

-d directory

The user’s home directory.

expire

-e expiration date

Last date the account can be accessed.

group

-g group

The user’s primary group.

inactive

-f days

Number of days the account can be inactive before it is locked

secondary_group

-G group

The user’s secondary group or groups.

shell

-s /Path

The user’s login shell.

time_last_login

Obtained from the last command.

The date and time of the last login. This value is read-only.

uid

-u User ID

The user ID, in digit form.

Options for Solaris 8 and Later

Resource
User Attribute

useradd Equivalent

Description

authorization

-A authorization

A comma-separated list of authorizations.

profile

-P profile

A comma-separated list of profiles.

role

-R role

A comma-separated list of roles.

Resource Object Management

Identity Manager supports the following native Solaris objects:

Resource Object

Features Supported

Attributes Managed

Group

Create, update, delete, rename, save as

groupName, gid, users

Identity Template

$accountId$

Sample Forms

Built-In

Solaris Group Create Form

Solaris Group Update Form

Also Available

SolarisUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

com.waveset.adapter.SolarisResourceAdapter

com.waveset.adapter.SVIDResourceAdapter

com.waveset.adapter.ScriptedConnection

Previous      Contents      Next

Copyright 2006 Sun Microsystems, Inc. All rights reserved.

Feature	Supported?
Enable/disable account	Solaris does not natively support Identity Manager enable and disable actions. Identity Manager simulates enabling and disabling accounts by changing the user password. The changed password is exposed on enable actions, but it is not exposed on disable actions. As a result, enable and disable actions are processed as update actions. Any before or after actions that have been configured to operate on updates will execute.
Rename account	Yes
Pass-through authentication	Yes
Before/after actions	Yes
Data loading methods	Import directly from resource Reconcile with resource

Resource User Attribute	useradd Equivalent	Description
accountId	login	Required. The user’s login name.
comment	-c comment	The user’s full name.
dir	-d directory	The user’s home directory.
expire	-e expiration date	Last date the account can be accessed.
group	-g group	The user’s primary group.
inactive	-f days	Number of days the account can be inactive before it is locked
secondary_group	-G group	The user’s secondary group or groups.
shell	-s /Path	The user’s login shell.
time_last_login	Obtained from the last command.	The date and time of the last login. This value is read-only.
uid	-u User ID	The user ID, in digit form.

Resource User Attribute	useradd Equivalent	Description
authorization	-A authorization	A comma-separated list of authorizations.
profile	-P profile	A comma-separated list of profiles.
role	-R role	A comma-separated list of roles.