IBM Security Identity Manager Version 6.0 UNIX and Linux Adapter User Guide IBM

Post on 08-Jul-2020


Page 1: IBM Security Identity Manager: UNIX and Linux …public.dhe.ibm.com/.../6.0/unixlinux_usr_60_book.pdfChapter 1. Overview The UNIX and Linux Adapter pr ovides connectivity between the

IBM Security Identity Manager Version 6.0

UNIX and Linux Adapter User Guide

IBM


ii IBM Security Identity Manager: UNIX and Linux Adapter User Guide


Contents

Figures . . . v
Tables . . . vii

Chapter 1. Overview . . . 1
  Prerequisites . . . 2

Chapter 2. User account management . . . 3
  Reconciling user accounts . . . 3
    Reconciling support data without reconciling user accounts . . . 3
    Reconciling single user accounts . . . 4
  Adding user accounts . . . 5
    Required attribute . . . 5
    Optional attributes on the account form . . . 6
    Password lifespan for a user account . . . 7
    Determining the lifespan of a user account . . . 8
    Group assignment to users . . . 8
    Role assignment to users . . . 8
    Support data attributes . . . 9
    Discovery of sudo privileges . . . 10
  Modifying user accounts . . . 12
    User unassignment from groups . . . 12
    Role removal on AIX . . . 12
    Password changes for user accounts . . . 12
  Suspending user accounts . . . 12
  Restoring user accounts . . . 13
  Deleting user accounts . . . 13

Chapter 3. Troubleshooting . . . 15
  Error logs . . . 15
  Error messages and warnings . . . 15

Chapter 4. Reference . . . 19
  Adapter attributes . . . 19
    UNIX and Linux Adapter account form attributes . . . 19
    UNIX and Linux Adapter service form attributes . . . 22
    UNIX and Linux Adapter group form attributes . . . 24
    UNIX and Linux Adapter role form attributes . . . 25

Index . . . 27



Figures


Tables

1. Prerequisites checklist . . . 2
2. Specifying the optional attributes on the account form . . . 6
3. Results of specifying the support data attributes on the account form . . . 9
4. Account form attributes . . . 19
5. Service form attributes . . . 23
6. Group form attributes . . . 24
7. Role form attributes . . . 25


Chapter 1. Overview

The UNIX and Linux Adapter provides connectivity between the IBM® Security Identity Manager server and the UNIX and Linux operating systems.

The adapter runs as a service, independent of whether you are logged on to IBM Security Identity Manager.

The UNIX and Linux Adapter automates the following tasks:

User account management
- Adding user accounts
- Modifying user accounts
- Suspending and restoring user accounts
- Retrieving user accounts
- Deleting user accounts
- Reconciling user accounts and other support data

Group management
- Adding groups
- Modifying groups
- Deleting groups
- Retrieving groups
- Reconciling groups

AIX Role management
- Adding roles
- Modifying roles
- Deleting roles

The adapter contains Tivoli® Directory Integrator assembly lines that serve one or more user account, UNIX group, and AIX® role operations. When the first request is sent from IBM Security Identity Manager, the required assembly line is loaded into Tivoli Directory Integrator. The same assembly line is then cached to serve subsequent operations of the same type.

Note:
- The reconciliation and test assembly lines are not cached.
- AIX roles are not reconciled or managed by the adapter for any AIX service with a user registry that is defined as LDAP.

The UNIX and Linux Adapter uses the Secure Shell (SSH) protocol to establish communication with the UNIX and Linux operating systems. Ensure that the SSH server is running on the managed resource when you connect from IBM Security Identity Manager. For more information about Secure Shell installation, see the UNIX and Linux Adapter Installation and Configuration Guide.


Prerequisites
Use the Prerequisites checklist to install and configure the adapter before you perform any of the user account, group, or role management tasks, where applicable.

Table 1. Prerequisites checklist

1. Install the adapter.
   See: the adapter's Installation and Configuration Guide.

2. Import the adapter profile into the IBM Security Identity Manager server.
   See: the adapter's Installation and Configuration Guide.

3. Create an adapter service.
   See: the adapter's Installation and Configuration Guide.
   Note: After you create a UNIX and Linux Adapter service, the IBM Security Identity Manager server creates a default provisioning policy for the adapter service. You can customize a provisioning policy for the UNIX and Linux Adapter service according to the requirements of your organization. For more information, see the section about Customizing a provisioning policy in the IBM Security Identity Manager product documentation.

4. Configure the adapter.
   See: the adapter's Installation and Configuration Guide.

5. Perform a reconciliation operation to retrieve user accounts and store them in the IBM Security Identity Manager server.
   See: Managing reconciliation schedules in the IBM Security Identity Manager product documentation.

6. Adopt orphan accounts on IBM Security Identity Manager.
   See: Assigning an orphan account to a user in the IBM Security Identity Manager product documentation.

7. Run the dispatcher, which in turn runs the adapter.
   See: the adapter's Installation and Configuration Guide.


Chapter 2. User account management

The UNIX and Linux Adapter manages user accounts for a specific person, a service instance, or specific accounts by using the search function of IBM Security Identity Manager.

You can perform the following operations:
- Add, modify, or delete an account
- Suspend or restore an account
- Reconcile accounts

You can manage:
- Accounts for a specific person
- Accounts for a service instance
- Specific accounts by using the search function of IBM Security Identity Manager

Reconciling user accounts
Reconciliation synchronizes the accounts and supporting data between the IBM Security Identity Manager server and the managed server. Reconciliation is required so that data is consistent and up-to-date.

The reconciliation operation retrieves the user account information from the UNIX or Linux operating system and stores it in the directory server of IBM Security Identity Manager.

You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its scheduled time does not cancel the scheduled reconciliation. For more information about scheduling reconciliation and running a scheduled reconciliation, see the IBM Security Identity Manager product documentation.

You can perform the following reconciliation tasks at any time from IBM Security Identity Manager:
- Reconciling support data
- Reconciling a single user account

Reconciling support data without reconciling user accounts
Perform support data reconciliation when you want an updated list of the groups and roles that are available on the operating systems.

About this task

When you perform support data reconciliation, the adapter retrieves the support data information without processing the user account information from the operating system.

Support data for the UNIX or Linux user account includes the following attributes:
- Primary group
- Secondary group


Note: You can reconcile the following additional support data attributes from the AIX operating system. For more information about the support data attributes on the account form and the supported operating systems, see “Adapter attributes” on page 19.
- Groups that can use the su command to switch to this user
- Groups that can be managed by this user
- Administrative roles

To reconcile only the support data without reconciling user accounts:

Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services to display the Manage Services page.
3. Select the type of service from the Service type list and click Search. Use one of the following service types:
   POSIX AIX profile: Select this option when you want to manage user accounts on the AIX operating system.
   POSIX HP-UX profile: Select this option when you want to manage user accounts on the HP-UX operating system.
   POSIX Linux profile: Select this option when you want to manage user accounts on the Linux operating system.
   POSIX Solaris profile: Select this option when you want to manage user accounts on the Solaris operating system.
4. Select the name of the service that you created for the UNIX and Linux Adapter.
5. Click the arrow icon to view the popup menu.
6. Select Reconcile Now from the menu to display the Reconcile Now page.
7. Click Define query.
8. Select the Reconcile supporting data only check box and click Submit.

Reconciling single user accounts
Reconciling a single user account means performing a filter reconciliation.

About this task

Filter reconciliation takes less time than reconciling all the user accounts. Perform filter reconciliation when you want to:
- Modify a specific user account
- Obtain information about a specific user account

Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services to display the Manage Services page.
3. Select the type of service from the Service type list and click Search. Use one of the following service types:
   POSIX AIX profile: Select this option when you want to manage user accounts on the AIX operating system.
   POSIX HP-UX profile: Select this option when you want to manage user accounts on the HP-UX operating system.
   POSIX Linux profile: Select this option when you want to manage user accounts on the Linux operating system.
   POSIX Solaris profile: Select this option when you want to manage user accounts on the Solaris operating system.
4. Select the name of the service that you created for the UNIX and Linux Adapter.
5. Click the arrow icon to view the popup menu.
6. Select Reconcile Now from the menu to display the Reconcile Now page.
7. Click Define query.
8. In the Reconcile accounts that match this filter field, type the following syntax:
   (eruid=UserID)
   UserID is the name of the user account that you want to reconcile.
9. Click Submit.
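The filter in step 8 is an LDAP-style assertion on the eruid attribute, so whatever you put in place of UserID is interpreted as filter syntax: a login name copied from a ticket that happens to contain * or parentheses changes which accounts match. The helper below is added here as an example and is not part of the IBM guide; it builds the filter and applies the escaping that RFC 4515 requires inside an assertion value. It assumes that IBM Security Identity Manager applies standard LDAP filter escaping to this field, and the function names are this example's own.

```python
# Added example, not code from the IBM guide: build the single-account
# reconciliation filter "(eruid=UserID)" with the escaping RFC 4515 requires
# for characters inside an assertion value.  Assumes IBM Security Identity
# Manager applies standard LDAP filter escaping; helper names are this
# example's own.

# RFC 4515 section 3: each of these characters is replaced by a backslash
# and the two-digit hex code of the byte.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape reserved characters so the value is matched literally."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def reconcile_filter(user_id: str) -> str:
    """Return the filter for the 'Reconcile accounts that match this filter' field.

    Rejects empty or whitespace-padded IDs: a trailing space either matches
    nothing or, once the UI trims it, a different account than intended.
    """
    if not user_id or user_id != user_id.strip():
        raise ValueError("user ID must be non-empty with no surrounding whitespace")
    return "(eruid=%s)" % escape_ldap_filter_value(user_id)


if __name__ == "__main__":
    for uid in ("jdoe", "svc*", "ops(1)"):
        print(uid, "->", reconcile_filter(uid))
```

With escaping in place, a login name such as svc* reconciles only that literal account; without it, the same value is a wildcard that reconciles every account starting with svc.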

Adding user accounts
You can add user accounts at any time for either an existing person or a new person in the organization.

Adapter attributes define the accounts on the account form. For specific procedures, see the IBM Security Identity Manager product documentation.

This section includes the following topics:
- “Required attribute”
- “Optional attributes on the account form” on page 6
- “Password lifespan for a user account” on page 7
- “Determining the lifespan of a user account” on page 8
- “Group assignment to users” on page 8
- “Role assignment to users” on page 8
- “Support data attributes” on page 9
- “Discovery of sudo privileges” on page 10

Required attribute
The User ID attribute is the only required attribute on the account form. This attribute on the account form is mapped to the Login Name attribute on the UNIX and Linux operating systems.


Note: The account forms for the UNIX and Linux operating systems (AIX, HP-UX, Linux, and Solaris) are different. For more information about the attributes on the account form and the supported operating systems, see “UNIX and Linux Adapter account form attributes” on page 19.

You can also specify optional attributes on the account forms.

Optional attributes on the account form
In addition to the required attribute, you can create more fields on the account form. You can use Design Forms in IBM Security Identity Manager to customize the account form.

The Force a password change, Allow at jobs, and Allow cron jobs attributes are examples of the optional attributes on the account form. For more information about account attributes, see “UNIX and Linux Adapter account form attributes” on page 19 and the documentation for your operating system.

Note: The Allow at jobs and Allow cron jobs attributes affect the contents of these files:
- at.allow
- at.deny
- cron.allow
- cron.deny

In some cases, platform-specific configuration might be required to enable the userto perform at or cron jobs. For example, on the AIX operating system the user’sdaemon attribute must be set to true to enable the user to run at or cron jobs.

Table 2. Specifying the optional attributes on the account form

Force a password change
  Supported operating systems: AIX, HP-UX, Linux, Solaris
  Result: Selecting the Force a password change check box forces you to change your password the next time you log on to the operating system.

Allow at jobs
  Supported operating systems: AIX, HP-UX, Linux, Solaris
  Result: Specifying the Allow at jobs attribute grants users permission to submit jobs with the at command. The at command runs a job once, at a particular time in the future.
  When you select the Allow at jobs check box from IBM Security Identity Manager, the adapter:
  - Creates the user account on the operating system.
  - Adds the user to the at.allow file. If the file does not exist, then the adapter creates the at.allow file on the system.
  - Removes the user from the at.deny file if the file exists on the operating system.

Allow cron jobs
  Supported operating systems: AIX, HP-UX, Linux, Solaris
  Result: Specifying the Allow cron jobs attribute grants users permission to use the cron utility to schedule repetitive tasks.
  When you select the Allow cron jobs check box from IBM Security Identity Manager, the adapter:
  - Creates the user account on the operating system.
  - Adds the user to the cron.allow file. If the file does not exist, then the adapter creates the cron.allow file on the system.
  - Removes the user from the cron.deny file if the file exists on the operating system.

Delete user account even when it is in use
  Supported operating systems: Linux
  Result: Selecting the Delete user account even when it is in use check box ends the active processes that a user has when you delete the user account.

Execute user profile?
  Supported operating systems: HP-UX
  Result: Specifying the Execute user profile? attribute causes the profile of the adapter user to be run before the IBM Security Identity Manager task. This attribute enables special terminal control characters such as @ or # on HP-UX services. If the profile remaps these characters and you enable this attribute, you can use these characters in passwords when you add or modify accounts.
  Do not change the default owner, group, or permissions of the /etc/profile and .profile of the adapter user. Doing so might cause the adapter to fail. Running the profile has some limitations:
  - Do not call another shell from profile scripts; it can cause the adapter to hang.
  - Do not echo anything when the profile traps a logout signal; it can cause the echo output to be merged with command results.
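The allow/deny handling in Table 2 has a side effect worth checking before you enable either attribute. On all four platforms, when the allow file exists only the users named in it may use at or cron, and the deny file is consulted only when there is no allow file. So the first account provisioned with Allow cron jobs on a host that had no cron.allow creates that file with a single name in it, and from then on every other user on the host is denied cron. The Python below is added here as an example and is not the adapter's code: it reproduces the three documented steps against a directory you choose (a throwaway one in the demo) and reports whether it created the allow file, which is the event to alert on. The default /etc location is Linux's; AIX and HP-UX keep these files under /var/adm/cron and Solaris under /etc/cron.d, so pass the right directory for the platform. The sample deny file is constructed and the function names are this example's own.

```python
# Added example, not the adapter's code: reproduce the three documented
# steps for "Allow at jobs" / "Allow cron jobs" on a directory you choose
# (a temporary one here) and report what changed.  The interesting return
# value is created_allow_file: once <tool>.allow exists, only the users
# named in it may use the tool, so creating it for one account removes
# access from everyone else on the host.  /etc is the Linux location; AIX
# and HP-UX keep the files under /var/adm/cron and Solaris under /etc/cron.d.
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def _read_users(path: Path) -> list[str]:
    if not path.exists():
        return []
    return [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]


def _write_users(path: Path, users: list[str]) -> None:
    # Write a sibling file and rename it into place, so a crash never leaves
    # a half-written allow file (which would lock everyone out, not just the
    # missing names).  Mode 0644 matches the stock files.
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("".join(u + "\n" for u in users))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def grant_job_permission(user: str, tool: str, etc_dir: str = "/etc") -> dict:
    """Add user to <tool>.allow (creating it if absent) and drop it from <tool>.deny."""
    if tool not in ("at", "cron"):
        raise ValueError("tool must be 'at' or 'cron'")
    if not user or user != user.strip() or "/" in user or ":" in user:
        raise ValueError("invalid login name")
    allow_path = Path(etc_dir) / (tool + ".allow")
    deny_path = Path(etc_dir) / (tool + ".deny")

    created_allow = not allow_path.exists()          # the side effect to watch
    allowed = _read_users(allow_path)
    if user not in allowed:
        allowed.append(user)
        _write_users(allow_path, allowed)

    removed_from_deny = False
    if deny_path.exists():
        denied = _read_users(deny_path)
        if user in denied:
            _write_users(deny_path, [u for u in denied if u != user])
            removed_from_deny = True

    return {
        "created_allow_file": created_allow,
        "removed_from_deny": removed_from_deny,
        "allowed_users": allowed,
        "denied_users": _read_users(deny_path),
    }


def demo() -> dict:
    """Run twice against a constructed /etc look-alike; the second run must be a no-op."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "cron.deny").write_text("jdoe\nguest\n")  # constructed sample
        first = grant_job_permission("jdoe", "cron", d)
        second = grant_job_permission("jdoe", "cron", d)
        return {"first": first, "second": second}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In the demo the host starts with only a cron.deny, so the first call reports created_allow_file as True: from that point, guest is no longer merely denied, every user other than jdoe is. If that is not what you want, pre-create the allow file with the intended set of users before provisioning through the adapter.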

Password lifespan for a user account
The password lifespan attributes specify the time before the password of a user account expires.

Use the following attributes:

Password maximum age
Specifies the maximum number of days the password is valid. If you specify this attribute, then after the specified number of days, the password expires. You must then change the password to continue accessing the UNIX or Linux operating system.

Password minimum age
Specifies the minimum number of days during which you cannot change your existing password. If you do not specify a value for this attribute, you can change the password at any time.

Password warning age
Specifies the number of days before the password expires from which you start receiving a warning to change the existing password.

Determining the lifespan of a user account
The lifespan of a user account is the time before it expires.

About this task

The Account Expiration Date attribute specifies the date on which the account becomes inactive and unavailable. The default value for this attribute is Never. If you do not specify a date, the user account is valid indefinitely. Follow these steps to specify a date value:

Procedure
1. Clear the Never check box.
2. Click the View Calendar icon and select the date.
3. Click OK.

The status of a user account becomes inactive and unavailable for use when either of the following situations occurs:
- The account expiration date elapses.
- The value of the Account Expiration Date attribute is the same as the current date.

In both situations, the user account is created on the UNIX or Linux operating system, but the user cannot log on to the system.
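The four password-age attributes and the Account Expiration Date map onto the aging fields of the shadow password record on Linux and Solaris (last change, minimum age, maximum age, warning age and expiration date, all counted in days since 1 January 1970); AIX keeps the equivalent settings in /etc/security/user, with the ages in weeks. The Python below is added here as an example and is not taken from the guide. It evaluates those fields under the rules stated above, including the case where the expiration date equals today, so you can audit a host's shadow file for expired, about-to-expire and change-blocked accounts before a reconciliation. The shadow lines are constructed and the function names are this example's own.

```python
# Added example, not code from the IBM guide: evaluate the password and
# account lifespan attributes against the aging fields of a shadow record
# (last change, minimum age, maximum age, warning age, expiration date;
# day counts since 1970-01-01).  The rules follow the guide's wording: the
# account is inactive once the expiration date elapses or equals today;
# the password expires after more than max-age days; the warning starts
# warn-age days before that; changes are blocked for min-age days.  The
# shadow lines are constructed and the names are this example's own.
from __future__ import annotations

from datetime import date
from typing import Optional

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    return (d - EPOCH).days


def lifespan_status(today: int, last_change: int, min_age: Optional[int],
                    max_age: Optional[int], warn_age: Optional[int],
                    expire: Optional[int]) -> dict:
    """State of one account on day `today`; None means the attribute is not set."""
    account_expired = expire is not None and today >= expire
    password_expired = max_age is not None and today > last_change + max_age
    password_warning = (max_age is not None and warn_age is not None
                        and not password_expired
                        and today >= last_change + max_age - warn_age)
    change_blocked = min_age is not None and today < last_change + min_age
    return {
        "account_expired": account_expired,
        "password_expired": password_expired,
        "password_warning": password_warning,
        "password_change_blocked": change_blocked,
    }


def parse_shadow_line(line: str) -> tuple:
    """Map one shadow record onto (login, lifespan attributes)."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow record: %r" % line)

    def num(s: str) -> Optional[int]:
        return int(s) if s.strip() else None

    return f[0], {"last_change": int(f[2]), "min_age": num(f[3]),
                  "max_age": num(f[4]), "warn_age": num(f[5]),
                  "expire": num(f[7])}


# Constructed sample, evaluated on 2020-07-08 (day 18451):
#   alice: password valid through day 18460, warning window open from 18446
#   bob:   password valid through day 18390, so already expired
#   carol: account expiration date is today; password changed yesterday
SAMPLE_SHADOW = """\
alice:$6$x:18370:7:90:14::18500:
bob:$6$y:18300:0:90:7:::
carol:$6$z:18450:7:90:7::18451:
"""


def audit(today: date = date(2020, 7, 8)) -> dict:
    """Return {login: status} for every record in SAMPLE_SHADOW."""
    t = days_since_epoch(today)
    report = {}
    for line in SAMPLE_SHADOW.splitlines():
        user, attrs = parse_shadow_line(line)
        report[user] = lifespan_status(t, **attrs)
    return report


if __name__ == "__main__":
    for user, status in audit().items():
        flagged = [k for k, v in status.items() if v]
        print(user, ", ".join(flagged) or "ok")
```

carol is the case the procedure above calls out: her expiration date equals the audit date, so the account is already inactive even though her password is fresh, and the minimum age still blocks a password change.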

Group assignment to users
You can assign groups to users on the UNIX and Linux operating systems.

To assign groups to a user, select the groups that are listed on the account form. You can associate a user with the following groups:
- Primary group
- Secondary group

You can assign only one primary group to a user; however, you can assign multiple secondary groups to a user. When you assign groups to a user from IBM Security Identity Manager, the adapter creates the user account and associates the user with the group.

Role assignment to users
To assign administrative roles to a user, select the roles that are listed on the account form of the AIX operating system.


You can assign multiple administrative roles to a user. When you assign anadministrative role to a user, you provide permissions to the user to perform theadministrative actions defined for that role. Ensure that you assign roles that grantenough permissions to the user to accomplish administrative tasks.

When you assign administrative roles to a user from IBM Security IdentityManager, the adapter creates the user account. The adapter also sets the value ofthe administrative roles attribute on the AIX operating system.

Support data attributes
Specifying the support data attributes assigns groups and roles to the users on the operating system.

The following table lists:
- The support data attributes on the account form
- The supported operating systems
- The result of specifying the support data attributes

Table 3. Results of specifying the support data attributes on the account form

Primary group
  Supported operating systems: AIX, HP-UX, Linux, Solaris
  Result: The adapter associates a user with a primary group that is selected from the list on the account form. When you assign a user to a primary group:
  - The user gains the privileges that are available to that group.
  - The adapter creates the user account on the operating system and sets the value of the primary group attribute on the operating system.
  You can associate a user with only one primary group.

Secondary group
  Supported operating systems: AIX, HP-UX, Linux, Solaris
  Result: The adapter associates a user with the secondary groups that are selected from the list on the account form. When you assign a user to a secondary group:
  - The user gains the privileges that are available to that group.
  - The adapter creates the user account on the operating system and makes the user a member of each of the selected secondary groups.
  You can associate a user with multiple secondary groups.

Groups that can use the su command to switch to this user
  Supported operating systems: AIX
  Result: The adapter enables the users in the selected groups to use the su command to switch to the specified user account. When you set the value of this attribute:
  - The adapter creates the user account on the AIX operating system.
  - The member users of the selected groups gain permission to use the su command to switch to the specified user account.

Groups to be administered
  Supported operating systems: AIX
  Result: The adapter enables a user to administer the groups that are selected from the list on the account form of the AIX operating system. When you set the value of this attribute:
  - The adapter creates the user account.
  - The adapter enables the user to administer the selected groups.

Administrative roles
  Supported operating systems: AIX
  Result: The adapter enables a user to perform administrative tasks by assigning roles on the AIX operating system. An administrative role defines the permissions granted to a user for administrative tasks. When you assign administrative roles to a user, the adapter creates the user account and sets the value of the user's roles attribute on the AIX operating system.

Discovery of sudo privileges
The sudo privileges granted to users and groups on a system can be returned during account reconciliation. The privileges are read from the sudoers file on the resource where the reconciliation occurs.

To discover sudo privileges, enable the feature by selecting the Return sudo privileges? check box on the service form. Also specify the path to the sudoers file if it is not in the default location /etc/sudoers on the resource. The sudoers file on the resource must be readable by the ID that IBM Security Identity Manager uses to administer the system. The UNIX and Linux Adapter does not validate the sudoers file. Use only the visudo command to modify the sudoers file, because it validates the file.


The sudo privileges that are discovered are displayed on the account and groupforms in read-only lists. The format of the sudo privileges is the same as thespecification in the sudoers file. However, alias names are replaced with the aliasmember values. Currently no functionality exists to provision changes in sudoprivileges in IBM Security Identity Manager to the sudoers file on services.

The sudo privileges displayed for user accounts do not include privileges that aredefined for groups. The user might inherit sudo privileges from groupmembership, but they are not displayed.

The sudo privileges that are returned from the resource might not be in the sameorder that they are in the sudoers file. The order of privileges displayed in IBMSecurity Identity Manager does not imply the order of precedence for privileges onthe system.

Restrictions on what the adapter reads from the sudoers file
Because sudo command capabilities might vary widely between releases, the UNIX and Linux Adapter does limited processing of the sudoers file. Limiting the processing enables the adapter to support the most common usage across a wide range of sudo versions.

The adapter discovers sudo privileges for an account by reading the sudoers file and searching for user specifications that match the account on the host computer. For the adapter to match accounts to user specifications, the accounts in the sudoers file must be specified by one of the following identifiers:
- User name
- Group ID
- The keyword ALL

For the adapter to match the host computer to a user specification, one of the following conditions must be met:
- The host name must equal the value returned by the hostname command on the workstation.
- The IP address of the computer must match.
- The keyword ALL must be specified.
- A matching IP network is used.

Aliases can be used for users and hosts, but they must resolve to values that the adapter can match.

If the #include directive is used in the sudoers file, the adapter searches for privileges in the specified file as well. However, advanced features such as the %h escape and the #includedir directive are not currently supported.

If aliases are used in the sudoers file, the adapter processes these aliases:
- Cmnd_Alias
- User_Alias
- Runas_Alias
- Host_Alias

Other features of the sudoers file, such as defaults, parameters, options, and wildcard characters, are not processed by the adapter.
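To predict what a reconciliation will report, or to check a sudoers file against the restrictions above before you enable Return sudo privileges?, it helps to have the documented subset in code. The parser below is added here as an example; it is not the adapter's own code, and its file names and sudoers contents are constructed for the example. It implements the matching rules listed above (a login name, a group written as %group, or ALL; a host name, an IP address, ALL, or a matching CIDR network; the four alias types, nested aliases included; plain #include), records but does not follow #includedir and %h includes, and skips Defaults lines. It also shows the caveat from the previous section: a user's own list omits what the user inherits through group membership, so alice's result does not include the %wheel entry even though the group's result does. Files are passed as an in-memory dict so it runs offline.

```python
# Added example, not the adapter's code: parse the sudoers subset the guide
# documents (four alias types; users by login name, %group or ALL; hosts by
# hostname, IP, ALL or CIDR network; #include) and report what a reconciliation
# would show.  #includedir and %h are recorded, not followed; Defaults skipped.
import ipaddress
import re
from typing import Dict, List

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def _csv(s: str) -> List[str]:
    return [p.strip() for p in s.split(",") if p.strip()]

def load_sudoers(files: Dict[str, str], start: str = "/etc/sudoers"):
    """Return (aliases, user specs, unsupported directives) for the file tree."""
    aliases = {k: {} for k in ALIAS_KINDS}
    specs, unsupported, seen = [], [], set()
    def walk(name: str) -> None:
        if name in seen or name not in files:
            return
        seen.add(name)
        for line in (raw.strip() for raw in files[name].splitlines()):
            if line.startswith("#includedir") or (line.startswith("#include") and "%h" in line):
                unsupported.append(line)         # directory includes and %h: not processed
            elif line.startswith("#include "):
                walk(line.split(None, 1)[1])     # plain #include is followed
            elif not line or line.startswith("#") or line.startswith("Defaults"):
                continue                         # blanks, comments, Defaults: ignored
            elif line.split(None, 1)[0] in ALIAS_KINDS:
                kind, body = line.split(None, 1)
                alias, members = body.split("=", 1)
                aliases[kind][alias.strip()] = _csv(members)
            else:                                # "users hosts = (runas) commands"
                lhs, rhs = line.split("=", 1)
                users, hosts = lhs.split(None, 1)
                specs.append((_csv(users), _csv(hosts), rhs.strip()))
    walk(start)
    return aliases, specs, unsupported

def _expand(kind: str, aliases: Dict, items: List[str]) -> List[str]:
    out: List[str] = []                          # alias names (nested too) -> members
    for item in items:
        if item in aliases[kind]:
            out.extend(_expand(kind, aliases, aliases[kind][item]))
        else:
            out.append(item)
    return out

def _expand_commands(rhs: str, aliases: Dict) -> str:
    def repl(m):  # substitute Cmnd_Alias and Runas_Alias names in the command part
        for kind in ("Cmnd_Alias", "Runas_Alias"):
            if m.group(1) in aliases[kind]:
                return ", ".join(_expand(kind, aliases, [m.group(1)]))
        return m.group(1)
    return re.sub(r"\b([A-Z][A-Z0-9_]*)\b", repl, rhs)

def _host_matches(hosts: List[str], hostname: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    for h in hosts:
        if h in ("ALL", hostname):
            return True
        try:
            if addr in ipaddress.ip_network(h, strict=False):  # plain IP or CIDR
                return True
        except ValueError:
            pass                                 # a name the adapter cannot match
    return False

def discover(files: Dict[str, str], hostname: str, ip: str, *,
             user: str = None, group: str = None) -> List[str]:
    """Privileges for one user (user=) or group (group=); %group inheritance not shown."""
    if (user is None) == (group is None):
        raise ValueError("pass exactly one of user= or group=")
    wanted = {user, "ALL"} if user else {"%" + group}
    aliases, specs, _ = load_sudoers(files)
    found = []
    for users, hosts, rhs in specs:
        if not _host_matches(_expand("Host_Alias", aliases, hosts), hostname, ip):
            continue
        if wanted & set(_expand("User_Alias", aliases, users)):
            found.append(_expand_commands(rhs, aliases))
    return found

SAMPLE_FILES = {  # constructed for this example
    "/etc/sudoers": """\
Defaults    env_reset
User_Alias  ADMINS = alice, bob
Cmnd_Alias  SERVICES = /usr/sbin/service, /bin/systemctl
Cmnd_Alias  DBA = /usr/bin/psql, SERVICES
Host_Alias  DBHOSTS = db01, 10.0.1.0/24
ADMINS      ALL = (ALL) ALL
carol       DBHOSTS = (postgres) DBA
%wheel      ALL = (ALL) SERVICES
dave        web01 = /usr/bin/tail /var/log/messages
#include /etc/sudoers.local
#includedir /etc/sudoers.d
""",
    "/etc/sudoers.local": "dave  10.0.1.7 = (root) /usr/sbin/tcpdump\n",
}

if __name__ == "__main__":
    print(discover(SAMPLE_FILES, "db01", "10.0.1.7", user="carol"))
```

Run against the sample for host db01 at 10.0.1.7, carol's entry comes back with DBA and then SERVICES expanded to their members, exactly as the guide says aliases are displayed; dave's entry comes only from the included file, because web01 matches neither the host name nor the address; and the #includedir line is reported as unsupported rather than silently ignored, which is the line to check by hand before trusting the reconciled list.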


Modifying user accounts
You can modify user account attributes at any time in IBM Security Identity Manager.

This section describes some typical adapter attributes that you can use to modify the user accounts. For more attributes and specific procedures, see the IBM Security Identity Manager product documentation.

This section includes the following topics:
- “User unassignment from groups”
- “Role removal on AIX”
- “Password changes for user accounts”
- “Suspending user accounts”
- “Restoring user accounts” on page 13

User unassignment from groups
When you use IBM Security Identity Manager to unassign a user from a group, the adapter modifies the user account on the operating system.

The adapter also removes the value of that group from the user account.

Role removal on AIX
You can unassign roles on AIX.

You can unassign an administrative role by deleting it from IBM Security Identity Manager. Users assigned to that role can no longer perform the administrative tasks that are defined for that role on the AIX operating system.

When you use IBM Security Identity Manager to unassign a user from any administrative role, the adapter modifies the user account. The adapter removes the value of that role from the roles attribute of that user account.

Password changes for user accounts
You can change the password of any of the UNIX or Linux accounts that exist on IBM Security Identity Manager.

For information about changing passwords, see the IBM Security Identity Manager product documentation.

Suspending user accounts
When you suspend a user account, the status of the user account on IBM Security Identity Manager becomes inactive and the user account becomes unavailable for use.

Suspending a user account does not remove the user account from IBM Security Identity Manager. For more information about suspending user accounts, see the IBM Security Identity Manager product documentation.


Restoring user accounts
The restore operation reinstates suspended user accounts on IBM Security Identity Manager.

After you restore a user account, the status of the user account on IBM Security Identity Manager becomes active. For more information about restoring user accounts, see the IBM Security Identity Manager product documentation.

Deleting user accounts
Use the IBM Security Identity Manager deprovision feature to delete user accounts.

For more information about deleting user accounts, see the IBM Security Identity Manager product documentation.

When you delete a user account from IBM Security Identity Manager, the adapter removes the user from the /etc/passwd file. You can no longer manage the user account.

Note: On Linux systems, you cannot delete an account if the account user has running processes. To delete a user with running processes, add the erPosixDelUsrInUse attribute as a check box to the Linux account form. Then, select the check box when you delete the account. See “Optional attributes on the account form” on page 6.


Chapter 3. Troubleshooting

Troubleshooting is the process of determining why a product does not function as it is designed to function. This topic provides information and techniques for identifying and resolving problems that are related to the adapter, including troubleshooting errors that might occur when managing the accounts or groups, where applicable.

The UNIX and Linux Adapter operation might fail if:
v A change is made in the structure of standard files, such as /etc/passwd.
v The UNIX and Linux operating system version is not supported by the adapter.

For information about the supported versions of the UNIX and Linux operating systems, see the UNIX and Linux Adapter Installation and Configuration Guide.

v The Secure Shell (SSH) must be configured properly. See Enabling secure communication in the UNIX and Linux Adapter Installation and Configuration Guide.

Error logs

When an operation fails, the corresponding error messages and warnings are logged in the ibmdi.log file. This file is in the adapters solution/logs directory. The adapters solution directory is a Tivoli Directory Integrator work directory for IBM Security Identity Manager adapters.

You can display the error logs in the user interface by running the Dispatcher from the command prompt. You can also configure logging information for the adapter. For more information about displaying logs in the user interface and configuring logging information, see the adapter's Installation and Configuration Guide.

Error messages and warnings

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

The table lists the error messages and warnings that might occur while performing the user account or group management tasks, where applicable. It also includes the corrective actions to resolve the errors.


Error message: The login credential is missing or incorrect.
Corrective action: Specify the values of the login attributes correctly. Ensure that:
v The managed resource (AIX, HP-UX, Solaris, or Linux) is functioning and that you are connected to the correct resource.
v The value of the Managed resource location attribute on the service form is specified correctly.
v The name in the Administrator name field on the service form is specified correctly.
v The value of the Password attribute on the service form is specified correctly.
v The Secure Shell (SSH) is enabled and running on the managed resource. For information about installing and enabling the SSH, see the UNIX and Linux Adapter Installation and Configuration Guide.

Error message: The account exists.
Corrective action: This error might occur when:
v A request is made to add a user that exists. Create a user account with another user ID.
v The UNIX and Linux operating system and IBM Security Identity Manager are not synchronized. Schedule a reconciliation between the managed resource and IBM Security Identity Manager. For more information about scheduling a reconciliation, see the IBM Security Identity Manager product documentation.

Error messages:
v The adapter does not have permission to add an account.
v The adapter does not have permission to modify an account.
v The adapter does not have permission to delete an account.
Corrective action: The user specified in the Administrator name field on the service form does not have the permissions to add, modify, or delete the account. Perform one of the following actions:
v Assign the appropriate privileges to the user whose name is specified in the Administrator name field.
v Change the name in the Administrator name field to a name that has the appropriate privileges. For example, root.
Note: The Administrator name attribute is a required attribute on the service form.

Error messages:
v The required attributes are missing from the request.
v There were no attributes passed to the adapter in the request.
v One or more required attributes are missing in the request.
Corrective action: One or more required attributes were not provided when a request was made to add, modify, delete, or search for a user. Ensure that the required User ID attribute is specified on the account form.


Error messages:
v A system error occurred while adding an account. The account was not added.
v A system error occurred while modifying an account. The account was not changed.
v A system error occurred while deleting an account. The account was not deleted.
v The search failed due to a system error.
Corrective action: This error might occur for several reasons. Ensure that:
v The name in the Administrator name field on the service form is specified correctly.
v The value of the Password attribute on the service form is specified correctly.
v The name in the Administrator name field has the appropriate privileges to add, modify, or delete a user account.

Error messages:
v The account was added but some attributes failed.
v The account was modified but some attributes failed.
v The account was deleted successfully, but additional steps failed.
Corrective action: The account was created, modified, or deleted; however, some of the specified attributes in the request were not set. See the list of attributes that failed and the error message that explains why the attribute failed. Correct the errors associated with each attribute and perform the action again.
Note: You might need to review the documentation on the UNIX or Linux operating system to determine the correct values for some attributes.

Error message: The account is already suspended.
Corrective action: This error occurs if an attempt is made to suspend an already suspended account.

Error message: The account was not suspended.
Corrective action: The request to suspend the account failed. Ensure that:
v The name in the Administrator name field on the service form is specified correctly.
v The value of the Password attribute on the service form is specified correctly.
v The name in the Administrator name field has the necessary privileges to suspend an account.
v The user exists on the specified managed resource.
See the ibmdi.log file in the adapter solutions directory of the Tivoli Directory Integrator server for specific details about the error.

Error message: The account is already restored.
Corrective action: This error occurs if an attempt is made to restore an already restored account.

Error message: The account was not restored.
Corrective action: The request to restore the account failed. Ensure that:
v The name in the Administrator name field on the service form is specified correctly.
v The value of the Password attribute on the service form is specified correctly.
v The name in the Administrator name field has the necessary privileges to restore an account.
v The user exists on the specified managed resource.
See the ibmdi.log file in the adapter solutions directory of the Tivoli Directory Integrator server for specific details about the error.


Error message: The reconciliation is successful, but no accounts were added to your service.
Corrective action: Check the ibmdi.log file to ensure that the usage of the shadow file is correct.
Note: If you want the adapter to perform the reconciliation operation by using the shadow file, select the Use Shadow File check box on the service form. Shadow files are available on the Linux and HP-UX operating systems.

Error message: The application could not establish a connection to hostname.
Corrective action: Ensure that:
v The SSH is enabled on the managed resource.
v The managed resource is operational and connected to the network.

Error message: The group cannot be added because it exists.
Corrective action: This error occurs when a request is made to add a group that exists. Create a group with another group name.

Error message: The group cannot be added because group with the GID Group ID number exists.
Corrective action: This error occurs when a request is made to add a group with a group ID number that exists. Do either of the following:
v Do not specify a group ID number.
v Clear the Allow duplicate group IDs? check box if that option is supported for the managed resource.

Error message: The group Group name cannot be modified or deleted because it does not exist.
Corrective action: This error occurs when a request is made to modify or delete a group that does not exist on the managed resource. Perform a reconciliation operation to ensure that the group exists on the managed resource.

Error message: An error occurred while creating, modifying, or deleting the Group name group. The application could not establish a connection to managed resource.
Corrective action: Ensure the following on the service form:
v The name in the Administrator name field on the service form is specified correctly.
v The value of the Password attribute on the service form is specified correctly.
v The managed resource is operational and connected to the network.

Error message: The IBM Tivoli Directory Integrator detected the following error. Error: Connector parameter executeUserProfile has a value that is not valid: true.
Corrective action: Clear the Execute user profile? check box for the service used in the operation.


Chapter 4. Reference

Reference information is organized to help you locate particular facts quickly, such as adapter attributes, application programming interfaces, files and commands, where applicable.

Adapter attributes

The IBM Security Identity server communicates with the adapter by using attributes, which are included in transmission packets that are sent over a network.

You can manage the adapter attributes that are on the various adapter forms.

These topics include:
v Account form attributes
v Service form attributes
v UNIX group form attributes
v AIX role form attributes

UNIX and Linux Adapter account form attributes

You can manage user accounts from IBM Security Identity Manager.

The following table lists:
v The attributes that are displayed on the UNIX and Linux operating system account form on IBM Security Identity Manager.
v The corresponding names on the IBM Tivoli Directory Server.
v The supported operating systems.

Table 4. Account form attributes

Attribute name on the UNIX and Linux operating system account form on IBM Security Identity Manager | Attribute name on the IBM Tivoli Directory Server | Supported operating system (AIX, HP-UX, Linux, Solaris)

Check marks indicate the supported operating systems in the column order AIX, HP-UX, Linux, Solaris; in rows with fewer than four marks, the original column positions are not preserved here.

User ID | erUid | ✓ ✓ ✓ ✓
Gecos (comments) | erPosixGecos | ✓ ✓ ✓ ✓
UID number | erPosixUid | ✓ ✓ ✓ ✓
UNIX shell | erPosixShell | ✓ ✓ ✓ ✓
Account expiration date | erPosixExpireDate | ✓ ✓ ✓ ✓
Force a password change | erPosixForcePwdChange | ✓ ✓ ✓ ✓
Primary group | erPosixPrimaryGroup | ✓ ✓ ✓ ✓
Secondary group | erPosixSecondGroup | ✓ ✓ ✓ ✓
Groups that can use the su command on this user | erPosixSuGroup | ✓


Groups to be administered | erPosixAdmGroups | ✓
Home directory | erPosixHomeDir | ✓ ✓ ✓ ✓
Password maximum age | erPosixMaxPwdAge | ✓ ✓ ✓
Password minimum age | erPosixMinPwdAge | ✓ ✓ ✓
Password warning age | erPosixPwdWarnAge | ✓ ✓ ✓
Administrative roles | erPosixRoles | ✓
Additional mandatory methods for authenticating the user | erPosixAuth1 | ✓
Additional optional methods for authenticating the user | erPosixAuth2 | ✓
Allow at jobs | erPosixAT | ✓ ✓ ✓
Allow cron jobs | erPosixCron | ✓ ✓ ✓
Audit class | erPosixAuditClasses | ✓
Allow user to execute daemon process | erPosixDaemonAllowed | ✓
Allow user to log in to the system | erPosixLoginAllowed | ✓
Can another user switch user to this user | erPosixSuGroup | ✓
Is this user an administrator | erPosixAdminUser | ✓
Soft limit for the largest core size | erPosixSoftCore | ✓
Soft limit for the maximum amount of CPU utilization | erPosixSoftCPU | ✓
Soft limit for largest data segment | erPosixSoftData | ✓
Soft limit for the largest file size | erPosixSoftFileSize | ✓
Soft limit for the largest stack segment | erPosixSoftStack | ✓
Largest core size | erPosixHardCore | ✓


Maximum CPU utilization | erPosixHardCPU | ✓
Largest data segment | erPosixHardData | ✓
Largest file size | erPosixHardFileSize | ✓
Largest stack segment | erPosixHardStack | ✓
Allowed login time | erPosixLoginTimes | ✓
Allowed number of login retries before locking the account | erPosixLoginRetries | ✓ ✓ ✓
Maximum number of days (weeks for AIX) the account can remain valid after the password expires | erPosixPwdMaxAge | ✓ ✓
Minimum number of alphabetic characters in password | erPosixPwdMinAlphaChar | ✓
Minimum difference between the current and last password | erPosixPwdMinDiff | ✓
Maximum number of characters that can be repeated in a password | erPosixPwdMaxRepeats | ✓
Minimum length of the password | erPosixPwdMinLen | ✓
Password restriction methods | erPosixPwdCheck | ✓
Password dictionaries used to restrict passwords | erPosixPwdDiction | ✓
Number of previous passwords that cannot be reused | erPosixPwdHistory | ✓
Time for which a user cannot reuse passwords | erPosixPwdHistoryExpire | ✓
Account last accessed on | erPosixLastAccessDate | ✓ ✓ ✓ ✓
Valid terminals allowed to access the account | erPosixValidTtys | ✓


System authentication mechanism for the user | erPosixRegistry | ✓
Number of days the account can remain idle | erPosixIdleDays | ✓
sudo privileges | erPosixSudoPrivileges | ✓ ✓ ✓ ✓
Allow duplicate UIDs | erPosixDupUid | ✓ ✓ ✓
Is No Password Account? | erPosixNpAccount | ✓ ✓
Do Not Create User Private Group | erPosixPrivateGroup | ✓
Hosts on which user will be able to login | erPosixHostsAllowedLogin | ✓
Hosts on which user will not be able to login | erPosixHostsDeniedLogin | ✓
Create home directory while creating the account | erPosixDefaultHomedir | ✓ ✓ ✓ ✓
Minimum number of non-alphabetic characters in password | erPosixPwdMinOtherChar | ✓
Command used to query failed logins | erPosixFailedLoginCmd | ✓
File or directory where failed login records are found | erPosixFailedLoginTallyLoc | ✓
Maximum failed logins allowed | erPosixMaxFailedLogins | ✓
Delete user account even when it is in use | erPosixDelUserInUse | ✓

UNIX and Linux Adapter service form attributes

You must create a service for the UNIX and Linux Adapter before the IBM Security Identity Manager server can use the adapter.

IBM Security Identity Manager uses the adapter to communicate with the managed resource. The following table lists:
v The attributes that are displayed on the UNIX or Linux operating system service form on IBM Security Identity Manager.
v The corresponding names on the IBM Tivoli Directory Server.
v The supported operating systems.

Table 5. Service form attributes

Attribute name on the UNIX and Linux operating systems service form on IBM Security Identity Manager | Attribute name on the IBM Tivoli Directory Server | Supported operating system (AIX, HP-UX, Linux, Solaris)

Check marks indicate the supported operating systems in the column order AIX, HP-UX, Linux, Solaris; in rows with fewer than four marks, the original column positions are not preserved here.

Service name | erServiceName | ✓ ✓ ✓ ✓
Description | description | ✓ ✓ ✓ ✓
Tivoli Directory Integrator location | erITDIurl | ✓ ✓ ✓ ✓
Managed resource location | erURL | ✓ ✓ ✓ ✓
User registry | erPosixRegistry | ✓
Delete home directory when the account is deleted? | erPosixHomeDirRemove | ✓ ✓ ✓ ✓
Owner | owner | ✓ ✓ ✓ ✓
Service prerequisite | erPrerequisite | ✓ ✓ ✓ ✓
Administrator name | erServiceUid | ✓ ✓ ✓ ✓
Is sudo user? | erPosixUseSudo | ✓ ✓ ✓ ✓
Return sudo privileges? | erPosixReturnSudoPrivileges | ✓ ✓ ✓ ✓
Path to the sudoers file | erPosixSudoersPath | ✓ ✓ ✓ ✓
Authentication method | erPosixAuthMethod | ✓ ✓ ✓ ✓
Password | erPassword | ✓ ✓ ✓ ✓
Passphrase (Required for key based authentication) | erPosixPassphrase | ✓ ✓ ✓ ✓
Private key file (Required for key based authentication) | erPosixPKFile | ✓ ✓ ✓ ✓
Use a shadow file? | erPosixUseShadow | ✓ ✓
Disable AL Caching | erPosixDisableALCache | ✓ ✓ ✓ ✓
AL FileSystem Path | erPosixALFileSystemPath | ✓ ✓ ✓ ✓
Max Connection Count | erPosixMaxConnectionCnt | ✓ ✓ ✓ ✓
Case Insensitive filter | erLdapCaseInSensitiveFilter | ✓ ✓ ✓ ✓
Execute user profile? | erPosixExecuteUserProfile | ✓
Command used to query failed logins | erPosixFailedLoginCmd, erPosixFailedLoginTallyLoc, erPosixMaxFailedLogins | ✓


UNIX and Linux Adapter group form attributes

You can manage UNIX groups from IBM Security Identity Manager.

The following table lists:
v The attributes that are displayed on the UNIX and Linux operating system group form on IBM Security Identity Manager.
v The corresponding names on the IBM Tivoli Directory Server.
v The supported operating systems.

Table 6. Group form attributes

Attribute name on the UNIX and Linux operating systems group form on IBM Security Identity Manager | Attribute name on the IBM Tivoli Directory Server | Supported operating system (AIX, HP-UX, Linux, Solaris)

Check marks indicate the supported operating systems in the column order AIX, HP-UX, Linux, Solaris; in rows with fewer than four marks, the original column positions are not preserved here.

Group name | erPosixGroupName | ✓ ✓ ✓ ✓
Group ID number | erPosixGroupId | ✓ ✓ ✓ ✓
Administrator group | erPosixGroupIsAdmGrp | ✓
Group administrators | erPosixGroupAdmin | ✓
Group projects | erPosixGroupProjects | ✓
Define an Access | No LDAP attribute exists. However, these other access attributes can be set: erAccessOption, erAccessName, erObjectProfileName, erAccessDescription, owner, erApprovalProcessID, erNotifyAccessProvision, erNotifyAccessDeprovision | ✓ ✓ ✓ ✓
Enable Access | erAccessOption = 2 | ✓ ✓ ✓ ✓
Enable Common Access | erAccessOption = 3 | ✓ ✓ ✓ ✓
Disable Access | erAccessOption = 1 | ✓ ✓ ✓ ✓
Access name | erAccessName | ✓ ✓ ✓ ✓
Access type | erObjectProfileName | ✓ ✓ ✓ ✓
Access description | erAccessDescription | ✓ ✓ ✓ ✓
Access owner | owner | ✓ ✓ ✓ ✓
Approval workflow | erApprovalProcessID | ✓ ✓ ✓ ✓
Notify users when access is provisioned and available for use | erNotifyAccessProvision | ✓ ✓ ✓ ✓


Notify users when access is de-provisioned | erNotifyAccessDeprovision | ✓ ✓ ✓ ✓
Allow duplicate group IDs | erPosixGroupDupGid | ✓ ✓ ✓
sudo privileges | erPosixSudoPrivileges | ✓ ✓ ✓ ✓

UNIX and Linux Adapter role form attributes

You can manage AIX roles from IBM Security Identity Manager.

The following table lists:
v The attributes that are displayed on the UNIX and Linux operating system group form on IBM Security Identity Manager.
v The corresponding names on the IBM Tivoli Directory Server.
v The supported operating systems.

Table 7. Role form attributes

Attribute name on the UNIX and Linux operating systems group form on IBM Security Identity Manager | Attribute name on the IBM Tivoli Directory Server | Supported operating system

Every row of this table is supported on AIX only.

AIX role name | erPosixRoleName | AIX
Authorizations | erPosixRoleAuthorizations | AIX
Roles implied | erPosixRolelist | AIX
List of groups | erPosixRoleGroups | AIX
Visibility | erPosixRoleVisibility | AIX
Define an Access | No LDAP attribute exists. However, you can set the erAccessOption access attribute. | AIX
Access name | No LDAP attribute exists. However, you can set the erAccessName access attribute. | AIX
Access type | No LDAP attribute exists. However, you can set the erObjectProfileName access attribute. | AIX


Access description | No LDAP attribute exists. However, you can set the erAccessDescription access attribute. | AIX
Access owner | No LDAP attribute exists. However, you can set the owner access attribute. | AIX
Approval workflow | No LDAP attribute exists. However, you can set the erApprovalProcessID access attribute. | AIX
Notify users when access is provisioned and available for use | No LDAP attribute exists. However, you can set the erNotifyAccessProvision access attribute. | AIX
Notify users when access is de-provisioned | No LDAP attribute exists. However, you can set the erNotifyAccessDeprovision access attribute. | AIX


Index

A
account form
  attributes 19
  required attributes 6
accounts
  lifespan 8
  user account management 3
adapter
  attributes 19
  configuration checklist 2
  connectivity between server and operating systems 1
  errors, troubleshooting 15
  overview 1
  restrictions on sudo 11
  user account management tasks 3
administrative roles 9
AIX
  role attributes 25
  role form attributes 19
  users from roles, unassigning 12
allow at jobs 6
allow cron jobs 6
attributes
  account form 19
  group form 24
  on forms 19
  required 6
  role form 25
  service form 22

C
checklist, configuration 2
configuration
  checklist 2
  overview 2

D
deleting
  user accounts 13

E
error
  logs
    accessing 15
    warnings and messages 15
  messages 15
  troubleshooting 15

F
force a password change 6
form attributes
  accounts 19
  group 19, 24
  role 19
  roles 25
  services 22

G
group form attributes 19, 24
groups
  administered 9
  assigning to users 8
  su command 9
  unassigning users 12

L
lifespan
  password 7
  time before account expiration 8
  user accounts 8
logs
  accessing errors 15
  warnings and messages 15

M
management tasks
  user accounts 3
messages
  error 15
  warning 15

O
operations
  adding 5
  changing passwords 12
  modifying 12
  reconciling 3
optional attributes
  allow at jobs 6
  allow cron jobs 6
  force a password change 6

P
password
  lifespan 7
  user account 7, 12
privileges, sudo 10
problems, troubleshooting 15

R
reconciliation
  single user accounts 4
  support data 3
required attributes, on the account form 6
restoring, user accounts 13
restrictions, sudo processing 11
role form attributes 19, 25
roles
  assigning to users 9
  unassigning users 12

S
service form attributes 19, 22
su command
  groups 9
su command, groups 9
sudo
  restrictions 11
  user privileges 10
support data
  attributes
    primary group 9
    secondary group 9
  reconciliation 3
  retrieval by adapter 3
suspending user accounts 12

T
troubleshooting 15
  error messages 15
  warning messages 15

U
unassigning
  users from groups 12
  users from roles 12
UNIX
  account form attributes 19
  group form attributes 19, 24
  service form attributes 22
user accounts
  adding 5
  changing passwords 12
  deleting 13
  lifespan 8
  modifying 12
  reconciling 3, 4
  restoring 13
  suspending 12
users
  assigning groups 8
  roles 9
  unassigning from groups 12
  unassigning from roles 12

W
warning messages 15


IBM®

Printed in USA