IBM Security Identity Manager Version 6.0
UNIX and Linux Adapter User Guide
IBM
Contents

Tables vii
Chapter 1. Overview 1
  Prerequisites 2
Chapter 2. User account management 3
  Reconciling user accounts 3
    Reconciling support data without reconciling user accounts 3
    Reconciling single user accounts 4
  Adding user accounts 5
    Required attribute 5
    Optional attributes on the account form 6
    Password lifespan for a user account 7
    Determining the lifespan of a user account 8
    Group assignment to users 8
    Role assignment to users 8
    Support data attributes 9
    Discovery of sudo privileges 10
  Modifying user accounts 12
    User unassignment from groups 12
    Role removal on AIX 12
    Password changes for user accounts 12
  Suspending user accounts 12
  Restoring user accounts 13
  Deleting user accounts 13
Chapter 3. Troubleshooting 15
  Error logs 15
  Error messages and warnings 15
Chapter 4. Reference 19
  Adapter attributes 19
    UNIX and Linux Adapter account form attributes 19
    UNIX and Linux Adapter service form attributes 22
    UNIX and Linux Adapter group form attributes 24
    UNIX and Linux Adapter role form attributes 25
Index 27
Tables

1. Prerequisites checklist 2
2. Specifying the optional attributes on the account form 6
3. Results of specifying the support data attributes on the account form 9
4. Account form attributes 19
5. Service form attributes 23
6. Group form attributes 24
7. Role form attributes 25
Chapter 1. Overview
The UNIX and Linux Adapter provides connectivity between the IBM® Security Identity Manager server and the UNIX and Linux operating systems.
The adapter runs as a service, independent of whether you are logged on to IBMSecurity Identity Manager.
The UNIX and Linux Adapter automates the following tasks:

User account management
• Adding user accounts
• Modifying user accounts
• Suspending and restoring user accounts
• Retrieving user accounts
• Deleting user accounts
• Reconciling user accounts and other support data

Group management
• Adding groups
• Modifying groups
• Deleting groups
• Retrieving groups
• Reconciling groups

AIX Role management
• Adding roles
• Modifying roles
• Deleting roles
The adapter contains Tivoli® Directory Integrator assembly lines that serve one or more user account, UNIX group, and AIX® role operations. When the first request is sent from IBM Security Identity Manager, the required assembly line is loaded into Tivoli Directory Integrator. The same assembly line is then cached to serve subsequent operations of the same type.
Note:
• The reconciliation and test assembly lines are not cached.
• AIX roles are not reconciled or managed by the adapter for any AIX service with a user registry that is defined as LDAP.
The UNIX and Linux Adapter uses the Secure Shell (SSH) protocol to establish communication with the UNIX and Linux operating systems. Ensure that the SSH server is running on the managed resource when you connect from IBM Security Identity Manager. For more information about Secure Shell installation, see the UNIX and Linux Adapter Installation and Configuration Guide.
Prerequisites

Use the Prerequisites checklist to install and configure the adapter before you perform any of the user account, group, or role management tasks, where applicable.
Table 1. Prerequisites checklist

Task | For more information, see
Install the adapter. | The adapter's Installation and Configuration Guide
Import the adapter profile into the IBM Security Identity Manager server. | The adapter's Installation and Configuration Guide
Create an adapter service. | The adapter's Installation and Configuration Guide. Note: After you create a UNIX and Linux Adapter service, the IBM Security Identity Manager server creates a default provisioning policy for the adapter service. You can customize a provisioning policy for the UNIX and Linux Adapter service according to the requirements of your organization. For more information, see the section about customizing a provisioning policy in the IBM Security Identity Manager product documentation.
Configure the adapter. | The adapter's Installation and Configuration Guide
Perform a reconciliation operation to retrieve user accounts and store them in the IBM Security Identity Manager server. | Managing reconciliation schedules in the IBM Security Identity Manager product documentation
Adopt orphan accounts in IBM Security Identity Manager. | Assigning an orphan account to a user in the IBM Security Identity Manager product documentation
Run the dispatcher, which in turn runs the adapter. | The adapter's Installation and Configuration Guide
Chapter 2. User account management
The UNIX and Linux Adapter manages user accounts for a specific person, for a service instance, or for specific accounts that you locate by using the search function of IBM Security Identity Manager.

You can perform the following operations:
• Add, modify, or delete an account
• Suspend or restore an account
• Reconcile accounts

You can manage:
• Accounts for a specific person
• Accounts for a service instance
• Specific accounts by using the search function of IBM Security Identity Manager
Reconciling user accounts

Reconciliation synchronizes the accounts and supporting data between the IBM Security Identity Manager server and the managed server. Reconciliation is required so that data is consistent and up-to-date.

The reconciliation operation retrieves the user account information from the UNIX or Linux operating system and stores it in the directory server of IBM Security Identity Manager.

You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its scheduled time does not cancel the scheduled reconciliation. For more information about scheduling reconciliation and running a scheduled reconciliation, see the IBM Security Identity Manager product documentation.

You can perform the following reconciliation tasks at any time from IBM Security Identity Manager:
• Reconciling support data
• Reconciling a single user account
Reconciling support data without reconciling user accounts

Perform support data reconciliation when you want an updated list of the groups and roles that are available on the operating system.
About this task
When you perform support data reconciliation, the adapter retrieves the support data without processing the user account information from the operating system.

Support data for a UNIX or Linux user account includes the following attributes:
• Primary group
• Secondary group
Note: You can reconcile the following additional support data attributes from the AIX operating system. For more information about the support data attributes on the account form and the supported operating systems, see “Adapter attributes” on page 19.
• Groups that can use the su command to switch to this user
• Groups that can be managed by this user
• Administrative roles
To reconcile only the support data without reconciling user accounts:

Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services to display the Manage Services page.
3. Select the type of service from the Service type list and click Search. Use one of the following service types:
   POSIX AIX profile: Select this option when you want to manage user accounts on the AIX operating system.
   POSIX HP-UX profile: Select this option when you want to manage user accounts on the HP-UX operating system.
   POSIX Linux profile: Select this option when you want to manage user accounts on the Linux operating system.
   POSIX Solaris profile: Select this option when you want to manage user accounts on the Solaris operating system.
4. Select the name of the service that you created for the UNIX and Linux Adapter.
5. Click the arrow icon to view the pop-up menu.
6. Select Reconcile Now from the menu to display the Reconcile Now page.
7. Click Define query.
8. Select the Reconcile supporting data only check box and click Submit.
Reconciling single user accounts

Reconciling a single user account means performing a filter reconciliation.

About this task

Filter reconciliation takes less time than reconciling all the user accounts. Perform filter reconciliation when you want to:
• Modify a specific user account
• Obtain information about a specific user account

Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services to display the Manage Services page.
3. Select the type of service from the Service type list and click Search. Use one of the following service types:
   POSIX AIX profile: Select this option when you want to manage user accounts on the AIX operating system.
   POSIX HP-UX profile: Select this option when you want to manage user accounts on the HP-UX operating system.
   POSIX Linux profile: Select this option when you want to manage user accounts on the Linux operating system.
   POSIX Solaris profile: Select this option when you want to manage user accounts on the Solaris operating system.
4. Select the name of the service that you created for the UNIX and Linux Adapter.
5. Click the arrow icon to view the pop-up menu.
6. Select Reconcile Now from the menu to display the Reconcile Now page.
7. Click Define query.
8. In the Reconcile accounts that match this filter field, type the following filter:
   (eruid=UserID)
   UserID is the name of the user account that you want to reconcile.
9. Click Submit.
Adding user accounts

You can add user accounts at any time for either an existing person or a new person in the organization.

Adapter attributes define the accounts on the account form. For specific procedures, see the IBM Security Identity Manager product documentation.

This section includes the following topics:
• “Required attribute”
• “Optional attributes on the account form” on page 6
• “Password lifespan for a user account” on page 7
• “Determining the lifespan of a user account” on page 8
• “Group assignment to users” on page 8
• “Role assignment to users” on page 8
• “Support data attributes” on page 9
• “Discovery of sudo privileges” on page 10

Required attribute

The User ID attribute is the only required attribute on the account form. This attribute on the account form is mapped to the Login Name attribute on the UNIX and Linux operating systems.
Note: The account forms for the UNIX and Linux operating systems (AIX, HP-UX, Linux, and Solaris) are different. For more information about the attributes on the account form and the supported operating systems, see “UNIX and Linux Adapter account form attributes” on page 19.

You can also specify optional attributes on the account forms.

Optional attributes on the account form

In addition to the required attribute, you can create more fields on the account form. You can use Design Forms in IBM Security Identity Manager to customize the account form.

The Force a password change, Allow at jobs, and Allow cron jobs attributes are examples of the optional attributes on the account form. For more information about account attributes, see “UNIX and Linux Adapter account form attributes” on page 19 and the documentation for your operating system.

Note: The Allow at jobs and Allow cron jobs attributes affect the contents of these files:
• at.allow
• at.deny
• cron.allow
• cron.deny

In some cases, platform-specific configuration might be required to enable the user to run at or cron jobs. For example, on the AIX operating system the user's daemon attribute must be set to true to enable the user to run at or cron jobs.
Table 2. Specifying the optional attributes on the account form

Attribute: Force a password change
Supported operating systems: AIX, HP-UX, Linux, Solaris
Result: Selecting the Force a password change check box forces the user to change the password at the next logon to the operating system.

Attribute: Allow at jobs
Supported operating systems: AIX, HP-UX, Linux, Solaris
Result: Specifying the Allow at jobs attribute grants the user permission to submit jobs with the at command, which runs a command once at a specified time in the future. When you select the Allow at jobs check box in IBM Security Identity Manager, the adapter:
• Creates the user account on the operating system.
• Adds the user to the at.allow file. If the file does not exist, the adapter creates the at.allow file on the system.
• Removes the user from the at.deny file if that file exists on the operating system.

Attribute: Allow cron jobs
Supported operating systems: AIX, HP-UX, Linux, Solaris
Result: Specifying the Allow cron jobs attribute grants the user permission to use the cron utility to schedule repetitive tasks. When you select the Allow cron jobs check box in IBM Security Identity Manager, the adapter:
• Creates the user account on the operating system.
• Adds the user to the cron.allow file. If the file does not exist, the adapter creates the cron.allow file on the system.
• Removes the user from the cron.deny file if that file exists on the operating system.

Attribute: Delete user account even when it is in use
Supported operating systems: Linux
Result: Selecting the Delete user account even when it is in use check box ends the active processes of the user when you delete the user account.

Attribute: Execute user profile?
Supported operating systems: HP-UX
Result: Specifying the Execute user profile? attribute causes the profile of the adapter user to be run before the IBM Security Identity Manager task. This attribute enables special terminal control characters such as @ or # on HP-UX services. If the profile remaps these characters and you enable this attribute, you can use these characters in passwords when you add or modify accounts.
Do not change the default owner, group, or permissions of /etc/profile or of the .profile of the adapter user. Doing so might cause the adapter to fail. Running the profile has these limitations:
• Do not call another shell from profile scripts; doing so can cause the adapter to hang.
• Do not echo anything when the profile traps a logout signal; the echo output can be merged with command results.
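The allow/deny bookkeeping that Table 2 describes for the Allow at jobs and Allow cron jobs attributes, as an added example written for this page (it is not the adapter's code): grant_scheduler() applies the three steps from the table to a constructed /etc directory in a temporary folder, and is_permitted() applies the access rule that at and crontab themselves use, so the side effect of creating an allow file is visible. The user names and the initial cron.deny content are constructed for the demonstration.

```python
"""Added example: the at.allow/cron.allow bookkeeping the page describes for
the Allow at jobs and Allow cron jobs attributes, applied to a constructed
/etc directory (a temp dir, not the live host). Not adapter code."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

FACILITIES = ("at", "cron")


def _read_users(path: Path) -> List[str]:
    """User names listed in an allow/deny file, or [] if the file is absent."""
    if not path.exists():
        return []
    return [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]


def _write_users(path: Path, users: List[str]) -> None:
    """Rewrite atomically; on a real host the file is root-owned and only root-writable."""
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("".join(u + "\n" for u in users))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def grant_scheduler(etc_dir: str, user: str, facility: str) -> None:
    """What the adapter does when the Allow at/cron jobs box is selected:
    add the user to <facility>.allow (creating the file if it is missing) and
    remove the user from <facility>.deny if that file exists."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    etc = Path(etc_dir)
    allow, deny = etc / f"{facility}.allow", etc / f"{facility}.deny"
    allowed = _read_users(allow)
    if user not in allowed:
        _write_users(allow, allowed + [user])
    if deny.exists():
        denied = _read_users(deny)
        if user in denied:
            _write_users(deny, [u for u in denied if u != user])


def is_permitted(etc_dir: str, user: str, facility: str) -> Optional[bool]:
    """The rule at(1) and crontab(1) apply: if an allow file exists it is the
    whole policy; otherwise a deny file excludes those listed; with neither
    file the default is platform specific, so None is returned."""
    etc = Path(etc_dir)
    allow, deny = etc / f"{facility}.allow", etc / f"{facility}.deny"
    if allow.exists():
        return user in _read_users(allow)
    if deny.exists():
        return user not in _read_users(deny)
    return None


def demo() -> Dict[str, object]:
    """Constructed host: only cron.deny exists and it lists alice."""
    with tempfile.TemporaryDirectory() as etc:
        (Path(etc) / "cron.deny").write_text("alice\n")
        before = {u: is_permitted(etc, u, "cron") for u in ("alice", "bob")}
        grant_scheduler(etc, "alice", "cron")
        after = {u: is_permitted(etc, u, "cron") for u in ("alice", "bob")}
        return {"before": before, "after": after,
                "allow_file": _read_users(Path(etc) / "cron.allow"),
                "deny_file": _read_users(Path(etc) / "cron.deny")}
```

The second lookup in demo() is the caveat to keep in mind: on a host that had only cron.deny, creating cron.allow for alice also locks out bob, who was never denied, because an allow file becomes the complete policy. Check whether the allow file already exists before enabling the attribute for the first account on a host where other accounts depend on cron or at.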
Password lifespan for a user account

The password lifespan attributes specify the time before the password of a user account expires.

Use the following attributes:

Password maximum age: Specifies the maximum number of days that the password is valid. If you specify this attribute, the password expires after the specified number of days, and the user must change it to continue accessing the UNIX or Linux operating system.

Password minimum age: Specifies the minimum number of days that must elapse after a password change before the user can change the password again. If you do not specify a value for this attribute, the password can be changed at any time.

Password warning age: Specifies the number of days before the password expires from which the user starts receiving a warning to change the existing password.
Determining the lifespan of a user account

The lifespan of a user account is the time before it expires.

About this task

The Account Expiration Date attribute specifies the date on which the account becomes inactive and unavailable. The default value for this attribute is Never. If you do not specify a date, the user account is valid indefinitely. Follow these steps to specify a date value:

Procedure
1. Clear the Never check box.
2. Click the View Calendar icon and select the date.
3. Click OK.

The status of a user account becomes inactive and unavailable for use when either of the following situations occurs:
• The account expiration date elapses.
• The value of the Account Expiration Date attribute is the same as the current date.

In both situations the user account is created on the UNIX or Linux operating system, but the user cannot log on to the system.
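The aging and expiration attributes in the two sections above map onto fields of the shadow(5) record on Linux and Solaris (AIX and HP-UX keep the equivalent settings in their own password databases). As an added example written for this page, and not taken from the adapter, the following code evaluates constructed shadow lines against a chosen date and reports the state each account is in: forced change (Force a password change), expired or in the warning window (Password maximum and warning age), change refused (Password minimum age), locked after the inactivity grace, and account expired (Account Expiration Date, including the case where the date equals today). The sample lines and the boundary rule that the expiry day itself counts as expired are assumptions for the demonstration.

```python
"""Added example: evaluate /etc/shadow entries the way the operating system
does at logon, using the fields behind the Password maximum age, Password
minimum age, Password warning age and Account Expiration Date attributes.
Not adapter code; the shadow lines below are constructed for the demo."""
from datetime import date
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)

# Constructed shadow(5) records: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = [
    "alice:$6$salt$hash:19799:7:90:14:::",  # healthy, inside the warning window
    "bob:!:0:0:90:7::19875:",                # lastchg 0 = forced change; expires "today"
    "carol:*:19700:0:30:7:::",               # password aged out, no inactivity limit
    "dave:x:19700:0:30:7:10::",              # aged out and past the inactivity grace
]


def _days(field: str) -> Optional[int]:
    """Fields hold days since the epoch or day counts; empty means unset."""
    return int(field) if field.strip() else None


def parse_shadow(line: str) -> Dict[str, object]:
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow entry: " + line)
    return {"name": f[0], "last": _days(f[2]), "min": _days(f[3]), "max": _days(f[4]),
            "warn": _days(f[5]), "inactive": _days(f[6]), "expire": _days(f[7])}


def lifespan_state(line: str, today: date) -> Dict[str, object]:
    e = parse_shadow(line)
    t = (today - EPOCH).days
    last, pw_max, warn = e["last"], e["max"], e["warn"] or 0
    # Force a password change: a last-change day of 0 means "change at next logon".
    force_change = last == 0
    # Password maximum age counts from the last change; the expiry day itself is
    # treated as expired here (assumption; confirm against your platform).
    aging = last not in (None, 0) and pw_max is not None
    expires_on = last + pw_max if aging else None
    pw_expired = aging and t >= expires_on
    # Password warning age: the `warn` days before expiry.
    in_warning = aging and not pw_expired and t >= expires_on - warn
    # Inactivity grace (field 7): once it has passed too, the account is locked.
    locked = aging and e["inactive"] is not None and t >= expires_on + e["inactive"]
    # Password minimum age: a change is refused until `min` days have elapsed.
    can_change = last in (None, 0) or e["min"] is None or t >= last + e["min"]
    # Account Expiration Date (field 8): an absolute day; empty means Never.
    account_expired = e["expire"] is not None and t >= e["expire"]
    return {"name": e["name"], "force_change": force_change, "pw_expired": pw_expired,
            "in_warning": in_warning, "locked": locked, "can_change": can_change,
            "account_expired": account_expired}


def evaluate_all(today: date) -> Dict[str, Dict[str, object]]:
    """State of every constructed account as of `today`, keyed by user name."""
    return {s["name"]: s for s in (lifespan_state(ln, today) for ln in SAMPLE_SHADOW)}
```

Run evaluate_all(date(2024, 6, 1)) (day 19875 since the epoch) to see all five states at once; the bob line shows why a reconciliation should treat an Account Expiration Date equal to today as already expired, which is the rule the procedure above states.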
Group assignment to users

You can assign groups to users on the UNIX and Linux operating systems.

To assign groups to a user, select the groups that are listed on the account form. You can associate a user with the following groups:
• Primary group
• Secondary group

You can assign only one primary group to a user, but you can assign multiple secondary groups. When you assign groups to a user from IBM Security Identity Manager, the adapter creates the user account and associates the user with the groups.

Role assignment to users

To assign administrative roles to a user, select the roles that are listed on the account form of the AIX operating system.
You can assign multiple administrative roles to a user. When you assign an administrative role to a user, you grant the user permission to perform the administrative actions defined for that role. Assign roles that grant enough permission for the user to accomplish the administrative tasks, and no more than that.

When you assign administrative roles to a user from IBM Security Identity Manager, the adapter creates the user account. The adapter also sets the value of the administrative roles attribute on the AIX operating system.

Support data attributes

Specifying the support data attributes assigns groups and roles to the user on the operating system.

The following table lists:
• The support data attributes on the account form
• The supported operating systems
• The result of specifying the support data attributes
Table 3. Results of specifying the support data attributes on the account form

Support data attribute: Primary group
Supported operating systems: AIX, HP-UX, Linux, Solaris
Result: The adapter associates the user with the primary group that is selected from the list on the account form. When you assign a user to a primary group:
• The user gains the privileges that are available to that group.
• The adapter creates the user account on the operating system and sets the value of the primary group attribute on the operating system.
You can associate a user with only one primary group.

Support data attribute: Secondary group
Supported operating systems: AIX, HP-UX, Linux, Solaris
Result: The adapter associates the user with the secondary groups that are selected from the list on the account form. When you assign a user to a secondary group:
• The user gains the privileges that are available to that group.
• The adapter creates the user account on the operating system and makes the user a member of each of the selected secondary groups.
You can associate a user with multiple secondary groups.

Support data attribute: Groups that can use the su command to switch to this user
Supported operating systems: AIX
Result: The adapter enables the users in the selected groups to use the su command to switch to the specified user account. When you set the value of this attribute:
• The adapter creates the user account on the AIX operating system.
• The members of the selected groups gain permission to use the su command to switch to the specified user account.

Support data attribute: Groups to be administered
Supported operating systems: AIX
Result: The adapter enables the user to administer the groups that are selected from the list on the account form of the AIX operating system. When you set the value of this attribute:
• The adapter creates the user account.
• The adapter enables the user to administer the selected groups.

Support data attribute: Administrative roles
Supported operating systems: AIX
Result: The adapter enables the user to perform administrative tasks by assigning roles on the AIX operating system. An administrative role defines the permissions granted to a user for administrative tasks. When you assign administrative roles to a user, the adapter creates the user account and sets the value of the user's roles attribute on the AIX operating system.
Discovery of sudo privileges

The sudo privileges granted to users and groups on a system can be returned during account reconciliation. The privileges are read from the sudoers file on the resource where the reconciliation occurs.

To discover sudo privileges, enable the feature by selecting the Return sudo privileges? check box on the service form. Also specify the path to the sudoers file if it is not in the default location, /etc/sudoers, on the resource. The sudoers file on the resource must be readable by the administrator ID that IBM Security Identity Manager uses to manage the system. The UNIX and Linux Adapter does not validate the sudoers file. Use only the visudo command to modify the sudoers file, because visudo validates the file before it is saved.

The sudo privileges that are discovered are displayed on the account and group forms in read-only lists. The format of the sudo privileges is the same as the specification in the sudoers file, except that alias names are replaced with the alias member values. Currently no functionality exists to provision changes in sudo privileges from IBM Security Identity Manager to the sudoers file on services.

The sudo privileges displayed for a user account do not include privileges that are defined for groups. The user might inherit sudo privileges from group membership, but those privileges are not displayed on the account form.

The sudo privileges that are returned from the resource might not be in the same order as in the sudoers file. The order of the privileges displayed in IBM Security Identity Manager does not imply the order of precedence for privileges on the system.

Restrictions on what the adapter reads from the sudoers file

Because sudo command capabilities vary widely between releases, the UNIX and Linux Adapter does limited processing of the sudoers file. Limiting the processing enables the adapter to support the most common usage across a wide range of sudo versions.

The adapter discovers sudo privileges for an account by reading the sudoers file and searching for user specifications that match the account on the host computer. For the adapter to match accounts to user specifications, the accounts in the sudoers file must be specified by one of the following identifiers:
• User name
• Group ID
• The keyword ALL

For the adapter to match the host computer to a user specification, one of the following conditions must be met:
• The host name must equal the value returned by the hostname command on the workstation.
• The IP address of the computer must match.
• The keyword ALL must be specified.
• A matching IP network is used.

Aliases can be used for users and hosts, but they must resolve to values that the adapter can match.

If the #include directive is used in the sudoers file, the adapter searches for privileges in the specified file as well. However, advanced features such as the %h escape and the #includedir directive are not currently supported.

If aliases are used in the sudoers file, the adapter processes these aliases:
• Cmnd_Alias
• User_Alias
• Runas_Alias
• Host_Alias

Other features of the sudoers file, such as Defaults entries, parameters, options, and wildcard characters, are not processed by the adapter.
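The matching rules above, as an added example written for this page (it is not the adapter's own parser): a deliberately limited sudoers reader that resolves the four alias types, follows #include but not #includedir, skips Defaults lines, matches users by name, by %group or by ALL, matches hosts by name, address, network or ALL, and returns the command specifications with alias names replaced by their members. The sudoers content, user names, group, host names and addresses in demo() are constructed for the demonstration. The include_groups switch is an assumption for illustration: False reproduces what the account form shows (group-derived privileges omitted), True shows what sudo itself would grant.

```python
"""Added example (not the adapter's code): a limited sudoers(5) reader that
follows the matching rules listed above. The file content, users, groups,
hosts and addresses in demo() are constructed for the demonstration."""
import ipaddress
import re
import tempfile
from pathlib import Path

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_RE = re.compile(r"^(%s)\s+(\w+)\s*=\s*(.+)$" % "|".join(ALIAS_TYPES))


def _logical_lines(path):
    """Join backslash continuations; follow #include but not #includedir."""
    buf = ""
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line.startswith("#include "):
            inc = Path(line.split(None, 1)[1].strip())
            yield from _logical_lines(inc if inc.is_absolute() else path.parent / inc)
        else:
            yield line


def parse_sudoers(path):
    """Alias tables plus (users, hosts, command part) user specifications.
    Defaults lines, comments and anything unrecognised are skipped."""
    aliases, specs = {t: {} for t in ALIAS_TYPES}, []
    for line in _logical_lines(path):
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        left, sep, cmds = line.partition("=")
        tokens = left.split()
        if sep and len(tokens) >= 2:  # "user_list host_list = cmnd_spec"
            users = [u.strip() for u in " ".join(tokens[:-1]).split(",")]
            specs.append((users, tokens[-1].split(","), cmds.strip()))
    return aliases, specs


def _resolve(items, table, seen=()):
    """Replace alias names in a user or host list with their members."""
    out = []
    for it in items:
        if it in table and it not in seen:
            out.extend(_resolve(table[it], table, seen + (it,)))
        else:
            out.append(it)
    return out


def _expand_text(text, table):
    """Substitute alias names inside a command specification, nested or not."""
    for _ in range(10):  # bounded so an alias cycle cannot loop forever
        new = text
        for name, members in table.items():
            repl = ", ".join(members)
            new = re.sub(r"\b%s\b" % re.escape(name), lambda _m: repl, new)
        if new == text:
            return new
        text = new
    return text


def _host_matches(entry, hostname, host_ip):
    if entry in ("ALL", hostname):
        return True
    try:  # a bare address or a CIDR/netmask network
        return ipaddress.ip_address(host_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def sudo_privileges(sudoers, user, groups, hostname, host_ip, include_groups=False):
    """Command specifications that apply to `user` on this host. include_groups
    False reproduces the account form, which omits %group-derived privileges."""
    aliases, specs = parse_sudoers(Path(sudoers))
    found = []
    for users, hosts, cmds in specs:
        who = _resolve(users, aliases["User_Alias"])
        hit = any(u in ("ALL", user) or (include_groups and u.startswith("%") and u[1:] in groups)
                  for u in who)
        if hit and any(_host_matches(h, hostname, host_ip) for h in _resolve(hosts, aliases["Host_Alias"])):
            found.append(_expand_text(_expand_text(cmds, aliases["Cmnd_Alias"]), aliases["Runas_Alias"]))
    return found


SUDOERS = """\
Defaults    env_reset
User_Alias  OPS = alice, %wheel
Host_Alias  WEB = web01, 10.0.0.0/24
Cmnd_Alias  SERVICES = /usr/sbin/service, /usr/bin/systemctl
Runas_Alias DB = postgres
root        ALL = (ALL) ALL
OPS         WEB = (DB) SERVICES, \\
                  /usr/bin/tail
%wheel      ALL = (ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
#include extra.sudoers
"""
EXTRA = "bob  10.0.0.7 = /usr/bin/less\n"


def demo():
    """Constructed sudoers tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        main = Path(d) / "sudoers"
        main.write_text(SUDOERS)
        (Path(d) / "extra.sudoers").write_text(EXTRA)
        return {
            "alice_account_form": sudo_privileges(main, "alice", ["wheel"], "web01", "10.0.0.5"),
            "alice_effective": sudo_privileges(main, "alice", ["wheel"], "web01", "10.0.0.5", True),
            "bob_via_include": sudo_privileges(main, "bob", [], "db01", "10.0.0.7"),
        }
```

Negated entries (!), wildcards and Defaults are passed through or ignored, as the page says the adapter does, so treat this output as the adapter's view rather than as an authoritative answer to what sudo permits; sudo -l -U user on the host gives that answer. The alice_effective result is the NOPASSWD: ALL grant that the account form would not show because it comes from the wheel group.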
Modifying user accounts

You can modify user account attributes at any time in IBM Security Identity Manager.

This section describes some typical adapter attributes that you can use to modify the user accounts. For more attributes and specific procedures, see the IBM Security Identity Manager product documentation.

This section includes the following topics:
• “User unassignment from groups”
• “Role removal on AIX”
• “Password changes for user accounts”
• “Suspending user accounts”
• “Restoring user accounts” on page 13

User unassignment from groups

When you use IBM Security Identity Manager to unassign a user from a group, the adapter modifies the user account on the operating system and removes that group from the user account.

Role removal on AIX

You can unassign roles on AIX.

You can unassign an administrative role by deleting it from IBM Security Identity Manager. Users assigned to that role can no longer perform the administrative tasks that are defined for that role on the AIX operating system.

When you use IBM Security Identity Manager to unassign a user from an administrative role, the adapter modifies the user account and removes that role from the roles attribute of the user account.

Password changes for user accounts

You can change the password of any of the UNIX or Linux accounts that exist in IBM Security Identity Manager.

For information about changing passwords, see the IBM Security Identity Manager product documentation.

Suspending user accounts

When you suspend a user account, the status of the user account in IBM Security Identity Manager becomes inactive and the user account becomes unavailable for use.

Suspending a user account does not remove the user account from IBM Security Identity Manager. For more information about suspending user accounts, see the IBM Security Identity Manager product documentation.
Restoring user accounts

The restore operation reinstates suspended user accounts in IBM Security Identity Manager.

After you restore a user account, the status of the user account in IBM Security Identity Manager becomes active. For more information about restoring user accounts, see the IBM Security Identity Manager product documentation.

Deleting user accounts

Use the IBM Security Identity Manager deprovision feature to delete user accounts.

For more information about deleting user accounts, see the IBM Security Identity Manager product documentation.

When you delete a user account from IBM Security Identity Manager, the adapter removes the user from the /etc/passwd file. You can no longer manage the user account.

Note: On Linux systems, you cannot delete an account while its user has running processes. To delete a user with running processes, add the erPosixDelUsrInUse attribute as a check box to the Linux account form. Then select the check box when you delete the account. See “Optional attributes on the account form” on page 6.
Chapter 3. Troubleshooting
Troubleshooting is the process of determining why a product does not function as it is designed to function. This chapter provides information and techniques for identifying and resolving problems that are related to the adapter, including errors that might occur when managing accounts or groups, where applicable.

The UNIX and Linux Adapter operation might fail if:
• A change is made to the structure of standard files, such as /etc/passwd.
• The UNIX or Linux operating system version is not supported by the adapter. For information about the supported versions of the UNIX and Linux operating systems, see the UNIX and Linux Adapter Installation and Configuration Guide.
• Secure Shell (SSH) is not configured properly. See Enabling secure communication in the UNIX and Linux Adapter Installation and Configuration Guide.

Error logs

When an operation fails, the corresponding error messages and warnings are logged in the ibmdi.log file. This file is in the logs subdirectory of the adapter solution directory. The adapter solution directory is a Tivoli Directory Integrator work directory for IBM Security Identity Manager adapters.

You can display the error logs in the user interface by running the Dispatcher from the command prompt. You can also configure logging information for the adapter. For more information about displaying logs in the user interface and configuring logging information, see the adapter's Installation and Configuration Guide.

Error messages and warnings

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

The following table lists the error messages and warnings that might occur while performing the user account or group management tasks, where applicable. It also includes the corrective actions to resolve the errors.
Error message: The login credential is missing or incorrect.
Corrective action: Specify the values of the login attributes correctly. Ensure that:
• The managed resource (AIX, HP-UX, Solaris, or Linux) is functioning and that you are connected to the correct resource.
• The value of the Managed resource location attribute on the service form is specified correctly.
• The name in the Administrator name field on the service form is specified correctly.
• The value of the Password attribute on the service form is specified correctly.
• Secure Shell (SSH) is enabled and running on the managed resource. For information about installing and enabling SSH, see the UNIX and Linux Adapter Installation and Configuration Guide.

Error message: The account exists.
Corrective action: This error might occur when:
• A request is made to add a user that already exists. Create a user account with another user ID.
• The UNIX or Linux operating system and IBM Security Identity Manager are not synchronized. Schedule a reconciliation between the managed resource and IBM Security Identity Manager. For more information about scheduling a reconciliation, see the IBM Security Identity Manager product documentation.

Error messages:
• The adapter does not have permission to add an account.
• The adapter does not have permission to modify an account.
• The adapter does not have permission to delete an account.
Corrective action: The user specified in the Administrator name field on the service form does not have the permissions to add, modify, or delete the account. Perform one of the following actions:
• Assign the appropriate privileges to the user whose name is specified in the Administrator name field.
• Change the name in the Administrator name field to a name that has the appropriate privileges, for example, root.
Note: The Administrator name attribute is a required attribute on the service form.

Error messages:
• The required attributes are missing from the request.
• There were no attributes passed to the adapter in the request.
• One or more required attributes are missing in the request.
Corrective action: One or more required attributes were not provided when a request was made to add, modify, delete, or search for a user. Ensure that the required User ID attribute is specified on the account form.

Error messages:
• A system error occurred while adding an account. The account was not added.
• A system error occurred while modifying an account. The account was not changed.
• A system error occurred while deleting an account. The account was not deleted.
• The search failed due to a system error.
Corrective action: This error might occur for several reasons. Ensure that:
• The name in the Administrator name field on the service form is specified correctly.
• The value of the Password attribute on the service form is specified correctly.
• The name in the Administrator name field has the appropriate privileges to add, modify, or delete a user account.

Error messages:
• The account was added but some attributes failed.
• The account was modified but some attributes failed.
• The account was deleted successfully, but additional steps failed.
Corrective action: The account was created, modified, or deleted, but some of the attributes specified in the request were not set. See the list of attributes that failed and the error message that explains why each attribute failed. Correct the errors associated with each attribute and perform the action again.
Note: You might need to review the documentation of the UNIX or Linux operating system to determine the correct values for some attributes.

Error message: The account is already suspended.
Corrective action: This error occurs if an attempt is made to suspend an account that is already suspended.

Error message: The account was not suspended.
Corrective action: The request to suspend the account failed. Ensure that:
• The name in the Administrator name field on the service form is specified correctly.
• The value of the Password attribute on the service form is specified correctly.
• The name in the Administrator name field has the necessary privileges to suspend an account.
• The user exists on the specified managed resource.
See the ibmdi.log file in the adapter solution directory of the Tivoli Directory Integrator server for specific details about the error.

Error message: The account is already restored.
Corrective action: This error occurs if an attempt is made to restore an account that is already restored.

Error message: The account was not restored.
Corrective action: The request to restore the account failed. Ensure that:
• The name in the Administrator name field on the service form is specified correctly.
• The value of the Password attribute on the service form is specified correctly.
• The name in the Administrator name field has the necessary privileges to restore an account.
• The user exists on the specified managed resource.
See the ibmdi.log file in the adapter solution directory of the Tivoli Directory Integrator server for specific details about the error.

Error message: The reconciliation is successful, but no accounts were added to your service.
Corrective action: Check the ibmdi.log file to ensure that the usage of the shadow file is correct.
Note: If you want the adapter to perform the reconciliation operation by using the shadow file, select the Use Shadow File check box on the service form. Shadow files are available on the Linux and HP-UX operating systems.

Error message: The application could not establish a connection to hostname.
Corrective action: Ensure that:
• SSH is enabled on the managed resource.
• The managed resource is operational and connected to the network.

Error message: The group cannot be added because it exists.
Corrective action: This error occurs when a request is made to add a group that already exists. Create a group with another group name.
The group cannot be addedbecause group with the GIDGroup ID number exists.
This error occurs when a request is made to add agroup with a group ID number that exists. Do either ofthe following:
v Do not specify a group ID number.
v Clear the Allow duplicate group IDs? checkbox ifthat option is supported for the managed resource.
The group Group name cannotbe modified or deleted because itdoes not exist.
This error occurs when a request is made to modify ordelete a group that does not exist on the managedresource. Perform a reconciliation operation to ensurethat the group exists on the managed resource.
An error occurred while creating,modifying, or deleting the Groupname group. The applicationcould not establish a connectionto managed resource.
Ensure the following on the service form:
v The name in the Administrator name field on theservice form is specified correctly.
v The value of the Password attribute on the serviceform is specified correctly.
v The managed resource is operational and connectedto the network.
The IBM Tivoli DirectoryIntegrator detected the followingerror. Error: Connector parameterexecuteUserProfile has a valuethat is not valid: true.
Clear the Execute user profile? check box for the serviceused in the operation.
18 IBM Security Identity Manager: UNIX and Linux Adapter User Guide
Chapter 4. Reference

Reference information is organized to help you locate particular facts quickly, such as adapter attributes, application programming interfaces, files, and commands, where applicable.

Adapter attributes

The IBM Security Identity server communicates with the adapter by using attributes, which are included in transmission packets that are sent over a network.

You can manage the adapter attributes that are on the various adapter forms.

These topics include:
- Account form attributes
- Service form attributes
- UNIX group form attributes
- AIX role form attributes

UNIX and Linux Adapter account form attributes

You can manage user accounts from IBM Security Identity Manager.

The following table lists:
- The attributes that are displayed on the UNIX and Linux operating system account form on IBM Security Identity Manager.
- The corresponding names on the IBM Tivoli Directory Server.
- The supported operating systems.
Table 4. Account form attributes

Columns: attribute name on the UNIX and Linux operating system account form on IBM Security Identity Manager | attribute name on the IBM Tivoli Directory Server | supported operating systems (AIX, HP-UX, Linux, Solaris). The source table marks each supported system with a check mark in its own column; only the number of marks per row is legible here, so "three of four" means three of those four systems.

User ID | erUid | all four
Gecos (comments) | erPosixGecos | all four
UID number | erPosixUid | all four
UNIX shell | erPosixShell | all four
Account expiration date | erPosixExpireDate | all four
Force a password change | erPosixForcePwdChange | all four
Primary group | erPosixPrimaryGroup | all four
Secondary group | erPosixSecondGroup | all four
Groups that can use the su command on this user | erPosixSuGroup | one of four
Groups to be administered | erPosixAdmGroups | one of four
Home directory | erPosixHomeDir | all four
Password maximum age | erPosixMaxPwdAge | three of four
Password minimum age | erPosixMinPwdAge | three of four
Password warning age | erPosixPwdWarnAge | three of four
Administrative roles | erPosixRoles | one of four
Additional mandatory methods for authenticating the user | erPosixAuth1 | one of four
Additional optional methods for authenticating the user | erPosixAuth2 | one of four
Allow at jobs | erPosixAT | three of four
Allow cron jobs | erPosixCron | three of four
Audit class | erPosixAuditClasses | one of four
Allow user to execute daemon process | erPosixDaemonAllowed | one of four
Allow user to log in to the system | erPosixLoginAllowed | one of four
Can another user switch user to this user | erPosixSuGroup | one of four
Is this user an administrator | erPosixAdminUser | one of four
Soft limit for the largest core size | erPosixSoftCore | one of four
Soft limit for the maximum amount of CPU utilization | erPosixSoftCPU | one of four
Soft limit for largest data segment | erPosixSoftData | one of four
Soft limit for the largest file size | erPosixSoftFileSize | one of four
Soft limit for the largest stack segment | erPosixSoftStack | one of four
Largest core size | erPosixHardCore | one of four
Maximum CPU utilization | erPosixHardCPU | one of four
Largest data segment | erPosixHardData | one of four
Largest file size | erPosixHardFileSize | one of four
Largest stack segment | erPosixHardStack | one of four
Allowed login time | erPosixLoginTimes | one of four
Allowed number of login retries before locking the account | erPosixLoginRetries | three of four
Maximum number of days (weeks for AIX) the account can remain valid after the password expires | erPosixPwdMaxAge | two of four
Minimum number of alphabetic characters in password | erPosixPwdMinAlphaChar | one of four
Minimum difference between the current and last password | erPosixPwdMinDiff | one of four
Maximum number of characters that can be repeated in a password | erPosixPwdMaxRepeats | one of four
Minimum length of the password | erPosixPwdMinLen | one of four
Password restriction methods | erPosixPwdCheck | one of four
Password dictionaries used to restrict passwords | erPosixPwdDiction | one of four
Number of previous passwords that cannot be reused | erPosixPwdHistory | one of four
Time for which a user cannot reuse passwords | erPosixPwdHistoryExpire | one of four
Account last accessed on | erPosixLastAccessDate | all four
Valid terminals allowed to access the account | erPosixValidTtys | one of four
System authentication mechanism for the user | erPosixRegistry | one of four
Number of days the account can remain idle | erPosixIdleDays | one of four
sudo privileges | erPosixSudoPrivileges | all four
Allow duplicate UIDs | erPosixDupUid | three of four
Is No Password Account? | erPosixNpAccount | two of four
Do Not Create User Private Group | erPosixPrivateGroup | one of four
Hosts on which user will be able to login | erPosixHostsAllowedLogin | one of four
Hosts on which user will not be able to login | erPosixHostsDeniedLogin | one of four
Create home directory while creating the account | erPosixDefaultHomedir | all four
Minimum number of non-alphabetic characters in password | erPosixPwdMinOtherChar | one of four
Command used to query failed logins | erPosixFailedLoginCmd | one of four
File or directory where failed login records are found | erPosixFailedLoginTallyLoc | one of four
Maximum failed logins allowed | erPosixMaxFailedLogins | one of four
Delete user account even when it is in use | erPosixDelUserInUse | one of four
UNIX and Linux Adapter service form attributes

You must create a service for the UNIX and Linux Adapter before the IBM Security Identity Manager server can use the adapter.

IBM Security Identity Manager uses the adapter to communicate with the managed resource. The following table lists:
- The attributes that are displayed on the UNIX or Linux operating system service form on IBM Security Identity Manager.
- The corresponding names on the IBM Tivoli Directory Server.
- The supported operating systems.
Table 5. Service form attributes

Columns: attribute name on the UNIX and Linux operating systems service form on IBM Security Identity Manager | attribute name on the IBM Tivoli Directory Server | supported operating systems (AIX, HP-UX, Linux, Solaris; as in Table 4, only the number of check marks per row is legible here).

Service name | erServiceName | all four
Description | description | all four
Tivoli Directory Integrator location | erITDIurl | all four
Managed resource location | erURL | all four
User registry | erPosixRegistry | one of four
Delete home directory when the account is deleted? | erPosixHomeDirRemove | all four
Owner | owner | all four
Service prerequisite | erPrerequisite | all four
Administrator name | erServiceUid | all four
Is sudo user? | erPosixUseSudo | all four
Return sudo privileges? | erPosixReturnSudoPrivileges | all four
Path to the sudoers file | erPosixSudoersPath | all four
Authentication method | erPosixAuthMethod | all four
Password | erPassword | all four
Passphrase (required for key based authentication) | erPosixPassphrase | all four
Private key file (required for key based authentication) | erPosixPKFile | all four
Use a shadow file? | erPosixUseShadow | two of four
Disable AL Caching | erPosixDisableALCache | all four
AL FileSystem Path | erPosixALFileSystemPath | all four
Max Connection Count | erPosixMaxConnectionCnt | all four
Case Insensitive filter | erLdapCaseInSensitiveFilter | all four
Execute user profile? | erPosixExecuteUserProfile | one of four
Command used to query failed logins | erPosixFailedLoginCmd, erPosixFailedLoginTallyLoc, erPosixMaxFailedLogins | one of four
UNIX and Linux Adapter group form attributes

You can manage UNIX groups from IBM Security Identity Manager.

The following table lists:
- The attributes that are displayed on the UNIX and Linux operating system group form on IBM Security Identity Manager.
- The corresponding names on the IBM Tivoli Directory Server.
- The supported operating systems.
Table 6. Group form attributes

Columns: attribute name on the UNIX and Linux operating systems group form on IBM Security Identity Manager | attribute name on the IBM Tivoli Directory Server | supported operating systems (AIX, HP-UX, Linux, Solaris; as in Table 4, only the number of check marks per row is legible here).

Group name | erPosixGroupName | all four
Group ID number | erPosixGroupId | all four
Administrator group | erPosixGroupIsAdmGrp | one of four
Group administrators | erPosixGroupAdmin | one of four
Group projects | erPosixGroupProjects | one of four
Define an Access | No LDAP attribute exists. However, these other access attributes can be set: erAccessOption, erAccessName, erObjectProfileName, erAccessDescription, owner, erApprovalProcessID, erNotifyAccessProvision, erNotifyAccessDeprovision | all four
Enable Access | erAccessOption = 2 | all four
Enable Common Access | erAccessOption = 3 | all four
Disable Access | erAccessOption = 1 | all four
Access name | erAccessName | all four
Access type | erObjectProfileName | all four
Access description | erAccessDescription | all four
Access owner | owner | all four
Approval workflow | erApprovalProcessID | all four
Notify users when access is provisioned and available for use | erNotifyAccessProvision | all four
Notify users when access is de-provisioned | erNotifyAccessDeprovision | all four
Allow duplicate group IDs | erPosixGroupDupGid | three of four
sudo privileges | erPosixSudoPrivileges | all four
UNIX and Linux Adapter role form attributes

You can manage AIX roles from IBM Security Identity Manager.

The following table lists:
- The attributes that are displayed on the UNIX and Linux operating system role form on IBM Security Identity Manager.
- The corresponding names on the IBM Tivoli Directory Server.
- The supported operating systems.
Table 7. Role form attributes

Columns: attribute name on the UNIX and Linux operating systems role form on IBM Security Identity Manager | attribute name on the IBM Tivoli Directory Server | supported operating system. Every row in this table carries a single check mark; because the role form manages AIX roles, that system is AIX.

AIX role name | erPosixRoleName | AIX
Authorizations | erPosixRoleAuthorizations | AIX
Roles implied | erPosixRolelist | AIX
List of groups | erPosixRoleGroups | AIX
Visibility | erPosixRoleVisibility | AIX
Define an Access | No LDAP attribute exists. However, you can set the erAccessOption access attribute. | AIX
Access name | No LDAP attribute exists. However, you can set the erAccessName access attribute. | AIX
Access type | No LDAP attribute exists. However, you can set the erObjectProfileName access attribute. | AIX
Access description | No LDAP attribute exists. However, you can set the erAccessDescription access attribute. | AIX
Access owner | No LDAP attribute exists. However, you can set the owner access attribute. | AIX
Approval workflow | No LDAP attribute exists. However, you can set the erApprovalProcessID access attribute. | AIX
Notify users when access is provisioned and available for use | No LDAP attribute exists. However, you can set the erNotifyAccessProvision access attribute. | AIX
Notify users when access is de-provisioned | No LDAP attribute exists. However, you can set the erNotifyAccessDeprovision access attribute. | AIX