Release notes - IBM® Tivoli® Identity Manager UNIX and Linux Adapter 5.1.32

 

IBM Tivoli Identity Manager UNIX and Linux Adapter 5.1.32 is available. Compatibility, installation, and other getting-started issues are addressed.

 

Contents

Preface
Adapter Features and Purpose
Contents of this Release
Installation and Configuration Notes
Customizing or Extending Adapter Features
Supported Configurations
Notices

 

Preface

 

These Release Notes contain information for the following products that was not available when the IBM Tivoli Identity Manager manuals were printed:

 

· Directory Integrator-based UNIX and Linux Adapter Installation and Configuration Guide
· Directory Integrator-based UNIX and Linux Adapter User Guide

 

 

Adapter Features and Purpose

The UNIX and Linux Adapter creates and manages accounts on AIX, HP-UX, Solaris, Red Hat and SUSE Linux systems. The adapter runs in "agentless" mode and communicates with the managed systems over Secure Shell (SSH).

 

IBM recommends that this adapter (and the prerequisite Tivoli Directory Integrator) be installed on each node of an IBM Tivoli Identity Manager WebSphere cluster. A single copy of the adapter can handle multiple IBM Tivoli Identity Manager services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Tivoli Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the IBM Tivoli Identity Manager Information Center for a discussion of these topics.

 

IBM Tivoli Identity Manager adapters are powerful tools that require administrator-level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Tivoli Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.

 

Service Groups Management

The ability to manage service groups is a new feature introduced in Tivoli Identity Manager 5.1.  By service groups, IBM Tivoli Identity Manager is referring to any logical entity that can group accounts together on the managed resource.

 

Managing service groups implies the following:

· Create service groups on the managed resource.
· Modify attributes of a service group.
· Delete a service group.

Notes:

· Modifying a service group name is not supported.

 

Directory Service Support

· This adapter supports LDAP as a user registry on AIX only.
· This adapter does not support Network Information Service (NIS).

 

Contents of this Release

Adapter Version

Component / Version

Release Date: 2015 February 24 17.49.54

Adapter Version: 5.1.32

Component Versions:
    Adapter build: 5.1.32.121
    Profile: 5.1.32.121
    Connector: 5.1.32.121
    Dispatcher: 5.725 or higher (packaged separately). Dispatcher version 5.1.27 or higher is required to take advantage of the adapter timeout feature.

Documentation:
    Directory Integrator-Based UNIX and Linux Adapter Installation and Configuration Guide SC23-9655-01
    Directory Integrator-Based UNIX and Linux User Guide SC23-9656-01

 

New Features

Enhancement # (FITS) / Description

Items included in the current release (5.1.32)

None

Items included in the 5.1.31 release

Not released

 

Items included in the 5.1.30 release

RTC 107091: Support for RHEL 7

Items included in the 5.1.29 release

RFE 48769, RTC 107131: Support for RHEL 6.5

RTC 107094: Support for RHEL 5.10

RFE 48768, RTC 107132: Support for RHEL 5.7

RTC 105557: SunSSH server support for Solaris endpoint.
This version of the POSIX adapter is enhanced to support the SunSSH server on Solaris.

RFE 40182: Manage Linux server with Tectia SSH server.
This version of the POSIX adapter is enhanced to support the Tectia SSH server on Linux.
For details refer to the following section: Tectia SSH server support instructions

 

 

Items included in the 5.1.28 release

RFE 41074: Tectia 6.4 SSH server support for AIX 7 endpoint.
This version of the POSIX adapter is enhanced to support the Tectia 6.4 SSH server on AIX.
For details refer to the following section: Tectia SSH server support instructions

Items included in the 5.1.27 release

None

 

Items included in the 5.1.26 release

PMR 06691,122,000; PMR 47616,122,000; PMR 58647,122,000; Bugz 1025; Bugz 1032; Bugz 1073: Enable timeout feature in the UNIX and Linux Adapter

This feature allows the Dispatcher to end an operation that the adapter is running if the operation takes too long to complete. This feature requires Dispatcher version 5.1.27 or higher.

Remote operations performed by the UNIX and Linux Adapter can hang for a variety of reasons: for example, network delays, configuration errors in the SSH or sudo configuration files on the target system, or configuration errors in the password prompts on the service definition. In large environments, an accumulation of hanging operations can cause functional and performance problems for both the IBM Tivoli Directory Integrator and the IBM Tivoli Identity Manager server.

For Dispatcher versions prior to 5.1.27, stop and restart the Dispatcher service to clear hanging adapters. In version 5.1.27, you can configure the Dispatcher to detect an operation that has been running too long and interrupt it. An interrupted UNIX and Linux Adapter cleans up its state (including closing connections to the target system) before the Dispatcher ends the operation.

For information on enabling and configuring the timeout feature, see the Dispatcher documentation.

Items included in the 5.1.25 release

None

 

Items included in the 5.1.24 release

RFE 31713, RTC 78308: The erPosixMaxConnectionCnt attribute has a default value in all service.def files to limit the number of concurrent requests of a given type to a service.
See the Installation and Configuration Notes section for additional information.

RFE 31222 (18219), RTC 78795: Request for support of the following login shells other than /bin/sh by the TIM 5.1 UNIX/Linux adapter:
    AIX: /usr/bin/ksh
    HP-UX: /sbin/sh
    RHEL: /bin/bash
    SUSE: /bin/bash
    Solaris: /sbin/sh

RFE 33755: Adapter certification on RHEL 6.4

 

Items included in the 5.1.23 release

RFE 9853, RTC 74564: Add support to manage AIX LDAP groups
The adapter manages AIX groups if the user registry is set to LDAP.

RFE 12884, RTC 67379: Adapter certification on SLES11 on zSeries

MR0606115532, RTC 67190: Documentation change for at/cron attribute support on Linux
The documentation should read that the /bin/mkdir and /bin/rm commands are required in the sudoers entry on a Linux system which has a sudo administrative user.
See the Installation and Configuration Notes section for additional information.

RFE 16913, RTC 74562: Add Last Access Date support for HP-UX and Linux
The adapter now returns the account last access date when reconciling HP-UX and Linux systems.
See the Installation and Configuration Notes section for additional information.

RFE 8467, RTC 74563: Adapter certification on Solaris 11

Adapter certification on RHEL 6.3

Adapter certification on RHEL 5.9

RFE 14449: Adapter certification on Oracle Linux 6.3

 

Items included in the 5.1.14-5.1.22 releases

Not released

Items included in the 5.1.13 release

MR0611101655, RTC 67192: Enhance adapter so that Linux accounts can be deleted even if they are in use.
The adapter kills any active processes owned by the user before deleting the account. This behavior is controlled by a new attribute that is set with a checkbox on the Linux account form labeled "Delete user account even when it is in use".
See additional information in the "Installation and Configuration Notes" section of this document.

MR0606115532, RTC 67190: Add support for the at/cron attributes on Linux
The adapter allows you to manage users' permissions to execute "at" or "cron" jobs on Linux systems.

RFE 7275, RTC 67664: Enable sudo user to change root password on AIX
On AIX, the adapter can change the root user's password even if the minimum password age has not elapsed. After the password change, the ADMCHG flag (which requires the user to change the password on next login) is set back to whatever its value was prior to the password change.

 

 

Items included in the 5.1.12 release

PMR 17092,422,000; Bugz 501; RTC 55781: faillog command not found on Linux RHEL 6.1
The faillog command, used when determining account status, was removed in RHEL 6.1. The adapter has been modified to make the method of evaluating failed login status configurable. See the section "Determining account status on Linux" under Configuration Notes for additional information.

Items included in the 5.1.11 release

MR1208115927: The adapter has been certified on AIX 7.1

N/A: The adapter has been certified with TDI 7.1

 

Items included in the 5.1.10 release

MR060311623: Handle accounts locked for failed login attempts exceeded on AIX.
In previous versions of the adapter, the account status (active/inactive) on AIX systems was determined from the 'account_locked' attribute only. This version of the adapter also checks the condition (unsuccessful_login_count >= loginretries) and sets the account to inactive if the condition is true.

MR0125114835: Return success instead of a warning when restoring an account that is already active or suspending an account that is already inactive.

N/A: The adapter has been certified on RHEL 6.1

 

 

Items included in the 5.1.9 release

N/A: Provide an option to run a user's .profile and /etc/profile on HP-UX systems.
Special tty characters in the password prevent new user creation or password modification on HP-UX systems. The user would normally map the tty characters in the login profile to get around the issue. The adapter has been enhanced to allow the user to specify whether or not the user .profile and /etc/profile should be run when running commands on the HP-UX system.
See "Profile Specifics" in Chapter 3: Install the adapter of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

N/A: Provide an option to return user and group account sudo privileges.
The adapter has been enhanced to optionally return the sudo privileges of a user or group during a reconciliation operation.
See "Discovering sudo privileges" in Chapter 3: User account management tasks of the UNIX and Linux Adapter User Guide for a complete discussion of this additional information.

MR0125114835: UNIX/Linux: adapter should handle expired passwords on SuSE 10
The adapter has been enhanced to allow a password change on SuSE 10 systems when the password has expired.

N/A: The adapter has been certified on Tivoli Directory Integrator 7.1

ODBC: The adapter has been certified on RHEL 6.0

 

 

Items included in the 5.1.8 release

MR0726102757: Provide an option in the UNIX/Linux adapter to not copy the reconcile script to the remote machine
See "Reconciling with custom scripts" in Appendix B of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR1025106553: Support non-login accounts (passwd -N)
See "Non-login account (passwd -N) support" in Appendix B of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR0624101856: Add support for last access date in the UNIX/Linux Adapter for Solaris systems
See "Last access date support for Solaris systems" in Appendix B of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR042810477: UNIX/Linux adapter documentation should describe scoped sudo command setup
See Appendix D in the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

 

 

Items included in the 5.1.7 release

N/A: Added support for installation in an AIX WPAR.

N/A: Installer updated from ISMP to InstallAnywhere.
The RMI Dispatcher is no longer automatically installed by the UNIX and Linux adapter. It must be installed separately.

 

 

Items included in the 5.1.6 release

N/A: Enhance the UNIX/Linux adapter to optionally terminate the user session when the user is suspended.
See "Ending a user session after suspension" in Appendix B of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

 

 

Items included in the 5.1.5 release

MR1121083313: The UNIX and Linux adapter should return the exact OS error message when an add request fails due to a duplicate UID.
On AIX systems, this version of the adapter is enhanced to return the exact system message when a user add request fails due to either a duplicate ID or a duplicate username. This enhancement was provided for Solaris, Linux, and HP-UX systems in an earlier release of the adapter.

MR0513095642: UNIX and Linux adapter support of DSA keys.
This version of the UNIX and Linux adapter is enhanced to add support for DSA key-based authentication. The adapter already supports RSA key-based authentication.
See "Ending a user session after suspension" in Appendix B of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

N/A: Enhanced UNIX and Linux adapter reconciliation performance for AIX, HP-UX, Linux and Solaris systems.
Reconciliation scripts have been updated in this version of the adapter to increase reconciliation performance.

N/A: UNIX/Linux: Remove an adapter-specific utility dependency from the RMI Dispatcher. The class files for the utility file POSIXAdapterUtils.java are bundled in the POSIXConnector.jar file.

N/A: UNIX/Linux: Remove the POSIX connector dependency on the RMI Dispatcher.
The connector used constants from RMI Dispatcher-related classes in previous versions of the adapter. These constants are now included in the connector in order to remove the dispatcher dependency.

 

 

Items included in the 5.1.4 release

MR0320094354: Add Debian Linux support to the UNIX and Linux adapter.
This version of the adapter is enhanced to support Debian Linux version 5.0. The adapter has been certified with Debian Linux version 5.0.2.

OSDB: Add SLES 11 support to the UNIX and Linux adapter.
The adapter has been certified on SLES 11.

MR0218094115: Enhance the UNIX and Linux adapter to use private/public keys without a passphrase.
Note: the adapter allows an empty passphrase when using key-based authentication.

MR0420095941: Enhance the UNIX and Linux adapter to support the AIX account attributes "hostsallowedlogin" and "hostsdeniedlogin".
The adapter supports two new account-related AIX attributes: hostsallowedlogin and hostsdeniedlogin. Please refer to the AIX 5L 5.2 (and later) documentation for more details on these attributes.
See Appendix A, "Adapter attributes", in the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR0904095127: UNIX and Linux adapter sudo setup should not require access to the grep command.
This version of the UNIX and Linux adapter is enhanced to work without requiring sudo access to the grep command.

MR0908096656: The Solaris UNIX and Linux adapter does not create a home directory based on the default parent directory as specified in the Solaris server configuration.
See "User home directory creation" in Chapter 5 of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR0921095040: The UNIX and Linux adapter should not try to run any script from the /tmp directory.
This version of the adapter provides an option to change the default location to which the adapter script is copied. See "Configuring alternative adapter scripts location" in Appendix B of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR0918093229: Enhance the UNIX and Linux adapter to support status from pre and post exec script execution.
See "Running user-defined scripts" in Chapter 5 of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

MR0921095854: UNIX and Linux adapter sudo setup should not require access to the echo command.
This version of the adapter is enhanced to work without requiring sudo access to the echo command.

N/A: UNIX/Linux: Enhanced adapter reconciliation performance for Linux systems.
Linux reconciliation scripts have been updated in this version of the adapter to increase reconciliation performance.

MR0804091650: Configure the Solaris UNIX and Linux adapter to not prompt for a new password when restoring an account, to support new functionality provided by Solaris 10.
The adapter supports an enhancement in Solaris 10 that optionally does not force a password reset on an account restore operation. When set, the old password is considered valid.

 

 

Items included in the 5.1.3 release

MR0206092518: Enhance the UNIX and Linux adapter to support usernames longer than eight characters.
This feature is supported only on AIX v5.3 onwards.

MR1126085319: Enhance the UNIX and Linux adapter to work with HP-UX trusted mode password prompts.

MR0611084354: Reset failed login attempts count on Linux
The Linux adapter has been enhanced to reset the failed login attempts count to zero during a successful change password or restore operation.
Note: The adapter does not reset failed login attempts during a restore operation if the user is currently logged in to the resource.

MR0130085348: Enhance the adapter to include the unsuccessful max login count on Linux (similar to umaxlntr on HP-UX).
This feature can be used to set maximum login retries for any user on Linux systems.
Note: If the adapter is running from a sudo/super user account, the faillog command must be in the path. The full path name is "/usr/bin/faillog".

 

 

Items included in the 5.1.2 release

None

Items included in the 5.1.1 release

Initial release for Tivoli Identity Manager v5.1

 

 

Closed Issues

Internal# / APAR# / PMR# / Description

Items closed in the current release (5.1.32)

RTC107865 / IV59791: Adapter fails to parse sudoers files with escaped colons ("\:" strings) in alias entries; recon fails.
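The failure recorded above is in sudoers alias lines, where an unescaped ':' separates several alias definitions on one line while '\:' is an escaped colon inside a word (the adapter reads sudoers for the sudo-privilege discovery added in 5.1.9). As an added example that is not adapter code, the parser below splits only on unescaped separators, beside a naive colon split that over-counts definitions; the sudoers sample is constructed.

```python
import re

# Added example, not adapter code. Parses sudoers alias definitions while
# honoring the backslash escapes sudoers allows for ! = : , ( ) and \.
ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample: two definitions on one line, an escaped colon inside a
# command argument, and a backslash line continuation.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset
User_Alias  ADMINS = alice, bob : OPS = carol
Cmnd_Alias  REPORTS = /usr/local/bin/report -t a\\:b, /bin/ls
Cmnd_Alias  ACCTS = /usr/sbin/useradd, /usr/sbin/userdel, \\
            /usr/bin/passwd
alice ALL=(root) NOPASSWD: REPORTS
"""


def _join_continuations(text):
    """Merge lines ending in a backslash with the line that follows."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # simplified: a trailing escaped backslash is not handled
            pending += line[:-1] + " "
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending.rstrip())
    return lines


def split_unescaped(text, sep):
    """Split on sep, but not on a sep that is preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch + text[i + 1])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def unescape(word):
    """Drop the backslash from every escaped character in a word."""
    return re.sub(r"\\(.)", r"\1", word)


def parse_aliases(text):
    """Return {alias_type: {NAME: [members]}} for every alias line in text."""
    aliases = {kind: {} for kind in ALIAS_TYPES}
    for line in _join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        head = stripped.split(None, 1)
        if len(head) != 2 or head[0] not in ALIAS_TYPES:
            continue  # Defaults lines and user specifications are not aliases
        kind, rest = head
        # Several definitions may share one line: NAME1 = a, b : NAME2 = c
        for definition in split_unescaped(rest, ":"):
            name, eq, members = definition.partition("=")
            name = name.strip()
            if not eq or not name:
                raise ValueError(f"malformed {kind} definition: {definition!r}")
            aliases[kind][name] = [
                unescape(m.strip()) for m in split_unescaped(members, ",") if m.strip()
            ]
    return aliases


def naive_alias_count(text):
    """The fragile approach: count definitions by splitting on every ':'."""
    total = 0
    for line in _join_continuations(text):
        head = line.strip().split(None, 1)
        if len(head) == 2 and head[0] in ALIAS_TYPES:
            total += len(head[1].split(":"))
    return total


if __name__ == "__main__":
    parsed = parse_aliases(SAMPLE_SUDOERS)
    print("definitions found:", sum(len(v) for v in parsed.values()),
          "naive count:", naive_alias_count(SAMPLE_SUDOERS))
    print(parsed["Cmnd_Alias"]["REPORTS"])
```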

Items closed in the 5.1.31 release

Not released

Items closed in the 5.1.30 release

Bugz 1411 / IV61321: Inquiry about the default regular expression for password change for each platform.
For details refer to the following section: Default Regular Expression for password change

Bugz 1387, 1401 / RTC109728: UNIX/Linux adapter should not return prematurely without error when it hits a bad recon entry.

 

 

 

Items closed in the 5.1.29 release

Bugz1263 / RTC105558 / IV56880: Filter recon on a Posix AIX adapter service using the erposixhomedir attribute does not return any account.

Bugz1310 / RTC105559 / IV56847: Unix/Linux Adapter 5.1.24 unable to delete home directory on AIX.

Bugz1107 / RTC75219 / IV50088/IV50199: erlastaccessdate attribute is not updated on Solaris.
For details refer to the following section: erlastaccessdate attribute is not updated on Solaris

 

 

 

Items closed in the 5.1.28 release

RTC103026: Some account attributes are not updated correctly on AIX.

Bugz1139 / PMR 36032,616,760: Dispatcher seems to be hung when provisioning AIX accounts in a highly concurrent environment.

IV54867: The debug ibmdi.log file output of the UnixLinux adapter shows the passphrase value in cleartext.

 

 

 

Items closed in the 5.1.27 release

Bugz1206 / PMR 33800,999,000: Suspend of a Solaris account does not actually update/suspend the account

 

 

 

Items closed in the 5.1.26 release

Bugz1149 / PMR 72591,999,649: HP-UX Trusted recon is slow
Documentation update: When a sudo user administers an HP-UX Trusted service, the "/usr/bin/test" command is required in the user's sudoers file entry.

 

 

 

Items closed in the 5.1.25 release

Bugz1065 / RTC91275 / IV47170 / PMR 35637,616,760: Unable to get the erPosixLastAccessDate attribute value from a Linux target if TDI is running in a Japanese locale

Bugz1032 / PMR 47616,122,000: UnixLinux connections leak issue

 

 

 

Items closed in the 5.1.24 release

Bugz999 / IV43378 / PMR 21862,122,000: Key-based authentication broken in the 5.1.23 adapter

Bugz903 / RTC76727 / IV36353: Improve error behavior when setting the umask and home directory permissions attributes.
See the Installation and Configuration Notes section for additional information.

RTC66506: UnixLinux restore: failed login count is not reset if the password is valid.

RTC72341: UNIXLinux connector loginDelete() should process at and cron files after the account has been deleted, not before.

 

 

 

Items closed in the 5.1.12 release

Bugz 837 / RTC71111 / IV31939: Extraneous log messages removed from the search and add assembly lines.

Bugz 700 / RTC64454 / IV24557 / PMR 73299,489,000: Warning adding user on SUSE
The optional Linux account attribute erPosixPrivateGroup causes a warning when a user account is added on SUSE Linux. To prevent the warning, see the section "Using the erPosixPrivateGroup attribute" under Configuration Notes below.

Bugz 701 / RTC68070 / IV27986: UnixLinux adapter returns an invalid format for pwdlastchangedate on AIX LDAP.

 

 

 

 

Items closed in the 5.1.11 release

N/A / PMR 71697,000,834: UnixLinux Adapter 5.0.18 fails on AIX with sudo 1.8.3-4
The adapter has been tested with sudo version sudo-1.6.9p23, available on the AIX Linux Toolkit website. Other versions of sudo may or may not work.

IV21428 / PMR 87432,033,000: UnixLinux doc bug
See "Installation and Configuration Notes" for corrected information about the setup of the erPosixCopyAdpFilesTo and erPosixReconScriptLocation attributes on the service forms.

IV17922: Admin account using sudo cannot change its own password on SuSE 10.
This version of the adapter has been enhanced to allow a sudo admin user to change its own password.

IV16570 / PMR 56495,766,766: Gecos not provisioned in the correct codepage (UTF-8)
See "Installation and Configuration Notes" for additional information.

IV18036 / PMR 05809,SGC,724: Account getting inactive with unsuccessful_login_count>0 but loginretries=0
The adapter now returns the account status as active on AIX if loginretries<=0 and the account_locked attribute is false.
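The AIX status evaluation described here and under MR060311623 in the 5.1.10 New Features, as an added example that is not adapter code: it applies the 5.1.10 rule and the IV18036 correction side by side, assumes the "name attr=value" lines that the AIX lsuser command prints, and uses constructed sample accounts.

```python
# Added example, not adapter code. Evaluates AIX account status from
# account_locked, unsuccessful_login_count and loginretries the way the
# release notes describe it, before and after the IV18036 fix.
# Assumption: input is in the "name attr=value attr=value" form that the AIX
# lsuser command prints. The accounts below are constructed.
SAMPLE_LSUSER = """\
alice account_locked=false unsuccessful_login_count=2 loginretries=5
bob account_locked=false unsuccessful_login_count=5 loginretries=5
carol account_locked=true unsuccessful_login_count=0 loginretries=5
dave account_locked=false unsuccessful_login_count=7 loginretries=0
"""


def parse_lsuser(text):
    """Return {username: {attribute: value}} from lsuser-style output."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name, attrs = fields[0], {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            if sep:
                attrs[key] = value
        users[name] = attrs
    return users


def _is_true(value):
    return str(value).strip().lower() == "true"


def status_5_1_10(attrs):
    """Rule as stated for 5.1.10 (MR060311623): account_locked first, then
    (unsuccessful_login_count >= loginretries) means inactive. With
    loginretries=0, which AIX uses for 'no limit', a non-zero count makes
    the account inactive: the defect recorded as IV18036."""
    if _is_true(attrs.get("account_locked", "false")):
        return "inactive"
    count = int(attrs.get("unsuccessful_login_count", 0))
    retries = int(attrs.get("loginretries", 0))
    return "inactive" if count >= retries else "active"


def status_5_1_11(attrs):
    """Corrected rule (IV18036): loginretries <= 0 with account_locked=false
    is always active; otherwise the retry-count check applies."""
    if _is_true(attrs.get("account_locked", "false")):
        return "inactive"
    retries = int(attrs.get("loginretries", 0))
    if retries <= 0:
        return "active"
    count = int(attrs.get("unsuccessful_login_count", 0))
    return "inactive" if count >= retries else "active"


def evaluate(text, rule=status_5_1_11):
    """Apply a status rule to every account in lsuser-style output."""
    return {name: rule(attrs) for name, attrs in parse_lsuser(text).items()}


if __name__ == "__main__":
    before = evaluate(SAMPLE_LSUSER, status_5_1_10)
    after = evaluate(SAMPLE_LSUSER)
    for name in before:
        print(f"{name:6} 5.1.10={before[name]:9} 5.1.11={after[name]}")
```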

 

IV17165 / PMR 61740,227,000: Manage groups from non-file repository (adding -R to lsgroup)
This version of the adapter returns local groups only when files are used as the registry. The adapter does not manage groups from multiple registries together.

IV16024 / PMR 52744,227,000: RXA timeout on service form not documented
See "Installation and Configuration Notes" for additional information.

N/A: Changes to silent mode installation note
See "Installation and Configuration Notes" for additional information.

N/A / PMR 06433,999,000: ITIM51 AIX adapter conn fails intermittently

Unix and Linux Adapter OpenSSH support

OpenSSH 3.9 is the minimum supported version. Individual platforms might not support this version.

OpenSSH updates are ongoing. Some updates might introduce bugs that affect individual platforms. Therefore, not every released version of OpenSSH works on every platform. Refer to the individual platform support site for the list of supported OpenSSH versions.

If intermittent connection failures occur, verify that the installed version of OpenSSH is supported on that platform. Update OpenSSH, if necessary. If intermittent connection failures still occur, update OpenSSH to the latest version supported by that platform.

 

 

Items closed in the 5.1.10 release

N/A / PMR 26966,227,000: Reconciliation did not return groups whose names contain hyphens.
The reconciliation operation now returns group names containing hyphens if a hyphen is not the first character in the name.

IV02847 / PMR 66166,6X8,760: Unable to change the primary and secondary groups in the same operation to modify a SUSE Linux account. SUSE Linux does not allow a group to be set as a secondary group if it is currently set as the primary group.
The adapter has been modified to work around the limitation on SUSE Linux.

 

 

Items closed in the 5.1.9 release

N/A / PMR 91996,003,756: Tivoli Identity Manager - trusted HP-UX new account creation.
Special tty characters in the password prevent new user creation or password modification on HP-UX systems. The user would normally map the tty characters in the login profile to get around the issue. The adapter has been enhanced to allow the user to specify whether or not the user .profile and /etc/profile should be run when running commands on the HP-UX system.

IZ94629: UNIX/Linux: Password with special character problem with LDAP user registry.
The adapter has been changed to support special characters.

IZ97195: Release notes documentation error: sudoers specification for Linux.

IZ98611: Installation guide documentation error: remove AIXLDAPconnres.sh references.

 

 

 

Items closed in the 5.1.8 release

N/A / N/A: Delete on AIX may show success even if the user is not deleted.
The earlier version of the adapter did not report an error when a user deletion by a non-root user without sudo permission failed. The fix makes the adapter return an error with a proper error message.

N/A / PMR 43352,122,000: erPOSIXPwdWarnAge not supported on HP-UX non-trusted mode. Update to the attribute table in Appendix A.

 

 

 

Items closed in the 5.1.7 release

N/A / PMR 37391,487,000: UNIX/Linux issues with AIX & LDAP_AUTH.
The earlier version of the adapter used the chsec command to reset the attribute unsuccessful_login_count=0 for AIX LDAP users. The chsec command is designed for local users only and is not intended for remote users. This version of the UNIX and Linux adapter uses the chuser command to reset the attribute unsuccessful_login_count=0 for AIX LDAP users.

N/A / PMR 50664,499,000: Reconciliation of an AIX system with 20000 accounts takes too long.
In this version of the adapter, the reconcile scripts for AIX systems have been changed to enhance reconciliation performance.

N/A / N/A: RXA timeout option not consistent on all the profiles.
The RXA timeout option was not present on the service form of the Tivoli Identity Manager 5.1 profiles, whereas it was present on the service form for the 46 and 50 profiles. In this release, the 5.1 profiles display the RXA timeout option on the service form.

IZ86059 / 30173,122,000: UNIX/Linux contains 5.0 profiles that do not support group management.

 

 

 

Items closed in the 5.1.6 release

IZ75546 / PMR 31640,004,000: at.allow/at.deny/cron.allow/cron.deny corruption when deleting accounts.
A lock has been introduced into the cron file processing to synchronize concurrent updates.

IZ76603 / 15219,999,000: The path to faillog used by the Tivoli Identity Manager adapter in the release notes should be updated.
Note: If the adapter is running from a sudo/super user account, the "faillog" command must be in the path. The full path of the command is "/usr/bin/faillog".

IZ73366 / 94202,100,838: UNIX AND LINUX ADAPTER 5.0.11 FAILS RECONCILING GROUP-ID ON AIX-LDAP.
The adapter failed to reconcile group information if AIX is configured to use an LDAP registry. The adapter is enhanced to reconcile group data from LDAP.
Note: Group data is returned from the LDAP registry as well as /etc/group.

N/A / N/A: The chsec command is run twice during a restore operation on AIX systems.

N/A / N/A: HP-UX systems do not allow double quotes (") as part of the home directory name.
A constraint has been placed on the home directory field of the account form to disallow the double quote symbol.

N/A / N/A: Adapter hangs when a group name with "()" is associated with a user in a useradd request.
The adapter has been modified to properly handle "(" and ")" in group names.

N/A / N/A: The UNIX and Linux adapter on HP-UX non-trusted systems returns an error when attempting to suspend an already suspended account or restore an already active account.
The adapter has been modified to return a warning for these conditions instead of an error.

N/A / N/A: The UNIX and Linux adapter on Linux (non-shadow) systems reconciles a suspended account as active.
The adapter has been modified to return the proper reconciled state.

N/A / N/A: The adapter has been changed to support a space in the home directory name.

 

 

Items closed in the 5.1.5 release

IZ65609 / 90822,070,72: UNIX/Linux adapter cannot set umask.
This version of the adapter can set the umask value in the profile file.

IZ64091 / 06584,035,724: Special characters in the gecos field cause an exception in the POSIX connector that results in a reconcile failure.
The earlier version of the adapter could not reconcile special characters in the gecos field if the characters were from a locale other than English.
This version of the UNIX and Linux adapter is enhanced to reconcile user data that contains special characters, that is, characters from a locale other than English.

Prerequisites:
1. This feature is mainly needed for non-English locales. No additional setup is required for English locales.
2. If no value is supplied, the default value is UTF-8.
3. The system running the RMI Dispatcher must have the required code page installed. For example, if the language/locale on the target system is German and the ISO-8859-1 code page has been used to encode data sent to the adapter, then the ISO-8859-1 code page must be present on the system where the RMI Dispatcher is running.

N/A / 25190,370,000: Display non-zero return code in log after password change fails.
The earlier version of the adapter showed an incomplete error message if the password change operation failed. The fix adds the return code value of the operation to the error message.

IZ70478 / 46974,122,000: Home directory group owner on Solaris should be the primary group.
The fix sets the home directory group owner to the primary group instead of the default. The fix is also provided for Linux systems.
Note: If either the home directory or the primary group is not valid, then neither of the attributes is set. The user is still created, but the operation returns a warning.

N/A / N/A: Missing # sign to comment out the second line in LinuxShadowPConnRes.sh.

36484 / 46118,487,000: UNIX/Linux adapter does not reconcile erpasswordmaxage = -1 on Solaris.
Previous versions of the adapter did not reconcile any password age-related attribute whose value was set to -1. With this fix, the lowest value allowed for password age-related attributes is -1. The affected attributes are (per platform):

Solaris: erPOSIXMinPwdAge, erPOSIXMaxPwdAge, erPOSIXPwdWarnAge, erPOSIXIdledays
AIX: erPOSIXPwdWarnAge
Linux: erPOSIXMinPwdAge, erPOSIXMaxPwdAge, erPOSIXPwdWarnAge
HP-UX: erPOSIXMinPwdAge, erPOSIXMaxPwdAge

 

 

 

Items closed in the 5.1.4 release

 

IZ57781

15535,004,000 - City Public Service

Problems with erPOSIXForcePwdChange attribute.

 

CAUTION: The return value of the attribute "erPOSIXForcePwdChange" is in effect from this release of adapter forward. Please check compatibility with your Provisioning Policies before installing this version of the adapter.

 

The adapter returns either TRUE or FALSE for the erPOSIXForcePwdChange attribute, depending on the ADMCHG flag on the target AIX system: if the ADMCHG flag is set for the user, the value is TRUE; otherwise it is FALSE. It never returns a null value. Earlier versions of the adapter returned null when the ADMCHG flag was not set on the target system.

 

 

IZ65638

60280,6X8,760

The UNIX/Linux adapter occasionally misidentified target OS type.

 

Earlier versions of the adapter at times did not correctly interpret the target OS type. The problem has been fixed in this version of the adapter.

 

 

N/A

01689,6X1,760

PREEXEC and POSTEXEC do not work on the delete operation of UNIX and Linux adapter.

 

The UNIX and Linux adapter has been enhanced to allow for user-defined scripts.

 

See "Running user-defined scripts" in Chapter 5 of the UNIX and Linux adapter Installation and Configuration Guide for additional information.

 

36468

 

N/A

When the password attribute is not present on restore, the Solaris adapter should not delete the user's old password on Solaris versions earlier than 5.10.

 

Earlier versions of the UNIX and Linux adapter on Solaris 5.8 and 5.9 deleted the user password during an account restore operation if the restore request did not contain the account password.

 

In this version of the adapter and forward, the account restore request fails if a password is not supplied in the restore request. The error message, "No password specified. The restore operation cannot proceed" is returned. This applies to Solaris 5.8 and 5.9 systems.

 

Note: Passwords are not required for account restore operations on Solaris 5.10 and above.

 

 

 

Items closed in the 5.1.3 release

 

IZ55495

26800,694,760

Warning occurs while changing password on AIX "root" account.

 

The AIX adapter returns a warning when changing the password of the root user through a sudo super user.

 

When the adapter runs as a sudo super user account, the chsec command must be in the path. The full path name is /usr/bin/chsec.

 

IZ52238

77301,228,631

Negative value not allowed in POSIX values.

 

Earlier versions of the adapter did not allow the user to reset password aging on Solaris by setting the value for the Max Password Age attribute to -1.  This constraint has been removed.

 

N/A

54343,000,000

Clear force password change on AIX modify operation.

 

Earlier versions of the UNIX and Linux adapter on AIX did not clear the user force password change flag during an account modify operation. When the force password change flag is set in an account create request, then unset in an account modify request, the adapter did not clear the associated flag for the user on the resource.

 

The adapter behavior on AIX systems has changed such that an unset force password change flag in a modify request clears the associated flag on the resource.

 

 

IZ50821

54067,6X8,760

Warning occurs when trying to create an HP-UX or Solaris account with UMASK attribute.

 

When the adapter runs as a sudo super user account, the tee command must be in the path. The full path name is /usr/bin/tee.

 

 

IZ53507

54040,033,000

The UID for 'NOBODY' displays in Tivoli Identity Manager as -2, but the number in /etc/passwd is 4294967294.

 

 

IZ52"

51106,025,724

Missing commands in install guide.  See updates in the "Installation" section for more information.

 

 

IZ55238

35585,999,000

AIX sudo user and key file configuration.

 

This is a documentation defect. The keygen program must be run when logged in as the user who uses the key.

 

See Appendix E of the UNIX and Linux Adapter Installation and Configuration Guide for additional information.

 

 

N/A

36260,033,000

Error during Linux reconciliation.

 

This was a documentation defect. The customer faced an issue due to a change in the format of the /etc/passwd file.

 

The UNIX and Linux adapter is highly dependent on the format of the /etc/passwd file and does not support modifications to that format.

 

 

IZ53837

54256,033,000

Documentation defect. Some of the "OPTIONAL FEATURE" section information was missing in 2.1 version of the Developers Reference Guide (IM50-TDI-RMI-ADAPTER-DEVREF.PDF). The updated document is shipped with this adapter.

 

 

N/A

Internal Defects:

 

·         Adapter installer GetVersion bean failed on FP1 installation. The fixpack was applied each time, even when already installed.

·         Language properties file for Dispatcher/POSIX missing some properties.

·         Unable to modify the user LDAP home directory on AIX.

·         Spelling errors in logged messages.

·         Secondary groups were not getting reconciled with non-shadow script.

 

 

 

Items closed in the 5.1.2 release

 

 

Corrections to the profile versions in the release notes.

 

 

Known Issues

Internal#    APAR#    PMR# / Description

 

 

Adding audit class value on AIX

 

During user add and user modify, if the audit class attribute contains a valid value but some other attribute fails, the adapter returns a failure instead of a warning.

 

 

 

Deleting audit class value on AIX

 

The adapter returns success for deleting the audit class value on AIX, but the change is not reflected on the resource.

 

 

User add request with primary group value on AIX

 

The adapter returns a failure status for a useradd request if the primary group contains a value that does not exist on the resource.

 

 

Changing primary group values on AIX 

 

When the primary group and secondary group values are updated in the same useradd or usermod request, the new primary group value is added to the secondary groups list without removing the previous primary group name from the list.

 

Example: assume that a user is added with two attributes, Primary group = gr01 and Secondary Groups = gr02,gr03.

 

The user is then modified with the two attributes Primary group = grp1 and Secondary Groups = grp2,grp3.

 

Result: the new secondary group values are grp1,grp2,grp3,gr01.

 

 

 

Password change with using LDAP registry on AIX

 

Configuring multiple AIX services to use the same LDAP may cause errors. If LDAP is configured to use password history checking and Tivoli Identity Manager is configured for password synchronization, any password change initiated from Tivoli Identity Manager effectively causes Tivoli Identity Manager to send the same password to each AIX service. The result is a history violation.

 

 

 

Sudo privileges on the account request form.

 

The account request form allows sudo privileges to be specified for an account.  The form field should be read-only. Privilege value updates in the form field are not provisioned for the account and are overwritten during account reconciliation.

 

 

 

faillog on RHEL 6.1

 

For the faillog command to work as expected on RHEL 6.1, the faillog file must exist in the /var/log directory.

 

pwdadm process might be left running on AIX after root password change

If a failure occurs when changing root's password on AIX 7.1, the pwdadm command can consume a large number of CPU cycles. This can be resolved by installing AIX 7.1 TL3 or higher, which includes APAR IV63940.

 

Known Limitations

 

Internal#    APAR#    PMR# / Description

Bugz1098    IV50269    RTC96617

erPosixForcePwdChange request not working when set to 0

 

On Linux, Solaris and HPUX, the 'force password change' feature cannot be toggled. You can only set the 'force password change' option to true. The OS does not support resetting it back to false. On AIX, the 'force password change' feature can be toggled between true and false.

 

 

Supported shells

 

Only shells that support setting environment variables with "envvar = xxx; export envvar;" are supported for the service admin user. csh and tcsh in particular do not work (others might not work either). The sh and bash shells work for the admin user. Note that on many systems, sh is a symlink to another shell.

 

Installation and Configuration Notes

See the IBM Tivoli Identity Manager UNIX and Linux Adapter Installation Guide for detailed instructions.

Note: This release does not support an upgrade installation. You must uninstall the UnixLinux adapter before installing this version.

 

 

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

 

APAR IV61321 Inquiry about default Regular Expression for password change for each platform

Replace the subsection "Customizing password prompt attributes" in Chapter 5, "Taking the first steps after installation", section "Configuring the Adapter", with the following:

 

Customizing password prompt attributes

The UNIX and Linux Adapter does password changes by using an interactive Secure Shell (SSH) session. The adapter searches for the default password prompts on the managed resource to complete the transaction successfully. If the managed resource has customized password prompts, then you can specify the password prompts on the service form that the adapter must search for.

 

About this task

The password prompt attributes are:

·         erPosixNewRegx - the new password prompt

·         erPosixRetypeRegx - the retype password prompt

 

To customize these password prompt attributes on the service form, do the following steps from IBM Security Identity Manager. The customized password prompt attributes are displayed on the service form. The adapter does a case-insensitive match on these password prompts.

 

Procedure

1.     Log on to IBM Security Identity Manager as an administrator.

2.     In the My Work pane, expand Configure System and click Design Forms to display the Design Forms page.

3.     From the applet, double-click Service to display the service form profiles.

4.     Double-click the service form profile whose service form you want to customize. Select one of the following profiles:

 

POSIX AIX account

Select this option to customize the erPosixNewRegx and erPosixRetypeRegx attributes on the AIX service form. The default values of these attributes on this account are:

 

erPosixNewRegx = ".*new password:$"

erPosixRetypeRegx = "re-enter .* new password:"

 

POSIX HP-UX account

Select this option to customize the erPosixNewRegx and erPosixRetypeRegx attributes on the HP-UX service form. The default values of these attributes on this account are:

 

erPosixNewRegx = ".*new password:$"

erPosixRetypeRegx = ".*re-enter new password:$"

 

POSIX Linux account

Select this option to customize the erPosixNewRegx and erPosixRetypeRegx attributes on the Linux service form. The default values of these attributes on this account are:

 

erPosixNewRegx = ".*new password:$"

erPosixRetypeRegx = ".*re-enter new password:$"

 

POSIX Solaris account

Select this option to customize the erPosixNewRegx and erPosixRetypeRegx attributes on the Solaris service form. The default values of these attributes on this account are:

 

erPosixNewRegx = ".*new password:$"

erPosixRetypeRegx = ".*re-enter new password:$"

 

5.     From the Attributes List window, double-click the erPosixNewRegx attribute to add it to the service form.

6.     From the Attributes List window, double-click the erPosixRetypeRegx attribute to add it to the service form.

7.     Click the Save Form Template icon. After you customize the password prompt attributes, the following attributes are available on the service form:

·         New Password Regular expression

·         Retype Password Regular expression
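The defaults above are regular expressions that the adapter matches case-insensitively against the prompts it sees in the SSH session. The following Python snippet is an added example, not code from these notes or from the adapter: it applies the default erPosixNewRegx and erPosixRetypeRegx values to constructed sample prompts and shows why a managed resource with a customized prompt (here "Retype new password:", a constructed example) needs an override on the service form. The classification order and the check_session helper are this example's own design.

```python
import re
from typing import Optional

# Default prompt regular expressions per service profile, copied from the
# release notes above (erPosixNewRegx / erPosixRetypeRegx).
DEFAULT_PROMPT_REGEX = {
    "AIX":     {"new": r".*new password:$", "retype": r"re-enter .* new password:"},
    "HP-UX":   {"new": r".*new password:$", "retype": r".*re-enter new password:$"},
    "Linux":   {"new": r".*new password:$", "retype": r".*re-enter new password:$"},
    "Solaris": {"new": r".*new password:$", "retype": r".*re-enter new password:$"},
}


def prompt_matches(regex: str, prompt_text: str) -> bool:
    """Return True when the prompt text satisfies the regex.

    The notes state that the adapter matches these prompts case-insensitively,
    which re.IGNORECASE reproduces. re.search is used so that an unanchored
    pattern (the AIX retype default) may match anywhere in the text, while a
    trailing '$' still requires the text to end exactly at the prompt.
    """
    return re.search(regex, prompt_text, re.IGNORECASE) is not None


def classify_prompt(platform: str, prompt_text: str,
                    overrides: Optional[dict] = None) -> str:
    """Classify one line of the SSH session as 'new', 'retype' or 'unmatched'.

    overrides holds customised erPosixNewRegx / erPosixRetypeRegx values under
    the keys 'new' and 'retype'. The retype pattern is tested first: a retype
    prompt normally also ends in 'new password:' and would otherwise be taken
    for a second new-password prompt.
    """
    regexes = dict(DEFAULT_PROMPT_REGEX[platform])
    if overrides:
        regexes.update(overrides)
    if prompt_matches(regexes["retype"], prompt_text):
        return "retype"
    if prompt_matches(regexes["new"], prompt_text):
        return "new"
    return "unmatched"


def check_session(platform: str, lines, overrides: Optional[dict] = None):
    """Classify every line of a captured session and report whether both
    prompts the adapter needs were seen. Returns (classifications, complete)."""
    seen = [classify_prompt(platform, line, overrides) for line in lines]
    return seen, ("new" in seen and "retype" in seen)


# Constructed sample prompts (not captured from a real system).
SAMPLE_SESSION = ["Changing password for tdiuser.",
                  "New password:",
                  "Retype new password:"]
```

With the Linux defaults, "Retype new password:" is classified as a second "new" prompt because it still ends in "new password:", so the session never sees a retype prompt; supplying an erPosixRetypeRegx of ".*retype new password:$" corrects that. A prompt with trailing whitespace fails the "$" anchor, which is worth remembering when a customized prompt is copied from a terminal.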

 

Installing the adapter language pack

See the IBM Security Identity Manager Install library and search for information about installing the adapter language pack.

 

 

RFE 31222: Request for support of following Login Shell other than /bin/sh by TIM 5.1

Remove the following statement from Table 3 (Prerequisites):

The Bourne shell /bin/sh must be the default login shell for the administrator account.

 

In step 1.a of "Creating a super user on an AIX operating system", change the mkuser command as follows:

mkuser home="/home/tdiuser" pgrp="security" shell="/usr/bin/ksh" tdiuser

 

In step 1.a of "Creating a super user on a Linux operating system", change the useradd command as follows:

useradd -d "/home/tdiuser" -s "/bin/bash" -m tdiuser

 

In step 1.a of "Creating a super user on a Solaris operating system", change the useradd command as follows:

useradd -d "/home/tdiuser" -s "/sbin/sh" -m tdiuser

 

In step 1.a of "Creating a super user on an HP-UX Non-Trusted operating system", change the useradd command as follows:

useradd -d "/home/tdiuser" -s "/sbin/sh" -m tdiuser

 

In step 1.a of "Creating a super user on an HP-UX Trusted operating system", change the useradd command as follows:

useradd -d "/home/tdiuser" -s "/sbin/sh" -m tdiuser

 

RFE 16913: Add Last Access Date support for HP-UX and Linux

PMR 72591,999,649: HPUX-Trusted recon is slow

Modify the following entry in Table 10, "Account form attributes, object identifiers, descriptions, permissions, and applicable operating systems":

Attribute: erPosixLastAccessDate
Description: Specifies the date on which the account was last accessed.
Permissions: Read
Operating systems: AIX, Linux-NonShadow, Linux-Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

 

 

 

Modify Appendix D Creating a super user on a Linux operating system:

The "/usr/bin/lastlog" command must be included in the sudoers entry listed in Step 2.b.

 

Modify Appendix D Creating a super user on an HP-UX Non-Trusted operating system:

The "/usr/sbin/acct/fwtmp" command must be included in the sudoers entry listed in Step 2.b.

 

Modify Appendix D Creating a super user on an HP-UX Trusted operating system:

The "/usr/sbin/acct/fwtmp" and "/usr/bin/test" commands must be included in the sudoers entry listed in Step 2.b.

 

 

Add the following entries to Table 32, "Sudo access command and file setup":

Command: lastlog
Files used by the command: /var/log/wtmp
Operation: reconciliation
Operating System: Linux-NonShadow, Linux-Shadow

Command: fwtmp
Files used by the command: /var/adm/wtmp, /var/adm/wtmps
Operation: reconciliation
Operating System: HP-UX-Trusted, HP-UX-Nontrusted

 

 

MR0611101655: Enhance adapter so that Linux accounts can be deleted even if they are in use

Add the following entry to Table 10, "Account form attributes, object identifiers, descriptions, permissions, and applicable operating systems":

Attribute: erPosixDelUserInUse
Description: Specifies whether to end user processes when processing a delete account request.
Permissions: Read and Write
Operating systems: Linux-NonShadow, Linux-Shadow

 

 

MR0606115532: Add support for the at/cron attributes on Linux

Add Linux-NonShadow and Linux-Shadow to the Operating Systems column for the erPosixAT and erPosixCron attribute entries in Table 10 Account form attributes, object identifiers, descriptions, permissions, and applicable operating systems.

 

Modify Appendix D Creating a super user on a Linux operating system:

The "/bin/mkdir" and "/bin/rm" commands must be included in the sudoers entry listed in Step 2.b.

 

Add the following information to Table 32, "Sudo access command and file setup":

Command: cat
Files used by the command: /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

Command: tee
Files used by the command: /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

Command: ed
Files used by the command: /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

Command: ls -al
Files used by the command: /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

Command: chmod
Files used by the command: /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

Command: mkdir
Files used by the command: location of temporary files on the resource; the default location is /tmp
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

Command: rm -rf
Files used by the command: location of temporary files on the resource; the default location is /tmp
Operation: useradd, usermod, userdel
Operating System: Linux-NonShadow, Linux-Shadow

 

 

Using key-based authentication

If the ssh used to create the RSA or DSA private key file uses the AES-128-CBC cipher, RXA cannot fetch the private key from the file, and key-based authentication does not work. To support key-based authentication take one of the following actions:

·         Install an ssh that uses the DES-EDE3-CBC cipher.

·         Install the RXA 2.3.0.9 package in your Tivoli Directory Integrator environment. RXA 2.3.0.9 supports the AES-128-CBC cipher. Note: RXA 2.3.0.9 is included in the base release of TDI 7.1.1, and is also available in TDI 7.0 FP8 and TDI 7.1 FP7.

 

Configuration of authorized_keys file

When using RSA or DSA key-based authentication, ensure that the "no-pty" restriction is not present in the authorized_keys file. Operations that require a pty (such as account modify or password change) fail if the no-pty restriction is present and key-based authentication is used.

 

See Appendix D of the UNIX and Linux Adapter Installation and Configuration Guide for more information on key-based authorization.
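The two key-based authentication conditions above (the private key cipher recorded in the PEM DEK-Info header, and the no-pty option on an authorized_keys entry) can be checked before a service is created. The following Python snippet is an added example, not code from these notes, the adapter or RXA; the PEM texts and the authorized_keys lines are constructed samples with no real key material, and the tdiuser names and 192.0.2.x addresses are placeholders.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def pem_key_cipher(pem_text: str):
    """Return the cipher named in a traditional PEM 'DEK-Info' header, or None
    when the key is unencrypted (no header) or not in that format."""
    m = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),", pem_text, re.MULTILINE)
    return m.group(1).upper() if m else None


def check_private_key(pem_text: str, rxa_supports_aes: bool) -> str:
    """'ok' when RXA can read the key, 'cipher-unsupported' for AES-128-CBC on
    an RXA older than 2.3.0.9 (the case the notes describe), 'no-dek-info' when
    the key is not passphrase protected (the notes say a passphrase is required
    on the service form). Ciphers other than the two named are treated as
    unsupported here."""
    cipher = pem_key_cipher(pem_text)
    if cipher is None:
        return "no-dek-info"
    allowed = {"DES-EDE3-CBC", "AES-128-CBC"} if rxa_supports_aes else {"DES-EDE3-CBC"}
    return "ok" if cipher in allowed else "cipher-unsupported"


def _split_options_field(line: str):
    """Return (options_field, rest). The options field ends at the first
    whitespace outside double quotes; a line starting with a key type has none."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def split_options(field: str):
    """Split a comma-separated options field, keeping quoted commas intact."""
    opts, cur, in_quote = [], "", False
    for ch in field:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    return opts + [cur] if cur else opts


def parse_authorized_key(line: str):
    """Return (options, keytype, key, comment) for one authorized_keys line, or
    None for blank lines, comments and lines of an unknown key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_field, rest = _split_options_field(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return split_options(options_field), parts[0], parts[1], comment


def no_pty_entries(authorized_keys_text: str):
    """Comments (or key prefixes) of the entries that carry the no-pty option."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed is None:
            continue
        options, _ktype, key, comment = parsed
        if any(o.strip().lower() == "no-pty" for o in options):
            flagged.append(comment or key[:16])
    return flagged


# Constructed samples; the key material is not real.
SAMPLE_PEM_DES = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0

(constructed sample: key body omitted)
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_AES = SAMPLE_PEM_DES.replace("DES-EDE3-CBC,7F4CF1E209817BA0",
                                        "AES-128-CBC,0123456789ABCDEF0123456789ABCDEF")
SAMPLE_AUTHORIZED_KEYS = """# constructed sample ~/.ssh/authorized_keys
no-pty,from="192.0.2.10,192.0.2.11" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 tdiuser@ps701
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1 tdiuser@ps702
command="/usr/bin/uptime",no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAP monitor@host
"""
```

The options parser is quote-aware because a from="host1,host2" option contains commas and may contain spaces inside the quotes; a plain split on commas or whitespace would misread such a line and could miss a no-pty option that follows it.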

 

Configuration of sudoers file

When using a super user for UNIX or Linux service administration, ensure that the sudoers file (/etc/sudoers on most systems) does not contain the following line:

 

Defaults                        requiretty

 

If this line exists, or ttys are required by default by your version of sudo, you might see an error like this when trying to run an operation as the super user: "sudo: sorry, you must have a tty to run sudo".

 

Either remove the line, comment it out, or create a Defaults entry that does not require the super user to have a tty. For example, if your adapter super user is "tdiuser", the line would look like this:

 

Defaults:tdiuser             !requiretty

 

See Appendix C of the UNIX and Linux Adapter Installation and Configuration Guide for more information on creating administrative super users.  See the documentation for your version of sudo and the sudoers file for default behavior and configuration.
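The following Python snippet is an added example, not code from these notes or from sudo: it reads the Defaults lines of a sudoers file and reports whether the adapter super user would be asked for a tty, using the two lines shown above (a global "Defaults requiretty" and the per-user "Defaults:tdiuser !requiretty" override). The sudoers texts are constructed samples and the parser is deliberately limited to the Defaults syntax needed for this check.

```python
import re


def defaults_entries(sudoers_text: str):
    """Yield (scope_kind, scope_names, flags) for every Defaults line.

    scope_kind is '' for generic Defaults or one of ':' (user), '@' (host),
    '!' (command) and '>' (runas). Backslash continuations are joined first;
    '#' comments (and therefore #include directives) are dropped. This is a
    deliberately small parser written for this example, not sudo's grammar.
    """
    text = re.sub(r"\\\n", " ", sudoers_text)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"Defaults([:@!>]\S+)?\s+(.+)$", line)
        if not m:
            continue
        scope = m.group(1) or ""
        kind, names = (scope[0], scope[1:].split(",")) if scope else ("", [])
        flags = [f.strip() for f in m.group(2).split(",") if f.strip()]
        yield kind, names, flags


def requiretty_for_user(sudoers_text: str, user: str, sudo_default: bool = False) -> bool:
    """Decide whether sudo will demand a tty for `user` under this sudoers.

    Generic Defaults and Defaults:user entries are applied in file order and
    the last applicable setting wins, which is how sudo evaluates these two
    scopes; host, command and runas scopes are ignored here. sudo_default
    stands in for what your sudo build does when sudoers says nothing (the
    notes mention that some versions require a tty by default).
    """
    value = sudo_default
    for kind, names, flags in defaults_entries(sudoers_text):
        if kind not in ("", ":"):
            continue
        if kind == ":" and user not in names:
            continue
        for flag in flags:
            if flag == "requiretty":
                value = True
            elif flag == "!requiretty":
                value = False
    return value


# Constructed sample files; tdiuser is the adapter super user from the notes.
SAMPLE_SUDOERS_BAD = """# constructed /etc/sudoers
Defaults    env_reset
Defaults                        requiretty
tdiuser ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, \\
    /usr/sbin/userdel
"""
SAMPLE_SUDOERS_FIXED = SAMPLE_SUDOERS_BAD + "Defaults:tdiuser             !requiretty\n"
```

The per-user override leaves the global requiretty in force for every other account, which is the least-privilege way to satisfy the adapter without relaxing sudo for interactive users.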

 

Determining account status on Linux

An account is determined to be active or inactive based, in part, on whether the user has exceeded the maximum number of failed logins allowed for the account. The Linux platform has multiple commands that can be used to query the number of failed login attempts: faillog, faillock or pam_tally2. The command used depends upon what is available on the platform and which command has been configured to detect and tally failed login attempts and enforce account lockout. The configuration is done through the Linux PAM (Pluggable Authentication Module) mechanism.

 

PAM configuration can be quite complex and it is not possible for the adapter to accurately determine the command used to monitor failed logins or the maximum failed logins allowed.   Therefore, three new fields have been added to the Linux service form:

 

Service Form Field: Command used to query failed logins
Attribute Name: erPosixFailedLoginCmd
Supported Platform: Linux
Permissions: Write
Description: Specifies the system command used to detect and tally failed login attempts and enforce account lockout. This must be the command configured through the PAM mechanism. A blank value defaults to the faillog command, which is not available on some platforms, notably RHEL 6.1 and greater.

Service Form Field: File or directory where failed login records are found
Attribute Name: erPosixFailedLoginTallyLoc
Supported Platform: Linux
Permissions: Write
Description: Absolute path to the location of the failed login attempt datastore, if not the default. This field is applicable to faillock and pam_tally2 only; it is ignored when faillog is used.

Service Form Field: Maximum failed logins allowed
Attribute Name: erPosixMaxFailedLogins
Supported Platform: Linux
Permissions: Write
Description: The maximum number of failed logins allowed before an account is locked. This field is applicable to faillock and pam_tally2 only; it is ignored when faillog is used. To assign a maximum failed logins allowed value for accounts when faillog is used, set the erPosixLoginRetries attribute. This attribute must be manually added to the Linux account form using the Design Forms editor. The erPosixLoginRetries field is ignored when faillock or pam_tally2 is used.

 

If a super-user account is used to administer the Linux service, make sure the following commands are available on the user’s path:

·         /usr/bin/faillog

·         /sbin/faillock

·         /sbin/pam_tally2

Also make sure these commands are included in the user’s entry in the /etc/sudoers file as described in Appendix D Creating a super user on a Linux operating system.
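The status logic described above, as an added Python example that is not part of these notes or the adapter: it parses constructed sample output modeled on the formats printed by faillog, faillock and pam_tally2, takes the lockout maximum from the faillog output itself (the role of erPosixLoginRetries) or from a supplied value for the other two tools (the role of erPosixMaxFailedLogins), and reports active or inactive. The user name, timestamps and 192.0.2.x addresses in the samples are placeholders.

```python
# Constructed sample output in the formats printed by the three tools
# (these are not captures from a real system).
FAILLOG_OUTPUT = """Login       Failures Maximum Latest                   On
tdiuser         3        5   02/25/14 21:49:43 -0600  192.0.2.10
"""
FAILLOCK_OUTPUT = """tdiuser:
When                Type  Source                                           Valid
2014-02-25 21:40:01 RHOST 192.0.2.10                                       V
2014-02-25 21:45:12 RHOST 192.0.2.10                                       V
2014-02-25 21:49:43 RHOST 192.0.2.11                                       I
"""
PAM_TALLY2_OUTPUT = """Login           Failures Latest failure     From
tdiuser             4    02/25/14 21:49:43  192.0.2.10
"""


def parse_faillog(output: str, user: str):
    """faillog prints one row per user with Failures and Maximum columns, so
    the lockout limit travels with the output (the adapter's erPosixLoginRetries
    attribute). Returns (failures, maximum) or None if the user is not listed."""
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 3 and cols[0] == user:
            return int(cols[1]), int(cols[2])
    return None


def parse_faillock(output: str, user: str) -> int:
    """faillock prints a 'user:' line, a column header, then one row per
    attempt; only rows whose Valid column is V still count."""
    count, in_user = 0, False
    for line in output.splitlines():
        if line.endswith(":"):
            in_user = (line[:-1] == user)
            continue
        cols = line.split()
        if in_user and cols and cols[0] != "When" and cols[-1] == "V":
            count += 1
    return count


def parse_pam_tally2(output: str, user: str):
    """pam_tally2 --user prints a header and one row: login, failures, ..."""
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 2 and cols[0] == user:
            return int(cols[1])
    return None


def account_status(cmd: str, output: str, user: str, max_failed_logins=None) -> str:
    """Return 'active' or 'inactive' on the failed-login criterion alone.

    For faillog the maximum comes from the output itself (0 means no limit);
    for faillock and pam_tally2 it has to be supplied, which is the role of
    erPosixMaxFailedLogins on the service form. Lockout is assumed to engage
    once the failure count reaches the maximum.
    """
    if cmd == "faillog":
        parsed = parse_faillog(output, user)
        if parsed is None:
            return "active"
        failures, maximum = parsed
    elif cmd == "faillock":
        failures, maximum = parse_faillock(output, user), max_failed_logins
    elif cmd == "pam_tally2":
        failures, maximum = (parse_pam_tally2(output, user) or 0), max_failed_logins
    else:
        raise ValueError(f"unsupported failed-login command: {cmd}")
    if not maximum:          # None or 0: no lockout threshold configured
        return "active"
    return "inactive" if failures >= maximum else "active"
```

The faillock branch shows why erPosixMaxFailedLogins matters: faillock reports the attempts but not the deny threshold, so without the service form value the example cannot declare the account inactive and falls back to "active", which would make a locked account look usable in reconciliation.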

 

Using the erPosixPrivateGroup attribute

The erPosixPrivateGroup attribute is specified by the "Do Not Create User Private Group" field on the Linux account form.  This attribute controls whether a user-specific primary group is created when a user account is created.  The SUSE Linux platform does not support creating private user groups and so this attribute is not applicable.  When requesting accounts on SUSE Linux, do not select the "Do Not Create User Private Group" check box.  If the box is selected, a warning will be returned from the operation with the message "Entry contains Attribute erPosixPrivateGroup which is not supported".  If the box is not selected, the attribute will be ignored for SUSE Linux.

Installing and Uninstalling the Adapter

If you install the adapter using the installer binary executable, you must uninstall it using the uninstaller binary executable.  If you install the adapter using the installer jar file, you must uninstall it using the uninstaller jar file.  This holds true whether you install in interactive or silent mode.

 

Silent Mode Installation

You can install and uninstall the UnixLinux Adapter in silent mode. Silent installation suppresses the Wizard and Launcher user interfaces (UIs) and does not display any information or require interaction.

Installing the adapter in silent mode with default options using the binary installer

Run the following command from the command line to install the UNIX and Linux Adapter in silent mode using the defaults:

On Windows:

PosixAdapterInstall_win_70.exe -i silent -DLICENSE_ACCEPTED=TRUE

On UNIX or Linux:

PosixAdapterInstall_linux_70.bin -i silent -DLICENSE_ACCEPTED=TRUE

 

Installing the adapter in silent mode with default options using the installer jar file

 

java -jar PosixAdapterInstall_70.jar -i silent -DLICENSE_ACCEPTED=TRUE

 

 

When using the installer jar on UNIX or Linux, you must use the java executable from the Tivoli Directory Integrator installation into which you are installing. For example:

 

/opt/IBM/TDI/V7.0/jvm/jre/bin/java -jar PosixAdapterInstall_70.jar -i silent -DLICENSE_ACCEPTED=TRUE

 

Installing the adapter in silent mode with command line options

 

You can specify the listed installation options from the command line when you install the adapter in silent mode:

 

java -jar PosixAdapterInstall_70.jar -i silent options

 

Where options are the following:

 

-DLICENSE_ACCEPTED={ true | false }             

This option accepts the installation license agreement; the silent install will not continue unless the value is true.  The default value is false.

 

-DUSER_INSTALL_DIR=absolute-path-to-TDI-install-directory

            This is the location of the Tivoli Directory Integrator installation directory.  The default value is %SYSTEM_DRIVE_ROOT%\Program Files\IBM\TDI\V7.0 for Windows and /opt/IBM/TDI/V7.0 for UNIX/Linux. 

 

-DFORCE_DISPATCHER_SERVICE_START_ONINSTALL={ yes | no }

            This option indicates whether or not to restart the dispatcher when the adapter is installed.  If not specified, the dispatcher will be restarted if it is running before the install operation; otherwise, it will not be started.

 

Do not add a space between -D and the option key. Any option value that contains a space must be wrapped in double quotes.

 

 

Uninstalling the adapter in silent mode

 

Change to the ITDI_HOME/PosixAdapterUninstall directory and run the following command from command line to uninstall the UNIX and Linux Adapter in silent mode.

 

On Windows:

PosixAdapterUninstall.exe -i silent

 

On UNIX or Linux:

PosixAdapterUninstall.bin -i silent

 

Specify the full path when you are not running the command from PosixAdapterUninstall directory in the installation directory of the adapter.  For example,

 

"E:\Program Files\IBM\TDI\V7.0\PosixAdapterUninstall\PosixAdapterUninstall.exe" -i silent

If you installed the adapter using the installer jar file, then you must uninstall using the uninstaller jar file. For example, change to the ITDI_HOME/PosixAdapterUninstall directory and then run:

java -jar uninstaller.jar -i silent

There is one command-line option you can specify when uninstalling in silent mode:

 

-DFORCE_DISPATCHER_SERVICE_START_ONUNINSTALL={ yes | no }

            This option indicates whether or not to restart the dispatcher when the adapter is uninstalled.  If not specified, the dispatcher will be restarted if it is running before the uninstall operation; otherwise, it will not be started.

IV16570 - Gecos not provisioned in the correct codepage (UTF-8)

(This section replaces the "Setting up non-English locales" section in the Directory Integrator-Based UNIX and Linux Adapter Installation and Configuration Guide.)

 

By default, the adapter operates in the character encoding in effect for the administrative user the adapter runs as.  That is, the adapter creates provisioning command strings in that encoding, and expects recon data to be returned in that encoding. You can override the default behavior by using the erPosixEncoding parameter. This should never be necessary except in those cases where the adapter admin user's locale differs from the system's default.  

 

Procedure

 

1.     Open the DESIGN FORMS feature of the Tivoli Identity Manager server. Click Configure System > Design Forms.

2.     Click Service and select a POSIX Profile.

3.     Add the attribute erposixencoding on the Service form from the Attribute List.

4.     Save the form and close the Design Form window.

5.     Create a service with the following parameter:

Code Page to be used for data encoding (Default to UTF-8): code page for data

The code page for data on the service form is the code page corresponding to the LOCALE in use. For example, the code page for the German locale is ISO-8859-1:

Code Page to be used for data encoding (Default to UTF-8): ISO-8859-1

 

If neither the erPosixEncoding nor the remote encoding is supported on the system hosting the adapter, the adapter will use UTF-8 encoding.

 

In summary, the character encoding used by the adapter is determined by, in order of precedence:

1.     The erPosixEncoding parameter value, if defined

2.     The character encoding in effect for the adapter admin user on the target system

3.     UTF-8

 

 

Default shell on account form

The default account shell in the picklist is changed from /bin/csh to /bin/sh on the account form. Any accounts created using the adapter will have the /bin/sh shell unless a different shell is explicitly selected.

 

Configuration Notes

The following configuration notes apply to this release:

 

erlastaccessdate attribute is not updated on Solaris

From this release, the adapter no longer copies the LastAccessDateReader utility to the resource to retrieve the erlastaccessdate attribute. Instead, the adapter uses the fwtmp command internally to retrieve erlastaccessdate. This attribute is no longer optional: the adapter always reconciles its value, and you do not need to add the attribute from the Design Forms editor. It is available on the account form from this release.

 

Tectia SSH server support instructions

 

Enabling RSA key-based authentication on UNIX and Linux operating systems using Tectia SSH

 

These instructions assume that the client user is allowed to log in to the remote host where the Tectia SSH server is running, using password authentication.

 

Make sure that public-key authentication is enabled in the ssh-broker-config.xml and ssh-server-config.xml files (it is enabled by default). For example:

    <authentication-methods>
        <auth-publickey />
        ...
    </authentication-methods>

 

Key-based authentication can be done using keys generated on an OpenSSH client or on a Tectia SSH client.

 

Keys generated on an OpenSSH client:

A.    Generate a key on the OpenSSH client as follows:

a.     Use the ssh-keygen tool to create a key pair.

    i.    Log in as the administrator user defined on the Tivoli Identity Manager service form.

    ii.   To start the ssh-keygen tool, issue the command:

mydesktop$ ssh-keygen -t rsa

    iii.  At the prompt, accept the default or enter the file path where you want to save the key pair and press Enter.

    iv.   At the next prompt, accept the default or enter a passphrase and press Enter.

    v.    At the next prompt, confirm your passphrase and press Enter.

b.    This is a sample of the system response:

 

  Your identification has been saved in /home/root/.ssh/id_rsa.

  Your public key has been saved in /home/root/.ssh/id_rsa.pub.

  The key fingerprint is:

   2c:3f:a4:be:46:23:47:19:f7:dc:74:9b:69:24:4a:44 root@ps701

 

   Note: Although the ssh-keygen tool accepts a blank passphrase, the passphrase is required on the Tivoli Identity Manager service form.

 

B.    Validate that the keys were generated

a.     Issue the commands:

mydesktop$ cd $HOME/.ssh

mydesktop$ ls -l

A sample system response is:

-rw------- 1 root root 883 Jan 21 11:52 id_rsa

-rw-r--r-- 1 root root 223 Jan 21 11:52 id_rsa.pub

 

b.    Issue the command:

  mydesktop$ cat id_rsa

  A sample system response is:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0

GuIQh4EdIp2DY1KfgB3eHic1InCG5VC9/dumHd7AqEnlo241fRuIo8zgO87GV+tk

cvKd/pPCGhmyCZy/are0wZt3KLYWUyoN7i+8H2Khk8LmaspD6Tx309VHTfCyoJsu

jtuR5c4HbcRtOYhMByHEqllEst1azzlIrO75Qj5cUG01K1MbdTeXq1xUGjo97s+V

gEOokMQ+JmaJD9lrbiMz4wjWRtREjHfc1VYTA+ZE1W3HT3PfrjCnHm9RKKFaA6kM

fPInefQgdzhCa0mCz+HOKJfkpfPh8ufGM9Jfb99VjZdI77LHeNN4VqeQ/VyPH7pn

wp7GbEJ8g6iX4BWUWpXUVStfYNQTV8Dis7ayZtr3g/o+AKnh/dGnk1SHHNFgUUFf/

+E0EXMokHSqqOzwf4t8xp4upnnS/7ag5MIVcU5/iWGW4sDEw7xfB25zD4lbvVK5

kSZeWLgm79wMipKP90iEELPqO6cS2yPXd+ADfHs7FWPQW0UYGFeMnHa/

tlglO5Pxo7ek2iR57mazmx33cofIX6E/ZI9XLysp5TR6Npq1x8KCv2Dk2x3QSH8F54EQmQ2+

5uDsPA9Hg1B+agkBh/1g3tfevT01cCtUkQGl2ubhrNGB2SiiyKgw9Ks0AL3TO0ul

D69D18r6Y6s3pHQ9LYAs6EIq3/5dqNYW8eLQ5eINUIlHBp9ep8+quyqSfB3qPCBW

Db+qI09pYhkTrGBD8l5eQqs1T1h2gJsY2yyYV/Cp2m4fI+uHItCgSlkPROnj27Xh

p6HAPaFA0zWOz1lmVNYhTbJZlbbwYyf/OKmYuOklSuQ=

-----END RSA PRIVATE KEY-----

 

c.     Issue the command:

 

mydesktop$ cat id_rsa.pub

A sample system response is:

ssh-rsaAAB3NzaC1yc2EAAAABIwAAAIEA9xjGJ+8DLrxSQfVxXYUx4lc9copCG4HwD3TLO5i

fezBQx0e9UnIWNFi4Xan3S8mYd6L+TfCJkVZ+YplLAe367/vhc1nDzfNRPJ95YnATefj

YEa48lElu7uq1uofM+sZ/b0p7fIWvIRRbuEDWHHUmneoX8U/ptKFZzRpb/

vTE6nE= root@ps0701

 

C.    Once the key is generated, convert the public key for use on the Tectia SSH server.

a.     On the local host that is running OpenSSH, convert the OpenSSH public key to an SSH2 (Tectia) public key with ssh-keygen, as shown below:

[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub

b.    Install the public key on the remote host that is running SSH2.

Create a new public key file on the remote host and paste in the converted SSH2 key from the local host:

[remote-host]$ vi ~/.ssh2/hostkey.pub

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "1024-bit RSA, converted from OpenSSH by root@tivsun12.persistent.co.in"

AAAAB3NzaC1yc2EAAAABIwAAAIEA4TsEMAH0l9dTreOwfFv6wzzZqL+AdmerDRfTEoTbPa

TS2XYYz/wpD9xmohYOvz3VDWqNoCOlPJ1fHaMqCYRwXi0oMiW2P+k1ZF64CELOVjn1sb6m

0bX/xneO5CTd6RBHJO9nMCTYpJNCJH6M9w4LPwIJtiXRRGFByQJ0jIAbdKs=

---- END SSH2 PUBLIC KEY ----

c.     Add the name of the public key file to the authorization file on the remote host, as shown below.

[remote-host]$ vi ~/.ssh2/authorization

Key hostkey.pub

d.    Copy the private key file (id_rsa) to the client workstation on which the adapter runs and set its permissions to 600 (chmod 600), so that only its owner can read it.

e.     Rename the private key file to hostkey on the client workstation.

 

 

Keys generated on Tectia SSH client:-

 

To generate keys with the Tectia SSH client on a UNIX or Linux workstation, perform the following:

 

 

A.     Use the ssh-keygen-g3 tool to create a key pair.

a.     To start the ssh-keygen-g3 tool, issue the command:

[root@vmw009053116054]:\ # ssh-keygen-g3 -t rsa

 

This is a sample of the response:

Generating 2048-bit rsa key pair

3 o.oOo.oOo.oO

Key generated.

2048-bit rsa, root@vmw009053116054, Tue Feb 25 2014 21:49:43 -0600

 

b.    At the next prompt accept the default or enter the passphrase and press Enter

c.     At the next prompt confirm your passphrase selection and press Enter.

 

This is a sample of the system response:

Private key saved to //.ssh2/id_rsa_2048_a

Public key saved to //.ssh2/id_rsa_2048_a.pub

 

B.    Convert the private key created by the Tectia client to OpenSSH format, as follows.

a.     If the Tectia private key is passphrase protected, remove the passphrase first: the OpenSSH import in step b reads only unencrypted keys. Until step b re-encrypts it, the key is stored unprotected, so work in a directory that only you can read (mode 700) and delete any intermediate copy afterward.

                                                  i.    Using Tectia keygen, issue the following command, give the name of the key file generated in previous step

$ ssh-keygen-g3 -e id_rsa_2048_a

                                                 ii.    At the next prompt provide old passphrase

                                                iii.    At the next prompt, to edit the key, type yes and press enter

                                                iv.    At the next prompt, to edit key comment, type no and press enter

                                                 v.    At the next prompt, to edit passphrase, type yes and press enter

                                                vi.    At the next prompt, for new passphrase, press enter

                                               vii.    At the next prompt, for re-entering new passphrase, press enter again

                                              viii.    At the next prompt, to continue editing the key, type no and press enter

                                                ix.    At the next prompt, to save key, type yes and press enter

 

b.    Import the unencrypted key with the OpenSSH ssh-keygen tool:

                                                  i.    ssh-keygen -i -f id_rsa_2048_a > my_openssh_privatekey

                                                 ii.    Encrypt the key again with a passphrase using OpenSSH keygen

ssh-keygen -p -f my_openssh_privatekey

                                                iii.    At the next prompt, accept the default or enter the passphrase and press Enter

                                                iv.    At the next prompt, confirm your passphrase selection and press Enter

                                                 v.    Rename the private key file my_openssh_privatekey to id_rsa_2048_a and set its permissions to 600 (chmod 600).

 

C.    Install the public key on the remote host that runs Tectia SSH.

Create a new public key file on the remote host and paste in the contents of id_rsa_2048_a.pub (a Tectia-generated public key is already in SSH2 format, so no conversion is needed).

 

[remote-host]$ vi ~/.ssh2/id_rsa_2048_a.pub

---- BEGIN SSH2 PUBLIC KEY ----

Subject: root

Comment: "2048-bit rsa, root@vmw009053116054, Tue Feb 25 2014 21:49:43\ -0600"

AAAAB3NzaC1yc2EAAAADAQABAAABAQDMy7Q3Z0pxlYCiA9wdJPgRuBR7NQvX1ICIUXFbwx

uJD6xkqCnjC++JkZlG+6tRlty+T8dXQE/98czGK6dcg9bbHwQ1Wvxn5v9aSfZMZaNy8T+p

CIPV/0L/kbGoXkvg4amqlQkJnQhnwaJKdNm8WBMRcDkv/fj0LILDhUSWnEhPINdoeUV/EE

DxUhf2jRRHwxQihwXDEge/n0UgdSAkJaqTJTdF9HEkiPh25eeng0Ym2Yk0JHQzVhDJLSYz

WQ/Bg5Nzran63y0cRS40pY9CioAkgjI9J5P/tvPazLjoeMP8f+2ELp9suJ+VFMAULpqx9H

jwXK/4a4nWg7vEyaektoQp

---- END SSH2 PUBLIC KEY ----

 

D.    Add the name of the public key file to the authorization file on the remote host, as shown below.

[remote-host]$ vi ~/.ssh2/authorization
Key id_rsa_2048_a.pub

 

Enabling DSA key-based authentication on UNIX and Linux operating systems using Tectia SSH

 

These instructions assume that the client user can already log in to the remote host, where Tectia Server is running, with password authentication.

 

Make sure that public-key authentication is enabled in the ssh-broker-config.xml and ssh-server-config.xml files (it is enabled by default). For example:

                      <authentication-methods>

                                   <auth-publickey />

                                            ...

                      </authentication-methods> 

 

Key-based authentication can use keys generated with either the OpenSSH client or the Tectia SSH client. Note that OpenSSH generates DSA keys of 1024 bits only, and OpenSSH 7.0 and later disable ssh-dss keys by default, so use DSA only where the managed systems require it and prefer RSA otherwise.

 

Keys generated on OpenSSH client:-

           

A.    Generate a key on OpenSSH client as follows

a.     Use the ssh-keygen tool to create a key pair.

                                                  i.    Log in as the administrator user defined on the Tivoli Identity Manager service form.

                                                 ii.    To start the ssh-keygen tool, issue the command:

mydesktop$ ssh-keygen -t dsa

                                                iii.    At the prompt accept the default or enter the file path where you want to save the key pair and press Enter

                                                iv.    At the next prompt accept the default or enter the passphrase and press Enter

                                                 v.    At the next prompt confirm your passphrase selection and press Enter

b.    This is a sample of the system response:

Your identification has been saved in /home/root/.ssh/id_dsa.

Your public key has been saved in /home/root/.ssh/id_dsa.pub.

The key fingerprint is:

9e:6c:0e:e3:d9:4f:37:f1:dd:34:fc:20:36:67:b2:94 root@ps2372.persistent.co.in  

 

Note: Although the ssh-keygen tool accepts a blank passphrase, the passphrase is required on the Tivoli Identity Manager service form.

 

B.    Validate that the keys were generated

a.     Issue the commands:

mydesktop$ cd $HOME/.ssh

mydesktop$ ls –l

A sample system response is:

-rw------- 1 root root 883 Jan 21 11:52 id_dsa

-rw-r--r-- 1 root root 223 Jan 21 11:52 id_dsa.pub

 

b.    Issue the command:

  mydesktop$ cat id_dsa

 

  A sample system response is:

-----BEGIN DSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,32242D3525AEDC64

MOZ0m/BCLFNS+ujlcnQR3gOIb5w5hwu1jByw8/kyvTMIHqAx1ANgqV1gFBGX7F0

vdfmNQKnjLcH8cGueUYnmx4vSu9FnKK91abNW9Nd67MDtJEztHckahXDYy7oX1t

LNh3QtaZ32AgHro7QxxCGIHQeDaiGePg7WhVqH8EXo3c+/L/5sQpfx0eG30nrDjl

+cmXgmzU2uQsPL2ckP9NQTgRU4QgWYDBle0YhUXTAG8eW9XG9iCm9iFO4WLWtWd24

Q799A1w6UJReHKQq+vdrN76PgK32NMNmindOqzKVzFL4TsjLyGyWofImpG65oO

FSc4GXTsRkZ0OQxixakpKShRpJ5pW6V1PN4tR/RCRWmpW/yZTr4qtQzcw+AY6ONA

QEVtJQeN69LJncuy9MY/K2F7hn5lCYy/TOnM1OOD6/a1R6U4xoH6qkasLGchiTIP

/NIfrITQho49I7cIJ9HmW54Bmeqh2U9WiSD4aSyxL1Mm6vGoc81U2XjJmcUmQ9XHmhx

R4iWaATaz6RTsxBksNhn7jVx34DDvRDJ4MSjLaNpjnvAdYTM7YislsBulDTr8ZF6P9

Fa7VyFP4TyCjUM1w==

-----END DSA PRIVATE KEY-----

 

c.     Issue the command:

mydesktop$ cat id_dsa.pub

A sample system response is:

ssh-dss AAAAB3NzaC1kc3MAAACBAIHozHi6CHwvGDt7uEYkEmn4STOj2neOo5mPOZFpBjs

KzzWBqBuAxoMwMgHy3zZAIgmzMwIVQum4/uIHlhOx0Q4QDLJbveFShuXxBjm5BOU1

rCCSeqYCOPdub9hx3uzZaTNqfFIvO4/NTcjp7pgQqBdvWs0loyYViYVWpVQmMdif

AAAAFQDhaD9m//n07C+R+X46g5iTYFA9/QAAAIBVbBXXL3/+cHfbyKgCCe2CqjRESQ

i2nwiCPwyVzzwfHw4MyoYe5Nk8sfTiweY8Lus7YXXUZCPbnCMkashsbFVO9w

/q3xmbrKfBTS+QOjs6nebftnxwk/RrwPmb9MS/kdWMEigdCoum9MmyJlOw5fwGl

P1ufVHn+v9uTKWpPgr0egAAAIArKV4Yr3mFciTbzcGCicW+axekoCKq520Y68mQ

1xrI4HJVnTOb6J1SqvyK68eC2I5lo1kJ6aUixJt/D3d/GHnA+i5McbJgLsNuiDs

RI3Q6v3ygKeQaPtgITKS7UY4S0FBQlw9q7qjHVphSOPvo2VUHkG6hYiyaLvLrX

Jo7JPk6tQ== root@ps2372.persistent.co.in

 

C.    Once the key pair is generated, convert the public key to the SSH2 (RFC 4716) format that Tectia SSH Server reads.

a.     On the local host that runs OpenSSH, convert the OpenSSH public key to an SSH2 (Tectia) public key with ssh-keygen, as shown below.

[local-host]$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub

b.    Install the public key on the remote host that runs Tectia (SSH2).

Create a new public key file on the remote host and paste in the converted SSH2 key from the local host. Check the first characters of the key body before you save it: a converted DSA key begins with AAAAB3NzaC1kc3M (the encoded ssh-dss type string), whereas an RSA key begins with AAAAB3NzaC1yc2E (ssh-rsa).

[remote-host]$ vi ~/.ssh2/hostkey.pub

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "1024-bit DSA, converted from OpenSSH by root@tivsun12.persistent.co.in"

AAAAB3NzaC1yc2EAAAABIwAAAIEA4TsEMAH0l9dTreOwfFv6wzzZqL+AdmerDRfTEoTbPa

TS2XYYz/wpD9xmohYOvz3VDWqNoCOlPJ1fHaMqCYRwXi0oMiW2P+k1ZF64CELOVjn1sb6m

0bX/xneO5CTd6RBHJO9nMCTYpJNCJH6M9w4LPwIJtiXRRGFByQJ0jIAbdKs=

---- END SSH2 PUBLIC KEY ----

c.     Add the name of the public key file to the authorization file on the remote host, as shown below.

[remote-host]$ vi ~/.ssh2/authorization
Key hostkey.pub

d.    Copy the private key file (id_dsa) to the client workstation on which the adapter runs and set its permissions to 600 (chmod 600), so that only its owner can read it.

e.     Rename the private key file to hostkey on the client workstation.
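
The OpenSSH-side procedure above, and the RSA version of it earlier in this appendix, is easy to get subtly wrong: a key created without a passphrase, a private key left group-readable, a converted file that lacks the RFC 4716 header. The script below is an added example and is not part of the IBM release notes or of the adapter. It runs the same ssh-keygen commands, checks each step, and stages hostkey, hostkey.pub and the authorization line in a directory you choose. The staging directory, the key comment "itim-adapter" and the check logic are this example's own assumptions; it needs the OpenSSH ssh-keygen on the PATH.

```python
"""Stage an OpenSSH-generated key pair for Tectia Server with checks at each step.
Added example; not from the IBM release notes."""
import os
import re
import shutil
import stat
import subprocess
import tempfile

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def _run(*args):
    """Run a command and return its stdout; a non-zero exit raises."""
    return subprocess.run(args, check=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL).stdout


def rfc4716_body(text):
    """Base64 body of an RFC 4716 public key with header lines (Comment:,
    Subject:, including backslash-continued ones) and line wrapping removed,
    so it can be compared with the one-line OpenSSH form."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        raise ValueError("not an RFC 4716 public key")
    body, continued = [], False
    for line in lines[1:-1]:
        if continued or ":" in line:          # base64 never contains ':'
            continued = line.endswith("\\")
            continue
        body.append(line.strip())
    return "".join(body)


def pem_cipher(private_key_text):
    """Cipher named on a PEM key's DEK-Info line (e.g. DES-EDE3-CBC or
    AES-128-CBC), or None if the file is not an encrypted PEM key."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", private_key_text, re.M)
    return m.group(1) if m else None


def prep_tectia_key(stage_dir, passphrase, key_type="rsa", bits=2048):
    """Generate a passphrase-protected key pair, convert the public half for
    Tectia and lay out hostkey, hostkey.pub and the authorization line.
    (key_type="dsa" needs bits=1024 and an OpenSSH that still makes DSA keys.)"""
    if not passphrase:
        raise ValueError("the service form requires a passphrase; refusing an unencrypted key")
    os.makedirs(stage_dir, mode=0o700, exist_ok=True)
    priv = os.path.join(stage_dir, "id_" + key_type)
    pub = priv + ".pub"
    if os.path.exists(priv):
        raise FileExistsError(priv)            # ssh-keygen would prompt to overwrite
    # -m PEM keeps the "BEGIN RSA PRIVATE KEY" form the samples above show, which
    # is what the adapter's RXA library reads; ssh-keygen releases before 7.8
    # wrote PEM anyway and ignore the flag. The comment string is arbitrary.
    _run("ssh-keygen", "-q", "-t", key_type, "-b", str(bits), "-m", "PEM",
         "-N", passphrase, "-C", "itim-adapter", "-f", priv)
    # The private key must not open without its passphrase.
    unlocked = subprocess.run(["ssh-keygen", "-y", "-P", "", "-f", priv],
                              capture_output=True, text=True, stdin=subprocess.DEVNULL)
    if unlocked.returncode == 0:
        raise RuntimeError("private key is not passphrase protected")
    os.chmod(priv, stat.S_IRUSR | stat.S_IWUSR)            # mode 600
    # Convert the public half and confirm the key material is unchanged.
    converted = _run("ssh-keygen", "-e", "-f", pub)
    with open(pub) as f:
        openssh_b64 = f.read().split()[1]
    if rfc4716_body(converted) != openssh_b64:
        raise RuntimeError("converted key body differs from the OpenSSH key")
    hostkey_pub = os.path.join(stage_dir, "hostkey.pub")
    with open(hostkey_pub, "w") as f:
        f.write(converted)
    hostkey = os.path.join(stage_dir, "hostkey")
    os.rename(priv, hostkey)                   # step e: rename to hostkey
    with open(os.path.join(stage_dir, "authorization"), "w") as f:
        f.write("Key hostkey.pub\n")           # line to add to ~/.ssh2/authorization
    with open(hostkey) as f:
        cipher = pem_cipher(f.read())
    return {
        "private_key": hostkey,
        "public_key": hostkey_pub,
        "private_mode": stat.S_IMODE(os.stat(hostkey).st_mode),
        "pem_cipher": cipher,
        # see the AES-128-CBC note later in these release notes
        "needs_rxa_2_3_0_9": cipher == "AES-128-CBC",
    }


def self_check():
    """Run the whole procedure in a scratch directory; None if ssh-keygen is absent."""
    if shutil.which("ssh-keygen") is None:
        return None
    scratch = tempfile.mkdtemp()
    try:
        return prep_tectia_key(os.path.join(scratch, "stage"), "example passphrase")
    finally:
        shutil.rmtree(scratch)
```

Call prep_tectia_key with the staging directory and the passphrase you will enter on the service form; then copy hostkey.pub and the authorization line into ~/.ssh2/ on the Tectia host and hostkey to the workstation that runs the adapter. If the returned pem_cipher is AES-128-CBC, the RXA level note later in these release notes applies.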

Keys generated on Tectia SSH client:-

 

To generate keys with the Tectia SSH client on a UNIX or Linux workstation, perform the following:

 

A.    Use the ssh-keygen-g3 tool to create a key pair.

a.     To start the ssh-keygen-g3 tool, issue the command:

[root@vmw009053116054]:\ # ssh-keygen-g3 -t dsa

Generating 2048-bit dsa key pair

 92 .oOo..oOo.oO

Key generated.

2048-bit dsa, root@vmw009053116054, Mon Mar 03 2014 01:57:28 -0600

b.    At the next prompt, accept the default or enter the passphrase and press enter

c.     At the next prompt, confirm your passphrase selection and press Enter

 

This is a sample of the system response:

Private key saved to //.ssh2/id_dsa_2048_a

Public key saved to //.ssh2/id_dsa_2048_a.pub

[root@vmw009053116054]:\ #

 

B.    Convert the private key created by the Tectia client to OpenSSH format, as follows.

a.     If the Tectia private key is passphrase protected, remove the passphrase first: the OpenSSH import in step b reads only unencrypted keys. Until step b re-encrypts it, the key is stored unprotected, so work in a directory that only you can read (mode 700) and delete any intermediate copy afterward.

                                                  i.    Using Tectia keygen, issue the following command, give the name of the key file generated in previous step

$ ssh-keygen-g3 -e id_dsa_2048_a

                                                 ii.    At the next prompt provide old passphrase

                                                iii.    At the next prompt, to edit the key, type yes and press enter

                                                iv.    At the next prompt, to edit key comment, type no and press enter

                                                 v.    At the next prompt, to edit passphrase, type yes and press enter

                                                vi.    At the next prompt, for new passphrase, press enter

                                               vii.    At the next prompt, for re-entering new passphrase, press enter again

                                              viii.    At the next prompt, to continue editing the key, type no and press enter

                                                ix.    At the next prompt, to save key, type yes and press enter

 

b.    Import the unencrypted key with the OpenSSH ssh-keygen tool:

                                                  i.    ssh-keygen -i -f id_dsa_2048_a > my_openssh_privatekey

                                                 ii.    Encrypt the key again with a passphrase using OpenSSH keygen

ssh-keygen -p -f my_openssh_privatekey

                                                iii.    At the next prompt, accept the default or enter the passphrase and press Enter

                                                iv.    At the next prompt, confirm your passphrase selection and press Enter

                                                 v.    Rename the private key file my_openssh_privatekey to id_dsa_2048_a and set its permissions to 600 (chmod 600).

 

C.    Install the public key on the remote host that runs Tectia SSH.

Create a new public key file on the remote host and paste in the contents of id_dsa_2048_a.pub (a Tectia-generated public key is already in SSH2 format, so no conversion is needed; the body of a DSA key begins with AAAAB3NzaC1kc3M).

 

[remote-host]$ vi ~/.ssh2/id_dsa_2048_a.pub

---- BEGIN SSH2 PUBLIC KEY ----

Subject: root

Comment: "2048-bit dsa, root@vmw009053116054, Mon Mar 03 2014 21:49:43\ -0600"

AAAAB3NzaC1yc2EAAAADAQABAAABAQDMy7Q3Z0pxlYCiA9wdJPgRuBR7NQvX1ICIUXFbwx

uJD6xkqCnjC++JkZlG+6tRlty+T8dXQE/98czGK6dcg9bbHwQ1Wvxn5v9aSfZMZaNy8T+p

CIPV/0L/kbGoXkvg4amqlQkJnQhnwaJKdNm8WBMRcDkv/fj0LILDhUSWnEhPINdoeUV/EE

DxUhf2jRRHwxQihwXDEge/n0UgdSAkJaqTJTdF9HEkiPh25eeng0Ym2Yk0JHQzVhDJLSYz

WQ/Bg5Nzran63y0cRS40pY9CioAkgjI9J5P/tvPazLjoeMP8f+2ELp9suJ+VFMAULpqx9H

jwXK/4a4nWg7vEyaektoQp

---- END SSH2 PUBLIC KEY ----

D.    Add the name of the public key file to the authorization file on the remote host, as shown below.

[remote-host]$ vi ~/.ssh2/authorization
Key id_dsa_2048_a.pub

 

 

RFE 31713: Defining the maximum connection count for adapter operations

You can limit the number of connections that can be made to a resource based on the service, service type and operation.  You do that by modifying the service.def file in the service profile or by specifying a value for the Max Connection Count field on a resource's service form.

 

About this task

Limiting the number of concurrent connections to a resource can be useful if you see errors due to contention for files or other objects on the resource. For example, if there are many account add operations occurring at the same time, some might fail because they cannot get write access to the /etc/passwd file.  In such a scenario, lowering the maximum connection count for the resource or the add operation could help reduce contention.

 

To set a default or an absolute maximum connection count for a service type, modify the service.def file.  A default count can be overridden on a per-resource basis, an absolute count cannot.

 

Procedure

To change the service.def file, perform the following steps:

 

1.     Extract the adapter profile JAR file, for example PosixAixProfile.jar:

jar -xvf PosixAixProfile.jar

 

2.     Open the service.def file in a text editor.

 

3.     A maximum connection count is defined for each operation type; for example, add (posixAdd) or modify (posixModify). Find the operation whose maximum connection count you want to limit, for example <operation cn="posixModify">.

 

4.     Find the <dispatcherParameter name="MaxConnectionCnt"...> element under that operation.

 

5.     Edit the dispatcherParameter to define a default value or an absolute value.

 

To define a default value, create an entry like the following:

 

<dispatcherParameter name="MaxConnectionCnt" source= "erPosixMaxConnectionCnt">

<default>value</default>

</dispatcherParameter>

 

In this example, this entry means that for any AIX resource, the maximum number of concurrent account modify operations defaults to value.  This default value can be overridden for a particular AIX resource by specifying a different value in the Max Connection Count field on the Dispatcher Attributes tab of the resource's service form.

 

To define an absolute value, create an entry like the following:

 

<dispatcherParameter name="MaxConnectionCnt" >

<value>value</value>

</dispatcherParameter>

 

In this example, this entry means that for any AIX resource, the maximum number of concurrent account modify operations is value and cannot be overridden.

 

Notes:

·         The maximum number of connections for search (recon) operations is always one, regardless of the settings in the service.def file or on the service form.

·         If no maximum connection count is defined in the service.def file or on the service form, the connection count is unlimited.

 

6. Save the changes and create another adapter profile JAR file.

jar -cvf PosixAixProfile.jar PosixAixProfile

 

7. Import the modified profile JAR file into IBM Tivoli Identity Manager.
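
Steps 1 to 7 amount to a small but error-prone XML edit, and the two element shapes are easy to mix up. The script below is an added example, not part of the IBM release notes or of the adapter profile: it rewrites the MaxConnectionCnt parameter of one operation in an extracted service.def into either the default (overridable) or the absolute shape shown above, and reports the effective setting for an operation. The service.def skeleton inside it is constructed for this example; the <operation cn="..."> and <dispatcherParameter name="MaxConnectionCnt"> elements and the source="erPosixMaxConnectionCnt" attribute are the ones documented above, but the surrounding structure is not the real file's. The functions walk the whole tree, so the extra nesting of a real service.def does not matter.

```python
"""Set or report MaxConnectionCnt for one operation in an ITIM adapter service.def.
Added example; not from the IBM release notes."""
import xml.etree.ElementTree as ET

PARAM = "MaxConnectionCnt"
SOURCE_ATTR = "erPosixMaxConnectionCnt"   # service-form attribute that overrides <default>

# Constructed skeleton: only the operation/dispatcherParameter pieces mirror the
# real file. posixAdd has an overridable default of 5; posixModify is unlimited.
SAMPLE_SERVICE_DEF = """<service>
  <operation cn="posixAdd">
    <dispatcherParameter name="MaxConnectionCnt" source="erPosixMaxConnectionCnt">
      <default>5</default>
    </dispatcherParameter>
  </operation>
  <operation cn="posixModify">
    <dispatcherParameter name="MaxConnectionCnt" source="erPosixMaxConnectionCnt"/>
  </operation>
</service>
"""


def _operation(root, operation_cn):
    for op in root.iter("operation"):
        if op.get("cn") == operation_cn:
            return op
    raise KeyError("no <operation cn=%r> in service.def" % operation_cn)


def _text_int(element):
    """Integer content of a child element, or None if absent or blank."""
    if element is None or element.text is None or not element.text.strip():
        return None
    return int(element.text.strip())


def effective_setting(service_def_xml, operation_cn):
    """Return ("absolute", n), ("default", n) or ("unlimited", None)."""
    param = _operation(ET.fromstring(service_def_xml), operation_cn) \
        .find("dispatcherParameter[@name='%s']" % PARAM)
    if param is None:
        return ("unlimited", None)
    absolute = _text_int(param.find("value"))
    if absolute is not None:                 # <value> wins and cannot be overridden
        return ("absolute", absolute)
    default = _text_int(param.find("default"))
    if default is not None:
        return ("default", default)
    return ("unlimited", None)


def set_max_connection_count(service_def_xml, operation_cn, count, absolute=False):
    """Rewrite the parameter as <default> (overridable on the service form) or,
    with absolute=True, as <value> with no source attribute. Returns new XML."""
    if not isinstance(count, int) or isinstance(count, bool) or count < 1:
        raise ValueError("count must be a positive integer")
    root = ET.fromstring(service_def_xml)
    op = _operation(root, operation_cn)
    param = op.find("dispatcherParameter[@name='%s']" % PARAM)
    if param is None:
        param = ET.SubElement(op, "dispatcherParameter", name=PARAM)
    for child in list(param):                # the two shapes are mutually exclusive
        param.remove(child)
    if absolute:
        param.attrib.pop("source", None)     # no service-form override possible
        ET.SubElement(param, "value").text = str(count)
    else:
        param.set("source", SOURCE_ATTR)
        ET.SubElement(param, "default").text = str(count)
    return ET.tostring(root, encoding="unicode")
```

Typical use: extract the profile JAR, read service.def, write the string returned by set_max_connection_count back over it, rebuild the JAR and import it. Note that the adapter fixes the search (reconciliation) limit at one regardless of what is written here, and that an operation with neither <default> nor <value> is reported as unlimited, matching the notes above.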

IV36353: Improve error behavior when setting umask and home directory permissions attributes

When you add either the erPosixUmask or the erPosixPerHomeDir attribute to an account form, you must select the Umask widget.  This ensures that the umask or permission data is sent to the adapter in the proper format.  Adding home directory permissions to the account form is described in the Directory Integrator-Based UNIX and Linux Adapter User Guide, Chapter 5 in the "Adding home directory permissions on the account form" section.  The same instructions apply when you add the erPosixUmask attribute to the account form.

RFE 16913: Add Last Access Date support for HP-UX and Linux

In the Directory Integrator-Based UNIX and Linux Adapter User Guide, Table 8, Account form attributes, the erPosixLastAccessDate entry should include HP-UX and Linux as supported operating systems.

MR0611101655 - Enhance adapter so that Linux accounts can be deleted even if they are in use.

To allow the adapter to kill a user's active processes and delete the account forcefully, perform the following steps:

1. Open the DESIGN FORMS feature of the IBM Tivoli Identity Manager server (under Configure System -> Design Forms).

2. Click Service and choose any POSIX profile. Add the attribute erPosixDelUserInUse to the service form from the Attribute List, select the checkbox for erPosixDelUserInUse, then save the form and close the Design Forms window.

3. When you create or modify the service, select the option "Delete user account even when it is in use".

 

 NOTE:  "Delete user account even when it is in use" must not be used on systems that allow duplicate user IDs. Process ownership is tracked by numeric UID, so on such a system the processes of another account that shares the UID could be killed along with those of the account being deleted.

Allow at jobs? and Allow cron jobs? properties

The Allow at jobs? and Allow cron jobs? account settings are used to affect the contents of the at.allow, at.deny, cron.allow and/or cron.deny files.  In some cases, additional platform-specific configuration might be needed to enable a user to execute at or cron jobs.  For example, on AIX, the user’s daemon attribute must also be set to true for a user to have permission to execute at or cron jobs.

 

Key-based authentication keys using the AES-128-CBC cipher

The following note applies to Appendix D of the UNIX and Linux Adapter Installation Guide ("Key-based authentication for the UNIX and Linux Adapter").

 

If the installed SSH encrypts the PEM private key with the AES-128-CBC cipher (the cipher is named on the DEK-Info line of the key file; the samples above show DES-EDE3-CBC), RXA cannot read the private key from the file and RSA key-based authentication does not work. To support RSA key-based authentication, take one of the following actions:

·         Install an SSH that uses the DES-EDE3-CBC cipher

·         Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports the AES-128-CBC cipher. Note: RXA 2.3.0.9 is included in the base release of TDI 7.1.1, and is also available in TDI 7.0 FP8 and TDI 7.1 FP7.

 

RXA Timeout Feature

Two types of end resource commands are executed when using the UNIX and Linux adapter:

·         Commands which originate from the Posix connector

·         Commands which originate internally from the Remote Access API (RXA) classes

 

This enhancement allows you to increase the timeout for the second type of command.  The default timeout for internal RXA commands is 5000 milliseconds.  You can increase this by specifying a value greater than 5000 in the RXA Internal Command TimeOut field of the service form.  This property should be set only in the case where the adapter times out when executing internal commands initiated by RXA.

 

There is another timeout property associated with RXA. The session timeout property is used when RXA attempts to establish a remote session with a resource. The default value for this timeout is 30000 milliseconds. If the RXA Internal Command TimeOut field is set to a value greater than 30000, the connector will increase the session timeout value to the specified internal command timeout value.

Using hostsallowedlogin and hostsdeniedlogin attributes

This version of the UNIX and Linux Adapter is enhanced to support two new AIX attributes, hostsallowedlogin and hostsdeniedlogin.  Refer to the AIX documentation for details on these attributes.

 

By default, several characters (`!&()|;'") are not allowed in these attribute values because they have special meaning to the shell on the managed system: a value containing them would be misinterpreted by the remote execution call that sets the attribute.

APAR IZ75546 - at.allow/at.deny/cron.allow/cron.deny corruption

To prevent file corruption, the adapter creates a lock directory named POSIXLCK under /tmp before it edits the at and cron files. If a different temp directory has been specified for the adapter, the lock directory is created under that directory instead.

 

Make sure that no POSIXLCK directory exists under /tmp (or the user-specified temp directory) before the adapter runs. If a leftover POSIXLCK directory is present, the adapter fails to set at and cron attribute values.

 

Group names with "()"

This version of the adapter no longer hangs when executing an account add or modify operation when a group name or AUTH1 or AUTH2 attribute value contains ().

 

Note: The fix covers multi-valued attributes; single-valued attributes might still need a fix.

 

erPosixCopyAdpFilesTo and erPosixReconScriptLocation attributes

Specifying the location of the adapter scripts

The adapter provides an option to change the default location to which the adapter scripts are copied. You can enter any valid path on the target (managed) system to which the adapter scripts should be copied.

 

Note: This option is configurable per service. By default, it does not appear on the service form; you can add it with the DESIGN FORMS editor.

 

The attribute that represents this option is erPosixCopyAdpFilesTo. Its default value is the /tmp directory on the target system, but it can be changed. The administrative user must have read and write permission to this directory. Because /tmp is normally writable by every local user and the adapter runs the copied scripts as the administrative user, a dedicated directory that only the administrative user can write to is the safer choice.

MR0726102757 - Provide option in UnixLinux adapter to not copy reconcile script to remote machine

This feature requires the following additional installation steps:

a.     Open DESIGN FORMS feature of the ITIM server (Under Configure System -> Design Forms)

b.    Click on the Service and choose any POSIX Profile. Add the attribute erPosixReconScriptLocation on the service form from the Attribute List and then save the form and close Design Form window.

 

PMR 07036,SGC,724 - UnixLinux does not handle groups on accounts where the primary and secondary groups are the same

SUSE Linux and Solaris platforms do not support assigning a user's primary group to the user's secondary group set. Therefore, the Posix adapter cannot support that function on those platforms.   The command used to set the secondary group will not return an error even though the primary group was not added.

 

Customizing or Extending Adapter Features

IBM Tivoli Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

 

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

 

·         IBM Tivoli Identity Manager administration

·         Tivoli Directory Integrator management

·         Tivoli Directory Integrator Assembly Line development

·         LDAP schema management

·         Working knowledge of JavaScript, the Tivoli Directory Integrator scripting language

·         Working knowledge of LDAP object classes and attributes

·         Working knowledge of XML document structure

 

Note: If the customization requires a new Tivoli Directory Integrator connector, the developer must also be familiar with Tivoli Directory Integrator connector development and working knowledge of Java programming language.

 

IBM Tivoli Identity Manager Resources:

Check the Learn section of the Tivoli Identity Manager Support web site for links to training, publications, and demos.

 

Tivoli Directory Integrator Resources:

Check the Learn section of the Tivoli Directory Integrator Support web site for links to training, publications, and demos.

 

IBM Tivoli Identity Manager Adapter Development:

Adapter Development Tool 

The Adapter Development Tool, ADT, is a tool used by IBM Tivoli Identity Manager customers and consultants to create custom IBM Tivoli Identity Manager adapters. It reduces adapter delivery time by about 50% and it helps in the development of custom adapters. The Adapter development tool is available on the IBM Open Process Automation Library (OPAL).

 

Support for Customized Adapters

The integration to the Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

 

Supported Configurations

Installation Platform

The IBM Tivoli Identity Manager UNIX and Linux Adapter was built and tested on the following product versions.

 


This adapter installs into Tivoli Directory Integrator (TDI) and may be installed on any platform supported by the TDI product and supported by the target system libraries or client, where applicable. IBM recommends installing TDI on each node of the ITIM WAS Cluster and then installing this adapter on each instance of TDI. Supported TDI versions include:

 

Adapter Installation Platform: 

 

Tivoli Directory Integrator v7.0 with Fix Pack 3 or higher

Tivoli Directory Integrator v7.0 with Fix Pack 5 or higher to take advantage of the "run profile" feature on HP-UX systems

Tivoli Directory Integrator v7.1 with Fix Pack 5 or higher

Tivoli Directory Integrator v7.1.1 with Fix Pack 1 and Interim Fix 7.1.1-TIV-TDI-LA0001 or higher

 

 

Managed Resource:

            AIX

            AIX 6.1

            AIX 7.1

 

HP-UX

            HP-UX 11i

            HP-UX 11i v2

            HP-UX 11i v3

           

            Supported operating system modes:

                        non-trusted, trusted non-secure

 

Solaris

            Solaris 10

            Solaris 11

 

Oracle Linux

            Linux 6.3

 

Red Hat Linux

 

At the time of the adapter 5.1.32 release, the most recent Red Hat Linux Enterprise Server releases and upgrades were:

 

Red Hat Linux Enterprise Server 5.7

Red Hat Linux Enterprise Server 5.9

Red Hat Linux Enterprise Server 5.10

Red Hat Linux Enterprise Server 6.4

Red Hat Linux Enterprise Server 6.5

Red Hat Linux Enterprise Server 7

 

Red Hat Linux Enterprise Server AS 5.7

Red Hat Linux Enterprise Server AS 5.9

Red Hat Linux Enterprise Server AS 5.10

Red Hat Linux Enterprise Server AS 6.4

Red Hat Linux Enterprise Server AS 6.5

 

·         Red Hat Enterprise Server supported operating system modes are standard and SELinux

·         Red Hat Linux Enterprise Server release updates, i.e., 5.x / 6.x, have a limited support life. See the RedHat Enterprise Linux Life Cycle page for more information. At any given time the range of release updates supported by Red Hat is also the range of release updates supported by the adapter. Any exceptions are documented in these release notes.

·         Red Hat Linux Enterprise Server release updates may introduce changes and/or features that are not supported by the adapter. In such a case, support for the changes or features will be added in a future release of the adapter.

 

SUSE Enterprise Linux Server

            SUSE SLES 11

            SUSE SLES 11 on zSeries

 

 

IBM Tivoli Identity Manager:

            IBM Tivoli Identity Manager v5.1 with Fix Pack 3 or above

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

Intellectual Property Licensing

Legal and Intellectual Property Law

IBM Japan, Ltd.

1623-14, Shimotsuruma, Yamato-shi

Kanagawa 242-8502 Japan

 

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

 

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

 

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

 

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

 

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

 

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

 

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758  U.S.A.

 

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

 

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

 

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

 

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

 

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

 

COPYRIGHT LICENSE:

 

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

 

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

 

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

 

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

 

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

 

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

 

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

 

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

 

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

 

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

 

UNIX is a registered trademark of The Open Group in the United States and other countries.

 

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

 

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

 

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.


End of Release Notes