You can control the operation of the Linux and UNIX driver by modifying the properties described in the following sections.
IMPORTANT: Changing these values requires a restart of the driver.
To change import-only properties, you must re-import the driver configuration file LinuxUnix-IDM3_5_0-V2.xml over the existing driver. For details, see Creating the Driver in Designer.
To edit the properties shown on the Driver Configuration page and the Global Configuration Values page:
In iManager, select Identity Manager Overview from the Identity Manager task list on the left side of the window.
Navigate to your Driver Set by searching the tree or by entering its name.
Click the driver to open its overview.
Click the driver icon.
Select Driver Configuration or Global Config Values as appropriate.
Edit the property values as desired, then click OK.
Table 5-1 Driver Configuration Page

| Property Name | Values or Format |
|---|---|
| Driver Module | Connect to Remote Loader must be selected. |
| | Text Value |
| Authentication ID | Not used by the Linux and UNIX driver. |
| Authentication Context | Not used by the Linux and UNIX driver. |
| | Host name or IP address and port number of the driver shim on the connected system, and the RDN of the object with the server certificate |
| Driver Cache Limit | The recommended value is 0 (zero). |
| Application Password | Not used by the Linux and UNIX driver. |
| | Text Value |
| Startup Option | |
| | Number of seconds |
| | Number of seconds |
The Driver object password is used by the driver shim (embedded Remote Loader) to authenticate itself to the Metadirectory engine. This must be the same password that is specified as the Driver object password on the connected system driver shim.
The Remote Loader Connection Parameters option specifies information that the driver uses for Secure Sockets Layer (SSL) communication with the connected system.
Table 5-2 Remote Loader Connection Parameters

| Parameter | Description |
|---|---|
| host=hostName | Connected system host name or IP address. |
| port=portNumber | Connected system TCP port number. The default is 8090. |
| kmo=objectRDN | The RDN of the object with the server certificate signed by the tree’s certificate authority. Enclose the RDN in double quotes (") if the name contains spaces. |
The following is an example Remote Loader connection parameter string:
hostname=192.168.17.41 port=8090 kmo="SSL CertificateDNS"
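The following is an added example (not part of the driver or its documentation) that parses and sanity-checks a connection parameter string of the form shown above. It accepts the host=, port= and kmo= parameters from Table 5-2 plus the hostname= spelling used in the example string, keeps a double-quoted kmo value such as "SSL CertificateDNS" intact, applies the documented default port of 8090, and treats a missing kmo as an error because that value names the server certificate used for the SSL session (that requirement is this example's own check).

```python
"""Parse and check a Remote Loader connection parameter string (added example)."""
import shlex

DEFAULT_PORT = 8090          # default TCP port stated in Table 5-2
KNOWN_KEYS = {"host", "hostname", "port", "kmo"}


def parse_connection_params(text):
    """Return {"host": str, "port": int, "kmo": str}.

    Raises ValueError on a malformed or unknown parameter so that a bad
    string is rejected when the configuration is edited, not when the
    engine first tries to reach the driver shim.
    """
    params = {}
    # shlex splits on whitespace but keeps a double-quoted value such as
    # kmo="SSL CertificateDNS" together and strips the quotes.
    for token in shlex.split(text):
        if "=" not in token:
            raise ValueError("expected key=value, got %r" % token)
        key, value = token.split("=", 1)
        key = key.lower()
        if key not in KNOWN_KEYS:
            raise ValueError("unknown parameter %r" % key)
        if key == "hostname":          # alias used in the documented example
            key = "host"
        if key in params:
            raise ValueError("duplicate parameter %r" % key)
        params[key] = value
    if not params.get("host"):
        raise ValueError("host is required")
    if not params.get("kmo"):
        # Example policy: without a KMO there is no server certificate
        # object for the SSL connection to the driver shim.
        raise ValueError("kmo (server certificate object RDN) is required")
    port = params.get("port", str(DEFAULT_PORT))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be an integer in 1..65535, got %r" % port)
    params["port"] = int(port)
    return params


# Constructed sample mirroring the documented example string.
SAMPLE = 'hostname=192.168.17.41 port=8090 kmo="SSL CertificateDNS"'

if __name__ == "__main__":
    print(parse_connection_params(SAMPLE))
```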
The Remote Loader password is used to control access to the driver shim (embedded Remote Loader). This must be the same password that is specified as the Remote Loader password on the connected system driver shim.
Database Type specifies the type of account management database that you use for your network-wide information storage.
Files: Local file-based storage (/etc/passwd).
NIS: Map-based storage.
NIS+: Hierarchical domain-based storage.
Specifies whether the driver shim discards events that would cause loopback conditions. This function supplements the loopback detection provided by the Metadirectory engine.
Specifies whether the driver automatically removes home directories from the file system when users are deleted.
This option has no effect on AIX systems.
Specifies whether the driver automatically creates home directories in the file system when users are created.
This option has no effect on AIX systems. On AIX, the add-user.sh script uses the native AIX mkuser command. By default, this command creates a home directory. This setting is governed by /usr/lib/security/mkuser.default and /etc/security/login.cfg.
Specifies whether the driver allows duplicate UIDs on the connected Linux or UNIX system.
AIX does not allow duplicate UIDs. Select No for AIX connected systems.
Specifies whether the driver allows duplicate GIDs on the connected Linux or UNIX system.
AIX does not allow duplicate GIDs. Select No for AIX connected systems.
Specifies the number of seconds that the Publisher shim waits after running the polling script and sending events from the change log to the Metadirectory engine. The default interval is 60 seconds.
Specifies whether the Publisher shim is active.
Select Yes if you are using Identity Vault to Application (one-way) data flow. This saves processing time.
Specifies how often, in seconds, the driver shim contacts the Metadirectory engine to verify connectivity. Specify 0 to disable the heartbeat.
Table 5-3 Global Configuration Values

| Property Name | Values or Format |
|---|---|
| | Text Value |
| The Linux or UNIX Connected System Accepts Passwords from the Identity Vault | |
| The Identity Vault Accepts Passwords from the Linux or UNIX Connected System | |
| The Identity Vault Accepts Administrative Password Resets from the Linux or UNIX Connected System | |
| Require Password Policy Validation before Publishing Passwords | |
| Reset User’s External System Password to the Identity Manager Password on Failure | |
| Notify the User of Password Synchronization Failure via E-Mail | |
| | Identity Vault Container object |
| | Identity Vault Container object |
To view and edit Password Management GCVs, select Show for Show Password Management Policy.
To view and edit User and Group Placement GCVs, select Show for Show User and Group Placements.
Specifies the name of the driver. This value is used by the e-mail notification templates.
This option does not apply if the POSIX Management Mode is set to Manage Local. When it does apply, it specifies whether the driver synchronizes the Group Membership attribute of a corresponding Group object in the Identity Vault (if one exists with that GID).
The driver always synchronizes a user’s GID number (primary group identification) to the RFC 2307 gidNumber attribute of the corresponding User object in the Identity Vault.
Specifies whether the driver excludes events for users and groups with a uidNumber or gidNumber less than 100.
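The following added example (not driver code) audits Files-type account data in /etc/passwd and /etc/group format for the two conditions these options govern: IDs shared by more than one entry, which matter when deciding whether to allow duplicate UIDs or GIDs on the connected system (and which AIX rejects outright), and entries with a uidNumber or gidNumber below 100, which the driver skips when the exclusion option is enabled. The sample lines and the 100 threshold constant are constructed from the text above.

```python
"""Audit passwd/group-format data for duplicate and system IDs (added example)."""
from collections import defaultdict

SYSTEM_ID_LIMIT = 100   # threshold named in the GCV description above


def index_by_id(lines):
    """Map the numeric ID in field 3 (uid in passwd, gid in group) to the
    names in field 1 that use it."""
    by_id = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue        # skip malformed lines instead of aborting the audit
        by_id[int(fields[2])].append(fields[0])
    return by_id


def find_duplicates(lines):
    """Return {id: [names]} for every ID used by more than one entry."""
    return {i: names for i, names in index_by_id(lines).items() if len(names) > 1}


def find_system_ids(lines, limit=SYSTEM_ID_LIMIT):
    """Return the sorted names whose ID is below `limit`; these are the
    entries the driver excludes when the option above is enabled."""
    return sorted(name for i, names in index_by_id(lines).items()
                  if i < limit for name in names)


# Constructed sample passwd data (not taken from any real system).
PASSWD_SAMPLE = """
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
opsadm:x:0:0:second uid 0 entry:/root:/bin/bash
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1001:1002:Bob Jones:/home/bob:/bin/bash
""".splitlines()

if __name__ == "__main__":
    print("duplicate IDs:", find_duplicates(PASSWD_SAMPLE))
    print("IDs below %d:" % SYSTEM_ID_LIMIT, find_system_ids(PASSWD_SAMPLE))
```

The same functions work on /etc/group lines, since the GID is also the third colon-separated field there.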
This option does not apply if the POSIX Management Mode is set to Manage Local. When it does apply, it specifies whether the driver requires users and groups from the Identity Vault to have RFC 2307 information, such as uidNumber, gidNumber, and homeDirectory, before it provisions them to the connected Linux or UNIX system.
Specifies whether the driver creates the user gecos field from the First Name and Last Name attributes of the User object in the Identity Vault for subscribed events.
Specifies whether the driver uses lowercase for the CN of User and Group objects it receives in events from the Metadirectory engine.
Linux and UNIX user and group names are usually lowercase.
Specifies whether the driver allows passwords to flow from the Identity Vault to the connected Linux or UNIX system.
Specifies whether the driver allows passwords to flow from the connected Linux or UNIX system to the Identity Vault.
Specifies whether the driver allows passwords to be reset from the connected Linux or UNIX system in the Identity Vault. The root user can use the passwd command to set another user’s password.
Specifies whether the driver uses passwords from the connected Linux or UNIX system to set non-reversible NDS® passwords in the Identity Vault.
Specifies whether the driver uses passwords from the connected Linux or UNIX system to set NMAS™ Distribution Passwords, which are used for Identity Manager password synchronization.
Specifies whether the driver applies NMAS password policies to published passwords. If so, a password is not written to the Identity Vault if it does not conform.
Specifies whether, on a publish Distribution Password failure, the driver attempts to reset the password on the connected Linux or UNIX system using the Distribution Password from the Identity Vault.
Specifies whether the driver sends an e-mail to a user if the password cannot be synchronized.
Specifies the base container object in the Identity Vault for user synchronization. This container is used in the Subscriber channel Event Transformation policy to limit the Identity Vault objects being synchronized. This container is used in the Publisher channel Placement policy as the destination for adding objects to the Identity Vault. Use a value similar to the following:
users.myorg
Specifies the base container object in the Identity Vault for group synchronization. This container is used in the Subscriber channel Event Transformation policy to limit the Identity Vault objects being synchronized. This container is used in the Publisher channel Placement policy as the destination when adding objects to the Identity Vault. Use a value similar to the following:
groups.myorg