The PAM driver is shipped with packages. When the driver is created with packages in Designer, a set of policies and rules are created suitable for synchronizing with PAM. If your requirements for the driver are different from the default policies, you need to modify the default policies to do what you want.
The filters, mappings, and policies of the PAM driver control the data flow between the Identity Vault and PAM.
The driver filter determines which classes and attributes are synchronized between PAM and the Identity Vault, and in which direction synchronization takes place.
The PAM driver schema file, pum.sch, contains the auxiliary class DirXML-PUMCredential-Aux; the DirXML-pumCredential class is used by default in the driver's schema mapping. The auxiliary class can instead be used to extend the User class to represent the PAM credential object, with corresponding changes in the driver policies.
Table 1-1 and Table 1-2 show the Privileged Account Domain and Credential attributes that are mapped to PAM AccountDomain and Credential objects and attributes.
The mappings listed in the tables are default mappings. You can remap same-type attributes.
Table 1-1 DirXML-PUMAccountDomain Class Attributes

| Identity Vault Attribute | PAM Attribute | Description |
|---|---|---|
| OU | name | The name of the AccountDomain, which must follow the format `<name>_<subType>`, e.g. blr-srv1_sap, where blr-srv1 is the server name and sap is the subType of the application. |
| DirXML-pumAccDomType | DOM_TYPE | Determines whether the AccountDomain type is SSH, LDAP, Application, or Database. |
| DirXML-pumHost | DOM_HOST | DNS hostname or IP address of the server. |
| DirXML-pumPort | DOM_PORT | Port on which the server or application is listening. The default value is 22 for SSH and 389/636 for LDAP/LDAPS. For Oracle DB the default port is 1514; Application has no default port because it depends on the type of application. |
| DirXML-pumSSHPublicKey | DOM_SSH_KEY | Public key of the SSH server. |
| DirXML-pumAccDomCredential | DOM_CREDENTIAL | Default Credential of the AccountDomain. |
| DirXML-pumAccDomProfile | DOM_LDAP_PROFILE | Type of AccountDomain. NOTE: For an SSH server, it is Generic UNIX (value=101). For a Windows server, the options are Windows ActiveDirectory (value=1) or NetIQ Directory (value=2). |
| DirXML-pumAccDomSecure | DOM_LDAP_SECURE | Determines whether LDAP AccountDomain access is over a secure or non-secure channel. |
| DirXML-pumAccDomBaseDN | DOM_LDAP_BASEDN | LDAP baseDN of the LDAP type AccountDomain. |
| DirXML-pumAccDomScope | DOM_LDAP_SCOPE | LDAP scope for the LDAP AccountDomain. NOTE: Valid values for this attribute are one (value=1) or subtree (value=2). |
Table 1-2 DirXML-PUMCredential Class Attributes

| Identity Vault Attribute | PAM Attribute | Description |
|---|---|---|
| uniqueID | name | Account name or ID. |
| nspmDistributionPassword | CRED_PASSWD | Password of the account. |
| DirXML-pumSSHPrivateKey | CRED_SSH_KEY | SSH private key of the SSH account. |
| DirXML-pumSSHPassPhrase | CRED_SSH_PASSPHRASE | SSH passphrase of the SSH account. |
| DirXML-pumLDAPUserDN | CRED_LDAP_USERDN | UserDN of the LDAP account. |
| DirXML-pumAccDomName | CRED_DOMAIN_NAME | Name of the AccountDomain to which the Credential object belongs. The value of this attribute is set automatically by the driver based on the parent container name, which is the domain to which the Credential belongs. |
| DirXML-pumAccDomType | CRED_TYPE | Determines whether the credential type is SSH, Application, Database, or LDAP. The value of this attribute is set automatically by the driver based on the parent container name, which is the domain to which the Credential belongs. |
| DirXML-pumReferenceObject | No mapping | This attribute is added for the Password Check-in feature. Populate it with the DN of the user object corresponding to the target application account that is made available for password checkout. |
NOTE: The DirXML-pumSSHPrivateKey and DirXML-pumSSHPassPhrase attributes are sensitive data. You can encrypt these attributes to ensure that the values are not visible in the trace during synchronization. For more information about attribute encryption, see “Encrypting Data in eDirectory” in the NetIQ eDirectory 8.8 SP8 Administration Guide.
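The following Python model illustrates the mappings in Table 1-1 and Table 1-2 together with the behaviour the tables describe: the `<name>_<subType>` naming rule, the documented default ports, the CRED_DOMAIN_NAME and CRED_TYPE values derived from the parent container, and a trace view that redacts the attributes the note above calls sensitive. It is an added example, not the driver's own policy code (the real driver expresses these mappings as DirXML schema-mapping and transformation policies). The LDAP-style DN syntax, the assumption that a Credential object sits directly under its AccountDomain container, and the lookup of the parent's DirXML-pumAccDomType to fill CRED_TYPE are assumptions made for this example.

```python
"""Illustrative model of the PAM driver attribute mappings (Tables 1-1 and 1-2).

Added example, not the driver's own code. Assumptions: DNs are LDAP-style with
no escaped commas, a Credential object lives directly under its AccountDomain
container, and CRED_TYPE is filled from the parent AccountDomain's type.
"""
import re

# Table 1-1: DirXML-PUMAccountDomain attribute -> PAM AccountDomain attribute
ACCOUNT_DOMAIN_MAP = {
    "OU": "name",
    "DirXML-pumAccDomType": "DOM_TYPE",
    "DirXML-pumHost": "DOM_HOST",
    "DirXML-pumPort": "DOM_PORT",
    "DirXML-pumSSHPublicKey": "DOM_SSH_KEY",
    "DirXML-pumAccDomCredential": "DOM_CREDENTIAL",
    "DirXML-pumAccDomProfile": "DOM_LDAP_PROFILE",
    "DirXML-pumAccDomSecure": "DOM_LDAP_SECURE",
    "DirXML-pumAccDomBaseDN": "DOM_LDAP_BASEDN",
    "DirXML-pumAccDomScope": "DOM_LDAP_SCOPE",
}

# Table 1-2: DirXML-PUMCredential attribute -> PAM Credential attribute
CREDENTIAL_MAP = {
    "uniqueID": "name",
    "nspmDistributionPassword": "CRED_PASSWD",
    "DirXML-pumSSHPrivateKey": "CRED_SSH_KEY",
    "DirXML-pumSSHPassPhrase": "CRED_SSH_PASSPHRASE",
    "DirXML-pumLDAPUserDN": "CRED_LDAP_USERDN",
}

# Sensitive Identity Vault attributes (the page's note, plus the password).
SENSITIVE = {"DirXML-pumSSHPrivateKey", "DirXML-pumSSHPassPhrase", "nspmDistributionPassword"}

# Documented default ports from the DOM_PORT description in Table 1-1.
DEFAULT_PORTS = {"SSH": 22, "LDAP": 389, "LDAPS": 636, "Database": 1514}

DOMAIN_NAME_RE = re.compile(r"^[^_]+_[^_]+$")  # <name>_<subType>


def is_valid_domain_name(name):
    """True when an AccountDomain name follows the <name>_<subType> format."""
    return bool(DOMAIN_NAME_RE.match(name))


def map_account_domain(attrs):
    """Map an Identity Vault AccountDomain object to PAM attributes."""
    name = attrs.get("OU", "")
    if not is_valid_domain_name(name):
        raise ValueError(f"AccountDomain name {name!r} must follow <name>_<subType>")
    pam = {ACCOUNT_DOMAIN_MAP[k]: v for k, v in attrs.items() if k in ACCOUNT_DOMAIN_MAP}
    if "DOM_PORT" not in pam:
        # Secure LDAP picks the LDAPS default; Application has no default port.
        key = pam.get("DOM_TYPE")
        if key == "LDAP" and pam.get("DOM_LDAP_SECURE") == "true":
            key = "LDAPS"
        if key in DEFAULT_PORTS:
            pam["DOM_PORT"] = DEFAULT_PORTS[key]
    return pam


def parent_container(dn):
    """Return (parent DN, parent RDN value); assumes no escaped commas."""
    parts = dn.split(",")
    return ",".join(parts[1:]), parts[1].split("=", 1)[1]


def map_credential(dn, attrs, vault):
    """Map a Credential object; CRED_DOMAIN_NAME / CRED_TYPE come from the parent."""
    pam = {CREDENTIAL_MAP[k]: v for k, v in attrs.items() if k in CREDENTIAL_MAP}
    parent_dn, domain_name = parent_container(dn)
    domain = vault.get(parent_dn)
    if domain is None:
        raise LookupError(f"no AccountDomain container at {parent_dn}")
    pam["CRED_DOMAIN_NAME"] = domain_name
    pam["CRED_TYPE"] = domain["DirXML-pumAccDomType"]
    return pam


def trace_view(pam):
    """Copy of a mapped object with sensitive values masked for the driver trace."""
    masked = {CREDENTIAL_MAP[a] for a in SENSITIVE}
    return {k: ("<redacted>" if k in masked else v) for k, v in pam.items()}


# Constructed sample Identity Vault content (hypothetical hosts and DNs).
VAULT = {
    "ou=blr-srv1_sap,ou=PAM,o=vault": {
        "OU": "blr-srv1_sap", "DirXML-pumAccDomType": "Application",
        "DirXML-pumHost": "blr-srv1.example.test"},
    "ou=blr-srv2_ssh,ou=PAM,o=vault": {
        "OU": "blr-srv2_ssh", "DirXML-pumAccDomType": "SSH",
        "DirXML-pumHost": "10.0.0.5"},
}
ROOT_CRED = {"uniqueID": "root", "DirXML-pumSSHPrivateKey": "-----BEGIN KEY-----",
             "DirXML-pumSSHPassPhrase": "constructed-sample"}

if __name__ == "__main__":
    for dn, attrs in VAULT.items():
        print(dn, "->", map_account_domain(attrs))
    cred = map_credential("cn=root,ou=blr-srv2_ssh,ou=PAM,o=vault", ROOT_CRED, VAULT)
    print("credential (trace-safe view):", trace_view(cred))
```

Running the block prints the mapped AccountDomain objects (the SSH domain receives DOM_PORT 22, the Application domain receives none) and a credential whose CRED_SSH_KEY and CRED_SSH_PASSPHRASE are masked, which is the same effect the note above recommends achieving with eDirectory attribute encryption.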