
How to create users in Redhat Server 7.4 from IDM

I am new to IDM. I want to learn how to create users in Red Hat Linux from IDM through Designer.

Thanks,

V.Satakopan

16 Replies
Knowledge Partner

1. What are the files that need to be created after creating a driverset? Why are they not created automatically?

Designer is a tool that manages objects stored in eDirectory. So all the objects are objects you can see via LDAP or NCP (iManager). Designer is an offline tool. It stays local until you deploy to the directory.

2. Can we create policies with any name, or do we need to create them based on the file names generated by Project Checker?

You can name your policy objects anything that matches eDir syntax for the CN attribute (basically a 64 char limit on the name). Ignore Project Checker for the most part.


3. Why are the file names hard-quoted?

Because they have to follow the LDAP/NCP/eDir standards for naming. Spaces are fine (avoid a space as the first/last char though, an eDir particularism) and most other chars are fine, but avoid specials just to make life simple.


4. What is a model object?

Not sure? The Modeler view in Designer is where you set up an Identity Vault (representing an eDir tree), with a Driverset (object in directory), that holds drivers (object in eDir) with all sorts of objects under it (Policies, schema maps, filter info, and more).

5. What is the type that I should select for each and every GCV that I am creating (the screenshot that I shared already), and please explain how to identify the variable type while creating a GCV?

One thing you may not be aware of is that originally drivers were distributed as XML files with everything in one file. With IDM 4.x they introduced the idea of Packages. I can now make a Driver Base package that requires a series of child packages. This allows me to layer functionality and make some mandatory, some optional.

So the GCVs are delivered by the Package and present you a UI to specify values.

If you want a discussion of GCV types, try this article:

http://www.novell.com/communities/node/11344/explaining-gcvs-part-1
http://www.novell.com/communities/node/11471/explaining-gcvs-part-2

https://community.microfocus.com/t5/Identity-Manager-Tips/Structured-Global-Configuration-Values-in-IDM/ta-p/1772443

Do you have any manual for Developer?

No, but I have a series of articles on things newcomers should know about IDM... Check out my collection of articles (alas, they killed the Wiki it was on), but it is less well formatted for now here:

https://community.microfocus.com/t5/Identity-Manager-Tips/Geoffrey-Carman-s-Personal-Collection-of-Articles/ta-p/1764056

Specific articles for newcomers:

https://www.netiq.com/communities/cool-solutions/common-mistakes-newcomers-idm-make-part-1/
http://www.novell.com/communities/node/13057/common-mistakes-newcomers-idm-make-part-2
http://www.novell.com/communities/node/13058/common-mistakes-newcomers-idm-make-part-3
http://www.novell.com/communities/node/13125/common-mistakes-newcomers-idm-make-part-4
http://www.novell.com/communities/node/13126/common-mistakes-newcomers-idm-make-part-5
http://www.novell.com/communities/node/13302/common-mistakes-newcomers-idm-make-part-6
http://www.novell.com/communities/node/13316/common-mistakes-newcomers-idm-make-part-7
http://www.novell.com/communities/node/13347/common-mistakes-newcomers-idm-make-part-8
http://www.novell.com/communities/node/13383/common-mistakes-newcomers-idm-make-part-9
http://www.novell.com/communities/node/13486/common-mistakes-newcomers-idm-make-part-10
http://www.netiq.com/communities/coolsolutions/common-mistakes-newcomers-to-idm-make-part-11/

Knowledge Partner

Also, as you get started here is a good set of articles to read as well:

These two by Aaron (A-aron) B are probably a good start on the steps to set up a driver for a beginner.

Aaron Burgemeister's AD driver series:
http://www.novell.com/communities/node/1450/active-directory-driver-basics
http://www.novell.com/communities/node/5586/3-active-directory-driver-basics

David Gersic's excellent series that walks through the policy flows (explains what that fishbone view of the driver means):


http://www.novell.com/communities/node/6679/guided-tour-novell-identity-manager
http://www.novell.com/communities/node/6696/guided-tour-novell-identity-manager
http://www.novell.com/communities/node/6697/guided-tour-novell-identity-manager

Fernando Freitas's amazing article on how to read and use DSTrace:
http://www.novell.com/communities/node/5681/capturing-and-reading-novell-identity-manager-traces

Another series on trace:
http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1
http://www.novell.com/communities/node/11166/comprehending-idm-traces-part-2

So much written, so much to read, so little time.

Vice Admiral

Before diving too deep into your solution, you may want to re-evaluate your requirements. Servers such as Red Hat, while they CAN have local /etc/passwd users provisioned using a connector from IDM, may be a better fit for a tool such as PAM (https://www.microfocus.com/en-us/products/netiq-privileged-account-manager/overview).

One of the features you can use in PAM is the ability to bridge AD users with the Linux operating system. This is also significantly more scalable than deploying Unix/Linux drivers to each of your servers. PAM also grants far more granular control over what can be done on the server, as well as some great auditing capabilities.

The end result with PAM is you provision a user in your primary directory (such as Active Directory) and grant them group memberships.  The user then logs into the Linux machine (if they are authorized) with their AD account.  Once on the machine, PAM determines what commands the user is authorized to execute (via AD groups if you'd like).  It can also audit the entire process by keylogging every single keystroke.

Candidly, depending on your requirements and the number of Linux servers, the license and implementation cost of PAM may be less than just the cost (read: effort required) to do the connectors from IDM.

You do have the ability to do this either way, but I encourage you to evaluate your requirements through the lens of PAM. 

Robert Ivey
GCA Technology Services
https://www.gca.net
Knowledge Partner

Do you even need PAM (the MF product for Privileged Access) vs. Linux PAM modules (redirectors of login against LDAP/AD/file/etc.) for this task?

Vice Admiral


@geoffc wrote:

Do you even need PAM (the MF product for Privileged Access) vs. Linux PAM modules (redirectors of login against LDAP/AD/file/etc.) for this task?

Technically, no. Linux PAM can do AD bridging by itself; however, depending on the size of the organization, central policy management, auditing and MFA integration are a few of the more advanced features that can be helpful.

Robert Ivey
GCA Technology Services
https://www.gca.net
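The AD bridging with plain Linux PAM modules that the two replies above refer to, shown as an added example that is not part of this thread or of any Micro Focus product: on RHEL 7 the usual stack is sssd (identity and Kerberos authentication from the AD domain the host was joined to) behind pam_sss.so, with login restricted to named AD groups so that only authorized users get a shell and no local /etc/passwd entries have to be provisioned per server. The domain, realm and group names below are placeholders, not values from the thread.

```ini
# /etc/sssd/sssd.conf -- added illustration, not from the thread.
# Placeholders: example.com / EXAMPLE.COM (AD domain and Kerberos realm),
# linux-admins and linux-operators (AD groups allowed to log in).
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Identity (uid/gid, home, shell) and authentication both come from AD,
# so user accounts exist only in the directory, never in /etc/passwd.
id_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Derive POSIX ids from the AD SID instead of requiring RFC 2307 attributes.
ldap_id_mapping = true
# Allow logins for already-seen users when the domain controller is unreachable.
cache_credentials = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
default_shell = /bin/bash

# Authorization: the "simple" access provider checks AD group membership
# before pam_sss.so reports success, so a valid AD password alone is not
# enough to reach a shell on this host.
access_provider = simple
simple_allow_groups = linux-admins, linux-operators
```

Usage notes for this assumed setup: join the host with `realm join example.com` (creates the keytab), then `authconfig --enablesssd --enablesssdauth --update` adds the `pam_sss.so` lines to /etc/pam.d/system-auth and `sss` to /etc/nsswitch.conf. sssd refuses to start unless sssd.conf is owned by root with mode 0600, which is also what keeps the file's contents from being readable by other local users. Verify with `getent passwd someaduser` and a test login; a user who is in AD but not in one of the listed groups should be rejected at the account phase, and that rejection is logged by sssd and by the system auth log, which is the audit trail to check first.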