How to create users in Redhat Server 7.4 from IDM
I am new to IDM. I want to learn how to create users in Red Hat Linux from IDM through Designer.
1. What are the files that need to be created after creating a driverset? Why are they not created automatically?
Designer is a tool that manages objects stored in eDirectory. So all the objects are objects you can see via LDAP or NCP (iManager). Designer is an offline tool; it stays local until you deploy to the directory.
2. Can we create policies with any name, or do we need to create them based on the file names generated by Project Checker?
You can name your policy objects anything that matches eDir syntax for the CN attribute (Basically 64 char limit on name). Ignore Project Checker for the most part.
3. Why are the file names hard quoted?
Because they have to follow the LDAP/NCP/eDir standards for naming. Spaces are fine (Avoid space as first/last char though, an eDir particularism) and most other chars are fine, but avoid specials just to make life simple.
4. What is a model object?
Not sure. The Modeler view in Designer is where you set up an Identity Vault (representing an eDir tree), with a Driverset (object in directory), which holds drivers (object in eDir) with all sorts of objects under it (Policies, schema maps, filter info, and more).
5. What type should I select for each GCV that I am creating (see the screenshot I already shared), and please explain how to identify the variable type while creating a GCV?
One thing you may not be aware of is that originally drivers were distributed as XML files with everything in one file. With IDM 4.x they introduced the idea of Packages. I can now make a Driver Base package, which requires a series of child packages. This allows me to layer functionality and make some mandatory, some optional.
So the GCVs are delivered by the Package and present you a UI to specify values.
If you want a discussion of GCV types, try this article:
Do you have any manual for Developer?
No, but I have a series of articles on things newcomers should know about IDM... Check out my collection of articles (alas, they killed the Wiki it was on), which is less well formatted for now, here:
Specific articles for newcomers:
Also, as you get started here is a good set of articles to read as well:
These two by Aaron (A-aron) B are probably a good start on steps to setup a driver for a beginner.
David Gersic's excellent series that walks through the policy flows (explains what that fishbone view of the driver means):
Fernando Freitas's amazing article on how to read and use DSTrace:
Another series on trace: http://www.novell.com/communities/node/5681/capturing-and-reading-novell-identity-manager-traces
So much written, so much to read, so little time.
Before diving too deep into your solution, you may want to re-evaluate your requirements. Servers such as Red Hat, while they CAN have local /etc/passwd users provisioned using a connector from IDM, may be a better fit for a tool such as PAM (https://www.microfocus.com/en-us/products/netiq-privileged-account-manager/overview).
One of the features you can use in PAM is the ability to bridge AD users with the Linux operating system. This is also significantly more scalable than deploying unix/linux drivers to each of your servers. PAM also grants far more granular control over what can be done on the server, as well as some great auditing capabilities.
The end result with PAM is you provision a user in your primary directory (such as Active Directory) and grant them group memberships. The user then logs into the Linux machine (if they are authorized) with their AD account. Once on the machine, PAM determines what commands the user is authorized to execute (via AD groups if you'd like). It can also audit the entire process by keylogging every single keystroke.
Candidly, depending on your requirements and the number of Linux servers, the license and implementation cost of PAM may be less than just the cost (read: effort required) to do the connectors from IDM.
You do have the ability to do this either way, but I encourage you to evaluate your requirements through the lens of PAM.
GCA Technology Services
Do you even need PAM (the MF product for Privileged Access) vs Linux PAM modules (redirectors of login against LDAP/AD/file/etc) for this task?
Technically, no. Linux PAM can do AD bridging by itself; however, depending on the size of the organization, the central policy management, auditing and MFA integration are a few of the more advanced features that can be helpful.
GCA Technology Services
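As an added illustration of the Linux-side AD bridging mentioned in the last two posts (this is not from any poster in the thread), here is a constructed SSSD configuration for a RHEL 7 host joined to a hypothetical domain `corp.example`; the domain name, the group `linux-admins` and the paths are all assumptions.

```ini
# /etc/sssd/sssd.conf -- constructed example, hypothetical domain corp.example
# After "realm join corp.example" (realmd/adcli) a RHEL 7 host ends up with
# roughly this; only the access-control part is tightened below.
[sssd]
config_file_version = 2
domains = corp.example
services = nss, pam

[domain/corp.example]
id_provider = ad
auth_provider = ad
ad_domain = corp.example
krb5_realm = CORP.EXAMPLE
cache_credentials = True
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Weak setting: every account in the AD domain may log in to this host.
# access_provider = permit

# Tightened: only members of one AD group (hypothetical name) may log in,
# which is the "if they are authorized" step described above, done with
# plain Linux PAM/SSSD rather than a separate product.
access_provider = simple
simple_allow_groups = linux-admins@corp.example
```

On RHEL 7, `authconfig --enablesssd --enablesssdauth --enablemkhomedir --update` wires `pam_sss.so` into the PAM stack so this file takes effect; sssd refuses to start unless the file is owned by root with mode 0600.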