Management of local users on linux operating systems using the fanout driver

prasenjitmass · ‎2019-10-23

Hi,

I have deployed the fanout driver for provisioning and de-provisioning of system users on linux.

I need to configure the driver so that

(a) if a local user is created by a root user, the same can be reset or deleted by the fanout driver

(b) if a local user is created by a root user, the password of the same can be reset by the system immediately whenever the password is locally set.

Zygomax · ‎2019-10-24

For (a) you might look at a different Driver, the Bidirectional Linux/UNIX Driver: https://www.netiq.com/documentation/identity-manager-47-drivers/bi_impl_nx/data/bi_impl_nx.html. The reason is that accounts created on Platforms are not synchronized to the Fan-Out Driver, but the Bidirectional Driver can do that.
The Bidirectional Driver may also have functionality for (b) by leveraging PAM.

Regards,
Sam

rivey · ‎2019-10-24

I would highly recommend looking at a PAM solution, specifically an AD bridging feature. This will allow your end-users to login using their primary LDAP credential. It can also extend the use of AD groups for rights and provide a sudo-like tool for privilege escalation.

As much as I love IDM, the IDM fanout and bidirectional features are not as good a solution as PAM for these types of use cases.

Robert Ivey
GCA Technology Services
https://www.gca.net

Engine-Drivers