IBM Security Privileged Identity Manager, Version 2.0.2

POSIX_LINUX subtype

Know about the identity provider column headers for bulk loading POSIX_LINUX identity providers.

Each entry below gives the attribute column header, its description, and whether it is required.

ORG_PDN
ORG_PDN is a query string for the system to search for qualified admin domains. The following pseudo BNF notation represents the syntax for ORG_PDN:
orgDn ::= orgRdn | orgRdn "," orgDn
orgRdn ::= orgAttr '=' value
orgAttr ::= string (Must be a valid attribute name of the organizational container.)

You must specify an ORG_PDN that uniquely identifies an admin domain. If the specified ORG_PDN resolves to multiple results, IBM® Security Privileged Identity Manager treats it as invalid input.

It is suggested that you use the full path of the admin domain. For example, if you have an admin domain named Valerie Workspace that belongs to the Organization Unit HR, with location China, for organization IBM, use "ou=Valerie Workspace, ou=HR, l=China, o=IBM".
You can find the admin domain name in the top left corner of the Service Center. The rest of the pseudo DN is the path of the admin domain. In the path, you can use the following elements:
o=<Organization Name>
l=<Location Name>
ou=<Organization Unit>
You can find the path of an admin domain in the administrative console, under Manage Organization Structure.
Required. See note.

ORG_URI
Specify the organizational container under which the identity provider must be created. The organizational container might be an admin domain, organizational unit, or location, for example. If the ORG_URI value is not specified but the ORG_PDN value is provided, IBM Security Privileged Identity Manager uses the ORG_PDN attribute value. If neither attribute is provided, or if the ORG_URI or ORG_PDN value is incorrect, the entry is invalid.

This attribute specifies the Uniform Resource Identifier. You can add this field by adding the eruri attribute to the container form template when you design forms.
Required. See note.

Note: You must specify either ORG_URI or ORG_PDN when you create an identity provider. Specifying these attributes is optional when you update the identity provider.

IDENTITY_PROVIDER_PDN
IDENTITY_PROVIDER_PDN is a query string for the system to search for qualified identity providers.
The following pseudo Backus-Naur Form (BNF) notation represents the syntax for IDENTITY_PROVIDER_PDN:
servicePDN ::= serviceAttr '=' value ',' orgDn
orgDn ::= orgRdn | orgRdn "," orgDn
orgRdn ::= orgAttr '=' value
serviceAttr ::= string (Must be a valid attribute name of the service.)
orgAttr ::= string (Must be a valid attribute name of the organizational container.)
value ::= string

You must specify an IDENTITY_PROVIDER_PDN that uniquely identifies an identity provider. If the specified IDENTITY_PROVIDER_PDN resolves to multiple results, IBM Security Privileged Identity Manager treats it as invalid input.

For example:
erservicename=DB2 Service, ou=Valerie Workspace, ou=HR, l=China, o=IBM
where <idp attribute>=<value>,<full path of the admin domain>
Note: The values are space character-sensitive. Unnecessary spaces in the value may cause failure of PDN resolution.

Required only when you are updating an identity provider.

SERVICEUID An identifier used to uniquely identify a user of an identity provider. Required.
SERVICENAME Name to display on the user interface. Required.
DESCRIPTION Describe the service. Required.
ITDIURL Specify the URL for the Tivoli® Directory Integrator instance. Valid syntax is rmi://ip-address:port/ITDIDispatcher, where ip-address is the Tivoli Directory Integrator host, and port is the port number for the RMI Dispatcher. For example, you might specify the URL as rmi://localhost:16231/ITDIDispatcher. Required.
TEST_CONNECTION Value true or false. Specify whether to test the connection before creating or updating the identity provider. If set to true, an identity provider is created or updated only if a connection test is successful. If false, the identity provider is created or updated without a connection test. Optional.
AUTHENTICATEMODE If the authentication mode is set to Self, the administrator name or password is not required before you test the connection. If the authentication mode is set to Admin, you must specify the administrator name and password. Optional.
POSIXLINUXURL Specify the host name or IP address for the resource. For IPv6 addresses, enter the address value in brackets. An example of a URL using an IPv6 address is http://[address]:port. Optional.
OWNER Specify the owner of the resource. Optional.
PREREQUISITE Specify an IBM Security Privileged Identity Manager service that is prerequisite to this service. Optional.
URL URL of the data source. Supported protocols include http and https. This attribute is required. Optional.
POSIXUSESUDO Specify if the administrator has sudo capability on the Linux server. Values: true or false. Optional.
POSIXEXECUTEUSRPROFILE Specify the existing user ID of the service owner that administers the Linux service instance. Optional.
POSIXAUTHMETHOD Select the authentication method.
Password Based Authentication uses a password to authenticate users.
Key Based Authentication requires the use of a passphrase and private key file to authenticate users.
Optional.
PASSWORD A password used to authenticate a user. Optional.
POSIXPASSPHRASE Enter the passphrase to use for key-based authentication. Required for key-based authentication. Optional.
POSIXPKFILE Specify the full path and file name of the keystore containing the private key of the client. This keystore must be on the machine running the Tivoli Directory Integrator server. Optional.
POSIXALFILESYSTEMPATH Specify the file path from which the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines that are received from IBM Security Privileged Identity Manager. You can specify the following file path to load the assembly lines from the profiles directory on the Windows operating system: c:\Files\IBM\TDI\V7.1\profiles. Alternatively, you can specify the following file path to load the assembly lines from the profiles directory on UNIX and Linux operating systems: /opt/IBM/TDI/V7.1/profiles. Optional.
POSIXMAXCONNECTIONCNT Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. Enter 10 if you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0, the dispatcher does not limit the number of assembly lines that are run simultaneously for the service. Optional.
POSIXDISABLEALCACHE Specify true to disable the assembly line caching in the dispatcher for the service. The assembly lines for the add, modify, delete, and test operations are not cached. Optional.
POSIXHOMEDIRREMOVE Specify whether to delete the home directory of the user on the Linux server when the account is deleted. Values: true or false. Optional.
POSIXUSESHADOW

Specify whether shadow passwords are enabled on the managed resource. This field applies to service forms only when you use the Linux or HP-UX identity providers. Values: true or false.

For Linux operating systems, shadow passwords are enabled by default. When you create a service for HP-UX, by default the field is enabled. If the HP-UX system you are connecting to is an HP-UX trusted system, then the field is irrelevant and the adapter ignores the field.

Optional.
POSIXRETURNSUDOPRIVILEGES If enabled, the adapter returns the sudo privileges granted to users and groups during reconciliation. Values: true or false. Optional.
POSIXSUDOERSPATH If it is not the default location /etc/sudoers on the resource, enter the directory path to the sudoers file. Optional.
POSIXFAILEDLOGINCMD
Specify the system command that is used to detect and tally failed login attempts and enforce account lockout. This command must be configured through the PAM mechanism. If no value is specified, the default faillog command is used.
Note: This command is not available on some operating systems, such as RHEL 6.1 and later versions, and might cause connection attempts to fail. Therefore, specify a failed login command that exists on the Linux distribution installed on the target system.
Optional.
POSIXFAILEDLOGINTALLYLOC

Specify the absolute path to the location of the failed login attempt datastore, if it is not the default datastore. This field applies to faillock and pam_tally2 only. The field is ignored when faillog is used.

If you use faillock, specify the directory that contains the login record files for individual users. If you use pam_tally2, specify the full path of the file that contains the login record data for all users.

Optional.
POSIXMAXFAILEDLOGINS Specify the maximum number of failed logins that can occur before an account is locked. This field applies to faillock and pam_tally2 only. The field is ignored when faillog is used. Optional.

Example 1 - adding an entry

#IdentityProviders,POSIX_LINUX
SERVICENAME, DESCRIPTION, URL, SERVICEUID, PASSWORD,POSIXUSESHADOW,AUTHENTICATEMODE,POSIXHOMEDIRREMOVE,ORG_PDN
DB2Linux,"DB2 server on Linux", 192.0.0.4, root, no_secret,false,0,false, "ou=Valerie Workspace, ou=HR, l=China, o=IBM"

Example 2 - updating an entry

#IdentityProviders, POSIX_LINUX
IDENTITY_PROVIDER_PDN, SERVICENAME, DESCRIPTION
"erservicename=DB2Linux, ou=Valerie Workspace, ou=HR, l=China, o=IBM", "DB2Linux", "This is an update."
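The following is an added example, not part of the IBM documentation or product: a small loader for the bulk-load layout shown above that checks the PDN grammar (orgDn and servicePDN from the BNF), the stray-space rule from the note, the ORG_URI/ORG_PDN and IDENTITY_PROVIDER_PDN requirements, and the documented ITDIURL syntax. The SAMPLE file and the function names are constructed here; the product's own loader is not described on this page.

```python
import csv, io, re

# Constructed sample in the bulk-load layout documented above (not taken from the page).
SAMPLE = '''#IdentityProviders,POSIX_LINUX
SERVICENAME,DESCRIPTION,URL,SERVICEUID,PASSWORD,ITDIURL,POSIXUSESHADOW,ORG_PDN
DB2Linux,"DB2 server on Linux",192.0.0.4,root,no_secret,rmi://localhost:16231/ITDIDispatcher,true,"ou=Valerie Workspace, ou=HR, l=China, o=IBM"
'''
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9]*=\S(?:.*\S)?$")  # attr '=' value, no blank beside '='
_ORG_ATTRS = {"o", "l", "ou"}                                # admin-domain path elements listed above
_ITDIURL = re.compile(r"^rmi://[^/\s:]+(?::\d{1,5})?/ITDIDispatcher$")

def parse_pdn(pdn, service_first=False):
    """Split a pseudo DN into [(attr, value), ...] per the BNF above; raise ValueError if malformed."""
    rdns = []
    for part in pdn.split(","):
        part = part.strip()                      # blanks around the ',' separator are tolerated
        if not _RDN.match(part):
            raise ValueError("malformed RDN %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.lower(), value))
    org = rdns[1:] if service_first else rdns    # IDENTITY_PROVIDER_PDN: service RDN, then org path
    if service_first and (len(rdns) < 2 or rdns[0][0] in _ORG_ATTRS):
        raise ValueError("expected <idp attribute>=<value>,<full path of the admin domain>")
    if any(a not in _ORG_ATTRS for a, _ in org):
        raise ValueError("admin domain path may contain only o=, l= and ou= elements")
    return rdns

def load(text):
    first, _, body = text.strip().partition("\n")  # '#IdentityProviders,<subtype>', then CSV rows
    tag = [t.strip() for t in first.lstrip("#").split(",")]
    if tag[0] != "IdentityProviders" or len(tag) != 2:
        raise ValueError("first line must be #IdentityProviders,<subtype>")
    rows = [r for r in csv.reader(io.StringIO(body), skipinitialspace=True) if r]  # quoted PDNs keep commas
    header = [h.strip() for h in rows[0]]
    return tag[1], [dict(zip(header, [v.strip() for v in r])) for r in rows[1:]]

def validate(rec):
    errs, updating = [], bool(rec.get("IDENTITY_PROVIDER_PDN"))  # PDN present means an update
    if not updating:
        errs += ["%s is required" % c for c in ("SERVICEUID", "SERVICENAME", "DESCRIPTION", "ITDIURL") if not rec.get(c)]
        if not (rec.get("ORG_PDN") or rec.get("ORG_URI")):
            errs.append("ORG_URI or ORG_PDN is required when creating")
    for col in ("ORG_PDN", "IDENTITY_PROVIDER_PDN"):
        try:
            if rec.get(col): parse_pdn(rec[col], col == "IDENTITY_PROVIDER_PDN")
        except ValueError as e:
            errs.append("%s: %s" % (col, e))
    if rec.get("ITDIURL") and not _ITDIURL.match(rec["ITDIURL"]):
        errs.append("ITDIURL must be rmi://ip-address:port/ITDIDispatcher")
    return errs
```

Run validate over each record returned by load before submitting the file; an empty list means the record passes the checks documented on this page.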
