Symantec IGA

  • 1.  User Provisioning on Unix/Linux Endpoints

    Posted Dec 21, 2015 01:35 AM

    Hi,

    We are using CA IdentityMinder R12.6 SP3 in our environment.

    Currently as per the account creation process, we create the group first with group name as user name on Linux NFS server manually using Provisioning Manager client and will note down the GID value. We then create the user on this NFS server with UID same as GID value. Finally, any account on other Linux/Unix endpoints will be created using same UID and GID values that are being set on the Linux NFS server.

    I went through the account templates, but can’t think of how group creation, user creation & assignment of created group as member of for this user can be completed using single account template on NFS server and how the UID/GID values set on NFS server can be used in another template for creating users on other Linux/Unix endpoints?

    Please provide some inputs.

    Thanks,

    Chenna



  • 2.  Re: User Provisioning on Unix/Linux Endpoints

    Posted Jan 04, 2016 06:38 AM

    Hi Chenna

    Long time since I have been playing with this.

    Not sure if you are utilizing IM or Provisioning or a combination.

    Maybe something like below is possible?

    Use PX policy (in IM) or program exit (in prov) and create the group and get the GID.

    Put those two values in as custom field for the user.

    Now you may be able to use the custom fields in the account templates.

    Cheers, Atle



  • 3.  Re: User Provisioning on Unix/Linux Endpoints

    Posted Jan 12, 2016 08:00 AM

    Hi Atle,

    The problem we are facing is creating groups from the user console using PX or otherwise. These are dynamic groups and each group will have only one user. So for each user we need a group. Let's say we have a user having userid 1234. Then we have to create a group with the name as 1234 and GID let's say 50001. Now after that we will create a user with username as 1234 and UID as 50001. This will be repeated for all the users. Currently we have this as a manual process where admins use provisioning manager to achieve the task. We want to automate it so that when the user is granted access to the Linux NFS server the group and user are created. We are able to achieve the user creation using account templates, provisioning roles and PX. But we are not able to create groups in the Linux NFS endpoint. Will be glad if you can offer a solution to this.

    Thanks

    Saurabh



  • 4.  Re: User Provisioning on Unix/Linux Endpoints

    Posted Jan 18, 2016 06:53 AM

    Hi Saurabh

    Haven't been able to work on this. Do you have any support issue open for this?

    But here is an idea.

    If you know the GID and UID when you are supposed to create the user, add UID into customfield1 and GUID into customfield2.

    On template, use set and use rulestring %UCU01% for UID and for Primary Group set it to %UCU02%.

    Then on the endpoint, utilize ExitSetup.ini located in /opt/CA/IdentityManager/ProvisioningUnixAgent/etc and add a PreExit script that will take the GUID coming from Prov Server and add the group. But only do this if it is a create command.

    Also add a post exit script that will delete the GUID if this is a delete command.

    Cheers, Atle
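
The group handling that the last reply proposes for the pre- and post-exit scripts, as an added example that is not part of the thread and not code from the CA product. It validates the name and group ID sent by the provisioning server before they reach a command line, and prints the `groupadd`/`groupdel` command instead of running it. Assumptions: the function names, the GID range, and that the exit receives operation, name and GID as plain strings (the thread does not show how the agent passes them).

```shell
#!/bin/sh
# Added example. Assumption: the exit receives operation, group name and GID
# as plain strings; how the agent hands them over is not shown in the thread.
MIN_GID=1000   # assumed site range for per-user groups
MAX_GID=60000

valid_name() {   # letters, digits, _ . - only; no leading dash; max 32 chars
    case "$1" in ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

valid_gid() {    # plain decimal, no leading zero, inside the assumed range
    case "$1" in ""|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 9 ] && [ "$1" -ge "$MIN_GID" ] && [ "$1" -le "$MAX_GID" ]
}

# plan_group_action OP NAME GID [GROUP_FILE]
# Prints the command to run (nothing if no change is needed).
# Returns 0 = ok, 2 = input rejected, 3 = conflict with an existing group.
plan_group_action() {
    op=$1; name=$2; gid=$3; db=${4:-/etc/group}
    valid_name "$name" || return 2
    valid_gid "$gid" || return 2
    # group file format: name:password:gid:member,member
    gid_owner=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$db")
    name_line=$(awk -F: -v n="$name" \
        '($1 "") == (n "") { print $3 ":" $4; exit }' "$db")
    case "$op" in
    create)
        if [ -z "$gid_owner" ] && [ -z "$name_line" ]; then
            echo "groupadd -g $gid $name"
        elif [ "$gid_owner" != "$name" ]; then
            return 3   # GID or name already belongs to a different group
        fi ;;          # exact name/GID pair already present: nothing to do
    delete)
        # remove only the exact private group, and only if nobody else is in it
        case "$name_line" in
            "") ;;                                    # already gone
            "$gid:"|"$gid:$name") echo "groupdel $name" ;;
            *) return 3 ;;
        esac ;;
    *)  ;;             # any other operation: leave groups alone
    esac
}
```

A calling exit script would run the printed command only when the function returns 0, and log the return code otherwise.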