BigAdmin System Administration Portal
Feature Article

Using Sun Java System Identity Manager With RBAC Profiles in the Solaris OS

Scott Fehrman, August 2005


Overview

The Sun Java System Identity Manager uses Resource Adapters to create, modify, and delete accounts on systems running the Solaris Operating System. The Resource Adapter for the Solaris OS must be configured with a login that is allowed to perform user management on the target system. It can use the root account, the sudo utility, or a dedicated "privileged" user account.

Most customers will not allow Identity Manager to log in as root. Using sudo requires installing and configuring it on the Solaris OS (sudo is shipped on the Companion CD and is not supported by Sun). Creating a dedicated "proxy" or "privileged" account is the more controlled option, because the Solaris OS has a built-in mechanism for delegating specific privileged commands to individual users or roles.

This document explains how to configure the Solaris OS (releases 9 and 10) with Identity Manager to use a privileged profile for the creation, modification, and deletion of user accounts via the Identity Manager Resource Adapter for the Solaris OS.

RBAC and Profiles

The Solaris OS provides Role Based Access Control (RBAC) for the delegation of administrative tasks. RBAC can be used as an alternative to the root account for user management, and it replaces the sudo utility, which is not supported as a Solaris feature. This paper covers the RBAC component called profiles. A profile defines which privileged commands can be executed and with what attributes (for example, the user ID the command runs as). A profile can be assigned to users and/or roles.

A profile takes effect only when the user either switches into a role with su or executes the privileged commands from a "profile shell." The Solaris OS provides three profile shells:

/usr/bin/pfsh
/usr/bin/pfcsh
/usr/bin/pfksh

Using Profiles

There are two ways to execute the privileged commands granted by a profile.

The user or role can be placed in a profile shell automatically by assigning one of the profile shells as the login shell in /etc/passwd. In the example below, the user idmadm runs its profile's commands with their extra privileges simply by typing them, because its login shell is /usr/bin/pfksh. (The profile shell by itself grants nothing; the profile must also be assigned to the user in /etc/user_attr, which the useradd -P option used later in this document does.)

$ grep idmadm /etc/passwd
idmadm:x:23734:1:IdMgr Admin:/export/home/idmadm:/usr/bin/pfksh

A user whose login shell is an ordinary, non-profile shell (csh, ksh, bash, and so on) can still run the commands in his or her profile. Each privileged command is run through pfexec, which executes that one command with the attributes the profile grants it:

-bash-3.00$ pfexec useradd johndoe ...

This document explains how to create a proxy (or privileged) user that will be allowed to manage user accounts. The proxy user, idmadm, will be assigned to a custom Solaris profile called "Identity Management," which can execute the commands needed by the Identity Manager's Resource Adapter.


Set Up an RBAC Profile

Set up a profile that grants the commands the Identity Manager Resource Adapter needs. Creating a new profile requires root access, because the profile database files under /etc/security are writable only by root.

Choose a profile name that is not already defined in /etc/security/prof_attr. This example uses a profile named "Identity Management". Back up the original exec_attr and prof_attr files before changing them. As root, run:

# cp /etc/security/exec_attr /etc/security/exec_attr.orig
# cp /etc/security/prof_attr /etc/security/prof_attr.orig

As root, add the following line to the end of the /etc/security/prof_attr file:

Identity Management:::Sun Identity Manager Profile:

This line defines a new profile called "Identity Management". Fields two and three are reserved, the fourth field is a free-form description, and the last field holds optional key=value attributes. Next, as root, add the following lines to the end of /etc/security/exec_attr.

Note: The second field of an exec_attr entry, the policy, differs between the Solaris 9 OS and the Solaris 10 OS. In the Solaris 9 OS the only available policy is suser; in the Solaris 10 OS it must be solaris. The remaining fields are the same on both releases: the entry type (cmd), two reserved fields, the full pathname of the command, and the attributes the command runs with (here uid=0, so the command runs as root).

For the Solaris 9 OS, use these entries:

Identity Management:suser:cmd:::/usr/sbin/useradd:uid=0
Identity Management:suser:cmd:::/usr/sbin/userdel:uid=0
Identity Management:suser:cmd:::/usr/sbin/usermod:uid=0
Identity Management:suser:cmd:::/usr/sbin/groupadd:uid=0
Identity Management:suser:cmd:::/usr/sbin/groupdel:uid=0
Identity Management:suser:cmd:::/usr/sbin/groupmod:uid=0
Identity Management:suser:cmd:::/usr/bin/logins:uid=0;gid=bin
Identity Management:suser:cmd:::/usr/bin/which:uid=0;gid=bin
Identity Management:suser:cmd:::/usr/bin/passwd:uid=0
Identity Management:suser:cmd:::/usr/ccs/bin/make:uid=0
Identity Management:suser:cmd:::/usr/bin/yppasswd:uid=0
Identity Management:suser:cmd:::/usr/bin/chmod:uid=0
Identity Management:suser:cmd:::/usr/bin/chown:uid=0
Identity Management:suser:cmd:::/usr/bin/cp:uid=0
Identity Management:suser:cmd:::/usr/bin/mv:uid=0
Identity Management:suser:cmd:::/usr/bin/rm:uid=0
Identity Management:suser:cmd:::/usr/bin/sed:uid=0
Identity Management:suser:cmd:::/usr/bin/touch:uid=0

For the Solaris 10 OS, use these entries:

Identity Management:solaris:cmd:::/usr/sbin/useradd:uid=0
Identity Management:solaris:cmd:::/usr/sbin/userdel:uid=0
Identity Management:solaris:cmd:::/usr/sbin/usermod:uid=0
Identity Management:solaris:cmd:::/usr/sbin/groupadd:uid=0
Identity Management:solaris:cmd:::/usr/sbin/groupdel:uid=0
Identity Management:solaris:cmd:::/usr/sbin/groupmod:uid=0
Identity Management:solaris:cmd:::/usr/bin/logins:uid=0;gid=bin
Identity Management:solaris:cmd:::/usr/bin/which:uid=0;gid=bin
Identity Management:solaris:cmd:::/usr/bin/passwd:uid=0
Identity Management:solaris:cmd:::/usr/ccs/bin/make:uid=0
Identity Management:solaris:cmd:::/usr/bin/yppasswd:uid=0
Identity Management:solaris:cmd:::/usr/bin/chmod:uid=0
Identity Management:solaris:cmd:::/usr/bin/chown:uid=0
Identity Management:solaris:cmd:::/usr/bin/cp:uid=0
Identity Management:solaris:cmd:::/usr/bin/mv:uid=0
Identity Management:solaris:cmd:::/usr/bin/rm:uid=0
Identity Management:solaris:cmd:::/usr/bin/sed:uid=0
Identity Management:solaris:cmd:::/usr/bin/touch:uid=0
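The entries above are easy to mistype, and a second copy-and-paste silently duplicates the profile. The script below is an added example, not part of the original article or of Identity Manager: it generates the prof_attr and exec_attr lines from one list, picks the policy field from the release string that uname -r reports (5.9 or 5.10), backs up both files once, and refuses to append the profile a second time. The SEC_DIR variable is an assumption added so the script can be exercised against a scratch copy of the two files before it is run as root against /etc/security.

```shell
#!/bin/sh
# Added example (not from the original article): install the "Identity
# Management" RBAC profile into prof_attr/exec_attr without duplicating it.
# SEC_DIR is an assumed override so the script can be tried on a scratch copy.
SEC_DIR=${SEC_DIR:-/etc/security}
PROFILE="Identity Management"
DESC="Sun Identity Manager Profile"

# Commands the Solaris Resource Adapter needs (Table 1), each with the
# attributes the article assigns to it.
IDM_CMDS="
/usr/sbin/useradd:uid=0
/usr/sbin/userdel:uid=0
/usr/sbin/usermod:uid=0
/usr/sbin/groupadd:uid=0
/usr/sbin/groupdel:uid=0
/usr/sbin/groupmod:uid=0
/usr/bin/logins:uid=0;gid=bin
/usr/bin/which:uid=0;gid=bin
/usr/bin/passwd:uid=0
/usr/ccs/bin/make:uid=0
/usr/bin/yppasswd:uid=0
/usr/bin/chmod:uid=0
/usr/bin/chown:uid=0
/usr/bin/cp:uid=0
/usr/bin/mv:uid=0
/usr/bin/rm:uid=0
/usr/bin/sed:uid=0
/usr/bin/touch:uid=0
"

# Map a SunOS release string (uname -r) to the exec_attr policy field:
# Solaris 9 (5.9) only knows "suser"; Solaris 10 (5.10) uses "solaris".
rbac_policy() {
    case "$1" in
        5.9)  echo suser ;;
        5.10) echo solaris ;;
        *)    echo "unsupported release: $1" >&2; return 1 ;;
    esac
}

# prof_attr entry: name:res1:res2:description:attributes (5 fields).
prof_attr_line() {
    printf '%s:::%s:\n' "$PROFILE" "$DESC"
}

# exec_attr entry: name:policy:type:res1:res2:id:attributes (7 fields).
exec_attr_line() {   # $1 policy, $2 command path, $3 attributes
    printf '%s:%s:cmd:::%s:%s\n' "$PROFILE" "$1" "$2" "$3"
}

# Number of entries for the profile in a file (0 if the file is absent).
profile_entries() {  # $1 file
    [ -f "$1" ] || { echo 0; return; }
    awk -F: -v p="$PROFILE" '$1 == p { n++ } END { print n + 0 }' "$1"
}

# Keep one pristine .orig copy of each file, then append the profile only if
# prof_attr does not define it yet. Returns 2 when nothing was changed.
install_profile() {  # $1 release string from uname -r
    policy=$(rbac_policy "$1") || return 1
    for f in prof_attr exec_attr; do
        if [ -f "$SEC_DIR/$f" ] && [ ! -f "$SEC_DIR/$f.orig" ]; then
            cp -p "$SEC_DIR/$f" "$SEC_DIR/$f.orig"
        fi
    done
    if [ "$(profile_entries "$SEC_DIR/prof_attr")" -ne 0 ]; then
        echo "profile '$PROFILE' already defined; nothing changed" >&2
        return 2
    fi
    prof_attr_line >> "$SEC_DIR/prof_attr"
    echo "$IDM_CMDS" | grep -v '^$' | while IFS=: read -r path attrs; do
        exec_attr_line "$policy" "$path" "$attrs"
    done >> "$SEC_DIR/exec_attr"
}

# Usage (as root on the target system): sh install-idm-profile.sh install
if [ "${1:-}" = install ]; then
    install_profile "$(uname -r)"
fi
```

Run it first with SEC_DIR pointing at a directory holding copies of the two files and inspect the result with awk -F: 'NF != 7' on exec_attr (every entry must have seven fields); then run it as root without SEC_DIR. The profile name check is deliberately on prof_attr, so a half-applied earlier attempt that left exec_attr lines without the prof_attr line is reported rather than doubled.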

Table 1 lists the Solaris commands that the Solaris Resource Adapter in Identity Manager invokes with privileges. Every one of them must complete for the Identity Manager proxy user without a permission error.

Table 1: Solaris Commands Needed by the Solaris Resource Adapter

Command    Description
useradd    Administer a new user login
userdel    Delete a user's login
usermod    Modify a user's login information
groupadd   Add (create) a new group definition
groupdel   Delete a group definition
groupmod   Modify a group definition
logins     List user and system login information
which      Locate a command; display pathname or alias
passwd     Change login password and password attributes
make       Maintain, update, and regenerate related programs and files
yppasswd   Change your network password in the NIS database
chmod      Change the mode (permissions) of a file
chown      Change the owner of a file
cp         Copy file(s)
mv         Rename a file or move to another directory
rm         Remove a file
sed        Stream editor
touch      Update the time/date stamp of a file

Note: Some of the commands listed in Table 1 (and in the profile) would not normally need to be in the profile. They are included in the "Identity Management" profile because they read files that require extra privileges, or because of a known access issue. These commands are logins and which.
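Before handing the account to the adapter it is worth checking the profile mechanically rather than by eye. The script below is an added example, not part of the original article or of Identity Manager. It reads the exec_attr entries of the "Identity Management" profile and reports three things: commands from Table 1 the profile does not grant (the adapter would then hit a permission error), granted paths that are not executable on the host (a typo in the pathname looks like a privilege problem from the adapter's side), and entries that give uid=0 to general-purpose file tools. The EXEC_ATTR override and the deliberately flawed sample file are assumptions added for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the exec_attr entries
# of the "Identity Management" profile. EXEC_ATTR is an assumed override so the
# audit can run against a copy of the file.
EXEC_ATTR=${EXEC_ATTR:-/etc/security/exec_attr}
PROFILE="Identity Management"

# Privileged commands the Solaris Resource Adapter needs (Table 1), by name.
REQUIRED="useradd userdel usermod groupadd groupdel groupmod logins which
passwd make yppasswd chmod chown cp mv rm sed touch"

# With uid=0 these rewrite any file on the system (/etc/passwd, exec_attr
# itself, ...): the profile limits which program runs, not what it may touch.
ROOT_EQUIV="chmod chown cp mv rm sed touch"

# Paths (field 6) of the cmd entries granted by the profile, one per line.
granted_paths() {
    awk -F: -v p="$PROFILE" '$1 == p && $3 == "cmd" { print $6 }' "$EXEC_ATTR"
}

# Required commands with no entry in the profile.
missing_commands() {
    granted=$(granted_paths | sed 's,.*/,,')
    for c in $REQUIRED; do
        echo "$granted" | grep -qx "$c" || echo "$c"
    done
}

# Granted paths that are not executable files on this host.
absent_binaries() {
    granted_paths | while read -r path; do
        [ -x "$path" ] || echo "$path"
    done
}

# Entries whose attribute field sets uid=0 (or euid=0) on a file tool.
root_equivalent_entries() {
    awk -F: -v p="$PROFILE" \
        '$1 == p && (";" $7 ";") ~ /;e?uid=0;/ { print $6 }' "$EXEC_ATTR" |
    while read -r path; do
        case " $ROOT_EQUIV " in
            *" ${path##*/} "*) echo "$path" ;;
        esac
    done
}

# Print the findings; exit status 1 if the adapter would lack a command.
audit() {
    rc=0
    m=$(missing_commands)
    if [ -n "$m" ]; then
        echo "not granted by profile: $(echo "$m" | tr '\n' ' ')"; rc=1
    fi
    a=$(absent_binaries)
    [ -z "$a" ] || echo "granted but not executable here: $(echo "$a" | tr '\n' ' ')"
    r=$(root_equivalent_entries)
    [ -z "$r" ] || echo "root-equivalent with uid=0: $(echo "$r" | tr '\n' ' ')"
    return $rc
}

# Constructed sample for the demo (deliberately flawed): the passwd path is
# misspelled, and the yppasswd and touch entries are missing.
sample_exec_attr() {
    cat <<'EOF'
All:solaris:act:::*;*;*;*;*:
Identity Management:solaris:cmd:::/usr/sbin/useradd:uid=0
Identity Management:solaris:cmd:::/usr/sbin/userdel:uid=0
Identity Management:solaris:cmd:::/usr/sbin/usermod:uid=0
Identity Management:solaris:cmd:::/usr/sbin/groupadd:uid=0
Identity Management:solaris:cmd:::/usr/sbin/groupdel:uid=0
Identity Management:solaris:cmd:::/usr/sbin/groupmod:uid=0
Identity Management:solaris:cmd:::/usr/bin/logins:uid=0;gid=bin
Identity Management:solaris:cmd:::/usr/bin/which:uid=0;gid=bin
Identity Management:solaris:cmd:::/usr/bin/passwdd:uid=0
Identity Management:solaris:cmd:::/usr/ccs/bin/make:uid=0
Identity Management:solaris:cmd:::/usr/bin/chmod:uid=0
Identity Management:solaris:cmd:::/usr/bin/chown:uid=0
Identity Management:solaris:cmd:::/usr/bin/cp:uid=0
Identity Management:solaris:cmd:::/usr/bin/mv:uid=0
Identity Management:solaris:cmd:::/usr/bin/rm:uid=0
Identity Management:solaris:cmd:::/usr/bin/sed:uid=0
EOF
}

# Usage: sh audit-idm-profile.sh audit   (checks /etc/security/exec_attr)
#        sh audit-idm-profile.sh demo    (checks the constructed sample)
if [ "${1:-}" = demo ]; then
    EXEC_ATTR=$(mktemp); sample_exec_attr > "$EXEC_ATTR"; audit; rm -f "$EXEC_ATTR"
elif [ "${1:-}" = audit ]; then
    audit
fi
```

On the sample the audit reports passwd, yppasswd and touch as not granted, /usr/bin/passwdd as not executable, and the six file tools as root-equivalent. The third finding is informational: the profile as published needs those entries, but it means idmadm must be protected like a root account.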

Other commands are also run by the Resource Adapter as the proxy user. They need no special privileges and should not be added to the profile; for security reasons, only commands that actually require privileges belong in it. Note that several of the privileged entries (chmod, chown, cp, mv, rm, sed, touch) run general-purpose file tools as uid 0, and a user holding those entries can rewrite any file on the system. The profile therefore narrows which programs the proxy user can run, not what it can do with them, so treat idmadm as a root-equivalent account: protect its password accordingly and review its use. For reference, the non-privileged commands are listed in the following table (Table 2).

Table 2: Non-Privileged Commands

Command     Description
auths       Print authorizations granted to a user
last        Display login and logout information about users
listusers   List user login information
profiles    Print execution profiles for a user
roles       Print roles granted to a user
ypcat       Print values in a NIS database
ypmatch     Print the value of one or more keys from a NIS map
awk         Pattern scanning and processing language
cat         Concatenate and display files
cut         Cut out selected fields of each line of a file
diff        Compare two files
echo        Echo arguments
grep        Search a file for a pattern
ls          List contents of directory
sleep       Suspend execution for an interval
sort        Sort, merge, or sequence check text files
tail        Deliver the last part of a file


Create a Proxy User

Create the proxy (privileged) user that Identity Manager will log in as. Log in to the Solaris system as root, create the idmadm account with the "Identity Management" profile assigned (the -P option records the assignment in /etc/user_attr), and set its password. Adjust the home directory pathname to match your environment. The password shown below is for illustration only: in production, give the proxy account a strong, unique password, since anyone who holds it can run the profile's commands as root.

login: root
password: ******
# useradd -c "Identity Manager proxy user" -d /export/home/idmadm \
    -m -s /usr/bin/pfksh -P "Identity Management" idmadm

# passwd idmadm
New Password: idmadm
Re-enter new password: idmadm
passwd: password successfully changed for idmadm

Create the following .profile in the home directory of the idmadm user. The PATH setting matters: it must contain /usr/bin and /usr/sbin so that the commands in Table 1 are found without full pathnames.

$ vi /export/home/idmadm/.profile

	EDITOR=emacs; export EDITOR
	PATH=/usr/bin:/usr/sbin; export PATH

Test the Proxy User

Test the privileged account before pointing Identity Manager at it. Log in as idmadm and interactively walk through the operations the adapter performs: create a group and a user, modify the user, set a password, log in as that user, then remove the user and the group. Each command must succeed without a permission error.

login: idmadm
password: ******

$ which logins
/usr/bin/logins

$ logins
root        0       root        0       Super-User
daemon      1       other       1       
bin         2       bin         2       
sys         3       sys         3       
adm         4       adm         4       Admin
uucp        5       uucp        5       uucp Admin
nuucp       9       nuucp       9       uucp Admin
smmsp       25      smmsp       25      SendMail Program
listen      37      adm         4       Network Admin
gdm         50      gdm         50      GDM Reserved UID
lp          71      lp          8       Line Printer Admin
webservd    80      webservd    80      WebServer Reserved UID
mysql       23732   mysql       100     MySQL
idmadm      23739   other       1       Identity Manager proxy user
nobody      60001   nobody      60001   NFS Anonymous Access User
noaccess    60002   noaccess    60002   No Access User
nobody4     65534   nogroup     65534   SunOS 4.x NFS Anon Access User

$ groupadd idmgrp

$ grep idmgrp /etc/group
idmgrp::101:

$ useradd -c "test user 1" -d /export/home/user1 -g idmgrp \
    -m -s /usr/bin/csh user1


$ grep user1 /etc/passwd
user1:x:23734:1:user1:/export/home/user1:/usr/bin/csh

$ ls -l /export/home/user1
total 4
drwxr-xr-x   2 user1    other        512 Feb 26 09:31 .
drwxr-xr-x   8 root     root         512 Feb 28 15:38 ..

$ usermod -s /usr/bin/bash user1
$ grep user1 /etc/passwd
user1:x:23734:1:user1:/export/home/user1:/usr/bin/bash

$ passwd user1
New Password: password 
Re-enter new Password: password 
passwd: password successfully changed for user1

$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: user1
Password: password 
Sun Microsystems Inc.   SunOS 5.10      s10_74  December 2004
-bash-3.00$ id
uid=23735(user1) gid=101(idmgrp)
-bash-3.00$ exit

$ userdel user1
$ grep user1 /etc/passwd

$ groupdel idmgrp
$ grep idmgrp /etc/group

Configure the Identity Manager Resource Adapter

Set up Identity Manager's Solaris Resource Adapter to use the proxy (privileged) user. Log in to Identity Manager as "configurator" or as another user that has the capabilities to configure resource adapters.

Select the Configure -> Manage Resources tab to ensure that the Solaris Resource Type is selected. If not, select it and press Save.

Select the Resources tab. Select the drop-down button labeled New Resource ..., and pick the Solaris option. Select the Next button to continue. In this example, Telnet is used to communicate with the Solaris OS. Telnet sends the idmadm password and every command in cleartext on the network, so outside an isolated lab configure the resource to use SSH for the connection between Identity Manager and the Solaris OS.

Fill out the first page of the Create Solaris Resource Wizard. Use the options shown in Table 3 below.

Table 3: Create Solaris Resource Wizard (Page 1)

Field                 Value
Host:                 localhost
Login User:           idmadm
Password:             idmadm
Login Shell Prompt:   $
Make Directory:       TRUE

After entering the information into the form, Select the Test Connection button to make sure Identity Manager can communicate with the Solaris OS. If the test is successful, the page will refresh and a status message will be displayed (see Figure 1 below).

Figure 1: Resource Parameters (page 1 of 4)

If the "Test Connection" fails (shown in red text), first make sure that every command in the "Test the Proxy User" section completed without errors when run as idmadm, then re-check the values entered in the form.

Press the Next button at the bottom of the page.

The second page of the Create Solaris Resource Wizard (page 2 of 4) defines the account attributes that are mapped between Identity Manager and the Solaris OS. In this example, we removed the Authorizations attribute (see Figure 2).

Figure 2: Account Attributes (page 2 of 4)

Press the Next button at the bottom of the page to continue.

The third page of the Create Solaris Resource Wizard (page 3 of 4) defines the Identity Template. In this example, no modifications need to be made (see Figure 3).

Figure 3: Identity Template (page 3 of 4)

Press the Next button at the bottom of the page to continue.

The last page of the Create Solaris Resource Wizard (page 4 of 4) defines the Identity Manager Parameters. Use the options shown in the following table.

Table 4: Create Solaris Resource Wizard (Page 4)

Field                    Value
Resource Name:           <<Unique Name>>
Display Name:
Description:
Exclude Accounts Rule:   Unix Exclude Resource Accounts

See Figure 4 for an example.

Figure 4: Identity Manager Parameters (page 4 of 4)

Select the Save button to finish the Resource Wizard. The Solaris Resource is now ready for use. Test the Resource by creating a new user via the Administrative Interface.

Create an Identity Manager Reconciliation Policy for the new Solaris Resource. Run a full reconciliation on the resource to synchronize identities between the Solaris system and Identity Manager.


About the Author

Scott Fehrman is a Systems Engineer in the Identity Management Practice at Sun Microsystems, Inc.



Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.

