
7.1 IDM support for UNIX

Former Member
0 Kudos

All,

I'm a novice to SAP IDM. I would really appreciate it if any of you could help me answer the following questions from my client:

1. How would IDM connect to the Unix box? Using SSH, telnet...?

2. Can IDM create users and set password using sudo instead of having root access?

Also, I couldn't find any way to configure the Unix repository. Do I need to use any generic repository?

Thanks in advance.

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

In general, IDM 7.1 requires a Windows box that can run the MMC console to allow system access (the same as previous versions). So while the database (Oracle), engines and interface can all run on *NIX, there must be at least one Windows box for Task/Workflow configuration.

This is supposed to change some time in the future, just not sure when.

As far as User account creation goes, it all depends on how you create your accounts. You can certainly interface with something like Vintela's user manager or if you use scripts you can create any kind of user you need from IDM. The same applies if you use LDAP as a base.

Cheers,

Matt

Edited by: Matthew Pollicove on Jun 19, 2009 7:18 PM

Former Member
0 Kudos

Thanks Matthew

Former Member
0 Kudos

Matt,

I appreciate your help. The IDM is running on a Windows box. The client wants to manage the accounts in three Unix hosts that do not use NIS or LDAP or user manager. So accounts need to be created at the OS level.

I have experience with other IdM products and they all use SSH or telnet to connect to the unix boxes and they can create users with either root access or sudo. (We have to configure the adapter with the host name and credentials to connect to) However, the SAP IDM documents I have seen so far do not say anything about these.

- Do you have any idea about these?

- Are there any other documents I can refer to?

Thanks,

Biju.

Former Member
0 Kudos

Hmmm.... I'll have to do some research on that one. What UNIX are you using? Normally, I'd recommend using something like Quest's Vintela. However, I'm sure it's been done in the past.

Matt

Former Member
0 Kudos

I have Solaris and AIX. In one of the decks SAP claims it supports UNIX out of the box. That is what got me into trouble.

I would really appreciate if you could provide any pointers.

Thanks,

Biju.

Former Member
0 Kudos

Did some quick looking.

If you create a new task, click new -> action task -> run wizard and select the jobs folder. Scroll down to the end.

There's a UNIX/Linux wizard there.

I'll be trying with ubuntu as soon as I get a chance...

HTH,

Matt

Former Member
0 Kudos

Matt,

In fact I've already seen that task. If you look you can see that it runs adduser command to create user.

What confuses me is that if you try new repository, Unix is not available there. And this task requires a repository.

Former Member
0 Kudos

Not too sure what you're referring to about a new repository, but I'm hoping to work with it today.

What other methodology would you want to use to provision the user to UNIX?

Matt

Former Member
0 Kudos

I've had this same conversation with SAP and I understand your confusion as I had the same. It's one thing to create a task with a shell command, it's another thing altogether to set up provisioning for this task and make a connection to the Unix environment for user management (without using an intermediary like Vintela).

I haven't had the time to implement this yet myself, but here's an outline as I understand it works:

You must install the Java runtime environment on any servers where you wish to provision users.

The way I understand it is that you create a dispatcher for the UNIX system and install that using the shell script generated. Make sure this is the only dispatcher assigned to the task you are putting on the unix box.

You then create the provisioning tasks and export them as .dse files (make sure you are exporting the task, not the job)

Put the provisioning task on the Unix box and update the java runtime dse to point to the task.

The dispatcher is the 'link' between the UNIX box and the IdM environment. You can create an 'empty' repository for the UNIX box just to specify the provisioning tasks (if this is how you trigger provisioning).

Here is the installation documentation we have:

========================================================
Installing and using the DSE Java runtime engine on Unix
========================================================

The Data Synchronization Engine may be implemented in a variety of
environments, independent of operating systems, directory servers and
databases. The connectors included make it a flexible and modular
tool that can be used to read from or write to virtually any data
repository, like directory servers, databases, structured files or
application data repositories and even old legacy systems.

What is important to emphasize is that the Data Synchronization Engine
does not require any modifications to the data sources it is
configured to read or update.

The configuration user interface is a snap-in to the Microsoft
Management Console. The runtime engine(s) can be installed on any
computer where a Java Virtual Machine is installed in addition to any
Microsoft Windows platform.

Prerequisites
-------------

The DSE Java runtime engine has the following requirements:

  • A Java Virtual Machine, supporting Java2, must be correctly
    installed and configured. If you don't already have it installed you
    can download one from e.g. http://java.sun.com. The Java runtime
    engine must be included in PATH.

  • A database system that can be referenced by a JDBC URL.

  • A JDBC driver for the database system in question. Sun Microsystems,
    Inc maintains a list of JDBC drivers. A JDBC-ODBC bridge is included
    in the Java 2 Platform, Standard Edition from Sun Microsystems. This
    allows access to all ODBC databases.

  • The files DSE.jar, js.jar, ldapbp.jar and xerces.jar must be
    included in the class path. Additionally, all Java classes that you
    may be using must be included in the class path, for instance any JDBC
    drivers that you are using.

  • When running the job from the command line, make sure that the class
    path contains the necessary references on the computer where the
    runtime engine is installed.

  • /bin/sh must be installed on the computer. The included shell
    scripts are written for Bourne Shell (/bin/sh)

Installing the Java runtime engine
----------------------------------

The Data Synchronization Engine installation directory contains a
sub-directory called Java. Copy the following files from this directory to
a directory on the computer where you want to install the runtime
engine:

  • DSE.jar
  • xerces.jar
  • js.jar
  • ldapbp.jar
  • runjob

Modifying the runjob shell script
---------------------------------

The runjob file is a shell script that is used to run the jobs. Open
the file and modify the settings DSEPATH, DSEDRIVERS and CLASSPATH to
adjust the values to your system. The shell script has one parameter,
the job file name.

  • DSEPATH
    Contains a reference to the directory where DSE.jar is installed.

  • DSEDRIVERS
    Contains a list of JDBC Drivers.

  • CLASSPATH
    Contains references to all necessary files for the DSE Java runtime
    engine, including the JDBC drivers.

Running the job
---------------

Copy the job configuration file
-------------------------------

The command line syntax
-----------------------

The contents of the runjob file are based on the generic syntax for
starting the Java runtime engine from the command line:

As the Java runtime engine can run on a number of platforms and under
different Java Virtual Machines, the syntax of the first two elements
may vary.

Command line parameters
-----------------------

The DSE Java runtime engine has the following command line parameters:

  • -D
  • <Properties>
  • <Commands>

-D
--

You can use the -D parameter to specify a value for a job constant on
the command line. The value specified on the command line will
override the constant's current value.

-D
--

Any or all of these parameters can be present:

Property    Value
----------  ---------------------------------------------
Drivers     List of JDBC drivers separated by : (colon).
File        Read job from this file.
LogFile     Initial log file name.
LogLevel    Log levels:
              0 = none
              1 = error
              2 = warning
              3 = normal (default)
              4 = extended
              5 = trace
              6 = debug
StackTrace  Stack trace flag when handling exceptions:
              0 = none
              1 = show only the topmost entry (default)
              2 = show full stack trace
CBInt       Show progress for every n entries.

The following commands are defined:

Command  Description
-------  ----------------------------------
run      Execute job.
help     List parameter information.
showlog  Dump contents of log to System.out

Note: The properties of a command must precede the command.

When running a job from the user interface, the job is run using the
following command line:

java.exe -cp " run

© Copyright 2007 SAP AG. All rights reserved.

Hope this helps.

-Geoff
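
The prerequisites in the documentation quoted above (the four jars, DSEPATH, DSEDRIVERS, CLASSPATH, a JVM in PATH) can be verified before a job is run. The following is an added example, not SAP's runjob script and not code from any poster in this thread; the function names and the world-writable check are assumptions of the example, and it does not start the engine.

```shell
#!/bin/sh
# Added example: preflight for the runjob prerequisites quoted above.
# Jar and variable names come from the documentation; the function names
# and the world-writable check are assumptions of this example.

DSE_JARS="DSE.jar js.jar ldapbp.jar xerces.jar"

# Print the CLASSPATH value: the four engine jars under DSEPATH ($1),
# followed by the colon-separated JDBC driver list DSEDRIVERS ($2), if any.
dse_classpath() {
    cp=""
    for jar in $DSE_JARS; do
        cp="${cp:+$cp:}$1/$jar"
    done
    if [ -n "$2" ]; then cp="$cp:$2"; fi
    printf '%s\n' "$cp"
}

# Check each classpath entry. Prints one line per problem and returns 1
# if any entry is missing, unreadable, or writable by every local user.
dse_check_files() {
    entries=$(dse_classpath "$1" "$2"); rc=0
    old_ifs=$IFS; IFS=:
    for entry in $entries; do
        if [ ! -r "$entry" ]; then
            echo "missing or unreadable: $entry"; rc=1
        elif [ -n "$(find -L "$entry" -prune -perm -0002)" ]; then
            echo "world-writable: $entry"; rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Full preflight: the JVM must be in PATH and every jar must pass.
dse_preflight() {
    rc_java=0
    command -v java >/dev/null 2>&1 || { echo "java not in PATH"; rc_java=1; }
    dse_check_files "$1" "$2" || return 1
    return $rc_java
}
```

Calling `dse_preflight "$DSEPATH" "$DSEDRIVERS"` from the account that runs the jobs shows whether that account can read every jar and whether any jar could be replaced by another local user.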

Former Member
0 Kudos

Thank you so much for the detailed explanation, Geoff.

Former Member
0 Kudos

My colleague has now published a How To guide for this: How to Setting Up an Identity Management Dispatcher on a UNIX Host Flavor (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00e7da17-26a1-2c10-c5a7-b9886cbc2a14).

Best Regards,

Matt

Former Member
0 Kudos

Hi Folks,

Is it mandatory to run the Dispatcher on the Windows box where the IdM MMC resides to access local ASCII files on the Windows box?

Please clarify my doubt.

Thanking you.

Best Regards,

Nagaraju

Former Member
0 Kudos

Thanks, Nag.

I've searched SDN before posting and those threads won't tell anything about the connection mechanism used by IDM.

- If it supports SSH and telnet

- Can we create users in Unix boxes with sudo privilege instead of root access

If anybody can share their experience, that would be much appreciated.

Former Member
0 Kudos

Hi bchacko,

Your point is correct. Currently SAP has not come up with details/documents on IDM 7.1.

Hope you might have to wait for time.

All the best

regards

nag