on 06-18-2009 6:18 AM
All,
I'm a novice to SAP IDM. I would really appreciate it if any of you could help me answer the following questions from my client:
1. How would IDM connect to the Unix box? Using SSH, telnet...?
2. Can IDM create users and set passwords using sudo instead of having root access?
Also, I couldn't find any way to configure the Unix repository. Do I need to use any generic repository?
Thanks in advance.
In general, IDM 7.1 requires a Windows box that can run the MMC console to allow system access. (The same as previous versions) So while the database (oracle), engines and interface can all run on *NIX, there must be at least one Windows box for Task/Workflow configuration.
This is supposed to change some time in the future, just not sure when.
As far as User account creation goes, it all depends on how you create your accounts. You can certainly interface with something like Vintela's user manager or if you use scripts you can create any kind of user you need from IDM. The same applies if you use LDAP as a base.
Cheers,
Matt
Edited by: Matthew Pollicove on Jun 19, 2009 7:18 PM
Matt,
I appreciate your help. The IDM is running on a Windows box. The client wants to manage the accounts on three Unix hosts that do not use NIS, LDAP or a user manager, so accounts need to be created at the OS level.
I have experience with other IdM products, and they all use SSH or telnet to connect to the Unix boxes; they can create users with either root access or sudo. (We have to configure the adapter with the host name and credentials to connect with.) However, the SAP IDM documents I have seen so far do not say anything about this.
- Do you have any idea about this?
- Are there any other documents I can refer to?
Thanks,
Biju.
I've had this same conversation with SAP and I understand your confusion, as I had the same. It's one thing to create a task with a shell command; it's another thing altogether to set up provisioning for this task and make a connection to the Unix environment for user management (without using an intermediary like Vintela).
I haven't had the time to implement this yet myself, but here's an outline of how I understand it works:
You must install the java runtime environment on any servers where you wish to provision users.
The way I understand it is that you create a dispatcher for the UNIX system and install that using the shell script generated. Make sure this is the only dispatcher assigned to the task you are putting on the unix box.
You then create the provisioning tasks and export them as .dse files (make sure you are exporting the task, not the job)
Put the provisioning task on the Unix box and update the java runtime dse to point to the task.
The dispatcher is the 'link' between the UNIX box and the IdM environment. You can create an 'empty' repository for the UNIX box just to specify the provisioning tasks (if this is how you trigger provisioning).
Here is the installation documentation we have:
========================================================
Installing and using the DSE Java runtime engine on Unix
========================================================
The Data Synchronization Engine may be implemented in a variety of
environments, independent of operating systems, directory servers and
databases. The connectors included make it a flexible and modular
tool that can be used to read from or write to virtually any data
repository, like directory servers, databases, structured files or
application data repositories and even old legacy systems.
What is important to emphasize is that the Data Synchronization Engine
does not require any modifications to the data sources it is
configured to read or update.
The configuration user interface is a snap-in to the Microsoft
Management Console. The runtime engine(s) can be installed on any
computer where a Java Virtual Machine is installed in addition to any
Microsoft Windows platform.
-------------
Prerequisites
-------------
The DSE Java runtime engine has the following requirements:
- A Java Virtual Machine, supporting Java2, must be correctly
  installed and configured. If you don't already have it installed you
  can download one from e.g. http://java.sun.com. The Java runtime
  engine must be included in PATH.
- A database system that can be referenced by a JDBC URL.
- A JDBC driver for the database system in question. Sun Microsystems,
  Inc maintains a list of JDBC drivers. A JDBC-ODBC bridge is included
  in the Java 2 Platform, Standard Edition from Sun Microsystems. This
  allows access to all ODBC databases.
- The files DSE.jar, js.jar, ldapbp.jar and xerces.jar must be
  included in the class path. Additionally, all Java classes that you
  may be using must be included in the class path, for instance any JDBC
  drivers that you are using.
  When running the job from the command line, make sure that the class
  path contains the necessary references on the computer where the
  runtime engine is installed.
- /bin/sh must be installed on the computer. The included shell
  scripts are written for Bourne Shell (/bin/sh).
----------------------------------
Installing the Java runtime engine
----------------------------------
The Data Synchronization Engine installation directory contains a
sub-directory called Java. Copy the following files from this directory
to a directory on the computer where you want to install the runtime
engine:
    DSE.jar
    xerces.jar
    js.jar
    ldapbp.jar
    runjob
---------------------------------
Modifying the runjob shell script
---------------------------------
The runjob file is a shell script that is used to run the jobs. Open
the file and modify the settings DSEPATH, DSEDRIVERS and CLASSPATH to
adjust the values to your system. The shell script has one parameter,
the job file name.
    DSEPATH     Contains a reference to the directory where DSE.jar is
                installed.
    DSEDRIVERS  Contains a list of JDBC drivers.
    CLASSPATH   Contains references to all necessary files for the DSE
                Java runtime engine, including the JDBC drivers.
---------------
Running the job
---------------

Copy the job configuration file
-------------------------------

The command line syntax
-----------------------
The contents of the runjob file are based on the generic syntax for
starting the Java runtime engine from the command line:
As the Java runtime engine can run on a number of platforms and under
different Java Virtual Machines, the syntax of the first two elements
may vary.
-----------------------
Command line parameters
-----------------------
The DSE Java runtime engine has the following command line parameters:
    -D <Properties> <Commands>

-D
--
You can use the -D parameter to specify a value for a job constant on
the command line. The value specified on the command line will
override the constant's current value.

Any or all of these parameters can be present:

    Property    Value
    ----------  ------------------------------------------------
    Drivers     List of JDBC drivers separated by : (colon).
    File        Read job from this file.
    LogFile     Initial log file name.
    LogLevel    Log levels:
                  0 = none
                  1 = error
                  2 = warning
                  3 = normal (default)
                  4 = extended
                  5 = trace
                  6 = debug
    StackTrace  Stack trace flag when handling exceptions:
                  0 = none
                  1 = show only the topmost entry (default)
                  2 = show full stack trace
    CBInt       Show progress for every n entries.

The following commands are defined:

    Command   Description
    --------  ------------------------------------
    run       Execute job.
    help      List parameter information.
    showlog   Dump contents of log to System.out
Note: The properties of a command must precede the command.
When running a job from the user interface, the job is run using the
following command line:
java.exe -cp " run
© Copyright 2007 SAP AG. All rights reserved.
Hope this helps.
-Geoff
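To make the runjob settings above concrete, here is an added Bourne-shell wrapper (example code, not SAP's own runjob script) that builds the class path from the four required jars plus DSEDRIVERS, refuses to start on a missing jar or an undocumented LogLevel, and assembles the property list ahead of the run command as the documentation requires. DSE_MAIN is an assumed placeholder for the engine's main class, and the -DName=Value form of passing properties is an assumption; both should be checked against the real runjob shipped in the Java directory.

```shell
#!/bin/sh
# Added example, not SAP's own runjob script: a Bourne-shell wrapper that
# assembles the DSEPATH / DSEDRIVERS / CLASSPATH settings described above
# and builds the "-D<Property>=<Value> ... run" command line for one job.
# ASSUMPTIONS (not from the documentation): DSE_MAIN is a placeholder for
# the engine's main class, and properties are passed as Java-style
# -DName=Value options; check the real runjob for the exact form.
DSE_MAIN="${DSE_MAIN:-PLACEHOLDER.DseMainClass}"

# Print a class path made of the four required jars under $1 (DSEPATH)
# followed by the colon-separated JDBC drivers in $2 (DSEDRIVERS).
# Each missing jar is reported on stderr and the function returns 1, so a
# broken install is caught before the engine starts with a bad class path.
dse_classpath() {
    _path=$1; _drivers=$2; _cp=""; _rc=0
    for _jar in DSE.jar js.jar ldapbp.jar xerces.jar; do
        if [ ! -f "$_path/$_jar" ]; then
            echo "missing required jar: $_path/$_jar" >&2
            _rc=1
        fi
        _cp="${_cp:+$_cp:}$_path/$_jar"
    done
    if [ -n "$_drivers" ]; then _cp="$_cp:$_drivers"; fi
    echo "$_cp"
    return $_rc
}

# Return 0 only if $1 is one of the documented LogLevel values 0..6.
dse_loglevel_ok() {
    case $1 in 0|1|2|3|4|5|6) return 0 ;; *) return 1 ;; esac
}

# Print the full command line: class path, main class, the -D properties
# (which must precede the command, as the documentation notes) and "run".
# $1 = class path, $2 = job file, $3 = LogLevel (default 3 = normal),
# $4 = DSEDRIVERS (optional), $5 = LogFile (optional).
dse_run_command() {
    _cp=$1; _job=$2; _level=${3:-3}; _drivers=$4; _logfile=$5
    dse_loglevel_ok "$_level" || { echo "bad LogLevel: $_level" >&2; return 1; }
    [ -f "$_job" ] || { echo "job file not found: $_job" >&2; return 1; }
    _props="-DFile=$_job -DLogLevel=$_level -DStackTrace=1"
    if [ -n "$_drivers" ]; then _props="$_props -DDrivers=$_drivers"; fi
    if [ -n "$_logfile" ]; then _props="$_props -DLogFile=$_logfile"; fi
    echo "java -cp $_cp $DSE_MAIN $_props run"
}
```

Typical use is `eval "$(dse_run_command "$(dse_classpath /opt/dse /opt/jdbc/driver.jar)" job.xml 3)"` once the placeholder main class has been replaced with the real one.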
Hi
The links below should help you:
https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
https://www.sdn.sap.com/irj/scn/advancedsearch?query=idminunix&cat=sdn_all
regards
nag
Thanks, Nag.
I've searched SDN before posting, and those threads don't say anything about the connection mechanism used by IDM:
- whether it supports SSH and telnet
- whether we can create users on Unix boxes with sudo privileges instead of root access
If anybody can share their experience, that would be much appreciated.