From IDM 3.01.
Be sure to read the Script writers README
- Purpose Add a new group to a platform.
- Methodology Build a command to add the group named by TARGETGROUP, with the gid ASSOCIATEDGIDNUMBER. Return 0 for success, non-zero for failure.
- Purpose Add a new user to a platform.
- Methodology Build a command to add the user named by TARGETUSER, with the uid ASSOCIATEDUIDNUMBER. Set the gcos-field from any name related information that might be available in GIVENNAME or SURNAME. Return 0 for success, non-zero for failure.
- Purpose Add a user to a group.
- Methodology The methodology for this script varies from platform to platform. On Solaris, for example, there is no command to add a single user to a particular group, rather, an argument to the usermod command is available to specify a user's entire supplementary group affiliation. AIX, on the other hand, has a chgrpmem command that can add and delete users from specified groups.
- Return 0 for success, non-zero for failure.
In order to facilitate writing scripts in diverse environments, all the following environment variables are available:
- PGLIST - list of platform groups user is in.
- ASAMGLIST list of Census groups user is in.
- DELGLIST list of platform groups user should be deleted from.
- ADDGLIST list of platform groups user should be added to.
- TARGETGLIST list of platform groups user will ultimately be in.
- Purpose Remove a group from a platform.
- Methodology Build a command to delete the group named by TARGETGROUP.
- Return 0 for success, non-zero for failure.
- Purpose Delete a user from a platform.
- Methodology Build a command to delete the user named by TARGETUSER.
- Return 0 for success, non-zero for failure.
- Purpose Prevent a user from logging onto a platform.
- Methodology - Different for some platforms, and usually somewhat problematic. Read the script for your platform.
- Return 0 for success, non-zero for failure.
- Purpose Determine if a group exists on a platform.
- Methodology - Look in in /etc/group for TARGETGROUP.
- Return 1 for group exists, 0 for group does not exist.
- Purpose Determine if a user exists on a platform.
- Methodology Look in in /etc/passwd for TARGETUSER.
- Return 1 for user exists, 0 for user does not exist.
- Purpose Enable a user to log on to a platform.
- Methodology - Different for some platforms, and usually somewhat problematic. Read the script for your platform.
- Return 0 for success, non-zero for failure.
- Purpose Change attributes of a group.
- Methodology Build a command to change the gid of the group named by TARGETGROUP to ASSOCIATEDGIDNUMBER.
- Return 0 for success, non-zero for failure.
- Purpose Change attributes of a user.
- Methodology Build a command to change the uid of the user named by TARGETUSER to ASSOCIATEDUIDNUMBER, and/or reset gcos-field with name related information in GIVENNAME and/or SURNAME.
- Return 0 for success, non-zero for failure, or 254 for NOTHINGTODO. On AIX return 126 for NOTHINGTODO.
- Purpose Prepare a group for future deletion.
- Methodology The default script does nothing.
- Return 0 for success, non-zero for failure.
- Purpose Prepare a user for future deletion.
- Methodology Build a command to prevent the user from logging on.
- Return 0 for success, non-zero for failure.
- Purpose Record platform gid of TARGETGROUP in PARMFILE\
- Methodology Find the gid of TARGETGROUP in /etc/group and output three lines into PARMFILE. The Receiver uses this script to assure that the driver and the platform agree on TARGETGROUP's gid. Gid = -1 causes the Receiver to bypass gid checking.
- The first line is the groupname
- The second line is the gid.
- The third line is EOFMARKER.
- Return 0 for success, non-zero for failure.
- Purpose Record platform uid of TARGETUSER in PARMFILE
- Methodology Find the uid of TARGETUSER in /etc/passwd and output three lines into PARMFILE. The Receiver user this script to assure that the driver and the platform agree on TARGETUSER's uid. Uid = -1 causes the Receiver to bypass uid checking.
- The first line is the user name
- The second line is the uid.
- The third line is EOFMARKER.
- Return 0 for success, non-zero for failure.
- Purpose Record platform group-membership information about TARGETUSER.
- Methodology Use groups(1) to find TARGETUSER's group membership. Ignore primary group, focus only on supplementary groups. The Receiver uses this script to assure that the driver and the platform agree on the gids of the groups that TARGETUSER is a member of. GID = -1 causes the Receiver to bypass this check. Output TARGETUSER's groupmembership information (supplementary groupnames and gids) like this:
gname1,gnum1
gname2,gnum2
gname3,gnum3
...
gnameN,gnumN
EOFMARKER
- Purpose Record user names and uids of platform members of TARGETGROUP.
- Methodology grep for group members in /etc/group. Get uid for each groupmember from /etc/passwd. Record one user,uid pair per line.
Last line should be EOFMARKER. The Receiver uses this script to assure that the driver and the platform agree on the uids of the users who are members of TARGETGROUP. UID = -1 causes the Receiver to bypass this check.
- Purpose Check to see that the username or groupname in VERIFY is acceptable for the platform. Check length and character types. Map VERIFY to PlatformAssociation (PA).
- Methodology Reject names longer than MAXL. Make sure first character in name is alpha, except on AIX. Make sure that all characters in name are valid. Map uppercase
characters to lowercase, except on Linux. Output PlatformAssociation to PARMFILE.
- Return 0 for success, non-zero for failure.
PlatformAssociation is a mapping of EnterpriseUsername (or EnterpriseGroupname).
PlatformAssociation is very important, and is controlled in this script.
Examples:
| PlatformAssociation
|
eDir User| Solaris Linux AIX
________ | _______ _____ _____
|
joe|joe joe joe
Bob|bob Bob bob
7sam | (Rejected) (Rejected)7sam
LongUserName | (Rejected)LongUserName (Rejected)
|
You have the ability in this script to create algorithms to map names that would otherwise be rejected, if you need to support them, but there are many caveats. If you choose to map the user LongUserName to LongUser, then you would not be able to use the driver to authenticate LongUser. There would also be collision issues to consider.
- Purpose Populate a group, taking into account who might currently be in the group, who the driver thinks should be in the group, and who is managed.
- Methodology ASAMULIST, PULIST and MANAGED are supplied by the Receiver.
- ASAMULISTlist of Census users in TARGETGROUP.
- PULIST list of platform users in TARGETGROUP.
- MANAGED list of users from ASAMULIST and PULIST who are managed and not excluded.
TARGETULIST and DELETEULIST are calulated by populategroup.sh.
TARGETULIST list of users who should ultimately be in TARGETGROUP.
DELETEULIST list of platform users who need to be deleted from TARGETGROUP.
The methodology varies from platform to platform, depending on the native UNIX commands available. Here's one example:
is PULIST in MANAGED?
no ----> TARGETULIST
yes ---> in ASAMULIST?
no ----> DELETEULIST
is ASAMULIST in MANAGED?
yes ---> TARGETULIST
- Purpose remove TARGETUSER from group.
- Methodology There's no need for the default script to do anything.
- Return 0 for success, non-zero for failure.
- Purpose Rename a platform group.
- Methodology build a command that renames PLATFORMASSOCIATION to TARGETGROUP.
- Return 0 for success, non-zero for failure.
- Purpose Rename a platform user.
- Methodology Build a command to rename PLATFORMASSOCIATION to TARGETUSER. Rename user's home directory too.
- Return 0 for success, non-zero for failure.
If desired, you can modify the
Platform Receiver Scripts
There might be more information for this subject on one of the following: