i5/OS problems with any application that uses Adopted Authority

  • 7011517
  • 13-Dec-2012
  • 13-Dec-2012

Environment

NetIQ Identity Manager
NetIQ Identity Manager Driver - Midrange OS/400 Bi-directional
NetIQ Identity Manager Driver - Midrange OS/400 Fan Out

Situation

The customer has the i5/OS shim installed in their AS/400 environment and also runs a product called AOD from SeaSoft that grants temporary permissions to users, similar to a sudo command. Since the shim was installed, that software takes about 2 minutes to execute: it appears to hit the exit point the shim is registered on, and the shim waits for its timeout before returning. This seems to stem from an auditing value being changed on the user profile.

You may also run into this problem with any application that uses adopted authority.

Resolution

You will need to update to IDM4 for this option to be available. You do not have to upgrade the engine; installing the i5 update is enough, and the activation version did not change.

The exit programs adopt the authority of their owning profile in order to write records to the changelog. This interferes with processes such as the one the AOD product uses to modify profiles, which probably runs under its own adopted authority. The only way around this is to turn adopted authority off in the exits and open the changelog so that the affected users can write to it directly.

To do that:

Add to the config file: -disableadoptauth

Make sure that these paths are readable by all users:
/etc/i5osdrv.conf
/usr/local/i5osdrv
/usr/local/i5osdrv/keys

Make sure that these paths are writable by all users:
/usr/local/i5osdrv/changelog
/usr/local/i5osdrv/snapshot

By all users, I mean all users who make changes that will go through the exits. If you allow password changes on the AS/400, then every user needs these rights. If users make all changes through adopted authority, then only the profiles whose authority they adopt need them.
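As an added check (my script, not part of the TID or of the driver), the following POSIX shell script reports whether each listed path grants the required right to all users and whether the option is present in the config file; it assumes the config file is /etc/i5osdrv.conf and that a POSIX sh (such as the IBM i PASE shell) is available.

```shell
#!/bin/sh
# Added audit script, not from the TID: report whether the paths the article
# lists carry the "readable/writable by all" rights it requires. It parses the
# `ls -ld` mode string instead of using test -r/-w, so the answer does not
# depend on who runs it (root sees everything as accessible). Reports only.

# Paths every user whose changes pass through the exits must be able to read,
# and the paths they must also be able to write.
READ_PATHS="/etc/i5osdrv.conf /usr/local/i5osdrv /usr/local/i5osdrv/keys"
WRITE_PATHS="/usr/local/i5osdrv/changelog /usr/local/i5osdrv/snapshot"
# Assumption: the "config file" the article refers to is /etc/i5osdrv.conf.
CONF=/etc/i5osdrv.conf
# others_have MODE CLASS: succeed if the "other" triplet of a mode string such as
# "drwxr-xr-x" grants CLASS (r or w); a directory must also be searchable (x/t).
others_have() {
    mode=$1; want=$2
    others=$(printf '%s' "$mode" | cut -c8-10)   # characters 8..10 = "other"
    case $want in
        r) case $others in r*)  ;; *) return 1 ;; esac ;;
        w) case $others in ?w*) ;; *) return 1 ;; esac ;;
        *) return 2 ;;
    esac
    case $mode in
        d*) case $others in ??[xt]) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# check_path PATH CLASS: print one status line; fail if the right is missing.
check_path() {
    path=$1; want=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    mode=$(ls -ld "$path" | cut -c1-10)
    if others_have "$mode" "$want"; then
        echo "ok       $path  $mode  (others have $want)"
    else
        echo "FIX      $path  $mode  (others lack $want)"; return 1
    fi
}

# audit: check every path and the -disableadoptauth option; non-zero if any fail.
audit() {
    rc=0
    for p in $READ_PATHS;  do check_path "$p" r || rc=1; done
    for p in $WRITE_PATHS; do check_path "$p" w || rc=1; done
    grep -q -- '-disableadoptauth' "$CONF" 2>/dev/null \
        || { echo "FIX      $CONF does not contain -disableadoptauth"; rc=1; }
    return $rc
}
case ${1-} in run) audit ;; esac   # run the audit only when invoked with "run"
```

Run it with the argument `run`; a non-zero exit status means at least one item still needs fixing. Because it reads the mode bits rather than testing access as the current user, an all-object profile and an ordinary user get the same answer.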