Enable the IWS UNIX/Linux installer to support Domain IDs in LDAP/SSSD environments without failing due to POSIX group resolution issues by reducing strict dependency on OS-level group mapping or providing configurable group handling.
Why is this useful?
In many enterprise environments, UNIX/Linux systems are integrated with Active Directory using LDAP and SSSD for centralized authentication. Domain IDs are preferred over local accounts for security, compliance, and audit purposes.
Currently, when installing IWS using a Domain ID, the installer fails if the associated POSIX group is not properly resolved, even when LDAP and SSSD are correctly configured. This forces teams to use local IDs, which goes against standard security and governance practices.
Enhancing the installer to handle such scenarios will reduce installation failures, minimize dependency on local accounts, and improve adoption in enterprise environments.
Who would benefit from it?
- Organizations using Active Directory with LDAP/SSSD integration on UNIX/Linux
- Enterprises that enforce centralized identity management
- System administrators managing IWS installations
- Security and compliance teams that discourage the use of local accounts
- IBM customers deploying IWS in hybrid or large-scale environments
How should it work?
The IWS installer should be enhanced to:
- Validate the domain ID and group mappings before starting the installation
- Provide clear pre-installation checks and error messages for missing POSIX groups
- Allow administrators to configure or override the group used during installation
- Support fallback mechanisms when default domain group resolution fails
- Optionally allow installation using Domain IDs without strict dependency on local POSIX groups, where technically feasible
This improvement would make the installation process more robust, flexible, and aligned with modern enterprise authentication standards.
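A pre-installation check along these lines, as an added example (not IBM installer code): it resolves the domain ID through NSS, confirms that its primary GID maps back to a group entry, and falls back to an administrator-supplied group when it does not. The function name resolve_install_group and the NSS_LOOKUP variable are hypothetical; getent is the only real tool assumed.

```sh
#!/bin/sh
# Added example, not IBM installer code. NSS_LOOKUP is a hypothetical hook for
# testing; by default lookups go through getent, i.e. through nsswitch.conf
# (files, sss, ...), the same path SSSD-provided identities resolve on.

# resolve_install_group USER [FALLBACK_GROUP]
# Prints the group name to install with. Exit status:
#   0 group resolved, 1 USER not resolvable, 2 no resolvable group
resolve_install_group() (
    user=$1
    fallback=${2:-}
    lookup=${NSS_LOOKUP:-getent}

    if ! pw=$($lookup passwd "$user"); then
        echo "ERROR: '$user' is not resolvable through NSS; check SSSD and nsswitch.conf" >&2
        exit 1
    fi
    # passwd entry: name:passwd:uid:gid:gecos:home:shell
    gid=$(printf '%s\n' "$pw" | cut -d: -f4)

    # The primary GID must map back to a group entry, not just exist as a number.
    if gr=$($lookup group "$gid"); then
        printf '%s\n' "${gr%%:*}"
        exit 0
    fi
    echo "WARN: primary GID $gid of '$user' has no group entry" >&2

    # Administrator override: accepted only if NSS can resolve it as well.
    if [ -n "$fallback" ] && gr=$($lookup group "$fallback"); then
        echo "WARN: using administrator-supplied group '$fallback'" >&2
        printf '%s\n' "${gr%%:*}"
        exit 0
    fi
    echo "ERROR: no resolvable POSIX group for '$user'; supply a group NSS can resolve" >&2
    exit 2
)

# Run as a script: ./precheck.sh USER [FALLBACK_GROUP]
if [ "$#" -gt 0 ]; then resolve_install_group "$@"; fi
```

Running the check as the account that will perform the installation catches the unresolved-GID case before any files are written, and the distinct exit codes let a wrapper tell a missing user apart from a missing group.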
Business Impact
- Reduces installation and deployment delays
- Lowers operational overhead caused by repeated failures and rework
- Improves compliance with enterprise security standards
- Enhances customer confidence in IWS deployments
- Increases product adoption in enterprise environments
Technical Justification
The current installer depends heavily on OS-level group resolution and assumes the presence of locally resolvable POSIX groups. In modern environments using AD, LDAP, and SSSD, group mapping is managed centrally and may not always align with local UNIX expectations.
By introducing better validation, configurability, and flexibility in group handling, the installer can become more compatible with domain-integrated environments without requiring changes to customer infrastructure.
Customer Use Case
An organization uses centralized Active Directory authentication with LDAP and SSSD on UNIX/Linux servers. Local user accounts are restricted by policy. When attempting to install IWS using a Domain ID, the installation fails due to unresolved POSIX groups, even though authentication works correctly.
As a workaround, administrators are forced to create and use local IDs, which violates internal security standards. With the proposed enhancement, the organization would be able to complete the installation using authorized domain IDs without modifying their identity infrastructure.
Expected Outcome
- Successful IWS installation using Domain IDs in LDAP/SSSD environments
- Reduced dependency on local system accounts
- Fewer installation-related support cases
- Improved compatibility with enterprise identity systems
- Better overall customer experience