Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.7 - Installation Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Installing and configuring Safeguard Authentication Services Installing and joining from the Unix command line Getting started with Safeguard Authentication Services Troubleshooting Enterprise package deployment

Active Directory optimization

Indexing certain attributes used by the Safeguard Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project.

The Control Center, Preferences | Schema Attributes | Unix Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.

One Identity recommends that you index the following attributes in Active Directory:

  • User UID Number
  • User Unix Name
  • Group GID Number
  • Group Unix Name

Note: LDAP display names vary depending on your Unix attribute mappings.

It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Safeguard Authentication Services Unix agents.

Click the Optimize Schema link to run a script that updates these attributes as necessary. The Optimize Schema option is only available if you have not optimized the Unix schema attributes defined for use in Active Directory.

This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.

All schema optimizations are reversible and no schema extensions are applied in the process.

Starling Attributes: Configure LDAP attributes for use with push notifications

You can specify the user mobile number and user email address attributes to be used by the Starling push notifications.

Modifications to the Starling schema attributes configuration are global and apply to all Safeguard Authentication Services clients in the forest. For users configured to use Starling, this could cause user logins to fail.

To configure custom LDAP attributes for use with Starling push notifications

  1. From the Control Center, navigate to the Starling Attributes in one of the following two ways:
    • Preferences | Starling Two-Factor Authentication and click the Starling Attributes link.
    • Preferences | Schema Attributes
  2. Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
  3. Enter the LDAP display name for one or both of the Starling attributes used by the Starling push notifications:

    • User Mobile Number
    • User Email Address
  4. Click OK.
  5. Click Yes to confirm that you want to modify the Starling schema attributes configuration.
  6. Back on the Starling Two-Factor Authentication preference pane, the Starling attributes to be used are displayed.

Use Safeguard Authentication Services PowerShell

Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.

You can perform the following tasks using PowerShell cmdlets:

  • Unix-enable Active Directory users and groups
  • Unix-disable Active Directory users and groups
  • Manage Unix attributes on Active Directory users and groups
  • Search for and report on Unix-enabled users and groups in Active Directory
  • Install product license files
  • Manage Safeguard Authentication Services global configuration settings
  • Find Group Policy objects with Unix/macOS settings configured

Using the Safeguard Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.

Unix-enabling a user and user group (PowerShell Console)

The following procedure explains how to Unix-enable a user and user group using the Authentication Services PowerShell Console.

To Unix-enable a user and user group

  1. From the Control Center, navigate to Tools | Safeguard Authentication Services.
  2. Click Safeguard Authentication Services PowerShell Console.

    Note: The first time you launch the PowerShell Console, it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this, you will never be asked this question again on this machine.

  3. At the PowerShell prompt, enter the following:
    Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

    Note: You created the UNIXusers group in a previous exercise. See Adding an Active Directory group account.

    Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:

    ObjectClass              : group
    DistinguishedName        : CN=UNIXusers,CN=Users,DC=example,DC=com
    ObjectGuid               : 71aaa88-d164-43e4-a72a-459365e84a25
    GroupName                : UNIXusers
    UnixEnabled              : True
    GidNumber                : 1234567
    AdsPath                  : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
                               DC=example,DC=com
    CommonName               : UNIXusers
  4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
    Enable-QasUnixUser ADuser | Seet-QasUnixUser -PrimaryGidNumber 1234567

    The Unix properties of the user display:

    ObjectClass              : user
    DistinguishedName        : CN=ADuser,CN=Users,DC=example,DC=com
    ObjectGuid               : 5f83687c-e29d-448f-9795-54d272cf9f25
    UserName                 : ADuser
    UnixEnabled              : True
    UidNumber                : 80791532
    PrimaryGidNumber         : 1234567
    Gecos                    :
    HomeDirectory            : /home/ADuser
    LoginShell               : /bin/sh
    AdsPath                  : LDAP://windows.example.com/CN=ADuser,CN=Users,
                               DC=example,DC=com
    CommonName               : ADuser
  5. To disable the ADuser user for Unix login, at the PowerShell prompt enter:
    Disable-QasUnixUser ADuser

    Note: To clear all Unix attribute information, enter:

    Clear-QasUnixUser ADuser

    Now that you have Unix-disabled the user, that user can no longer log in to systems running the Safeguard Authentication Services agent.

  6. From the Control Center, under Login to remote host, enter:
    • Host name: The Unix host name.
    • User name: The Active Directory user name, ADuser.

    Click Login to log in to the Unix host with your Active Directory user account.

    A PuTTY window displays.

    Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.

  7. Enter the password for the Active Directory user account.

    You will receive a message that says Access denied.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating