Chat now with support
Chat mit Support

Safeguard Authentication Services 6.1 - Upgrade Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services Upgrade Windows components Configure Active Directory Configure UNIX agent components Upgrade client components manually Getting started with Safeguard Authentication Services Troubleshooting

Display specifier registration tables

Display specifiers are stored in the Active Directory configuration partition under the DisplaySpecifiers container. The DisplaySpecifiers container has child containers named for a corresponding locale ID. US English display specifiers are in cn=409,cn=DisplaySpecifers,cn=Configuration,dc=domain. The following modifications are made for each locale by the display specifier registration script, DsReg.vbs.

Table 12: Object: User-Display
Attribute Change type Value Description

adminPropertyPages

modify, insert

10,{E399C9A2-E7ED-4DDF- 9C5A-BA4EACC34316}

Registers the UNIX Account property page extension with User objects.

adminPropertyPages

modify, insert

11,{53108A01-9B68-4DFB- A16D-4945D26A38A9}

Registers the UNIX Personality property page extension with User objects.

attributeDisplayNames

modify, insert

uidNumber, UID Number

Provides a more user-friendly name for the UNIX user ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

uid, Login Name

Provides a more user-friendly name for the UNIX login name attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

gidNumber, GID Number

Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

canonicalName, Path

Provides a more user-friendly name for the UNIX canonical name attribute. Allows this attribute to display in the UNIX Object find dialog results.

Table 13: Object: Group-Display
Attribute Change type Value Description

adminPropertyPages

modify, insert

10,{E399C9A2-E7ED-4DDF- 9C5A-BA4EACC34316}

Registers the UNIX Account property page extension with User objects.

attributeDisplayNames

modify, insert

gidNumber, GID Number

Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

canonicalName, Path

Provides a more user-friendly name for the UNIX canonical name attribute. Allows this attribute to display in the UNIX Object find dialog results.

Table 14: Object: vintela-UnixUserPersonality-Display
Attribute Change type Value Description

cn

create object

vintela-UnixUserPersonality- Display

The display specifier object is created.

adminPropertyPages

modify, insert

10,{E399C9A2-E7ED-4DDF- 9C5A-BA4EACC34316}

This registers the UNIX User Personality property page extension with user personality objects.

classDisplayName

modify, set

UNIX User Personality

Sets the friendly name of the object class. This is the text displayed in the New Object menu and elsewhere in ADUC.

creationWizard

modify, set

{57AC8F6B-5EA8-4DC9- AB9A-C0ED6420C7F9}

This registers the "New UNIX User Personality" object creation wizard. This creation wizard registration mechanism works in ADUC, but is not yet supported in Active Roles. To create personality objects in Active Roles, use the Advanced Create Wizard and select the UNIX User Personality object class.

iconPath

modify, insert

0,vas_dua_user.ico

This is the default personality icon. This icon is installed by Safeguard Authentication Services in the %SYSTEMROOT%\system32 folder so that it is available to all applications that might need it.

iconPath

modify, insert

1,vas_dua_user_disabled.ico

This icon is not currently used.

iconPath

modify, insert

2,vas_dua_user_orphaned.ico

This icon is not currently used.

attributeDisplayNames

modify, insert

uidNumber, UID Number

Provides a more user-friendly name for the UNIX user ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

gidNumber, GID Number

Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

uid, UNIX Login Name

Provides a more user-friendly name for the UNIX login name attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

description, Description

Provides a more user-friendly name for the description attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

canonicalName, Path

Provides a more user-friendly name for the UNIX canonical name attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

managedBy, Linked To

Provides a more descriptive name for the managed by attribute to indicate how this attribute is used on personality objects. Allows this attribute to display in the UNIX Object find dialog results.

Table 15: Object: vintela-UnixGroupPersonality-Display
Attribute Change type Value Description

cn

create object

vintela-UnixGroupPersonality- Display

The display specifier object is created.

adminPropertyPages

modify, insert

10,{E399C9A2-E7ED-4DDF- 9C5A-BA4EACC34316}

This registers the UNIX User Personality property page extension with user personality objects.

classDisplayName

modify, set

UNIX Group Personality

Sets the friendly name of the object class. This is the text displayed in the New Object menu and elsewhere in ADUC.

creationWizard

modify, set

{A7C4A545-C7C8-49C8- 8C96-8C665E166D0C}

This registers the "New UNIX User Personality" object creation wizard. This creation wizard registration mechanism works in ADUC, but is not yet supported in ARS. To create personality objects in ARS, use the Advanced Create Wizard and select the UNIX User Personality object class.

iconPath

modify, insert

0,vas_unix_group.ico

This is the default personality icon. This icon is installed by Safeguard Authentication Services in the %SYSTEMROOT%\system32 folder so that it is available to all applications that might need it.

attributeDisplayNames

modify, insert

gidNumber, GID Number

Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

cn, Name

Provides a more user-friendly name for the UNIX login name attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

description, Description

Provides a more user-friendly name for the description attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

canonicalName, Path

Provides a more user-friendly name for the UNIX canonical name attribute. Allows this attribute to display in the UNIX Object find dialog results.

attributeDisplayNames

modify, insert

managedBy, Linked To

Provides a more descriptive name for the managed by attribute to indicate how this attribute is used on personality objects.

Global UNIX Options

The Global UNIX Options section displays the currently configured options for UNIX-enabling users and groups.

Click Modify Global UNIX Options to change these settings.

NOTE: Safeguard Authentication Services uses the Global UNIX Options when enabling users and groups for UNIX login.

Table 16: UNIX user defaults
Option Description

Require unique User Names

Select to require a unique user login name attribute within the forest.

Require unique UID Numbers

Select to require a unique user's UNIX ID (UID) number within the forest.

Minimum UID Number

Enter a minimum value for the UNIX User ID (UID) number.

Typically, you set this to a value higher than the highest UID among local UNIX users to avoid conflicts with users in Active Directory and local user accounts.

Maximum UID Number

Enter a maximum value for the UNIX User ID (UID) number.

Typically, you would not change this value unless you have a legacy UNIX platform that does not support the full 32-bit integer range for UID number.

Default Primary GID Number

Enter the default value for the Primary GID number when UNIX-enabling a user.

Set primary GID to UID

Select to set the primary GID number to the User ID number.

Default Comments (GECOS)

Enter any text in this box.

Default Login Shell

Enter the default value for the login shell used when UNIX-enabling a user.

Default Home Directory

Enter the default prefix used when generating the home directory attribute when UNIX-enabling a user.

The default value is /home/; use a different value if your UNIX user home directories are stored in another location on the file system. Safeguard Authentication Services uses the user's effective UNIX name when generating the full home directory path.

Use lowercase User Name for Home Directory

Select to use a lower-case representation of the user's effective UNIX name when generating the full home directory path as a user is UNIX-enabled.

Table 17: UNIX group defaults
Option Description

Require unique Group Names

Select to require a unique UNIX group name attribute within the forest.

Require unique GID Numbers

Select to require a unique UNIX Group ID (GID) attribute within the forest.

Minimum GID Number

Enter the minimum value for the UNIX Group ID (GID).

Typically, this is set to a value higher than the highest GID among local UNIX groups to avoid conflicts with groups in Active Directory and local group accounts.

Maximum GID Number

Enter the maximum value for the UNIX Group ID (GID).

Typically, you would not change this value unless you have a legacy UNIX platform that does not support the full 32-bit integer range for GID.

These options control the algorithms used to generate unique user and group IDs.

Table 18: Unique IDs
Option Description

GUID Hash

An ID generated from a hash of the user or group object GUID attribute.

This is a fast way to generate an ID that is usually unique. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.

Samba Algorithm

An ID generated from the SID of the domain and the RID of the user or group object.

This method works well when there are few domains in the forest. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.

Legacy Search Algorithm

An ID generated by searching for existing ID values in the forest. This method generates an ID that is not currently in use.

Modifications you make to these Global UNIX Options take effect after you restart the Microsoft Management Console (MMC).

TIP: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the two methods can lead to ID conflicts.

Logging Options

The Logging Options section allows you to enable logging for all Safeguard Authentication Services Windows components. This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particular problem. As logging causes components to run slower and use more disk space, set the Log Level to Disabled when you are finished troubleshooting.

Enabling debug logging on Windows

This section describes how to enable debug logging on Windows.

To enable debug logging for all Safeguard Authentication Services Windows components

  1. Open Control Center and click Preferences on the left navigation pane.

  2. Expand the Logging Options section.

  3. Open the Log level drop-down menu and set the log level to Debug.

    Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabled to disable logging.

  4. Click to specify a folder location where you want to write the log files.

    Safeguard Authentication Services Windows components log information into the specified log folder the next time they are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen