If you do not have a schema that supports Unix data storage in Active Directory, you can configure Safeguard Authentication Services to use existing, unused attributes of users and groups to store Unix information in Active Directory.
To configure a custom schema mapping
- Open the Control Center and click Preferences then Schema Attributes on the left navigation pane.
- Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
- Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes except User UID Number, User Primary Group ID, and Group GID Number, which may be integers. If an attribute does not exist or is of the wrong type, the field's border turns red, indicating that the LDAP attribute is invalid.
- Click OK to validate and save the specified mappings in Active Directory.
Indexing certain attributes used by the Safeguard Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project.
The Control Center, Preferences | Schema Attributes | Unix Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.
One Identity recommends that you index the following attributes in Active Directory:
- User UID Number
- User Unix Name
- Group GID Number
- Group Unix Name
Note: LDAP display names vary depending on your Unix attribute mappings.
It is also a best practice to add all Unix identity attributes to the global catalog. A global catalog server holds a partial replica of every domain in the forest, so attributes in the partial attribute set can be resolved there directly; this reduces the number of Active Directory lookups that Safeguard Authentication Services Unix agents must perform against domain controllers in other domains.
Click the Optimize Schema link to run a script that updates these attributes as necessary. The Optimize Schema link is shown only while the mapped Unix schema attributes are not yet optimized.
This operation requires administrative rights in Active Directory (write access to the schema partition, which by default only members of Schema Admins have). If you do not have the necessary rights, the Control Center instead generates a schema optimization script that you can send to an Active Directory administrator who has the rights to make the changes.
All schema optimizations are reversible and no schema extensions are applied in the process: the script only changes the indexing and global catalog settings of attributes that already exist.
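The following is an added example, not code shipped by One Identity or the Safeguard Authentication Services product. It performs from PowerShell the two checks described above (does each mapped attribute exist with an acceptable type; is it indexed and in the global catalog) and, like the Control Center, emits a schema optimization script instead of changing the schema itself. The RFC 2307 attribute names in the mapping, the set of attributeSyntax OIDs treated as "string-type", and the use of Set-ADObject against the schema master are assumptions; replace the mapping values with the names you typed into the Customize Schema Attributes dialog.

```powershell
# Added example, not code shipped with Safeguard Authentication Services.
# Checks a custom Unix schema mapping against the Active Directory schema the
# same two ways the Control Center does (does the attribute exist with an
# acceptable syntax; is it indexed and in the global catalog) and writes the
# Set-ADObject commands a Schema Admin would run to optimize it.
# Requires the RSAT ActiveDirectory module and read access to the schema partition.
Import-Module ActiveDirectory

# Assumed mapping. Keys are the Unix attribute names from the Customize Schema
# Attributes dialog; values are the RFC 2307 LDAP display names. Replace the
# values with the names you actually typed into the dialog.
$UnixMapping = [ordered]@{
    'User UID Number'       = 'uidNumber'
    'User Primary Group ID' = 'gidNumber'
    'User Unix Name'        = 'uid'
    'Group GID Number'      = 'gidNumber'
    'Group Unix Name'       = 'cn'
}
# The dialog accepts integer-typed attributes only for these three.
$IntegerAllowed = 'User UID Number', 'User Primary Group ID', 'Group GID Number'
# The attributes One Identity recommends indexing and adding to the global catalog.
$ShouldOptimize = 'User UID Number', 'User Unix Name', 'Group GID Number', 'Group Unix Name'

# attributeSyntax OIDs from the AD schema. 2.5.5.9 is Integer/Enumeration; the
# others are the string syntaxes. Treating exactly these as "string-type" is an
# assumption about the dialog's check.
$IntegerSyntax  = '2.5.5.9'
$StringSyntaxes = '2.5.5.3', '2.5.5.4', '2.5.5.5', '2.5.5.6', '2.5.5.12'
$fATTINDEX = 1   # searchFlags bit that marks an attribute as indexed

function Test-UnixSchemaMapping {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($entry in $UnixMapping.GetEnumerator()) {
        $unixName = $entry.Key
        $ldapName = $entry.Value
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" -Properties attributeSyntax, searchFlags, isMemberOfPartialAttributeSet
        $syntaxOk = $false; $indexed = $false; $inGc = $false; $flags = $null; $dn = $null
        if ($attr) {
            # The red border in the dialog: attribute missing or of the wrong type.
            $syntaxOk = ($StringSyntaxes -contains $attr.attributeSyntax) -or
                        (($IntegerAllowed -contains $unixName) -and $attr.attributeSyntax -eq $IntegerSyntax)
            $indexed  = ($attr.searchFlags -band $fATTINDEX) -ne 0
            $inGc     = [bool]$attr.isMemberOfPartialAttributeSet
            $flags    = $attr.searchFlags
            $dn       = $attr.DistinguishedName
        }
        [pscustomobject]@{
            UnixAttribute   = $unixName
            LdapDisplayName = $ldapName
            Exists          = [bool]$attr
            SyntaxOk        = $syntaxOk
            Indexed         = $indexed
            InGlobalCatalog = $inGc
            # Mirrors the Optimize Schema warning: a recommended attribute is not fully optimized.
            NeedsOptimize   = [bool]$attr -and ($ShouldOptimize -contains $unixName) -and -not ($indexed -and $inGc)
            SearchFlags     = $flags
            SchemaDN        = $dn
        }
    }
}

function New-SchemaOptimizationScript {
    # Emits commands instead of running them, as the Control Center does when the
    # current user lacks rights, so the text can be handed to a Schema Admin.
    $master = (Get-ADForest).SchemaMaster
    $out = @("# Run as a member of Schema Admins; schema writes go to the schema master ($master).",
             "Import-Module ActiveDirectory")
    $done = @{}
    foreach ($r in Test-UnixSchemaMapping | Where-Object { $_.NeedsOptimize }) {
        if ($done.ContainsKey($r.LdapDisplayName)) { continue }   # gidNumber is mapped twice above
        $done[$r.LdapDisplayName] = $true
        if (-not $r.Indexed) {
            $newFlags = $r.SearchFlags -bor $fATTINDEX
            $out += "Set-ADObject -Server $master -Identity '$($r.SchemaDN)' -Replace @{ searchFlags = $newFlags }  # index $($r.LdapDisplayName); previous value $($r.SearchFlags)"
        }
        if (-not $r.InGlobalCatalog) {
            $out += "Set-ADObject -Server $master -Identity '$($r.SchemaDN)' -Replace @{ isMemberOfPartialAttributeSet = `$true }  # replicate $($r.LdapDisplayName) to the global catalog"
        }
    }
    $out += "# To undo: restore the previous searchFlags value or set isMemberOfPartialAttributeSet to `$false. No schema extension is involved."
    $out -join [Environment]::NewLine
}

# Usage: review the checks, then save the generated script for an AD administrator.
Test-UnixSchemaMapping | Format-Table -AutoSize
New-SchemaOptimizationScript | Set-Content -Path .\optimize-unix-schema.ps1
```

The generated script writes only searchFlags and isMemberOfPartialAttributeSet on existing attributeSchema objects, which is why the change is reversible and adds no schema extension; the previous searchFlags value is recorded in the comment on each line so it can be restored.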
You can specify the user mobile number and user email address attributes to be used by the Starling push notifications.
Modifications to the Starling schema attributes configuration are global and apply to all Safeguard Authentication Services clients in the forest. Changing them can cause logins to fail for users configured to use Starling.
To configure custom LDAP attributes for use with Starling push notifications
- From the Control Center, navigate to the Starling attributes in one of the following two ways:
  - Preferences | Starling Two-Factor Authentication, then click the Starling Attributes link.
  - Preferences | Schema Attributes
- Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
- Enter the LDAP display name for one or both of the attributes used by the Starling push notifications:
  - User Mobile Number
  - User Email Address
- Click OK.
- Click Yes to confirm that you want to modify the Starling schema attributes configuration.
- Back on the Starling Two-Factor Authentication preference pane, the Starling attributes to be used are displayed.
Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.
You can perform the following tasks using PowerShell cmdlets:
- Unix-enable Active Directory users and groups
- Unix-disable Active Directory users and groups
- Manage Unix attributes on Active Directory users and groups
- Search for and report on Unix-enabled users and groups in Active Directory
- Install product license files
- Manage Safeguard Authentication Services global configuration settings
- Find Group Policy objects with Unix/macOS settings configured
Using the Safeguard Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.
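The following is an added example and not code from One Identity or the Safeguard Authentication Services PowerShell modules, whose cmdlet names this page does not give. It scripts the import of Unix account information with the standard ActiveDirectory module instead, writing only the three user attributes named above (UID number, primary group ID, Unix name) through the LDAP display names of your schema mapping. The sample /etc/passwd lines are constructed, the mapping uses assumed RFC 2307 names, and matching a Unix login name to an AD user by sAMAccountName and skipping UIDs below 1000 are assumed site policies.

```powershell
# Added example, not code shipped with Safeguard Authentication Services.
# Scripts the import of Unix account information into Active Directory using
# the standard ActiveDirectory module and the LDAP attribute names from your
# Unix schema mapping. Only the three user attributes the mapping above names
# (UID number, primary group ID, Unix name) are written.
Import-Module ActiveDirectory

# Assumed mapping: replace with the names configured in Customize Schema Attributes.
$Map = @{ UidNumber = 'uidNumber'; GidNumber = 'gidNumber'; UnixName = 'uid' }

# Constructed sample /etc/passwd content; none of these are real accounts.
# It deliberately contains system accounts, a duplicate UID and a malformed line.
$PasswdLines = @'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:10001:10000:Jane Smith:/home/jsmith:/bin/bash
bnguyen:x:10002:10000:Bao Nguyen:/home/bnguyen:/bin/zsh
svc-backup:x:10001:10005:Backup service:/srv/backup:/usr/sbin/nologin
badline:x:abc:10000:Broken entry:/home/bad:/bin/sh
'@ -split "`r?`n"

function ConvertFrom-Passwd {
    # Parses passwd lines into objects, rejecting anything that would create an
    # ambiguous or invalid Unix identity in AD. MinUid is an assumed site policy
    # that keeps system accounts out of the directory.
    param([string[]]$Lines, [int]$MinUid = 1000)
    $seenUid = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Split(':')
        if ($f.Count -ne 7) { Write-Warning "Skipping malformed line: $line"; continue }
        $uid = 0; $gid = 0
        if (-not [int]::TryParse($f[2], [ref]$uid) -or -not [int]::TryParse($f[3], [ref]$gid)) {
            Write-Warning "Skipping '$($f[0])': UID or GID is not an integer"; continue
        }
        if ($uid -lt $MinUid) { continue }
        if ($seenUid.ContainsKey($uid)) {
            # Two login names sharing a UID are one identity on Unix; do not import that ambiguity.
            Write-Warning "Skipping '$($f[0])': UID $uid already belongs to '$($seenUid[$uid])'"; continue
        }
        $seenUid[$uid] = $f[0]
        [pscustomobject]@{ UnixName = $f[0]; UidNumber = $uid; GidNumber = $gid }
    }
}

function ConvertTo-LdapFilterLiteral([string]$Value) {
    # RFC 4515 escaping, so a crafted login name cannot widen the LDAP search.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Import-UnixAccounts {
    # Writes the mapped attributes onto the matching AD user. Assumption: the Unix
    # login name equals the sAMAccountName; the match is exact, never a wildcard.
    param([Parameter(ValueFromPipeline)]$Account, [switch]$Apply)
    process {
        $filter = "(sAMAccountName=$(ConvertTo-LdapFilterLiteral $Account.UnixName))"
        $user = Get-ADUser -LDAPFilter $filter -Properties $Map.UidNumber
        if (-not $user) { Write-Warning "No AD user for '$($Account.UnixName)'"; return }
        $current = $user.($Map.UidNumber)
        if ($current -and $current -ne $Account.UidNumber) {
            Write-Warning "'$($Account.UnixName)' is already Unix-enabled with UID $current; not overwriting"; return
        }
        $replace = @{}
        $replace[$Map.UidNumber] = $Account.UidNumber
        $replace[$Map.GidNumber] = $Account.GidNumber
        $replace[$Map.UnixName]  = $Account.UnixName
        # Without -Apply this is a dry run: -WhatIf prints the change and writes nothing.
        Set-ADUser -Identity $user -Replace $replace -WhatIf:(-not $Apply)
    }
}

# Dry run first; add -Apply once the planned changes look right.
ConvertFrom-Passwd -Lines $PasswdLines | Import-UnixAccounts
```

With the sample input, root and daemon are skipped by the UID threshold, badline is rejected for its non-integer UID, and svc-backup is refused because it reuses UID 10001, so only jsmith and bnguyen reach Set-ADUser. Existing Unix-enabled users with a different UID are left untouched rather than silently re-identified.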