Chat now with support
Tchattez avec un ingénieur du support

Authentication Services 4.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting

Installing the LDAP proxy

You can install the LDAP proxy package using the install.sh script.

To install the LDAP proxy

  1. Insert the Authentication Services distribution media and navigate to the root directory of the installation media.
  2. Execute the following command as root:
    ./install.sh vasproxy
  3. Follow the prompts to complete the installation.

Configuring the LDAP proxy

The LDAP proxy must be configured for each application that will use it. LDAP proxy configuration is stored in the [vasproxyd] section of vas.conf. Each setting in the [vasproxyd] section specifies a proxy handler configured to listen on a specific local port for LDAP traffic.

To configure the LDAP proxy for an application

  1. Open vas.conf and add a proxy handler for your legacy application. A proxy handler is a multi-valued setting. For example:
    [vasproxyd] 
    mydomain = { 
       listen-addrs = 127.0.0.1:10000 
       enable-anonymous = true 
       service-principal = mydomain.example.com@EXAMPLE.COM 
       allow-deny-name = mydomain 
       daemon-user = mydomain 
       connection-timeout = 120 
       largest-ldap-message = 2000000 
       } 

    This example configures a proxy handler for the mydomain application. The name is only used for identification in log files. It does not have to match the name of the application. This proxy handler listens on the localhost port 10000. For a complete list of all proxy handler options and their meanings, see the vasproxyd man page. After you set up the proxy, you may need to adjust the legacy application configuration to use the proxy address and port.

  2. After you have configured the LDAP proxy handler, restart the service. The method for restarting the service differs by platform:

    Linux and Solaris:

    /etc/init.d/vasproxyd restart

    HPUX:

    /sbin/init.d/vasproxyd restart

    AIX:

    stopsrc -s vasproxyd startsrc -s vasproxyd

IPv6

Authentication Services supports IPv6 and is designed to run equally in IPv4-only, dual-stack (IPv4 and IPv6), and IPv6-only environments. The following describes the IPv6 features and considerations when running Authentication Services in an IPv6-enabled environment.

Note: Authentication Services uses IPv6 when the operating system's DNS resolver correctly supports mapping of IPv4 addresses to IPv6 addresses. If a problem with address mapping is detected, Authentication Services operates in IPv4-only mode, even if an IPv6 address is assigned and other applications use IPv6.

Authentication Services uses IPv6 automatically when DNS contains IPv6 address records (AAAA records). These are most commonly published for servers running Windows 2008 or later on an IPv6-enabled network. Similarly, hosts may use IPv4 whenever IPv4 address records (A records) appear in DNS.

To ensure reliability, when connecting to a TCP service that is available over both IPv4 and IPv6, Authentication Services uses an adaptive algorithm used by popular web browsers and published in RFC 6555. If an initial connection attempt does not complete in a short amount of time, it makes a parallel connection attempt using a subsequent address, if available. This happens in a fraction of a second and is usually invisible to the user, even if one protocol is perennially unavailable.

For UDP connections, the service sends packets in parallel using both protocols (when available). This provides the best performance and reliability, with a negligible effect on network traffic.

IPv6 connectivity in Authentication Services depends on the operating system. To determine IPv6 availability on a host-by-host basis, run vastool info ipv6 on each client.

Note: You may need to update or patch your operating system for Authentication Services to use IPv6.

The system resolver's address selection policies directly influence the addresses chosen by Authentication Services when more than one address is available. Depending on the operating system, you may be able to configure the polices. For example, configure /etc/gai.conf on GNU libc-based operating systems. The standard address selection policies (RFC 3484) and fallback connection algorithm should obviate the need to alter the default address selection policy.

Note: Active Directory servers must be running Windows 2008 or later for IPv6 communication.

Identity management

Authentication Services provides many features designed to help you consolidate and organize your identity infrastructure by bringing Unix identity information into Active Directory. This section introduces you to some of the identity management tools available to you.

Note: You can access your Unix hosts from the Control Center to perform the command line tasks described in this section.

Documents connexes