Chat now with support
Tchattez avec un ingénieur du support

Authentication Services 4.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting

Migrating auto-generated group identities

To migrate an auto-generated group to use an enterprise identity

  1. Make sure that you have realigned the file and directory ownerships to the new UID and GID values, including the user's home directory.

    For more information, see Managing local file permissions.

  2. Locate the user record in the /etc/opt/quest/vas/autogen.group file, and remove it.
  3. Force Authentication Services to update the user by means of logging in or by running:
    vastool list –f group <groupname>

Unix Personality Management

Unix Personality Management (UPM) delivers a highly flexible model for managing multiple Unix identities for a user or group. This preserves the administrative boundaries typical to Unix systems while still allowing for consolidation into Active Directory.

In Unix Personality Management, Unix hosts are joined to a "personality container" when they join the domain. The personality container provides a constrained view of the users and groups available in Active Directory. Personality containers can contain Unix-enabled users. In addition, you can define Unix personality objects and link them to regular Windows users. This allows an override mechanism for Unix identity data that is stored in Active Directory. In this way a single Active Directory user is associated with multiple Unix identity objects. Personality containers can also link to secondary containers, which allows for a shared repository of globally unique Unix identities.

NIS domains are particularly applicable to Unix Personality Management. If you have several NIS domains where users have different Unix identities in each NIS domain, you can create a personality container corresponding to each NIS domain. Unix hosts are then joined to the personality container corresponding to their NIS domain. To aid in this scenario, you can create a personality container directly from a NIS domain. See the Unix Account Import Wizard online help for more information.

Note: Unix Personality Management is not appropriate when Unix identity data is divergent across Unix hosts. For example, if users have a different UID number on every Unix host, UPM is not the best choice because you need to maintain a personality container per-host.

Unix Personality Management schema extension

Unix Personality Management requires an extension to the default Active Directory schema in order to store multiple Unix identities for each Active Directory user and group. The UPM schema extension derives from the RFC 2307 standard for storing Unix identity information in LDAP. It introduces new structural classes for user personalities and group personalities. You can link multiple user personalities to an Active Directory user, and multiple group personalities to an Active Directory group.

The UPM schema extension is provided in the standard LDAP Data Interchange Format (LDIF). You can use LDIF files to modify your schema using the ldifde.exe utility that is distributed by Microsoft with the Windows operating system. You must have administrative rights to extend the schema. You can find the LDIF file, qas_unix_personality_management.ldif, on the distribution media in the windows\ldif directory.

For help with running ldifde.exe, see Ldifde Command-line Reference.

Joining the domain in Unix Personality Management mode

To join a Unix host to the domain in UPM mode,

  1. Extend the schema with the Unix Personality Management schema extension.
  2. Create a personality container.

    In ADUC, right-click a container and select All Tasks | Unix Tasks | Promote to Personality Container.

  3. Join Unix hosts to the domain in UPM mode using the new personality container.

For example, run the following vastool command to join to domain example.com using personality container ou=Unix Users,dc=example,dc=com:

vastool -u Administrator join -p "ou=Unix Users,dc=example,dc=com" example.com

When the Unix host is joined in UPM mode, only the Unix objects contained in the personality container are cached.

Documents connexes