Authentication Services 4.2 - Administration Guide


AIX extended attribute support

The Authentication Services LAM module has the ability to service a number of user attributes beyond the standard Unix identity attributes (UID, GID, Shell, and so on). For example, you can store user-specific ulimit attributes, such as fsize, core, or cpu. There are many other attributes you can service with the Authentication Services LAM module.

To store all of these attributes in an LDAP directory, IBM provides a user object schema extension. Authentication Services does not require this schema extension to service these extended attributes. Instead, the Authentication Services LAM module stores this extended attribute data in a local database. In this way, the Authentication Services module is a hybrid module; it serves core identity information (UID) from Active Directory, while storing and serving these extended user attributes locally. Since extended attributes are stored locally on each AIX server, you must make extended attribute changes for user accounts on every AIX server.

Use the chuser command to set an extended attribute on an Authentication Services user, as follows:

bash$ chuser fsize=3000000 jdoe

You can set any number of attributes in this fashion.

After setting the value, you can view it using the lsuser command:

bash$ lsuser jdoe
jdoe id=5000 pgrp=jdgroup home=/home/jdoe shell=/bin/bash gecos= registry=VAS fsize=3000000

You can set a large number of attributes this way; however, you cannot set attributes that have either a static value returned by the Authentication Services LAM module or a read-only value served out of Active Directory.

These are the attributes you cannot set through the Authentication Services LAM module (chuser).

Table 15: AIX extended attributes
SYSTEM
account_locked
auth1
auth2
gecos
groups
groupsids
home
id
pgid
pgrp
pwdwarntime
registry
shell
unsuccessful_login_count
logintimes
expires
maxage
minage

Use the rmuser command to remove all of the extended attributes from an Authentication Services user. The rmuser command usually deletes a user, but when used on an Authentication Services user, it only removes attributes stored locally on the AIX server. It never modifies anything in Active Directory.

Notice in the following example that you can still list the user. The only thing missing is the fsize attribute that was just set using chuser.

bash$ rmuser jdoe
bash$ lsuser jdoe
jdoe id=5000 pgrp=jdgroup home=/home/jdoe shell=/bin/bash gecos= registry=VAS
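Because extended attributes live in a local database on each AIX server, they can drift between hosts; the shell functions below (an added example, not part of the guide or the product) parse the one-line "key=value" lsuser output shown above, check that a required ulimit such as fsize is present, and reject attribute names from Table 15 before anyone passes them to chuser. The sample lsuser lines are constructed from the guide's example.

```shell
#!/bin/sh
# Added example (not from the One Identity guide): audit helpers for the
# locally stored AIX extended attributes served by the VAS LAM module.
# Assumes the one-line "name key=value key=value ..." lsuser format.

# Attributes the guide lists (Table 15) as not settable through chuser.
READONLY_ATTRS="SYSTEM account_locked auth1 auth2 gecos groups groupsids \
home id pgid pgrp pwdwarntime registry shell unsuccessful_login_count \
logintimes expires maxage minage"

# is_readonly_attr NAME -> exit 0 if NAME cannot be set with chuser
is_readonly_attr() {
    for a in $READONLY_ATTRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# lsuser_attr LINE NAME -> print NAME's value from an lsuser line;
# exit 1 if the attribute is absent (e.g. after rmuser cleared local data)
lsuser_attr() {
    line=$1; name=$2
    for kv in $line; do
        case $kv in
            "$name"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_fsize LINE MIN -> exit 0 if fsize is present and >= MIN, else 1
check_fsize() {
    v=$(lsuser_attr "$1" fsize) || return 1
    [ "$v" -ge "$2" ]
}

# Constructed sample: lsuser output before and after rmuser, as in the guide.
BEFORE='jdoe id=5000 pgrp=jdgroup home=/home/jdoe shell=/bin/bash gecos= registry=VAS fsize=3000000'
AFTER='jdoe id=5000 pgrp=jdgroup home=/home/jdoe shell=/bin/bash gecos= registry=VAS'

if check_fsize "$BEFORE" 1000000; then echo "before rmuser: fsize OK"; fi
if ! check_fsize "$AFTER" 1000000; then echo "after rmuser: fsize missing"; fi
if is_readonly_attr id; then echo "refusing to set read-only attribute: id"; fi
```

On a real host the lsuser line would come from `lsuser jdoe` instead of the constructed strings, and a missing fsize on one server is the drift this check is meant to surface.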

Unix Account Import Wizard

The Unix Account Import Wizard is a versatile tool that helps migrate Unix account information to Active Directory. It is especially well-suited to small, one-shot import tasks, such as importing all the local user accounts from a specific Unix host. The Unix Account Import Wizard can import Unix data as new user and group objects, or use the data to Unix-enable existing users and groups. In Unix Personality Mode, you can use account information to create and link personality objects.

The Unix Account Import Wizard provides several different ways to import Unix account data into Active Directory. You can import Unix account information from various sources, such as local files, remote Unix hosts, and NIS servers. Once the wizard has imported the source data, it uses customizable rules to match the source accounts with existing accounts in Active Directory or uses the information to create new accounts in Active Directory.

Import Source Selection

The Import Source Selection page allows you to select the source of your Unix account information by clicking on an item in the list. You can only import from a single source, but you can run the Account Importer several times to capture data from multiple sources. Options include:

  • Local Files

    Import Unix account information from text files in /etc/passwd format stored on the local host.

    You can easily migrate local users to Active Directory by exporting a file from the Master /etc/passwd List report accessible from the management console's Reports page, then importing it into the Unix Account Import Wizard accessible from the Authentication Services Control Center Tools navigation link.

    NOTE: By default, Management Console for Unix creates the Master_etc_passwdList.csv file in the Application Data directory:

    • On Windows:

      %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\reports

    • On Unix:

      /var/opt/quest/mcu/reports

    NOTE: You can also use vastool utilities from a Unix server command line, such as vastool load, to assist you in migrating local users to Active Directory. See the vastool man page located in the docs directory of the installation media.

  • NIS Server

    Import Unix account information directly from the passwd and group maps of an active NIS server.

  • Remote Unix Host

    Import Unix account information directly from /etc/passwd or /etc/group files stored on a remote Unix host. This option uses SSH to retrieve the remote data so you must have an SSH login on the remote Unix host.

  • Existing Unlinked Unix Personalities

    Use this option to link orphaned or newly created Unix personalities with Active Directory users and groups. This option does not create new objects in Active Directory. It provides a way to quickly find and link Unix personalities using matching rules. This option is only available when the Unix Account Import Wizard is launched from Active Directory Users and Computers in the context of a Primary UPM container. (Right-click a UPM container and select All Tasks | Unix Tasks | Unix Account Import Wizard.)

  • Saved Import Session

    Use this option to resume an import session that was saved previously.

  • Existing Active Directory objects

    Use this option to create Unix personality objects based on existing Active Directory users and groups. This is helpful when creating new personality containers that are pre-populated with a set of personality objects linked to existing users and groups.

Account matching rules

When Unix-enabling existing users or importing personalities, you can specify rules that automatically associate Unix accounts to Active Directory accounts.
