Authentication Services 4.2 - Administration Guide


Using Authentication Services to augment or replace NIS

Authentication Services addresses several issues that affect NIS viability in modern computing environments. The NIS protocol is not secure and is not well-adopted on non-Unix platforms. Traditionally, the underlying NIS data store is file-based, leading to issues with scalability, data extensibility, and accessibility. Authentication Services supports re-hosting NIS data in Active Directory and provides tools to securely access the NIS maps stored in Active Directory.

Authentication Services provides a NIS proxy agent (vasypd) that runs on each Unix host. This proxy acts as a local NIS server, providing NIS data to the local host using information retrieved securely from Active Directory using Kerberized LDAP. NIS data is cached locally to reduce load on Active Directory. With Authentication Services, the NIS wire protocols are eliminated. NIS traffic only occurs on the loopback device. This increases network security without the need for NIS+.

Authentication Services allows you to transition to Kerberos-based authentication for Unix users, eliminating a variety of security risks and providing better manageability and interoperability. If there are no identity conflicts, both the user's identity and configuration can be transitioned. Otherwise, you can accomplish the migration in steps, starting with upgrading to Kerberos and then reconciling and consolidating the user's identities.

The use of standards, such as RFC-2307, as the native store for Unix identity information dovetails nicely with standard Unix practices. Authentication Services is designed to naturally integrate with the majority of real world Windows, Unix, and Linux deployments.

RFC 2307 overview

The schema definition of choice for most Authentication Services users is a subset of the IETF RFC 2307 schema for Unix user attributes. RFC 2307 is a cross-platform standard designed to promote interoperability between Unix systems and LDAP-based directories. (Authentication Services also recognizes the Microsoft SFU schema and allows custom schema definitions.)

With Microsoft Windows Server 2003 R2, Microsoft has embraced the RFC 2307 standard, and is now including the RFC 2307 attribute definition as part of the default Active Directory schema. This means that when you install Windows 2003 R2 (or later), support for Unix attribute information is automatically included and forms part of the baseline Active Directory schema definition.

RFC classes and attributes

Authentication Services supports all NIS map objects defined in RFC 2307 as well as the ability to store custom NIS data. RFC 2307 provides classes for six standard NIS maps:

  • hosts
  • networks
  • protocols
  • services
  • rpc
  • netgroup

Authentication Services supports these RFC 2307 standard maps and their representative classes.

Table 16: RFC classes and attributes

  Map name    RFC 2307 object class
  netgroup    nisNetgroup
  hosts       ipHost (device)
  networks    ipNetwork
  services    ipService
  protocols   ipProtocol
  rpc         oncRpc

These objects are generally created inside a container or organizational unit.

All other NIS maps are represented using the generic map classes provided in RFC 2307: nisMap and nisObject. A nisMap is a container object that holds nisObject objects. Set the nisMapName attribute of both the nisMap object and the nisObject objects it contains to the name of the imported NIS map. A nisObject represents a key-value pair, where cn is the key attribute and nisMapEntry is the value.

Limitations of RFC 2307 as implemented by Microsoft

The RFC 2307 specification assumes that the cn attribute is multivalued. In Active Directory, the cn attribute is single-valued. This means that you must create aliases as separate objects.

NIS is case-sensitive, while Active Directory is case-insensitive. Some aliases for NIS map entries are the same key written in all capitals. Active Directory cannot distinguish between names that differ only by case, so such entries collide on import.
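The following added example (not part of Authentication Services or its tooling) renders a generic NIS map as RFC 2307 nisMap/nisObject entries in LDIF, and first flags keys that differ only by case, which Active Directory would treat as the same cn. The DN layout (nisMapName=<map>,<base>) and the sample map contents are assumptions made for the example.

```python
"""Generic NIS map -> RFC 2307 nisMap/nisObject LDIF, with a pre-import check
for keys that Active Directory cannot tell apart (case-insensitive cn).
Added example; the DN layout below is an assumption, not the product's."""
from collections import defaultdict

# Constructed sample: a custom key/value NIS map with an all-caps alias that
# NIS treats as a distinct key but Active Directory would not.
SAMPLE_MAP_NAME = "printers"
SAMPLE_MAP = {
    "lab1": "lp=lab1.example.com:rm=lab1",
    "LAB1": "lp=lab1.example.com:rm=lab1",   # alias differing only by case
    "lab2": "lp=lab2.example.com:rm=lab2",
}
BASE_DN = "ou=NIS,dc=example,dc=com"  # assumed container for the maps


def find_case_collisions(keys):
    """Group keys that differ only by case; each group must be reconciled
    (rename or drop the alias) before the map can be imported into AD."""
    groups = defaultdict(list)
    for key in keys:
        groups[key.lower()].append(key)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def nis_map_to_ldif(map_name, entries, base_dn):
    """One nisMap container plus one nisObject per key/value pair.
    Assumes keys contain no DN-special characters and values are plain ASCII
    (otherwise the DN needs escaping and the LDIF value base64 encoding)."""
    map_dn = f"nisMapName={map_name},{base_dn}"
    lines = [f"dn: {map_dn}", "objectClass: nisMap", f"nisMapName: {map_name}", ""]
    for key, value in entries.items():
        lines += [f"dn: cn={key},{map_dn}", "objectClass: nisObject",
                  f"cn: {key}", f"nisMapName: {map_name}",
                  f"nisMapEntry: {value}", ""]
    return "\n".join(lines)


def prepare_import(map_name, entries, base_dn):
    """Refuse to generate LDIF while case collisions remain unresolved."""
    collisions = find_case_collisions(entries)
    if collisions:
        raise ValueError(f"keys differ only by case: {collisions}")
    return nis_map_to_ldif(map_name, entries, base_dn)


if __name__ == "__main__":
    print(find_case_collisions(SAMPLE_MAP))
    cleaned = {k: v for k, v in SAMPLE_MAP.items() if k != "LAB1"}
    print(prepare_import(SAMPLE_MAP_NAME, cleaned, BASE_DN))
```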
