Authentication Services 4.2 - Administration Guide


Specific vs generic maps

Due to the RFC 2307 specifications, some maps are stored as specific objects, while all other maps are stored as generic objects. nisedit supports the six standard NIS maps. For more information, see RFC classes and attributes.

These maps generate their sub-maps from a single information source. For example, the services objects in Active Directory provide the information that vasyp uses to build both the services.byname and services.byservicename maps.
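To make the "one source, several sub-maps" idea concrete, here is an added example (not One Identity's code and not taken from vasyp) that builds the two services sub-maps from one constructed list of service entries. The key layouts are an assumption taken from the classic NIS Makefile conventions: services.byname is keyed by "port/proto", services.byservicename by "name/proto" and by each "alias/proto".

```python
# Added example (not One Identity's code): derive the two NIS services
# sub-maps from a single services source, as the guide describes for vasyp.
# Key layouts below are assumed from classic ypserv Makefile conventions:
#   services.byname        key = "port/proto"
#   services.byservicename key = "name/proto" and "alias/proto"
# Every map value is the full services(5)-style line for that entry.

from typing import Dict, List, Optional, Tuple

# Constructed sample source, shaped like RFC 2307 ipService entries flattened
# to (name, port, protocol, aliases). Not taken from any real directory.
SERVICES_SOURCE: List[Tuple[str, int, str, List[str]]] = [
    ("ssh", 22, "tcp", []),
    ("domain", 53, "tcp", ["nameserver"]),
    ("domain", 53, "udp", ["nameserver"]),
    ("ldap", 389, "tcp", []),
    ("kerberos", 88, "tcp", ["kerberos5", "krb5"]),
]


def services_line(name: str, port: int, proto: str, aliases: List[str]) -> str:
    """Render one entry the way it appears in /etc/services."""
    return " ".join([name, f"{port}/{proto}", *aliases])


def build_services_maps(source) -> Dict[str, Dict[str, str]]:
    """Generate both sub-maps from the single source list in one pass."""
    byname: Dict[str, str] = {}
    byservicename: Dict[str, str] = {}
    for name, port, proto, aliases in source:
        line = services_line(name, port, proto, aliases)
        byname[f"{port}/{proto}"] = line
        byservicename[f"{name}/{proto}"] = line
        for alias in aliases:
            byservicename[f"{alias}/{proto}"] = line
    return {"services.byname": byname, "services.byservicename": byservicename}


def lookup(maps: Dict[str, Dict[str, str]], mapname: str, key: str) -> Optional[str]:
    """Mimic a ypmatch against the generated maps; None when the key is absent."""
    return maps[mapname].get(key)


if __name__ == "__main__":
    generated = build_services_maps(SERVICES_SOURCE)
    for mapname, entries in generated.items():
        print(f"== {mapname} ({len(entries)} keys)")
        for key, value in sorted(entries.items()):
            print(f"{key:20} {value}")
```

Because both maps are regenerated from the same source on every pass, they cannot drift apart; that is the property the single-source design buys you, and it is the reason a change to one services object in Active Directory shows up in every sub-map at once.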

The VASYP daemon

The vasyp daemon acts as a NIS server that can provide backwards compatibility with existing NIS infrastructure. It provides NIS server functionality without having to run the NIS protocol over the network. By default, vasyp only responds to requests from the system on which vasyp is running, and all NIS map data is obtained from Active Directory by means of secure LDAP requests.

vasyp only works on machines that have the Authentication Services agent software installed and are joined to the Active Directory domain. You can manage NIS map data in Active Directory using the Authentication Services RFC 2307 Nismap Editor.

Using vasyp provides the following features:

  • Security

    NIS is notoriously insecure, without any concept of encryption for data that goes across the network. Typically, user password hashes are also made available in the passwd.byname and passwd.byuid NIS maps. With vasyp, you can still have passwd and group NIS maps, but no password hashes are made available in those maps. Clients can instead use the Authentication Services agent components like pam_vas for secure authentication with Active Directory, while still making the passwd NIS maps available to NAS devices and other systems that need the NIS information to function. vasyp uses the same computer identity that vasd does to authenticate to Active Directory and obtain the NIS map data through secure LDAP.

    To successfully advertise a user's password hash by means of vasyp, a password hash must exist on the user object in Active Directory, and this hash must be cached locally.

    To cache an existing hash locally, you must set the cache-unix-password option in the vasd section of vas.conf.

    For further details, refer to the vas.conf man page.

    Initially, creating these password hashes in Active Directory requires installation and configuration of a password filter DLL on the domain controller. One such DLL is included in SFU 3.5.

    Note: The password filter .dll does not work on 64-bit versions of Windows Server. As this .dll is an integral part of legacy authentication support, running legacy authentication support using 64-bit versions of Windows is not supported.

    Note: Authentication Services does not require caching of password hashes to support authentication. Authentication Services features a PAM module that provides Active Directory authentication support for most recent applications. It is only necessary to set up caching of Unix password hashes to support much older applications that are not PAM-enabled and can only do crypt and compare authentication.

  • Disconnected Operation

    vasyp manages a persistent cache of all available NIS maps. This allows applications like autofs, which uses NIS to get configuration information, to continue to function without interruption in situations where the Active Directory domain controller is unreachable.

  • Scalability

    vasyp is a miniature NIS server that runs on each NIS client. Instead of having to deploy a master NIS server along with a number of slave servers, each NIS client talks to the vasyp daemon running on the same machine, so each NIS server has only one client to serve. vasyp has been designed to minimize its memory footprint and computing requirements so that it has a minimal impact on the system's resources.

  • Flexibility

    vasyp uses a two-process model, where the parent process ensures that the child process that handles all of the NIS RPC messages is always running. The NIS RPC process drops root privileges and runs as the daemon user. The parent process runs a separate process to update the NIS map cache periodically. This arrangement avoids potential blocking problems when using vasyp for hosts and services resolution.

    See the vasypd man page for detailed information on usage and available options.
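The Security item above states that vasyp serves passwd maps without password hashes unless you deliberately cache them. The following added check (not part of the One Identity documentation or product) lets an administrator confirm that on a client: it parses the text that a passwd map dump would produce and lists every account whose password field carries something that looks like a real hash rather than a placeholder. The sample map lines are constructed; the assumed input source is the output of a "ypcat passwd.byname" run, fed on standard input.

```python
# Added example, not One Identity's code: audit a passwd NIS map for
# published password hashes. Input is the text of a passwd map dump
# (assumed here to come from "ypcat passwd.byname"); the sample below is
# constructed and does not describe any real system.

import re
import sys
from typing import List, Tuple

SAMPLE_PASSWD_MAP = """\
alice:x:10001:10001:Alice Example:/home/alice:/bin/bash
bob:*:10002:10002:Bob Example:/home/bob:/bin/sh
svc-backup:$6$abcdefgh$saltedhashgoeshere:10050:10050:Backup service:/var/backup:/sbin/nologin
carol:!!:10003:10003:Carol Example:/home/carol:/bin/bash
legacy:AbCdEfGhIjKlM:10004:10004:Legacy user:/home/legacy:/bin/sh
broken line without fields
"""

# Password-field values that mean "no hash is published here".
PLACEHOLDERS = {"", "x", "*", "!", "!!", "*NP*", "NP"}

# Modular crypt formats start with "$id$"; traditional DES crypt is exactly
# 13 characters from the [./0-9A-Za-z] alphabet.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def is_password_hash(field: str) -> bool:
    """True when the field looks like a usable hash rather than a placeholder."""
    if field in PLACEHOLDERS:
        return False
    return field.startswith("$") or DES_CRYPT.fullmatch(field) is not None


def audit_passwd_map(text: str) -> Tuple[List[str], int]:
    """Return (users whose hash is exposed, number of malformed lines)."""
    exposed: List[str] = []
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:          # passwd(5) has exactly seven fields
            malformed += 1
            continue
        user, pw_field = fields[0], fields[1]
        if is_password_hash(pw_field):
            exposed.append(user)
    return exposed, malformed


if __name__ == "__main__":
    # Usage: ypcat passwd.byname | python3 audit_passwd_map.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PASSWD_MAP
    users, bad = audit_passwd_map(data)
    print(f"accounts with a published hash: {users or 'none'}")
    print(f"malformed lines skipped: {bad}")
    sys.exit(1 if users else 0)
```

Run against a client where cache-unix-password is not set, the expected result is an empty list; a non-empty list means either the option is enabled for a reason you should be able to name, or the client is binding to something other than the local vasyp instance.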

Maintaining netgroup data

The vasd daemon maintains the netgroup cache data regardless of whether netgroup data is resolved through the name service module or through NIS (vasyp).

You can configure netgroup-mode in the vas.conf file. See the vas.conf man page for more information.

Managing access control

Authentication Services extends the native access control capabilities of Active Directory to non-Windows systems, providing centralized access control. Authentication Services allows non-Windows systems to become full citizens in Active Directory. Once you have joined your Unix, Linux, and Mac OS X systems to the Active Directory domain, you can easily control which Active Directory users are permitted to authenticate to your non-Windows systems.

Authentication Services includes the industry’s largest collection of highly flexible access control options and integrates with your existing technology. This section discusses each of these options in detail:

  • Host access control
  • Access control using the "Logon To" functionality
  • Configuring local file-based access control
  • Access control based on service (PAM only)
