Authentication Services 4.2 - Administration Guide


Add a Sudo rule

To add a Sudo rule

  1. Start Group Policy Editor.
  2. Select Unix Settings | Quest Authentication Services | Client Configuration in the scope view.
  3. Double-click Sudo.

    The Sudo Properties dialog opens.

  4. Click the Add or Edit button.

    The Sudo Rule dialog opens.

  5. In the Unix Command group box, select All Commands if you want this rule to apply to all commands. Otherwise, specify the full Unix path to the command; for security reasons, relative paths are not allowed. To deny access to the command, select the Disallow the specified command option; the user will then be unable to execute that command with sudo.
  6. In the Run as User field, enter the Unix name of a user. The command runs in the security context of the specified user. The default user is root. Select the Password required option if you want sudo to prompt the user for their password when the command is executed.
  7. In the Apply to Users and Groups box, specify the users and groups to which the rule will apply.

    If you want the rule to apply to all users, select the Allow all users to run this command option.

    Otherwise, enter a user or group name, select either User or Group to indicate whether the name is for a user or a group, and click Insert. You can specify groups with Text Replacement Macros in the name, for example, sudo-group-%%HOSTNAME%%. By defining a text replacement macro for %%HOSTNAME%%, you can create one policy that dynamically adjusts the name on each machine when the policy is applied.

    Or, click Browse to find an Active Directory user or group. The standard Select Users or Groups dialog opens. You can search for multiple objects by separating each name with a semicolon.

  8. Click OK to return to the Sudo Properties dialog.
  9. You can optionally specify the Path to visudo. Group Policy uses visudo to validate that the sudoers file can be parsed correctly by sudo. If visudo cannot validate the sudoers file, the policy is not applied. If you do not specify the path to visudo, Group Policy attempts to locate it automatically by searching common locations. If it cannot locate visudo, it cannot apply the policy.
  10. Click OK to save this new configuration for the sudoers file.
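
The following is an added illustration, not One Identity's own policy generator: it renders one Sudo rule with the fields from the dialog above into a sudoers line, expands the %%HOSTNAME%% macro per host, rejects relative command paths as step 5 does, and validates the result with visudo as step 9 does. The user, group and command names are hypothetical.

```shell
#!/bin/sh
# render_sudo_rule PRINCIPAL RUNAS PASSWORD_REQUIRED DISALLOW COMMAND
#   PRINCIPAL         "user:NAME" or "group:NAME" (NAME may contain %%HOSTNAME%%)
#   RUNAS             Unix user the command runs as (the dialog defaults to root)
#   PASSWORD_REQUIRED yes|no   DISALLOW yes|no
#   COMMAND           "ALL" or an absolute path; relative paths are rejected
render_sudo_rule() {
    principal=$1; runas=$2; pw=$3; disallow=$4; cmd=$5
    # SUDO_HOSTNAME is a hypothetical override for testing; normally use hostname.
    host=${SUDO_HOSTNAME:-$(hostname -s 2>/dev/null || echo localhost)}

    case "$cmd" in
        ALL|/*) ;;
        *) echo "relative path not allowed: $cmd" >&2; return 1 ;;
    esac

    case "$principal" in
        user:*)  who=${principal#user:} ;;
        group:*) who=%${principal#group:} ;;   # sudoers prefixes groups with %
        *) echo "principal must be user:NAME or group:NAME" >&2; return 1 ;;
    esac
    # Expand the text replacement macro with this host's name.
    who=$(printf '%s' "$who" | sed "s/%%HOSTNAME%%/$host/g")

    # "Password required" maps to the PASSWD tag, otherwise NOPASSWD.
    if [ "$pw" = no ]; then tag=NOPASSWD; else tag=PASSWD; fi
    # "Disallow the specified command" negates the command with "!".
    if [ "$disallow" = yes ]; then spec="!$cmd"; else spec=$cmd; fi

    printf '%s ALL=(%s) %s: %s\n' "$who" "$runas" "$tag" "$spec"
}

# validate_sudoers FILE: the check from step 9. Returns visudo's status,
# or 2 when no visudo can be found (the policy would not be applied).
validate_sudoers() {
    for v in /usr/sbin/visudo /usr/bin/visudo /usr/local/sbin/visudo; do
        if [ -x "$v" ]; then "$v" -cf "$1" >/dev/null; return $?; fi
    done
    echo "visudo not found; policy would not be applied" >&2
    return 2
}
```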

One Identity policies

One Identity policies manage products such as Authentication Services as well as Quest-modified versions of open source projects like Samba and OpenSSH.

Quest OpenSSH Configuration policy

OpenSSH provides password-less (by means of GSSAPI), secure, encrypted remote login and file transfer services.

The Quest OpenSSH Configuration policy allows you to manage the OpenSSH server configuration file (sshd_config) by means of Group Policy. Settings are divided into two sections. The first section contains general SSH server settings. The second section contains settings that are specific to, or important for, the Quest OpenSSH distribution.

For more detail on specific settings, refer to the sshd_config man page.

Licensing policy

You can maintain and distribute license files through Authentication Services Group Policy using the Licensing Policy. This policy is retained for backward compatibility. Alternatively, in Authentication Services 4.2 and above, you can use the Authentication Services Control Center to manage licenses.

The Authentication Services Licensing policy allows you to specify a set of license files. The next time the Group Policy agent does a policy refresh, Group Policy distributes the license files to the Unix system and performs any additional actions that may be necessary to load the license file information.

Authentication Services Licensing entries are append only and cannot be overridden. However, if there is more than one license file with the same serial number, the file is only installed once.
