Safeguard Authentication Services 5.0.2 - Administration Guide

Safeguard Authentication Services policies

One goal of Group Policy is to simplify and centralize Safeguard Authentication Services configuration data. Use Safeguard Authentication Services Policies to configure everything from basic settings to advanced host access control and account override information.

Configuration policy

The Safeguard Authentication Services Configuration policy manages runtime configuration settings stored in the Safeguard Authentication Services configuration file (vas.conf) located in /etc/opt/quest/vas/.

Safeguard Authentication Services Configuration policies support non-tattooing, block inheritance, ACL filtering, and enforced settings. Policies applied later do not override enforced settings. When you unlink all Safeguard Authentication Services Configuration policies, the next GPO processing event restores the Safeguard Authentication Services configuration file to its previous state.

Mapped User policy

The Mapped User policy controls the mapping between local users and Active Directory users. The Mapped User policy is under Unix Settings | Quest Safeguard Authentication Services | Identity Mapping in the Group Policy Object Editor (GPOE). When a local user is mapped to an Active Directory user, that user specifies his local account user name but is prompted for the Active Directory password of the mapped account. The local account password is no longer used. Unix identity for the local user comes from the /etc/passwd file as usual.

The Mapped User policy allows you to manage user mappings. You can load a list of users from a file in /etc/passwd format. You can load files from the local machine or from a remote Unix host over SSH. When you specify a mapping you can browse Active Directory for a user object.

Service Access Control policy

The Service Access Control policies control which applications a user can log in with.

Service Access Control entries are "append-only" and cannot be overridden. However, if there is duplicate entry, the entry is only added once to the service Allow or Deny file.

Typical services include ftpd, sshd, and login.

To configure a Service Allow Entry

1. Start Group Policy Editor.
2. Navigate to Unix Settings | Authentication Services | Access Control | Service Access.
3. Right-click Service Access and select New | Service.

   The New Service dialog opens.

4. Enter ftp and click OK.

   The ftp Configuration item now appears in the results pane.

5. Double-click ftp Configuration to open the service Configuration Properties dialog.
6. Click the ftp.allow Configuration tab:
   • Click Browse AD to add a container. User objects under this container are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
   • Click Add Group to add groups to the <service>.allow file. Members of the specified groups are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
   • Click Add User to locate specific users to add to the <service>.allow file. The specified users are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
   • Click Add Domain to select the domain to add to the <service>.allow file. All users in the specified domain are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
7. Click OK to save settings and close the dialog.

To configure a service deny entry

1. Start Group Policy Editor.
2. Navigate to Unix Settings | Authentication Services | Access Control | Service Access.
3. Right-click Service Access and select New | Service.

   The New Service dialog opens.

4. Enter ftp and click OK.

   The ftp Configuration item now appears in the results view.

5. Double-click ftp Configuration to open the Service Configuration Properties dialog.
6. Click the ftp.deny Configuration tab:
   • Click Browse AD to add a container name to deny. User objects under this container are denied log in by means of ftp.
   • Click Add Group to locate groups to deny. Members of specified groups are denied log in by means of ftp.
   • Click Add User to locate specific users to deny. These users are denied log in by means of ftp.
   • Click Add Domain to select the domain to deny. Users in the specified domain are denied log in by means of ftp.
7. Click OK to save settings and close the dialog.