To uninstall a gMSA, follow the steps.
NOTE: To uninstall a gMSA, you can also use the following command that Authentication Services provides:
sudo vastool service gmsa uninstall gmsaExample
For more information, see man vastool.
To uninstall a gMSA
Remove the keytab file.
Remove the line of the account from the "/etc/opt/quest/vas/gmsa.ktlist" config file.
The Safeguard Authentication Services daemon, vasproxyd, provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasproxyd by means of the loopback interface. vasproxyd proxies these requests to Active Directory using Kerberos as the security mechanism.
vasproxyd provides the following features:
LDAP is designed as a data access protocol. The use of LDAP as an authentication mechanism introduces important security considerations—especially since most applications are only able to produce simple bind credentials. vasproxyd allows applications to use LDAP simple bind securely by generating the appropriate Kerberos authentication traffic. The use of Kerberos eliminates the need for public key cryptography while providing a high level of security.
Many applications require the use of anonymous LDAP searches. vasproxyd allows you to specify a service account that can authenticate and proxy anonymous queries so that applications that expect to be able to use anonymous LDAP can operate with Active Directory without requiring modification of Active Directory to allow anonymous queries.
vasproxyd allows you to add an additional layer of application authorization based on Active Directory user name, Active Directory group membership, or Active Directory Organizational Unit (OU) containership. In other words, vasproxyd returns an LDAP BindResponse error on an (otherwise valid) LDAP bind attempt if the authenticating user is not authorized by means of settings in the users.allow/ users.deny files.
You can install the LDAP proxy package using the install.sh script.
To install the LDAP proxy
./install.sh vasproxy
The LDAP proxy must be configured for each application that will use it. LDAP proxy configuration is stored in the [vasproxyd] section of vas.conf. Each setting in the [vasproxyd] section specifies a proxy handler configured to listen on a specific local port for LDAP traffic.
To configure the LDAP proxy for an application
[vasproxyd]
mydomain = {
listen-addrs = 127.0.0.1:10000
enable-anonymous = true
service-principal = mydomain.example.com@EXAMPLE.COM
allow-deny-name = mydomain
daemon-user = mydomain
connection-timeout = 120
largest-ldap-message = 2000000
}
This example configures a proxy handler for the mydomain application. The name is only used for identification in log files. It does not have to match the name of the application. This proxy handler listens on the localhost port 10000.
For a complete list of all proxy handler options and their meanings, see the vasproxyd man page. After you set up the proxy, you may need to adjust the legacy application configuration to use the proxy address and port.
Linux and Oracle Solaris:
/etc/init.d/vasproxyd restart
HPUX:
/sbin/init.d/vasproxyd restart
AIX:
stopsrc -s vasproxyd startsrc -s vasproxyd
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー Cookie Preference Center