VAS (Vintela Authentication Service) is not caching users who have been UNIX-enabled through Active Directory Users and Computers. Running "vastool list users" returns none, or only some, of the UNIX-enabled users, while "vastool -u host/ list -la users" does return them.
CAUSE:
The computer object does not have sufficient rights to the User objects in Active Directory.
1. First determine which schema VAS is using by running:
# vastool -u host/ schema detect
Make note of the value reported for "uidNumber attribute name"; this is the <uid attribute> used in the next step, e.g.:
uidNumber attribute name: uidNumber
2. Perform the following LDAP search, which should return all UNIX enabled User objects in Active Directory:
# vastool -u host/ search "(<uid attribute>=*)"
e.g. vastool -u host/ search "(uidNumber=*)"
This should return a list of all UNIX-enabled User objects; if it does not, the computer object does not have sufficient rights to the User objects in Active Directory.
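To compare the result of step 2 against the VAS cache without reading the two listings by eye, the following script (an added example, not part of the One Identity article) extracts the attribute name from the "schema detect" output and reports users that the AD search returns but "vastool list users" does not. It assumes "vastool list users" prints passwd-style lines and that "vastool search" accepts attribute names after the filter and prints them as "attribute: value"; the helper functions work on captured text, so they can be exercised without a joined host.

```shell
#!/bin/sh
# Added example: spot UNIX-enabled users missing from the VAS cache.
# Assumed output formats (not confirmed by the article):
#   vastool list users      -> passwd-style lines, name in field 1
#   vastool search ... attr -> "attr: value" lines

# Read "vastool -u host/ schema detect" output on stdin and print the
# uidNumber attribute name, e.g. "uidNumber".
uid_attr_from_schema() {
    sed -n 's/^uidNumber attribute name:[[:space:]]*//p' | head -n 1
}

# $1 = file of cached user names, $2 = file of names found in AD.
# Both must be sorted and unique; prints names present in AD only.
missing_from_cache() {
    comm -13 "$1" "$2"
}

# Live run, only when vastool is installed on a joined host.
if command -v vastool >/dev/null 2>&1; then
    attr=$(vastool -u host/ schema detect | uid_attr_from_schema)
    cached=$(mktemp); inad=$(mktemp)
    vastool list users | cut -d: -f1 | sort -u > "$cached"
    vastool -u host/ search "(${attr}=*)" sAMAccountName \
        | sed -n 's/^sAMAccountName:[[:space:]]*//p' | sort -u > "$inad"
    echo "UNIX-enabled users in AD but not in the VAS cache:"
    missing_from_cache "$cached" "$inad"
    rm -f "$cached" "$inad"
fi
```

An empty result means the cache already matches the search; any names listed point at the rights problem described above.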
SOLUTION:
To grant the computer objects the necessary rights to view user objects:
1. Right-click the computer object and select Properties | Member Of tab, and make note of the groups the object is already a member of; by default this is Domain Computers.
2. Right-click the Organizational Unit containing the User objects and select Delegate Control... | click Next | click Add and type the name of the computer objects' group in the available field.
3. Click OK | click Next | check "Read all user information" | click Next and then click Finish. This grants every member of that group read access to the user attributes in the OU, so delegate it on the OU that holds the UNIX-enabled users rather than higher in the tree.
4. Run "vastool flush" on the UNIX system; all UNIX-enabled users should now be displayed by "vastool list users".
© 2024 One Identity LLC. ALL RIGHTS RESERVED.