What is Personality Service Switch (PSS)?
Personality Service Switch (PSS) associates users from NIS, LDAP, or local files (in practice, any NSS source) with their corresponding Active Directory identities. This gives a one-to-one correlation between Unix/Linux user accounts and Active Directory user accounts. The existing identity information (UID, GID, GECOS, home directory, login name and login shell) is still derived exactly as before, from that NSS source. The mapping itself is not stored in Active Directory; it is stored only where it is needed, locally on each system.
This avoids creating transitory objects during a migration and allows rapid deployment of VAS as a centralized authentication service. It also allows operating in a mixed environment, where some systems use the complete VAS functionality and have UID, GID, etc. persisted as attributes in Active Directory, while others keep their existing NSS identities and only map authentication.
This is also known as a Mapped User, since VAS maps the authentication of a non-VAS user to an AD account.
There are two methods of mapping.
Both rely on knowing the userPrincipalName (UPN) of the AD account to map against.
The first, and more common, implementation uses a map file with one entry per line in the form:
<login name>:<upn>
So for example:
bob:bobm@example.com
Then place that in a file, for example /etc/opt/quest/vas/mapfile.pss, and configure VAS to use it:
vastool configure vas vas_auth user-map-files /etc/opt/quest/vas/mapfile.pss
(The vas.conf setting accepts multiple files.)
Now whenever a user named bob logs in, pam_vas (or the LAM module on AIX) takes the request and authenticates the supplied password against the AD account bobm@example.com, instead of letting the request fall through to the local account's password information.
The second method can be used together with the first (the map-from-nss option determines which takes priority) and provides the mapping through the password field of the passwd entry instead of a map file.
For example, when NIS distributes the entry, the passwd.byname entry for bob might look like:
bob:bobm@example.com:1000:1000:User Bob:/home/bob:/bin/bash
pam_vas reads that entry and extracts the UPN from the password field to learn which AD account to map the user to. This works because the '@' character never appears in a crypt(3) password hash, so a value containing '@' cannot be mistaken for a hash.
This second method can be used with an existing NIS infrastructure to quickly deploy AD-based password authentication onto an otherwise insecure NIS setup (one that distributes password hashes in the clear). Note that the UPN replaces the hash in that field, so hosts without pam_vas can no longer verify those users' passwords from the NIS map.
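The following script is an added example, not One Identity's code, covering both mapping methods above: it validates a <login>:<upn> map file before it is handed to vastool, looks up a user's UPN in it, and extracts the UPN from the password field of a passwd-style entry the way the second method relies on. The file paths, the function names and every entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not One Identity's code: sanity-check the two PSS mapping
# sources before pointing vastool at them. Paths and all entries below are
# constructed for illustration, not taken from a real host.

# pss_check_mapfile MAPFILE
# Exit 0 if every non-blank, non-comment line is exactly <login>:<user>@<realm>;
# otherwise print each offending line and exit 1.
pss_check_mapfile() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF != 2 || $1 == "" || $2 !~ /^[^@]+@[^@]+$/ {
            print "bad line " NR ": " $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# pss_map_upn LOGIN MAPFILE
# Print the UPN mapped to LOGIN (first match wins), or nothing if unmapped.
pss_map_upn() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# pss_passwd_upn PASSWD_LINE
# Print the UPN carried in the password field of a passwd(5)-style line.
# A crypt(3) hash never contains '@', so an '@' in field 2 is what marks the
# entry as a PSS mapping rather than a real hash; a real hash prints nothing.
pss_passwd_upn() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /@/ { print $2 }'
}

# --- demo on constructed data ---
demo=${TMPDIR:-/tmp}/pss-demo.$$
mkdir -p "$demo"
printf '%s\n' '# login:upn' 'bob:bobm@example.com' 'alice:alice.w@example.com' > "$demo/mapfile.pss"
printf '%s\n' 'carol:carol' > "$demo/broken.pss"    # UPN field has no '@'

pss_check_mapfile "$demo/mapfile.pss" && echo "mapfile.pss OK"
pss_check_mapfile "$demo/broken.pss" || echo "broken.pss rejected"
echo "bob maps to $(pss_map_upn bob "$demo/mapfile.pss")"
echo "NIS entry maps to $(pss_passwd_upn 'bob:bobm@example.com:1000:1000:User Bob:/home/bob:/bin/bash')"
rm -rf "$demo"

# Only once the map file passes the check, enable it (command from the article):
#   vastool configure vas vas_auth user-map-files /etc/opt/quest/vas/mapfile.pss
```

Run the check before every edit to the map file: a login with no '@' in its UPN field, or a stray third field, is silently unusable as a mapping, and the user would fall back to whatever local password information exists.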