Running NSS-layer commands such as "vastool nss getpwnam jdoe" will list the user even when that user is denied access to the system.
1) To prevent this, edit your vas.conf file or use VGP to set the following option:
[nss_vas]
user-hide-if-denied = true
NOTE: This only hides users from NSS calls, not from vastool list user commands. See the additional information below for details.
There is a vas.conf setting that you can set if you only want to see the users that are allowed on the system.
user-hide-if-denied = <true | false>
Default value: false
By default, all available users are visible from the standard getpw* and getgr* functions. Setting this option to true causes nss_vas not to return users who are denied access according to the access control rules in /etc/opt/quest/vas/users.allow and /etc/opt/quest/vas/users.deny. This effectively hides those users as if they were not present on the system. If this option is changed, the groups cache must be flushed before denied users are excluded from the membership lists returned by getgr* calls.
Note that this is a global option and will modify the behavior of nss_vas in all processes on the Unix host.
The following example shows how to hide users who are denied access from the getpw* family of functions.
[nss_vas]
user-hide-if-denied = true
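The following shell functions are an added example, not part of the One Identity article or of the vastool tooling. They set user-hide-if-denied = true in the [nss_vas] section of a vas.conf-style file (adding the section if it is missing, replacing the key if it is already present), read back the effective value (defaulting to false, as the article states), and check whether a given account is still visible through NSS via getent. The file path is a parameter so the change can be rehearsed on a copy before touching /etc/opt/quest/vas/vas.conf; the cache-flush step that the article requires is only mentioned in a comment, since the article does not name the command.

```shell
#!/bin/sh
# Added example: manage user-hide-if-denied in a vas.conf-style file.
# Not from the article; assumes an INI-like layout with "[section]" headers.

# Ensure "user-hide-if-denied = true" exists exactly once under [nss_vas].
set_hide_if_denied() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        /^\[nss_vas\]$/ { seen = 1 }
        /^\[/ {
            # Leaving [nss_vas] without having written the key: insert it here.
            if (insect && !done) { print "user-hide-if-denied = true"; done = 1 }
            insect = ($0 == "[nss_vas]")
        }
        insect && /^[ \t]*user-hide-if-denied[ \t]*=/ {
            if (!done) { print "user-hide-if-denied = true"; done = 1 }
            next   # drop the old value (and any duplicate)
        }
        { print }
        END {
            if (!done) {
                if (!seen) print "[nss_vas]"
                print "user-hide-if-denied = true"
            }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the effective value of user-hide-if-denied ("false" when unset,
# matching the documented default).
get_hide_if_denied() {
    awk '
        /^\[/ { insect = ($0 == "[nss_vas]") }
        insect && /^[ \t]*user-hide-if-denied[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = $0
        }
        END { print (val == "" ? "false" : val) }
    ' "$1"
}

# Return 0 if the account is no longer returned by the NSS passwd lookup.
# Remember the article's caveat: after changing the option, flush the
# groups cache (the article names no command; check vastool help) before
# expecting getgr* results to change.
verify_hidden() {
    ! getent passwd "$1" >/dev/null 2>&1
}

# Usage on a scratch copy (constructed sample, not a real vas.conf):
#   cp /etc/opt/quest/vas/vas.conf /tmp/vas.conf.test
#   set_hide_if_denied /tmp/vas.conf.test
#   get_hide_if_denied /tmp/vas.conf.test     # prints: true
#   verify_hidden jdoe && echo "jdoe hidden from NSS"
```

The awk rewrite is deliberately idempotent: running it twice leaves a single key, so it is safe to include in a configuration-management run. The getent check only reflects the NSS layer, which is exactly the scope the article gives this option; vastool list output is unaffected.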