There are 3 different types of overrides: user, by group, or wildcard.
The override has been designed to apply only one of those. When a wildcard is specified in the user-override file as well as individual entries for specific users, the override specified with the wildcard will apply to all users except those who also have overrides that apply specifically to them.
For example, if you have the following users:
$ /opt/quest/bin/vastool list users
DOMAIN\user1:VAS:101:101:User 1:/home/user1:/bin/sh
DOMAIN\user2:VAS:102:101:User 2:/home/user2:/bin/sh
DOMAIN\user3:VAS:103:101:User 3:/home/user3:/bin/sh
And the following user-override file:
*::::::/bin/zsh
DOMAIN\user2:::102:::
Then with the override applied you will have the following:
$ /opt/quest/bin/vastool list -o users
user1:VAS:101:101:User 1:/home/user1:/bin/zsh
user2:VAS:102:102:User 2:/home/user2:/bin/sh
user3:VAS:103:101:User 3:/home/user3:/bin/zsh
Note that the default shell for user2 has not been changed.
This is the intended behaviour for the user-override and group-override files. Instead of attempting to guess which override is intended to take priority, the general override is always ignored for users or groups who also have an override specific to them.
This can be worked around by including the override intended for all users or groups in each of the overrides specified. In the previous example, changing the user-override file to look like this:
*::::::/bin/zsh
DOMAIN\user2:::102:::/bin/zsh
would give the expected results.
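The following check is an added example, not One Identity code: it models the precedence rule described above to show which wildcard values stop applying to users with their own entry, and it generates the workaround file. It assumes seven colon-separated columns per entry, as in the example above, handles only wildcard and per-user entries, and matches names exactly; the function names are hypothetical.

```python
NFIELDS = 7  # colon-separated columns per entry, as in the example above

def parse(text):
    """Return (wildcard_row_or_None, [specific_rows]) from override-file text."""
    wildcard, specific = None, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        row = line.split(":")
        if len(row) != NFIELDS:
            raise ValueError(f"expected {NFIELDS} fields: {line!r}")
        if row[0] == "*":
            wildcard = row
        else:
            specific.append(row)
    return wildcard, specific

def effective_row(name, wildcard, specific):
    """Row that applies to `name`: a specific entry wins outright, and the
    wildcard is used only when no specific entry exists (exact name match
    is an assumption of this model)."""
    for row in specific:
        if row[0] == name:
            return row
    return wildcard

def dropped_by_specific(wildcard, row):
    """Columns the wildcard sets but the specific row leaves empty, i.e. the
    values that silently stop applying to that user. Keyed by column index."""
    if wildcard is None:
        return {}
    return {i: wildcard[i] for i in range(1, NFIELDS) if wildcard[i] and not row[i]}

def with_workaround(text):
    """Rewrite the file so each specific row also carries the wildcard values.
    The wildcard line is written first, then the specific rows in order."""
    wildcard, specific = parse(text)
    out = [":".join(wildcard)] if wildcard else []
    for row in specific:
        for i, value in dropped_by_specific(wildcard, row).items():
            row[i] = value
        out.append(":".join(row))
    return "\n".join(out) + "\n"

SAMPLE = "*::::::/bin/zsh\nDOMAIN\\user2:::102:::\n"  # the example file above

if __name__ == "__main__":
    wc, sp = parse(SAMPLE)
    for row in sp:
        print(row[0], "loses wildcard columns:", dropped_by_specific(wc, row))
    print(with_workaround(SAMPLE), end="")
```

Run against a copy of the override file before deploying it; any non-empty result from dropped_by_specific is a user whose entry needs the wildcard value added by hand.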
The only way to have more than one override apply to a user is the user-override-by-group-apply-all option, which allows multiple by-group overrides to be set. Note that this option excludes the wildcard, which will still not apply to users or groups that already have an override applying to them.
man vas.conf
<snip>
user-override-by-group-apply-all = <boolean>
Default value: false
When applying user-by-group overrides, only the first entry found will be applied by
default. If this option is set to true, then it will apply all by-group entries, with
the latter overwriting earlier changes to the same attribute.
[vasd]
user-override-by-group-apply-all = true