Disconnected mode in Quest Authentication Services is changing to include a true disconnected state. A new script has been included to test for network connectivity and to put QAS into disconnected mode if the domain cannot be reached.
The script is located here:
/opt/quest/libexec/vas/scripts/check_network_state.sh
In the past, stopping the VASD process would trigger a disconnected state and allow testing in disconnected mode. That is no longer true in newer versions of QAS. If VASD stops for any reason, that indicates a different issue, not disconnected mode.
The test for disconnected mode is now to temporarily short-circuit the network connectivity test while the tests are run. Once the tests are complete, proper functionality is restored.
Step 1. Back up check_network_state.sh
# cp /opt/quest/libexec/vas/scripts/check_network_state.sh /opt/quest/libexec/vas/scripts/check_network_state.sh.backup
Step 2. Edit the check_network_state.sh script and add two additional lines.
Script Before Changes.
#!/bin/sh
##==============================================================================
# Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED.
##
## Version: 4.0.3.152
##
##==============================================================================
DOMAIN_REACHABLE="/opt/quest/libexec/vas/get_domain_reachable"
ASDCOM="/opt/quest/libexec/vas/sugi/asdcom"
$DOMAIN_REACHABLE "$@"
RVAL=$?
if [ $RVAL = 0 ] ; then
    $ASDCOM NetUpNotification
else
    $ASDCOM NetDownNotification
fi
exit $RVAL
Script After Changes.
#!/bin/sh
##==============================================================================
# Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED.
##
## Version: 4.0.3.126
##
##==============================================================================
DOMAIN_REACHABLE="/opt/quest/libexec/vas/get_domain_reachable"
ASDCOM="/opt/quest/libexec/vas/sugi/asdcom"
$ASDCOM NetDownNotification
exit 1
$DOMAIN_REACHABLE "$@"
RVAL=$?
if [ $RVAL = 0 ] ; then
    $ASDCOM NetUpNotification
else
    $ASDCOM NetDownNotification
fi
exit $RVAL
Step 3. Execute Script.
This puts QAS into disconnected mode. To confirm, run '/opt/quest/bin/vastool status'; the output may look like this.
Host: <hostname.example.com, Linux i686>
Date: <Thu Jan 29 09:36:40 EST 2012>
QAS: <4.0.3.152>
Domain: <example.com>
WARNING: 231 QAS daemon is operating in a disconnected state.
Result: <Test(s) failed> (3 seconds)(v0.6.5)
Now you can test whether users in the perm-disconnected-line, or users who have previously logged in, can use disconnected mode.
On most systems you should also see an entry in the auth log for that session indicating disconnected authentication.
Sep 6 09:39:52 HOSTNAME su[15735]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <USER> account: <USER@example.com> service: <su-l> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE\USER>
Step 4. Once satisfied that disconnected mode is working properly, restore 'check_network_state.sh' from the backup.
# cp /opt/quest/libexec/vas/scripts/check_network_state.sh.backup /opt/quest/libexec/vas/scripts/check_network_state.sh
Then execute the script.
# /opt/quest/libexec/vas/scripts/check_network_state.sh
These steps are meant as guidelines only, as one possible method for testing disconnected mode.
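To review which logins were satisfied in disconnected mode during the test window, the filter below summarises matching pam_vas auth-log entries by account and service. It is an added example, not Quest or One Identity code; the function names and sample log lines are constructed, and it assumes log lines follow the layout of the auth log entry shown in Step 3.

```shell
#!/bin/sh
# Added example (not vendor code): summarise pam_vas logins that succeeded
# in disconnected mode, keyed by account and PAM service.
# Assumption: log lines follow the layout of the sample entry on this page.

# write_sample_log FILE: constructed auth-log lines for an offline run.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 6 09:39:52 host1 su[15735]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <alice> account: <alice@example.com> service: <su-l> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE\alice>
Sep 6 09:41:10 host1 sshd[15802]: pam_vas: Authentication <succeeded> for <Active Directory> user: <bob> account: <bob@example.com> service: <sshd> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE\bob>
Sep 6 09:44:03 host1 sshd[15850]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <alice> account: <alice@example.com> service: <sshd> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE\alice>
Sep 6 09:47:31 host1 su[15901]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <alice> account: <alice@example.com> service: <su-l> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE\alice>
Sep 6 09:50:00 host1 cron[15950]: session opened for user root
EOF
}

# disconnected_auths FILE: print "account service count", one line per pair.
disconnected_auths() {
    awk '
    # Return the text between "key: <" and the next ">", or "?" if absent.
    function field(line, key,    start, rest, stop) {
        start = index(line, key ": <")
        if (start == 0) return "?"
        rest = substr(line, start + length(key) + 3)
        stop = index(rest, ">")
        return stop ? substr(rest, 1, stop - 1) : "?"
    }
    # Only successful disconnected logins; online successes do not match.
    /pam_vas: Authentication <succeeded disconnected>/ {
        seen[field($0, "account") " " field($0, "service")]++
    }
    END { for (k in seen) print k, seen[k] }
    ' "$1" | LC_ALL=C sort
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
disconnected_auths "$sample"
rm -f "$sample"
```

Point `disconnected_auths` at the host's real auth log to run the same summary after the test; entries that continue to appear after Step 4 indicate the host is still operating disconnected.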