Authentication Services 4.2 - Administration Guide


Planning your user identity deployment strategy

Before you deploy Authentication Services in your enterprise, One Identity recommends that you have a strategy for resolving the user identities on each Unix host against Active Directory. Authentication Services supports the following methods:

  • Enterprise Identity. Unix User and Group identities have their Posix identity information centrally managed within Active Directory. All entities have the same credential information across the enterprise.
  • Mapped User. User identity information is local to each Unix Host, however Active Directory users are mapped to a local Unix account. This enables the user to authenticate using an Active Directory password, while maintaining his existing local identity.
  • Posix Identity Auto-generation. User identity information is not stored centrally within Active Directory, however Active Directory users have Posix identity attributes automatically generated for them when interacting with Unix Hosts. Users authenticate with an Active Directory password.
  • Personalities. Personalities allow an Active Directory user to have multiple identity objects stored in Active Directory, allowing for multiple roles, multiple NIS domain consolidation, and so forth.

The following table describes each strategy, potential use cases, specific considerations, and the location in the Authentication Services Administration Guide for more information.

Table 12: User deployment scenarios

Enterprise Identity
See Managing Unix users with MMC for details.
  Description: Posix attributes for both Users and Groups are stored in Active Directory. Active Directory users authenticate using Active Directory credentials.
  Use case: Enterprise identity is already defined within the corporation. User/Group identity and authentication are extended to Unix.
  Considerations: UID/GID uniqueness, sufficient AD schema (for example, RFC2307), account provisioning privileges.

Mapped User
See Mapping local users to Active Directory users for details.
  Description: Posix attributes for users are stored locally (for example, in the /etc/passwd file), and Active Directory users are mapped to a local account. The Unix credential contains local identity information and Active Directory authentication.
  Use case: Unix machines have a predefined user identity (via /etc/passwd) but need authentication auditing controls. Mapped User is typically a transitory state where the end state is Enterprise Identity.
  Considerations: Map-file management, new account provisioning, account migration details (file ownership alignment, and so on).

Autogen
See Automatically generating Posix user identities for details.
  Description: Active Directory Users and Groups do not have Posix attributes assigned to them. Authentication Services generates Posix attributes for users and groups for identity purposes, and the Active Directory password is used for authentication.
  Use case: Enterprise Identity accounts are not provisioned in Active Directory, or the Unix Admin does not have permissions to provision Enterprise Identity accounts, and the Unix hosts have joined the Active Directory domain. Admins want AD users to log in to Unix machines with AD credentials.
  Considerations: Potential for disparate UID/GID for the same user, account migration details (file ownership alignment, and so on).

Personalities
See Unix Personality Management for details.
  Description: Active Directory Users have many personalities, typically defined by membership in many NIS domains. Each personality represents a separate NIS identity. A Unix host defines which personality to use when joined to Active Directory. Identity is supplied by personality data stored in the directory, and authentication uses Active Directory passwords.
  Use case: Many NIS domains have been collapsed into a single Active Directory domain. Unix information across domains is not unique. Also used as a transitory migration state to Enterprise Identity.
  Considerations: Personality management, personality OU architecture, new account provisioning, account migration details, domain separation.

For more information, refer to the vastool, vasd, and vas.conf man pages.
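The UID/GID uniqueness and file-ownership alignment considerations in the table above are the first things to measure before picking a strategy. The following audit script is an added example, not part of the guide or the product: it parses per-host /etc/passwd snapshots (constructed sample data, hypothetical host names) and reports logins whose UID differs between hosts and UIDs shared by different logins.

```python
"""Audit per-host /etc/passwd snapshots before choosing a user identity
deployment strategy: a login with different UIDs across hosts, or one UID
shared by different logins, is exactly the UID/GID uniqueness and file
ownership alignment problem the deployment table lists."""
from collections import defaultdict

# Constructed sample data: one passwd excerpt per Unix host (hypothetical hosts).
PASSWD_BY_HOST = {
    "unix01": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
              "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
    "unix02": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
              "bob:x:1003:1003:Bob:/home/bob:/bin/sh\n"
              "carol:x:1002:1002:Carol:/home/carol:/bin/bash\n",
}

def parse_passwd(text):
    """Return {login: uid} for the entries in one passwd file."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, skip it
        users[fields[0]] = int(fields[2])
    return users

def audit_identities(passwd_by_host):
    """Return (disparate, collisions):
    disparate  - {login: {host: uid}} for logins that have several UIDs
    collisions - {uid: {login, ...}} for UIDs that name different logins."""
    uids_by_login = defaultdict(dict)   # login -> {host: uid}
    logins_by_uid = defaultdict(set)    # uid -> {login, ...}
    for host, text in passwd_by_host.items():
        for login, uid in parse_passwd(text).items():
            uids_by_login[login][host] = uid
            logins_by_uid[uid].add(login)
    disparate = {l: h for l, h in uids_by_login.items() if len(set(h.values())) > 1}
    collisions = {u: l for u, l in logins_by_uid.items() if len(l) > 1}
    return disparate, collisions

if __name__ == "__main__":
    disp, coll = audit_identities(PASSWD_BY_HOST)
    for login, hosts in disp.items():
        print(f"{login}: different UIDs across hosts {hosts}")
    for uid, logins in coll.items():
        print(f"UID {uid} is shared by {sorted(logins)}")
```

A login listed under disparate needs file ownership realignment on at least one host before Enterprise Identity or Autogen can give it a single UID; a shared UID means files on one host would become readable by a different user after migration.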

User and group schema configuration

Authentication Services is designed to support any Active Directory schema configuration. If your Active Directory schema has built-in support for Unix attributes (Windows 2003 R2 schema, SFU schema), Authentication Services automatically uses one of these schema configurations. Using a native Active Directory schema for Unix attributes is the best practice. However, if your Active Directory schema does not natively support Unix account attributes and a schema extension is not possible, Authentication Services uses "schemaless" functionality where Unix account information is stored in the altSecurityIdentities attribute.

The schema configuration applies to all Authentication Services Unix agents and management tools.

Configure a custom schema mapping

If you do not have a schema that supports Unix data storage in Active Directory, you can configure Authentication Services to use existing, unused attributes of users and groups to store Unix information in Active Directory.

To configure a custom schema mapping

  1. Open the Control Center and click Preferences on the left navigation pane.
  2. Expand the Custom Unix Attributes and click Customize.
  3. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes except User ID Number, User Primary Group ID, and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, the border will turn red indicating that the LDAP attribute is invalid.

    Note: When customizing the schema mapping, ensure that the attributes used for User ID Number and Group ID Number are indexed and replicated to the global catalog.

    For more information, see Active Directory Optimization in the Control Center online help.

  4. Click OK to validate and save the specified mappings in Active Directory.

Active Directory optimization (Best Practice)

Indexing certain attributes used by the Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project. The Custom Unix Attributes panel in the Preferences section of Control Center displays a warning if the Active Directory configuration is not optimized according to best practices.

Note: The Optimize Schema option is only available if you have not optimized the Active Directory schema.

One Identity recommends that you index the following attributes in Active Directory:

  • User Login Name
  • User ID Number
  • Group Name
  • Group ID Number

Note: LDAP display names vary depending on your Unix attribute mappings.

It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Authentication Services Unix agents. Click the Optimize Schema link to run a script that updates these attributes as necessary.

This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.

All schema optimizations are reversible and no schema extensions are applied in the process.
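The checks Control Center performs in the custom schema mapping steps (attribute exists, is a string, or an integer for the UID/GID fields) and the indexing and global catalog requirements described above can be expressed as a script. This is an added example, not the product's Optimize Schema script: it validates a proposed mapping against a constructed schema snapshot and emits the LDIF an Active Directory administrator would apply. The syntax OID subset, the sample attributes and the DC=example,DC=com schema path are assumptions.

```python
"""Validate a proposed custom Unix attribute mapping against an AD schema
snapshot (existence, string vs integer syntax, index and GC replication for
the UID / GID attributes) and emit the LDIF an AD admin would apply."""

# attributeSyntax OIDs for string and integer attributes (assumption: subset).
STRING_SYNTAXES = {"2.5.5.12", "2.5.5.4", "2.5.5.5", "2.5.5.3"}
INTEGER_SYNTAXES = {"2.5.5.9", "2.5.5.16"}
INTEGER_OK = {"User ID Number", "User Primary Group ID", "Group ID Number"}
MUST_BE_INDEXED = {"User ID Number", "Group ID Number"}
INDEX_FLAG = 0x1  # searchFlags bit that builds an index for the attribute
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"  # placeholder forest

# Constructed schema snapshot: lDAPDisplayName ->
# (cn, attributeSyntax, searchFlags, isMemberOfPartialAttributeSet)
SCHEMA = {
    "uidNumber": ("uidNumber", "2.5.5.9", 0, False),
    "gidNumber": ("gidNumber", "2.5.5.9", 1, True),
    "extensionAttribute1": ("extensionAttribute1", "2.5.5.12", 0, False),
    "legacyFlag": ("legacyFlag", "2.5.5.8", 0, False),  # boolean: wrong type
}
# Constructed mapping of the Control Center field names to LDAP display names.
MAPPING = {
    "User Login Name": "extensionAttribute1",
    "User ID Number": "uidNumber",
    "User Primary Group ID": "legacyFlag",
    "Group Name": "noSuchAttribute",
    "Group ID Number": "gidNumber",
}

def validate_mapping(mapping, schema=SCHEMA):
    """Return (problems, ldif): problems is a list of invalid-mapping messages
    (the red border in Control Center), ldif fixes missing index / GC flags."""
    problems, ldif = [], []
    for field, name in mapping.items():
        if name not in schema:
            problems.append(f"{field}: attribute {name} does not exist")
            continue
        cn, syntax, flags, in_gc = schema[name]
        allowed = STRING_SYNTAXES | (INTEGER_SYNTAXES if field in INTEGER_OK else set())
        if syntax not in allowed:
            problems.append(f"{field}: {name} has syntax {syntax}, wrong type")
        changes = []
        if field in MUST_BE_INDEXED and not flags & INDEX_FLAG:
            changes.append(f"replace: searchFlags\nsearchFlags: {flags | INDEX_FLAG}\n-")
        if field in MUST_BE_INDEXED and not in_gc:
            changes.append("replace: isMemberOfPartialAttributeSet\nisMemberOfPartialAttributeSet: TRUE\n-")
        if changes:
            ldif.append(f"dn: CN={cn},{SCHEMA_NC}\nchangetype: modify\n" + "\n".join(changes))
    return problems, "\n\n".join(ldif)
```

The generated LDIF only sets searchFlags and isMemberOfPartialAttributeSet on existing attributes, so, like the Optimize Schema script, it adds no schema extensions and is reversible by clearing the same two values.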
