
Safeguard Authentication Services 5.0.2 - Administration Guide

Using NSCD

nscd is a Unix caching daemon that can increase the efficiency of the Name Service. nscd caches results supplied by NSS modules. This cache is used instead of calling the NSS modules for a specified period of time. After a configurable timeout, the cached results are flushed and NSS again calls the NSS modules directly to load the cache.

Note: nscd is not available on all supported platforms.

Safeguard Authentication Services contains similar functionality for its own user and group caches. Therefore, the behavior for vastool join and vastool configure nss is to modify /etc/nscd.conf to disable nscd caching of passwd and group data. It is possible to use Safeguard Authentication Services and nscd together, but you must manually re-enable nscd caching for users and groups. Safeguard Authentication Services comments out the previous nscd configuration so you can locate and reverse this change in /etc/nscd.conf, if needed.
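To confirm what vastool join or vastool configure nss left in /etc/nscd.conf, the following shell functions report the effective enable-cache setting for a database and list commented-out passwd and group entries. This is an added example, not part of the product or of this guide's original text; the function names, the constructed sample file, the exact form of the commented-out lines, and the assumption that the last active enable-cache line wins are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): audit nscd caching of passwd and group data.

# nscd_cache_state FILE DB
# Prints yes, no, or unset for the active "enable-cache DB" setting.
# Assumption: when a database is listed more than once, the last active line wins.
nscd_cache_state() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }                              # ignore comment lines
        $1 == "enable-cache" && $2 == db { state = $3 }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# nscd_commented_entries FILE
# Prints "LINE: text" for each commented-out enable-cache passwd/group line,
# which is where a previous configuration would be found for reversal.
nscd_commented_entries() {
    awk '
        /^[ \t]*#/ {
            line = $0
            sub(/^[ \t]*#+[ \t]*/, "", line)             # strip the comment marker
            split(line, f, /[ \t]+/)
            if (f[1] == "enable-cache" && (f[2] == "passwd" || f[2] == "group"))
                printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# Constructed sample file; how the product comments lines out is an assumption.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample nscd.conf
enable-cache            hosts   yes
#enable-cache           passwd  yes
enable-cache            passwd  no
# enable-cache          group   yes
enable-cache            group   no
EOF
}

sample=$(mktemp)
write_sample "$sample"
for db in passwd group hosts; do
    printf '%s: %s\n' "$db" "$(nscd_cache_state "$sample" "$db")"
done
nscd_commented_entries "$sample"
rm -f "$sample"
```

On a joined host, point the functions at /etc/nscd.conf; a result of yes for passwd or group means nscd caching has been re-enabled alongside the Safeguard Authentication Services cache.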

Forcing lowercase names

In some environments, the user and group names in Active Directory are uppercase or mixed case. Normally, user and group names on Unix systems are lowercase. You can have the Safeguard Authentication Services name service module force user and group names to lowercase.

To enable this, add the following line to the nss_vas section in vas.conf:

lowercase-names = true

To apply the change, you can either restart vasd or flush the cache.

Configuring PAM

Pluggable Authentication Module (PAM) is a common Unix authentication API. A PAM module provides a PAM implementation. You can stack PAM modules together to allow a single Unix host to authenticate using several back-end authentication providers. Safeguard Authentication Services includes a PAM module that provides advanced Active Directory authentication.

Depending on the platform, PAM is controlled by configuration settings in /etc/pam.conf or by individual service-specific files in the /etc/pam.d directory. When you join the domain, Safeguard Authentication Services automatically configures PAM to work with the Safeguard Authentication Services PAM module.

Using VASTOOL to configure PAM

vastool can automatically update the PAM configuration files on your system.

To modify the PAM configuration

  1. To configure PAM to use the Safeguard Authentication Services PAM module, execute the following command as root:
    vastool configure pam
  2. To remove the Safeguard Authentication Services PAM module configuration, run the following command as root:
    vastool unconfigure pam

    When you join the domain, PAM is configured for all existing services. If you install a new service that requires PAM configuration, you can configure individual services using vastool.

  3. To configure sshd to use the Safeguard Authentication Services PAM module, execute the following command as root:
    vastool configure pam sshd
  4. To remove the PAM configuration from sshd, execute the following command as root:
    vastool unconfigure pam sshd
  5. After modifying the PAM configuration, you may have to restart the affected services.