
Safeguard Authentication Services 5.0.6 - Administration Guide


Handling platform limitations on user name length

Some platforms limit the length of a user name. By default, Safeguard Authentication Services uses the Active Directory attribute mapped to User Name in the Safeguard Authentication Services application configuration as the Unix user name. You can view this mapping in the Control Center, in the Preferences | Schema Attributes | Unix Attributes panel.

On hosts that enforce a shorter limit, you can override this mapping with the username-attr-name option in vas.conf. The option names a different Active Directory attribute to use as the Unix user name on that machine only, so you can work around name length limitations host by host by pointing at an attribute that holds a short name. Whatever attribute you choose must be populated, and unique, for every user who will log on to that host; otherwise user names cannot be resolved consistently there.

To map the user name to the Active Directory gecos attribute, add the following lines to vas.conf:

[vasd]
username-attr-name = gecos

Configuring Name Service Switch (NSS)

Unix-based operating systems can work with a number of databases for host, user, group, and other information. The name service provides access to these databases. You can configure each database for multiple data sources through plugin modules. For example, host name information can be returned from /etc/hosts, NIS, NIS+, LDAP, or DNS. You may use one or more modules for each database; the modules and their lookup order are specified in the /etc/nsswitch.conf file.

Safeguard Authentication Services provides a name service module (vas4) that resolves user and group information from Active Directory. When the Unix host is joined to the domain, the passwd and group lines of /etc/nsswitch.conf are automatically modified to include the Safeguard Authentication Services name service module (details vary by platform). The following is an example of what the passwd and group lines may look like after a Unix host has been joined to the domain:

passwd: files vas4 nis
group: files vas4 nis

Note: The Safeguard Authentication Services name service module (vas4) does not apply to AIX or macOS; instead of NSS, AIX uses LAM and macOS uses Directory Services.

Using VASTOOL to configure NSS

Because the name service configuration may vary by platform, Safeguard Authentication Services provides the ability to automatically configure the name service system for Safeguard Authentication Services.

To configure the NSS

  1. Execute the following command as root:
    vastool configure nss
  2. After modifying the name service configuration, restart any affected services (for example nscd, if it is running) or reboot, so that processes which have already read /etc/nsswitch.conf pick up the new module order.

To undo the configuration, run the following command as root:
    vastool unconfigure nss

Using NSCD

nscd is a Unix caching daemon that can increase the efficiency of the Name Service. nscd caches the results supplied by the NSS modules and serves lookups from that cache, rather than calling the modules, for a configurable period. When the time-to-live expires, the cached results are discarded and the NSS modules are queried again to reload the cache.

Note: nscd is not available on all supported platforms.

Safeguard Authentication Services maintains its own user and group caches, so caching the same data again in nscd is redundant. Therefore both vastool join and vastool configure nss edit /etc/nscd.conf to disable nscd caching of the passwd and group databases. You can run Safeguard Authentication Services and nscd together, but you must manually re-enable nscd caching for users and groups. Safeguard Authentication Services comments out the previous nscd settings rather than deleting them, so you can locate and reverse the change in /etc/nscd.conf if needed.
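As an added check that is not part of this guide or of Safeguard Authentication Services itself, the following POSIX shell script audits nsswitch.conf and nscd.conf for the post-join state described in the NSS and nscd sections above: the vas4 module present on the passwd and group lines, and nscd caching of those two databases turned off. It writes constructed sample copies of both files to a temporary directory so it runs offline; the function names (nss_sources, nss_has_module, nscd_cache_state, nss_check) are the example's own, not vastool commands.

```shell
#!/bin/sh
# Added example, not part of the Safeguard Authentication Services guide:
# audit nsswitch.conf and nscd.conf for the state the text describes after
# `vastool join` / `vastool configure nss`. The two config files below are
# CONSTRUCTED samples written to a temp dir; on a real host pass
# /etc/nsswitch.conf and /etc/nscd.conf instead.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed nsswitch.conf: passwd/group carry the vas4 module after files.
cat > "$workdir/nsswitch.conf" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files vas4 nis
group:      files vas4 nis
hosts:      files dns
EOF

# Constructed nscd.conf: the original passwd/group lines are commented out
# and followed by "no", the way the guide says vastool leaves them.
cat > "$workdir/nscd.conf" <<'EOF'
#enable-cache           passwd          yes
enable-cache            passwd          no
#enable-cache           group           yes
enable-cache            group           no
enable-cache            hosts           yes
EOF

# nss_sources FILE DB: print the source list of the first uncommented
# "DB:" line, with any trailing comment and whitespace stripped.
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed 's/#.*//; s/[[:space:]]*$//' | head -n 1
}

# nss_has_module FILE DB MODULE: exit 0 if MODULE appears in DB's sources.
nss_has_module() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "$3" ] && return 0
    done
    return 1
}

# nscd_cache_state FILE DB: print the value of the last uncommented
# "enable-cache DB <value>" line, or "unset" if there is none.
nscd_cache_state() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "enable-cache" && $2 == db { state = $3 }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# nss_check NSSWITCH NSCDCONF: report on passwd and group; exit 1 if vas4 is
# missing or nscd still caches either database (double caching with vasd).
nss_check() {
    rc=0
    for db in passwd group; do
        if nss_has_module "$1" "$db" vas4; then
            echo "ok:   $db -> $(nss_sources "$1" "$db")"
        else
            echo "FAIL: vas4 not in the $db line of $1"
            rc=1
        fi
        # Only an explicit "yes" counts as caching; "no" or "unset" is fine.
        if [ "$(nscd_cache_state "$2" "$db")" = "yes" ]; then
            echo "FAIL: nscd is caching $db in $2 (vasd has its own cache)"
            rc=1
        else
            echo "ok:   nscd not caching $db"
        fi
    done
    return $rc
}

nss_check "$workdir/nsswitch.conf" "$workdir/nscd.conf"
```

On a joined host, call nss_check /etc/nsswitch.conf /etc/nscd.conf instead of the sample files; a non-zero exit means either the vas4 module is absent from a passwd or group line or nscd has been left caching one of those databases. The check only looks at the first uncommented line per database, which is the line the name service honours. The "FAIL" on nscd caching is a warning about double caching, not a hard error, if you have deliberately re-enabled it as described above.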
