If you do not have a schema that supports Unix data storage in Active Directory, you can configure Safeguard Authentication Services to use existing, unused attributes of users and groups to store Unix information in Active Directory.
To configure a custom schema mapping
- Open the Control Center and click Preferences then Schema Attributes on the left navigation pane.
- Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
-
Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes except User ID Number, User Primary Group ID, and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, the border will turn red indicating that the LDAP attribute is invalid.
NOTE: When customizing the schema mapping, ensure that the attributes used for User ID Number and Group ID Number are indexed and replicated to the global catalog.
For more information, see Active Directory Optimization in the Control Center online help.
- Click OK to validate and save the specified mappings in Active Directory.
Indexing certain attributes used by the Safeguard Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project. The Control Center, Preferences | Schema Attributes | Unix Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.
Note: The Optimize Schema option is only available if you have not optimized the Active Directory schema.
One Identity recommends that you index the following attributes in Active Directory:
- User Login Name
- User ID Number
- Group Name
- Group ID Number
Note: LDAP display names vary depending on your Unix attribute mappings.
It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Safeguard Authentication Services Unix agents. Click the Optimize Schema link to run a script that updates these attributes as necessary.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
You can Unix-enable Active Directory user accounts. A Unix-enabled user has a Unix User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory, and Login Shell. These attributes enable an Active Directory user to appear as a standard Unix user. Safeguard Authentication Services provides several tools to help you manage Unix account information in Active Directory.
You can access Active Directory Users and Computers (ADUC) from the Control Center. Navigate to the Tools | Safeguard Authentication Services Extensions for Active Directory Users and Computers.
After installing Safeguard Authentication Services on Windows, a Unix Account tab appears in the Active Directory user's Properties dialog:
Note: If the Unix Account tab does not appear in the user's Properties dialog, review the installation steps outlined in the Safeguard Authentication Services Installation Guide to ensure that Safeguard Authentication Services was installed correctly. Refer to Unix Account tab is missing in ADUC for more information.
Select the Unix-enabled option to Unix-enable the user. Unix-enabled users can log in to Unix hosts joined to the domain. Selecting this option causes Safeguard Authentication Services to generate default values for each of the Unix attributes. You can alter the way default values are generated using Control Center.
Table 12: Unix attributes
| User Name |
This is the Unix user name of the Windows account used to log in to a Unix host. |
| UID Number |
Use this field to set the numeric Unix User ID (UID). This value must be unique in the forest. In some environments, users have a different UID number on each Unix host. In this case, you can use mapped user, local account overrides, or Ownership Alignment Tool (OAT) to ensure that the local Unix user is associated with the correct Windows user account and that local resources are still associated with the correct UID Number. |
| Primary Group ID |
Use this field to set the Unix Primary Group ID. This field determines the group ownership of files that are created by the user. Click the Search button to search for Unix-enabled groups in Active Directory. This field defaults to 1000. You can modify the default in the Control Center | Preferences. |
| Primary Group Name |
This read-only field displays the name of the group associated with the Primary Group ID. If the Primary Group ID is not associated with a Unix-enabled Active Directory group, then the field is blank. |
| Comment (GECOS) |
Use this free-form field to store information that is found in the GECOS field in /etc/passwd. This information is typically used to record the user's full name and other information, such as phone number and office location. If this field contains a colon, the colon will be replaced by a _ on Unix. You can change the Comment (GECOS) default in the Control Center | Preferences. |
| Home Directory |
Use this field to configure the user's Unix home directory. If the home directory does not exist when the user logs in to a machine for the first time, Safeguard Authentication Services creates it. The default value is /home/<User Name>. (/Users/<User Name> on macOS.) You can override the default home directory prefix in the Control Center | Preferences. |
| Login Shell |
Use this field to configure the shell that is executed when the user logs in to Unix using a terminal-based login. If the specified shell does not exist, the user will not be allowed to log in. You can use a Symlink Policy to ensure that a particular shell path exists on all of your Unix hosts. This value defaults to /bin/sh. You can modify the default in the Control Center | Preferences. |
| Generate Unique ID |
Click this link to generate a unique User ID number. If the ID is already unique, it will not be modified. By default you cannot save a non-unique ID number. You can modify this setting in the Control Center | Preferences. |
| Clear Unix Attributes |
If a user is not Unix-enabled, you can click this link to clear all of the Unix attribute values. |
