Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.6 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Mapped User policy

The Mapped User policy controls the mapping between local users and Active Directory users. The Mapped User policy is under Unix Settings | Quest Safeguard Authentication Services | Identity Mapping in the Group Policy Object Editor (GPOE). When a local user is mapped to an Active Directory user, that user specifies his local account user name but is prompted for the Active Directory password of the mapped account. The local account password is no longer used. Unix identity for the local user comes from the /etc/passwd file as usual.

The Mapped User policy allows you to manage user mappings. You can load a list of users from a file in /etc/passwd format. You can load files from the local machine or from a remote Unix host over SSH. When you specify a mapping you can browse Active Directory for a user object.

Service Access Control policy

The Service Access Control policies control which applications a user can log in with.

Service Access Control entries are "append-only" and cannot be overridden. However, if there is duplicate entry, the entry is only added once to the service Allow or Deny file.

Typical services include ftpd, sshd, and login.

Note: telnet uses the login service.

To configure a Service Allow Entry

  1. Start Group Policy Editor.
  2. Navigate to Unix Settings | Authentication Services | Access Control | Service Access.
  3. Right-click Service Access and select New | Service.

    The New Service dialog opens.

  4. Enter ftp and click OK.

    The ftp Configuration item now appears in the results pane.

  5. Double-click ftp Configuration to open the service Configuration Properties dialog.
  6. Click the ftp.allow Configuration tab:
    • Click Browse AD to add a container. User objects under this container are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
    • Click Add Group to add groups to the <service>.allow file. Members of the specified groups are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
    • Click Add User to locate specific users to add to the <service>.allow file. The specified users are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
    • Click Add Domain to select the domain to add to the <service>.allow file. All users in the specified domain are allowed to log in by means of ftp unless a deny rule prevents it. Other users are not allowed to log in by means of ftp unless another allow rule allows it.
  7. Click OK to save settings and close the dialog.

To configure a service deny entry

  1. Start Group Policy Editor.
  2. Navigate to Unix Settings | Authentication Services | Access Control | Service Access.
  3. Right-click Service Access and select New | Service.

    The New Service dialog opens.

  4. Enter ftp and click OK.

    The ftp Configuration item now appears in the results view.

  5. Double-click ftp Configuration to open the Service Configuration Properties dialog.
  6. Click the ftp.deny Configuration tab:
    • Click Browse AD to add a container name to deny. User objects under this container are denied log in by means of ftp.
    • Click Add Group to locate groups to deny. Members of specified groups are denied log in by means of ftp.
    • Click Add User to locate specific users to deny. These users are denied log in by means of ftp.
    • Click Add Domain to select the domain to deny. Users in the specified domain are denied log in by means of ftp.
  7. Click OK to save settings and close the dialog.

Account Override policies

Group Policy provides policies to manage the user-override and group-override files. The user-override file allows you to override certain user attributes such as the login shell or home directory. The group-override file allows you to override certain group attributes such as group name and group membership list.

Account Override policies support non-tattooing, block inheritance, ACL filtering, and enforced settings. If an Account Override policy is enforced, then entries in that policy cannot be overridden. When there are no Account Override policies associated with the Unix agent, a Group Policy refresh returns the local override files to their original states.

If there are multiple policies affecting the same override entry, then the user or group override is dictated by the lowest policy in the hierarchy affecting that user or group or the highest enforced policy affecting that user or group in the hierarchy.

Group Policy creates the user-override and group-override files on the system if they do not already exist. It merges the policy-defined entries with the existing local entries and prunes the duplicates. The policy settings override local settings.

User Account Override policy

The User Account Override policy allows administrators to add users to the override list and selectively set account attributes for those users. This policy manages the Safeguard Authentication Servicesuser-override file, which allows specified users to take on a different identity on a per-machine basis.

To add a user override entry

  1. Start Group Policy Editor.
  2. Navigate to the Unix Settings | Authentication Services | Identity Mapping node.
  3. Double-click User Account Override to open the User Account Override Properties dialog.
  4. Click Add.

    The User Account Override dialog opens initially with all fields disabled except the Apply To field.

  5. Enter the specific DOMAIN\sAMAccountName or a * in the Apply To field.

    Note:

    • A * indicates all Safeguard Authentication Services users.
    • Safeguard Authentication Services ignores a non-existent user in the Apply To field.

    Thus, only the Primary GID, Home Directory, and Login Shell fields are valid. All other fields are disabled.

  6. Click Browse.

    The Select User or Group dialog opens.

  7. Enter a user or group name to select. Or, type the first letter of a name and click Check Names for Group Policy to find Safeguard Authentication Services-enabled users in Active Directory. Once you locate the names, click OK and return to the User Account Override dialog.
  8. Enter override values for the Primary GID, Home Directory, and Login Shell user attributes and click OK.

    The entry displays in the list of account override settings. Scroll the list or adjust column widths to view all of the account settings.

  9. Click OK to save settings and close the dialog.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating