Chat now with support
Chat with Support

Safeguard Authentication Services 5.1 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment [[[Missing Linked File System.LinkedTitle]]] Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Changing file ownership manually

OAT consists of three utilities. You run each of these utilities in order. The first two steps of the process create a file that gets passed to the next step:

  1. oat_adlookup

    The first command creates the Active Directory User Information file (or the Active Directory Group Information file ) listing the Unix-enabled Active Directory users (or groups) that is passed to oat_match to create a map between Active Directory and local users or groups.

  2. oat_match

    The second command creates the User map file (or the Group map file ) containing mappings between Active Directory and local users (or groups) that is passed to oat_changeowners to align file ownership.

  3. oat_changeowner

    The third command changes UID and/or GID of files and directories on local Unix hosts to the UID/GID maintained in Active Directory. Before you do this step you can manually create special files to pass into oat_changeowner, the Files to Process List file or the Files to Exclude List file . Finally, oat_changeowner produces the Processed Files List file .

Note: One Identity also provides an interactive script, named oat, that calls oat_adlookup, oat_match, and oat_changeowner utilities with appropriate arguments based on responses that you provide. For more information see Changing file ownership using the script.

The /opt/quest/libexec/oat/oat_example.sh script file shows you examples of running OAT without using the interactive script. Having the ability to run the oat utilities manually gives you flexibility when changing ownership. As noted in the example in Changing file ownership using the script, OAT is not limited when hosts do not use the same naming conventions.

Note: To see the arguments and options for each of these utilities, run them with a -h option. For example, to see the syntax for oat_adlookup, enter:

# /opt/quest/libexec/oat/oat_adlookup -h

Performing a cross-domain search

To perform a cross-domain search

  1. Enter the following command:
    vastool -u admin -w password search -b "dc=example2,dc=com" "(objectCategory=person)" sAMAccountName > results_file

    This command performs a cross-domain search of all person objects in the example2.com domain, and puts their sAMAccountName into a new file called results_file.

  2. Use the results_file for the oat_match.

    For more information about vastool search options, refer to the OAT man page.

OAT matching scripts

The OAT matching scripts allow for flexible resolution of user name rules. These scripts match local Unix accounts to Active Directory accounts. You can customize or replace these scripts to work as needed in your environment.

The basic match scripts match users and groups by comparing naming attributes:

  • oat_match_group.awk
  • oat_match_user.awk

The mapped user script matches users based on an existing mapped user file:

  • oat_match_user_mappeduser.awk

The override scripts match users and groups using an existing Safeguard Authentication Services override file:

  • oat_match_user_override.awk
  • oat_match_group_override.awk

Rollback changes

In the event that you want to revert the files back to the original User ID and Group ID, you can use the rollback option.

To change the ownership of a directory and remove the users from the system with oat_changeowner, enter:

oat_changeowner process -b backup_dir -d /home/user -u user_match_file -m

To undo the changes made by the oat_changeowner command, enter:

oat_changeowner rollback -b backup_dir

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating