Chat now with support
Chat with Support

Safeguard Authentication Services 5.1.3 - Administration Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services UNIX administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing UNIX hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts UNIX policies One Identity policies
Display specifiers Troubleshooting Glossary

Change Auditor for Authentication Services integration

Change Auditor for Authentication Services provides auditing, alerting, and change tracking capabilities.

Change Auditor provides the ability to capture Safeguard Authentication Services events for both Active Directory and Group Policy.

Why is auditing, alerting, and change tracking important?

When organizations make the key decision to integrate UNIX with Active Directory, they expand Active Directory's scope and strategic importance. As a result, it is critical to provide visibility into the UNIX-centric data, which is now managed by Active Directory. Safeguard Authentication Services addresses this challenge by delivering the ability to audit, alert, and show detailed change history of UNIX-centric information now managed by Active Directory.

Without these capabilities, Active Directory bridge administrators are blind to any changes made to UNIX-centric information managed by Active Directory and may be forced to purchase and implement a third-party solution.

Who needs the Change Auditor functionality in Safeguard Authentication Services?

An organization using the Active Directory Group Policy features of Safeguard Authentication Services to manage UNIX systems may have a group policy that grants a UNIX system administrator the right to authenticate to every UNIX machine. If an administrator edits this group policy and grants additional users the same access, Safeguard Authentication Services now provides immediate visibility into these changes. An alert will be generated and the organization will know who made the change, when, and from where. A detailed history of the policy will also be provided.

To achieve and maintain compliance with regulations and policy, an organization must be able to prove it has control over its UNIX-centric data in Active Directory. With Safeguard Authentication Services, an organization will now be alerted to events, such as when UNIX systems are joined to Active Directory, when Active Directory users or groups are "UNIX enabled," or changes to NIS data stored in Active Directory. This information will be available for audit and will show the change history.

How does Safeguard Authentication Services’ audit capabilities compare to other Active Directory bridge solutions?

The audit, alerting, and change tracking capabilities of Safeguard Authentication Services are unique, and a critical differentiator for One Identity. Only One Identity can offer these benefits as an integrated and included component of its Active Directory bridge solution.

Is there an additional charge for Safeguard Authentication Services 4.x audit capabilities?

There is no additional cost for Safeguard Authentication Services audit, alerting, and change tracking capabilities; they are considered new features and are available to new customers, as well as to existing customers that upgrade as part of their active relationship with One Identity.

How does Safeguard Authentication Services integrate with Change Auditor?

Safeguard Authentication Services includes a special license key for Change Auditor for Authentication Services that unlocks a number of unique, Safeguard Authentication Services-specific events. These Active Directory events can be monitored using the Change Auditor console, as illustrated in the following table.

Table 20: Events for Safeguard Authentication Services
Change Auditor Safeguard Authentication Services event Description

NIS Object Added

Created when an NIS object is added to Active Directory.

NIS Object Attribute Changed

Created when the data stored in an NIS object in Active Directory is changed.

NIS Object Deleted

Created when an NIS object is deleted from Active Directory.

NIS Object Moved

Created when an NIS object is moved within Active Directory.

NIS Object Renamed

Created when an NIS object is renamed within Active Directory.

Personality Object Added

Created when a UNIX user or group personality object is added to Active Directory.

Personality Object Attribute Changed

Created when the data stored in a UNIX personality object in Active Directory is changed.

Personality Object Deleted

Created when a UNIX user or group personality object is deleted from Active Directory.

Personality Object Moved

Created when a UNIX personality object is moved within Active Directory.

Personality Object Renamed

Created when a UNIX personality object is renamed within Active Directory.

Safeguard Authentication Services Computer Object Added

Created when a new Safeguard Authentication Services computer object is added to an Active Directory domain.

Safeguard Authentication Services Computer Object Attribute Changed

Created when an attribute for Safeguard Authentication Services computer object is changed.

Safeguard Authentication Services Computer Object Deleted

Created when a Safeguard Authentication Services computer object is removed from an Active Directory domain.

Safeguard Authentication Services Computer Object Moved

Created when Safeguard Authentication Services computer object is moved in an Active Directory domain.

Safeguard Authentication Services Computer Object Renamed

Created when Safeguard Authentication Services computer object is renamed in an Active Directory domain.

Safeguard Authentication Services GPO Setting Changed

Created when Safeguard Authentication Services Group Policy settings is changed.

NOTE: To capture Safeguard Authentication Services GPO events, Safeguard Authentication Services must be installed on the DC which is used to perform the GPO changes (in most cases this will be the PDC).

UNIX GECOS Changed

Created when the GECOS attribute of a UNIX-enabled Active Directory user is changed.

UNIX Group ID Number Changed for Group

Created when the group ID number of a UNIX-enabled Active Directory group is changed.

UNIX Group ID Number Changed for User

Created when the primary group ID number of a UNIX-enabled Active Directory user is changed.

UNIX Group Name Changed

Created when the UNIX name of a UNIX-enabled Active Directory group is changed.

UNIX Home Directory Changed

Created when the UNIX home directory of a UNIX-enabled Active Directory user is changed.

UNIX Login Name Changed

Created when the UNIX login name of a UNIX-enabled Active Directory user is changed.

UNIX Login Shell Changed

Created when the UNIX login shell of a UNIX-enabled Active Directory user is changed.

UNIX User ID Number Changed

Created when the user ID number of a UNIX-enabled Active Directory user is changed.

UNIX-Enabled Changed for Group

Created when the UNIX attributes of an Active Directory group are changed such that it no longer exists on a UNIX or Linux system.

Installing Change Auditor for Authentication Services

The following steps outline the basic procedure for installing Change Auditor for Authentication Services. For detailed steps on installing Change Auditor for Authentication Services, see the Change Auditor Installation Guide.

To install Change Auditor for Authentication Services

  1. Insert the Safeguard Authentication Services distribution media.

    The Autorun Home page displays.

    NOTE: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.

  2. Click the Setup tab and select Change Auditor for Authentication Services.

    The Change Auditor for Authentication Services for Active Directory web page opens.

  3. Click Download on the left navigation panel.

  4. Follow the online instructions to gain access to the Trial Download page.

  5. From the Trial Download: Change Auditor for Active Directory page, click the Installation Guide link.

Application integration

One Identity provides many applications with the same level of Active Directory integration that it provides for UNIX-based operating systems. That is, One Identity's solution provides Active Directory-based single sign-on (and the closely associated reduced sign-on) for the following applications.

Table 21: Applications that integrate with Safeguard Authentication Services
Application One Identity provides

Ansible

Infrastructure Administrators can use Ansible 2.9 or later for the following functions, including generating reports.

  • Install, upgrade, and uninstall Safeguard Authentication Services (SAS) software packages and create reports to summarize software deploy status.

  • Configure and join Safeguard Authentication Services to your AD domain including:

    • Perform preflight checks.

    • Modify vas.conf.

    • Modify users/groups.allow and users/groups.deny.

    • Modify user/group overrides.

    • Join/unjoin SAS from domain.

    • Create reports to summarize configure/join status.

Safeguard Authentication Services Ansible Collection

The One Identity Safeguard Authentication Services Ansible Collection, referred to as ansible-authentication-services, consists of roles, modules, plugins, report templates, and sample playbooks to automate software deployment, configuration, Active Directory joining, profiling, and report generation for Safeguard Authentication Services. Go to: https://github.com/OneIdentity/ansible-authentication-services.

Ansible details

For Ansible information consult:

Applications with an API

You can integrate any application with an authentication API (such as GSSAPI) with Active Directory for single sign-on.

LDAP-aware applications

You can bring any non-Windows application that is LDAP-aware into the Active Directory trusted realm through a powerful LDAP proxy.

Kerberos-enabled applications

You can bring any non-Windows application that is Kerberos-aware into the Active Directory trusted realm.

Oracle databases

Integration to enable single sign-on to Oracle databases running on UNIX or Linux.

SAP

An SAP-certified single sign-on solution that enables an Active Directory login to provide seamless access to SAP GUI applications running on UNIX or Linux. One Identity One also delivers single sign-on for any SAP NetWeaver application.

Managing UNIX hosts with Group Policy

Safeguard Authentication Services extends Group Policy to UNIX, Linux and macOS. Safeguard Authentication Services Group Policy provides policies to manage a wide array of configuration settings, files, scripts and applications.

NOTE: For more information about managing your macOS clients with Group Policy, see the Safeguard Authentication Services macOS Administration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating