Safeguard Authentication Services 4.1.3 - Administration Guide


Unix Personality Management schema extension

Unix Personality Management requires an extension to the default Active Directory schema in order to store multiple Unix identities for each Active Directory user and group. The UPM schema extension derives from the RFC 2307 standard for storing Unix identity information in LDAP. It introduces new structural classes for user personalities and group personalities. You can link multiple user personalities to an Active Directory user, and multiple group personalities to an Active Directory group.

The UPM schema extension is provided in the standard LDAP Data Interchange Format (LDIF). You can use LDIF files to modify your schema using the ldifde.exe utility that is distributed by Microsoft with the Windows operating system. You must have administrative rights to extend the schema. You can find the LDIF file, qas_unix_personality_management.ldif, on the distribution media in the windows\ldif directory.

For help with running ldifde.exe, see Ldifde Command-line Reference.

Joining the domain in Unix Personality Management mode

To join a Unix host to the domain in UPM mode,

  1. Extend the schema with the Unix Personality Management schema extension.
  2. Create a personality container.

    In ADUC, right-click a container and select All Tasks | Unix Tasks | Promote to Personality Container.

  3. Join Unix hosts to the domain in UPM mode using the new personality container.

For example, run the following vastool command to join the domain using the personality container ou=Unix Users,dc=example,dc=com:

vastool -u Administrator join -p "ou=Unix Users,dc=example,dc=com"

When the Unix host is joined in UPM mode, only the Unix objects contained in the personality container are cached.

Overriding Unix account information

You can override user account attributes on the local Unix host. This allows you to use the identity information from Active Directory but modify individual attributes on certain hosts as needed. User overrides are specified in the /etc/opt/quest/vas/user-override configuration file. Overrides are specified as follows:

DOMAIN\sAMAccountName:<Login Name>:<UID Number>:<Primary GID Number>:<Comment (GECOS)>:<Home Directory>:<Login Shell>

DOMAIN\sAMAccountName must refer to a valid Active Directory user account. You can omit any of the Unix account fields. If a field is not specified it will get the default value for that user. You can override every member of a group using the following syntax:

DOMAIN\sAMAccountName:::::<Home Directory>:<Login Shell>

DOMAIN\sAMAccountName must refer to a valid Active Directory group account. You can only specify the Home Directory and Login Shell attributes because all of the other attributes are user-specific. You can insert a special %s macro anywhere in the override entry to specify the user name. For examples, refer to the /etc/opt/quest/vas/user-override.sample file. See also the Overriding Unix Account Information section in the vasd man page; see Using Authentication Services manual pages (man pages) for information about accessing the vasd man page.

You can manage user overrides using Group Policy. (See Account override policies for more information.)
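The following added example (not part of the guide or of the Authentication Services product) parses entries in the user-override format described above, merges them onto the Unix attributes the host would otherwise take from Active Directory, expands the %s macro, and flags results an administrator should review before the file goes live (an override that sets UID 0 or GID 0, or a shell outside a site list). The directory defaults, the allowed-shell list and the sample file contents are constructed for the example, and the assumption that %s expands to the sAMAccountName part of the account is the example's own.

```python
"""Parse, resolve and audit entries in the vasd user-override format."""
from dataclasses import dataclass, field

# Constructed sample of what the host would otherwise get from Active Directory.
# Keys are DOMAIN\sAMAccountName; this is example data, not a real directory.
AD_DEFAULTS = {
    r"EXAMPLE\jdoe": {"login": "jdoe", "uid": 10001, "gid": 10000,
                      "gecos": "Jane Doe", "home": "/home/jdoe", "shell": "/bin/bash"},
    r"EXAMPLE\svc-backup": {"login": "svc-backup", "uid": 10002, "gid": 10000,
                            "gecos": "Backup Service", "home": "/home/svc-backup",
                            "shell": "/bin/bash"},
}

# Order of the six Unix account fields that follow DOMAIN\sAMAccountName.
FIELDS = ("login", "uid", "gid", "gecos", "home", "shell")
GROUP_ONLY_FIELDS = {"home", "shell"}   # the only fields a group-member override may set
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/sbin/nologin"}  # assumed site policy


@dataclass
class Override:
    account: str                                 # DOMAIN\sAMAccountName
    values: dict = field(default_factory=dict)   # only the fields the entry actually sets


def parse_override_line(line: str):
    """Return an Override for one line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}: {line!r}")
    account = parts[0]
    if "\\" not in account or account.endswith("\\"):
        raise ValueError(f"account must be DOMAIN\\sAMAccountName: {account!r}")
    values = {}
    for name, raw in zip(FIELDS, parts[1:]):
        if raw == "":
            continue                  # an omitted field keeps its directory value
        values[name] = int(raw) if name in ("uid", "gid") else raw
    return Override(account, values)


def parse_override_file(text: str, group_entries=False):
    """Parse a whole file; with group_entries=True, reject fields other than home/shell."""
    overrides = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ov = parse_override_line(line)
        if ov is None:
            continue
        if group_entries and not set(ov.values) <= GROUP_ONLY_FIELDS:
            bad = sorted(set(ov.values) - GROUP_ONLY_FIELDS)
            raise ValueError(f"line {lineno}: group override may only set home/shell, found {bad}")
        overrides.append(ov)
    return overrides


def resolve(override: Override, defaults: dict) -> dict:
    """Merge an override onto the directory defaults and expand the %s macro.
    Assumption made by this example: %s expands to the sAMAccountName part of the account."""
    if override.account not in defaults:
        raise KeyError(f"{override.account} is not a known directory account")
    sam = override.account.split("\\", 1)[1]
    merged = dict(defaults[override.account])
    for name, value in override.values.items():
        merged[name] = value.replace("%s", sam) if isinstance(value, str) else value
    return merged


def audit(resolved: dict):
    """Flag override results a host administrator would want to review."""
    findings = []
    if resolved["uid"] == 0:
        findings.append("uid 0: override grants root")
    if resolved["gid"] == 0:
        findings.append("gid 0: primary group is root")
    if resolved["shell"] not in ALLOWED_SHELLS:
        findings.append(f"shell {resolved['shell']} not in allowed list")
    if not resolved["home"].startswith("/"):
        findings.append("home directory is not absolute")
    return findings


# Constructed sample override file, in the format documented above.
SAMPLE_USER_OVERRIDE = r"""
# move jdoe's home and change her shell on this host only
EXAMPLE\jdoe:::::/export/home/%s:/bin/zsh
# the next line should not pass review: it makes a service account root on this host
EXAMPLE\svc-backup::0::::
"""


def audit_file(text: str, defaults=AD_DEFAULTS):
    """Return {account: findings} for every entry in an override file."""
    return {ov.account: audit(resolve(ov, defaults))
            for ov in parse_override_file(text)}


if __name__ == "__main__":
    for account, findings in audit_file(SAMPLE_USER_OVERRIDE).items():
        print(account, findings or "ok")
```

Running the script against a real /etc/opt/quest/vas/user-override would only need the AD_DEFAULTS table replaced by a lookup of the host's cached Unix attributes; the seven-field split, the empty-field-means-default rule and the %s expansion are the parts that mirror the documented format.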

Managing Unix group accounts

You can Unix-enable Active Directory groups. A Unix-enabled group has a Group Name and a GID Number. These attributes cause an Active Directory group to appear as a standard Unix group. The group membership on Unix is the same as the Windows group membership, but any users that are not Unix-enabled are excluded from the group membership on the Unix host.

