Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.3 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Integrating with GPMC
Display specifiers Troubleshooting

Handling platform limitations on user name length

Some platforms limit the length of a user name. By default Authentication Services uses the attribute mapped to User Name in the Authentication Services application configuration as the Unix user name. You can view this mapping in Control Center under Preferences | Custom Unix Attributes. However, you may need to override this setting for certain hosts. You can use the username-attr-name option in vas.conf to override this setting. This allows you to work around name length limitations on a machine-by-machine basis by defining an attribute to be used for a short name.

To map the user name to the Active Directory gecos attribute, add the following lines to vas.conf:

username-attr-name = gecos

Configuring Name Service Switch (NSS)

Unix-based operating systems can work with a number of databases for host, user, group and other information. The name service provides access to these databases. You can configure each database for multiple data sources through plugin modules. For example, host name information can be returned from /etc/hosts, NIS, NIS+, LDAP or DNS. You may use one or more modules for each database; the modules and their lookup order are specified in the /etc/nsswitch.conf file.

Authentication Services provides a name service module (vas4) which resolves user and group information from Active Directory. When the Unix host is joined to the domain, the passwd and group lines of /etc/nsswitch.conf are automatically modified to include the Authentication Services name service module (details vary by platform). The following is an example of what the passwd and group lines may look like after a Unix host has been joined to the domain:

passwd: files vas4 nis 
group: files vas4 nis

Note: The Authentication Services name service module (vas4) does not apply to AIX or Mac OS X; instead of NSS, AIX uses LAM and Mac OS X uses Directory Services.

Using VASTOOL to configure NSS

Because the name service configuration may vary by platform, Authentication Services provides the ability to automatically configure the name service system for Authentication Services.

To configure the NSS

  1. Execute the following command as root:
    vastool configure nss
  2. To undo the configuration, run the following command as root:
    vastool unconfigure nss
  3. After modifying the name service configuration, restart any affected services or reboot.

Using NSCD with Authentication Services

nscd is a Unix caching daemon that can increase the efficiency of the Name Service. nscd caches results supplied by NSS modules. This cache is used instead of calling the NSS modules for a specified period of time. After a configurable timeout, the cached results are flushed and NSS again calls the NSS modules directly to load the cache.

Note: nscd is not available on all supported platforms.

Authentication Services contains similar functionality for its own user and group caches. Therefore, the behavior for vastool join and vastool configure nss is to modify /etc/nscd.conf to disable nscd caching of passwd and group data. It is possible to use Authentication Services and nscd together, but you must manually re-enable nscd caching for users and groups. Authentication Services comments out the previous nscd configuration so you can locate and reverse this change in /etc/nscd.conf, if needed.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating