Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Integrating with GPMC
Display specifiers Troubleshooting

One-way trust authentication

You can enable authentication between domains which do not have a two-way trust between them.

To configure a one-way trust

  1. On the Unix host joined to domain A (TRUSTING.COM) which trusts domain B (TRUSTED.COM), create a service principal in domain B, as follows:
    vastool -u <DomainAdminUserInDomainB> service create ServiceName/@TRUSTED.COM

    where ServiceName is any unique identifier you choose.

    This creates a keytab file containing the value of the krb5name for your service name.

  2. To list the keytab file, enter the following:
    vastool ktutil -k /etc/opt/quest/vas/ServiceName.keytab list

    The results will look something like:

    Vno     Type                 Principal
    1       arcfour-hmac-md5     unixclient-ServiceName@TRUSTED.COM
    1       arcfour-hmac-md5     ServiceName/unixclient.trusting.com@TRUSTED.COM
                    
  3. Create a trust mapping by adding the service principal name to the vas_host_services section of the vas.conf file, as follows:
    [vas_host_services]
      trusted.com = {
      krb5name = ServiceName/hostname.com@trusted.com
      }

Note: You can also use an interactive script to configure a one-way trust. Run the following:

/opt/quest/libexec/vas/scripts/vas_oneway_setup.sh

This script prompts you for all of the necessary information and creates the one-way trust configuration for you.

Supporting legacy LDAP applications

The Authentication Services daemon, vasproxyd, provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasproxyd by means of the loopback interface. vasproxyd proxies these requests to Active Directory using Kerberos as the security mechanism.

vasproxyd provides the following features:

  • Secure LDAP authentication without SSL

    LDAP is designed as a data access protocol. The use of LDAP as an authentication mechanism introduces important security considerations—especially since most applications are only able to produce "simple" bind credentials. vasproxyd allows applications to use LDAP simple bind securely by generating the appropriate Kerberos authentication traffic. The use of Kerberos eliminates the need for public key cryptography while providing a high level of security.

  • Authenticated "anonymous" searches

    Many applications require the use of anonymous LDAP searches. vasproxyd allows you to specify a service account that can authenticate and proxy anonymous queries so that applications that expect to be able to use anonymous LDAP can operate with Active Directory without requiring modification of Active Directory to allow anonymous queries.

  • "allow/deny" Authorization

    vasproxyd allows you to add an additional layer of application authorization based on Active Directory user-name, Active Directory group membership, or Active Directory Organizational Unit (OU) containership. In other words, vasproxyd returns an LDAP BindResponse error on an (otherwise valid) LDAP bind attempt if the authenticating user is not authorized by means of settings in the users.allow/ users.deny files.

Installing the LDAP proxy

You can install the LDAP proxy package using the install.sh script.

To install the LDAP proxy

  1. Insert the Authentication Services distribution media and navigate to the root directory of the installation media.
  2. Execute the following command as root:
    ./install.sh vasproxy
  3. Follow the prompts to complete the installation.

Configuring the LDAP proxy

The LDAP proxy must be configured for each application that will use it. LDAP proxy configuration is stored in the [vasproxyd] section of vas.conf. Each setting in the [vasproxyd] section specifies a proxy handler configured to listen on a specific local port for LDAP traffic.

To configure the LDAP proxy for an application

  1. Open vas.conf and add a proxy handler for your legacy application. A proxy handler is a multi-valued setting. For example:
    [vasproxyd] 
    mydomain = { 
       listen-addrs = 127.0.0.1:10000 
       enable-anonymous = true 
       service-principal = mydomain.example.com@EXAMPLE.COM 
       allow-deny-name = mydomain 
       daemon-user = mydomain 
       connection-timeout = 120 
       largest-ldap-message = 2000000 
       } 

    This example configures a proxy handler for the mydomain application. The name is only used for identification in log files. It does not have to match the name of the application. This proxy handler listens on the localhost port 10000. For a complete list of all proxy handler options and their meanings see the vasproxyd man page. After you set up the proxy, you may need to adjust the legacy application configuration to use the proxy address and port.

  2. After you have configured the LDAP proxy handler, restart the service. The method for restarting the service differs by platform:

    Linux and Solaris:

    /etc/init.d/vasproxyd restart

    HPUX:

    /sbin/init.d/vasproxyd restart

    AIX:

    stopsrc -s vasproxyd startsrc -s vasproxyd
Related Documents