
Safeguard Authentication Services 4.1.5 - Administration Guide


Configure a custom schema mapping

If you do not have a schema that supports Unix data storage in Active Directory, you can configure Authentication Services to use existing, unused attributes of users and groups to store Unix information in Active Directory.

To configure a custom schema mapping

  1. Open the Control Center and click the Preferences on the left navigation panel.
  2. Expand the Custom Unix Attributes and click Customize.
  3. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes, except User ID Number, User Primary Group ID and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, the field border turns red, indicating that the LDAP attribute is invalid.

    Note: When customizing the schema mapping, ensure that the attributes used for User ID Number and Group ID Number are indexed and replicated to the global catalog.

    For more information, see Active Directory Optimization in the Control Center online help.

  4. Click OK to validate and save the specified mappings in Active Directory.

Active Directory optimization (Best Practice)

Indexing certain attributes used by the Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project. The Custom Unix Attributes panel in the Preferences section of Control Center displays a warning if the Active Directory configuration is not optimized according to best practices.

Note: The Optimize Schema option is only available if you have not optimized the Active Directory schema.

One Identity recommends that you index the following attributes in Active Directory.

Note: LDAP display names vary depending on your Unix attribute mappings.

  • User Login Name
  • User ID Number
  • Group Name
  • Group ID Number

It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Authentication Services Unix agents. Click the Optimize Schema link to run a script that updates these attributes as necessary.

This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, Control Center generates a schema optimization script instead. You can send the script to an Active Directory administrator who has rights to make the necessary changes.

All schema optimizations are reversible and no schema extensions are applied in the process.
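The two checks described above, the red border in the Custom Unix Attributes dialog (attribute exists and has an acceptable syntax) and the optimization warning (recommended attributes indexed and replicated to the global catalog), can be reproduced outside the GUI. The following is an added example and not Authentication Services code: it evaluates a proposed mapping against a constructed snapshot of attributeSchema fields (lDAPDisplayName, attributeSyntax, searchFlags, isMemberOfPartialAttributeSet). The slot names, the sample mapping and the schema snapshot are assumptions; the syntax OIDs and the fATTINDEX bit are standard Active Directory values.

```python
"""Check a custom Unix attribute mapping against an Active Directory schema snapshot.

Added example (not Authentication Services code). SAMPLE_SCHEMA is constructed;
in a real deployment the same four fields are read from the attributeSchema
objects under the schema naming context.
"""

# Standard Active Directory attribute syntax OIDs.
STRING_SYNTAXES = {"2.5.5.4", "2.5.5.5", "2.5.5.12"}   # case-insensitive, IA5/printable, Unicode
INTEGER_SYNTAXES = {"2.5.5.9", "2.5.5.16"}             # Integer, Large Integer

# searchFlags bit 0 (fATTINDEX) marks an attribute as indexed.
FATTINDEX = 0x1

# Mapping slots; True means an integer syntax is acceptable for that slot.
# Per the guide, only the ID-number slots may be integers.
SLOT_ALLOWS_INTEGER = {
    "User Login Name": False,
    "User ID Number": True,
    "User Primary Group ID": True,
    "User Comment (GECOS)": False,
    "User Home Directory": False,
    "User Login Shell": False,
    "Group Name": False,
    "Group ID Number": True,
}

# Slots the guide recommends indexing and replicating to the global catalog.
OPTIMIZED_SLOTS = ("User Login Name", "User ID Number", "Group Name", "Group ID Number")

# Constructed schema snapshot: lDAPDisplayName -> selected attributeSchema fields.
SAMPLE_SCHEMA = {
    "uid":               {"attributeSyntax": "2.5.5.12", "searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    "uidNumber":         {"attributeSyntax": "2.5.5.9",  "searchFlags": 0, "isMemberOfPartialAttributeSet": False},
    "gidNumber":         {"attributeSyntax": "2.5.5.9",  "searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    "gecos":             {"attributeSyntax": "2.5.5.5",  "searchFlags": 0, "isMemberOfPartialAttributeSet": False},
    "unixHomeDirectory": {"attributeSyntax": "2.5.5.12", "searchFlags": 0, "isMemberOfPartialAttributeSet": False},
    "loginShell":        {"attributeSyntax": "2.5.5.12", "searchFlags": 0, "isMemberOfPartialAttributeSet": False},
    "cn":                {"attributeSyntax": "2.5.5.12", "searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    "lastLogon":         {"attributeSyntax": "2.5.5.16", "searchFlags": 0, "isMemberOfPartialAttributeSet": False},
}


def validate_mapping(mapping, schema):
    """Return (slot, reason) pairs for slots whose attribute is missing or of the wrong type.

    An empty list corresponds to no red borders in the Custom Unix Attributes dialog.
    """
    problems = []
    for slot, ldap_name in mapping.items():
        entry = schema.get(ldap_name)
        if entry is None:
            problems.append((slot, f"attribute '{ldap_name}' does not exist in the schema"))
            continue
        syntax = entry["attributeSyntax"]
        if syntax in STRING_SYNTAXES:
            continue
        if syntax in INTEGER_SYNTAXES and SLOT_ALLOWS_INTEGER.get(slot, False):
            continue
        problems.append((slot, f"attribute '{ldap_name}' has syntax {syntax}, not allowed for this slot"))
    return problems


def optimization_warnings(mapping, schema):
    """Return (slot, ldap_name, issue) for recommended slots not indexed or not in the GC."""
    warnings = []
    for slot in OPTIMIZED_SLOTS:
        ldap_name = mapping.get(slot)
        entry = schema.get(ldap_name) if ldap_name else None
        if entry is None:
            continue  # a missing attribute is reported by validate_mapping
        if not (entry["searchFlags"] & FATTINDEX):
            warnings.append((slot, ldap_name, "not indexed"))
        if not entry["isMemberOfPartialAttributeSet"]:
            warnings.append((slot, ldap_name, "not replicated to the global catalog"))
    return warnings


# Constructed mapping with one wrong-type slot and one nonexistent attribute.
EXAMPLE_MAPPING = {
    "User Login Name": "uid",
    "User ID Number": "uidNumber",
    "User Primary Group ID": "gidNumber",
    "User Comment (GECOS)": "lastLogon",      # integer syntax in a string-only slot
    "User Home Directory": "unixHomeDirectory",
    "User Login Shell": "loginShell",
    "Group Name": "posixGroupName",           # hypothetical name, absent from the snapshot
    "Group ID Number": "gidNumber",
}

if __name__ == "__main__":
    for slot, reason in validate_mapping(EXAMPLE_MAPPING, SAMPLE_SCHEMA):
        print(f"INVALID  {slot}: {reason}")
    for slot, name, issue in optimization_warnings(EXAMPLE_MAPPING, SAMPLE_SCHEMA):
        print(f"WARNING  {slot} ({name}): {issue}")
```

Running the script reports the GECOS slot (integer attribute in a string-only slot) and the Group Name slot (attribute not in the schema) as invalid, and warns that uidNumber is neither indexed nor in the global catalog, which is exactly the state the Optimize Schema script corrects.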

Managing Unix user accounts

You can Unix-enable Active Directory user accounts. A Unix-enabled user has a Unix User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory and Login Shell. These attributes enable an Active Directory user to appear as a standard Unix user. Authentication Services provides several tools to help you manage Unix account information in Active Directory.

Managing Unix users with MMC

You can access Active Directory Users and Computers (ADUC) from the Control Center. Navigate to the Tools | Authentication Services Extensions for Active Directory Users and Computers.

After installing Authentication Services on Windows, a Unix Account tab appears in the Active Directory user's Properties dialog.

Note: If the Unix Account tab does not appear in the user's Properties dialog, review the installation steps outlined in the Authentication Services Installation Guide, located in the docs directory of the installation media, to ensure that Authentication Services was installed correctly. Refer to Unix Account tab is missing in ADUC for more information.

Select the Unix-enabled option to Unix-enable the user. Unix-enabled users can log in to Unix hosts joined to the domain. Selecting this option causes Authentication Services to generate default values for each of the Unix attributes. You can alter the way default values are generated using Control Center.

Table 13: Unix attributes

User Name
    The Unix user name of the Windows account used to log in to a Unix host.

UID Number
    Use this field to set the numeric Unix User ID (UID). This value must be unique in the forest. In some environments users have a different UID number on each Unix host. In this case you can use mapped users, local account overrides or OAT (Ownership Alignment Tool) to ensure that the local Unix user is associated with the correct Windows user account and that local resources are still associated with the correct UID Number.

Primary Group ID
    Use this field to set the Unix Primary Group ID. This field determines the group ownership of files that are created by the user. Click the Search button to search for Unix-enabled groups in Active Directory. This field defaults to 1000. You can modify the default in the Control Center under Preferences.

Primary Group Name
    This read-only field displays the name of the group associated with the Primary Group ID. If the Primary Group ID is not associated with a Unix-enabled Active Directory group, the field is blank.

Comment (GECOS)
    Use this free-form field to store the information that is found in the GECOS field in /etc/passwd. This information is typically used to record the user's full name and other details, such as phone number and office location. If this field contains a colon, the colon is replaced by a _ on Unix. You can change the Comment (GECOS) default in the Control Center under Preferences.

Home Directory
    Use this field to configure the user's Unix home directory. If the home directory does not exist when the user logs into a machine for the first time, Authentication Services creates it. The default value is /home/<User Name> (/Users/<User Name> on Mac OS X). You can override the default home directory prefix in the Control Center under Preferences.

Login Shell
    Use this field to configure the shell that is executed when the user logs into Unix using a terminal-based login. If the specified shell does not exist, the user is not allowed to log in. You can use a Symlink Policy to ensure that a particular shell path exists on all of your Unix hosts. This value defaults to /bin/sh. You can modify the default in the Control Center under Preferences.

Generate Unique ID
    Click this link to generate a unique User ID number. If the ID is already unique, it is not modified. By default you cannot save a non-unique ID number. You can modify this setting in the Control Center under Preferences.

Clear Unix Attributes
    If a user is not Unix-enabled, you can click this link to clear all of the Unix attribute values.
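The rules in Table 13 (forest-unique UID, the 1000 / /home/<User Name> / /bin/sh defaults, colon replacement in GECOS, and no login when the shell is missing) are easiest to see when applied to concrete accounts. The following is an added example, not Authentication Services code: it renders Unix-enabled accounts as /etc/passwd lines. The UnixAccount class, the constructed sample accounts, the set of UIDs already in use in the forest, the starting point for generated UIDs and the list of installed shells are assumptions made for the example; the defaults themselves come from the table above.

```python
"""Render Unix-enabled Active Directory users as /etc/passwd lines using the
defaults and rules from the Unix Account tab.

Added example, not Authentication Services code. Sample accounts, the
forest-wide UID set and the installed-shell list are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Defaults from Table 13 (adjustable in Control Center under Preferences).
DEFAULT_PRIMARY_GID = 1000
DEFAULT_HOME_PREFIX = "/home"
DEFAULT_HOME_PREFIX_MACOS = "/Users"
DEFAULT_LOGIN_SHELL = "/bin/sh"

# Assumed starting point for generated UIDs (not a product default).
GENERATED_UID_START = 10000


@dataclass
class UnixAccount:
    """The Unix attributes stored on an Active Directory user (hypothetical holder class)."""
    user_name: str
    uid_number: Optional[int] = None
    primary_gid: int = DEFAULT_PRIMARY_GID
    gecos: str = ""
    home_directory: Optional[str] = None
    login_shell: str = DEFAULT_LOGIN_SHELL


def generate_unique_uid(candidate, uids_in_use, start=GENERATED_UID_START):
    """Mirror the 'Generate Unique ID' link: keep an already-unique candidate,
    otherwise return the first free UID at or above `start`."""
    if candidate is not None and candidate not in uids_in_use:
        return candidate
    uid = start
    while uid in uids_in_use:
        uid += 1
    return uid


def sanitize_gecos(gecos):
    """The colon is the passwd field separator, so it is replaced by '_'."""
    return gecos.replace(":", "_")


def home_directory_for(account, platform="linux"):
    """Explicit home directory if set, else <prefix>/<User Name>."""
    if account.home_directory:
        return account.home_directory
    prefix = DEFAULT_HOME_PREFIX_MACOS if platform == "darwin" else DEFAULT_HOME_PREFIX
    return f"{prefix}/{account.user_name}"


def login_allowed(account, installed_shells):
    """A user whose login shell does not exist on the host cannot log in."""
    return account.login_shell in installed_shells


def passwd_line(account, uids_in_use, platform="linux"):
    """Build the passwd entry, reserving the chosen UID in `uids_in_use`.
    The password field is 'x' because authentication happens against AD."""
    uid = generate_unique_uid(account.uid_number, uids_in_use)
    uids_in_use.add(uid)
    fields = [
        account.user_name,
        "x",
        str(uid),
        str(account.primary_gid),
        sanitize_gecos(account.gecos),
        home_directory_for(account, platform),
        account.login_shell,
    ]
    return ":".join(fields)


if __name__ == "__main__":
    forest_uids = {1001, 1002}                      # constructed: UIDs already taken
    shells = {"/bin/sh", "/bin/bash"}               # constructed: shells on this host
    accounts = [
        UnixAccount("jdoe", uid_number=1001, gecos="John Doe:Room 12"),   # collides, colon in GECOS
        UnixAccount("asmith", uid_number=2000, login_shell="/bin/zsh"),   # shell missing on host
    ]
    for acct in accounts:
        print(passwd_line(acct, forest_uids), "login allowed:", login_allowed(acct, shells))
```

For jdoe the colliding UID 1001 is replaced by the first free generated UID and the colon in the GECOS field becomes an underscore; asmith keeps UID 2000 but would be refused a terminal login because /bin/zsh is not installed, which is the case a Symlink Policy is meant to prevent.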