By default, Authentication Services caches Unix user information for all users in a domain on every machine joined to that domain. An alternate caching method, known as "workstation mode", limits the size of the user cache by caching user information only for users who log on to a particular workstation. To enable workstation mode, set the workstation-mode option in vas.conf.
For details, refer to the vas.conf man page. (See Using Authentication Services manual pages (man pages) for information about accessing the vas.conf man page.)
Authentication Services simultaneously supports ongoing production operations and provides a NIS migration path that does not impact existing systems and processes. The combination of flexible deployment options, data transparency, and One Identity-provided tools enables migrating and consolidating NIS data from various stores into a single, consistent, enterprise-wide identity stored in Active Directory.
Authentication Services addresses several issues that affect NIS viability in modern computing environments. The NIS protocol is not secure and is not well adopted on non-Unix platforms. Traditionally, the underlying NIS data store is file-based, leading to issues with scalability, data extensibility, and accessibility. Authentication Services supports re-hosting NIS data in Active Directory and provides tools to securely access the NIS maps stored in Active Directory.
Authentication Services provides a NIS proxy agent (vasypd) which runs on each Unix host. This proxy acts as a local NIS server providing NIS data to the local host using information retrieved securely from Active Directory using Kerberized LDAP. NIS data is cached locally to reduce load on Active Directory. With Authentication Services, the NIS wire protocols are eliminated. NIS traffic only occurs on the loopback device. This increases network security without the need for NIS+.
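The loopback-only property described above is worth verifying on each host rather than assuming. The following is an added example, not part of the One Identity documentation or product: a POSIX shell check that reads `ss -lntup` output and flags any socket owned by vasypd that is bound to a non-loopback address. The socket lines below are constructed samples in the `ss` column layout; the port numbers in them are arbitrary.

```shell
#!/bin/sh
# Added audit check (not One Identity code): confirm the NIS proxy vasypd
# listens on loopback only. Reads `ss -lntup` output on stdin, prints any
# vasypd socket bound elsewhere, and returns 1 if one is found.
check_nis_loopback_only() {
    awk '
        # Only sockets whose process column names vasypd are of interest.
        $NF ~ /"vasypd"/ {
            addr = $5                     # e.g. 127.0.0.1:848, [::1]:848, 0.0.0.0:848, *:848
            sub(/:[0-9*]+$/, "", addr)    # drop the ":port" suffix
            if (addr != "127.0.0.1" && addr != "[::1]") {
                print "vasypd bound to non-loopback address: " $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed samples (port numbers are arbitrary, not the real vasypd port).
SAMPLE_OK='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:848      0.0.0.0:*         users:(("vasypd",pid=1234,fd=7))
udp   UNCONN 0      0      127.0.0.1:848      0.0.0.0:*         users:(("vasypd",pid=1234,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))'

SAMPLE_BAD='tcp   LISTEN 0      128    0.0.0.0:848        0.0.0.0:*         users:(("vasypd",pid=1234,fd=7))'

# Demo on the samples; on a live host run:  ss -lntup | check_nis_loopback_only
printf '%s\n' "$SAMPLE_OK"  | check_nis_loopback_only && echo "sample OK: vasypd is loopback-only"
printf '%s\n' "$SAMPLE_BAD" | check_nis_loopback_only || echo "sample BAD: flagged as expected"
```

A clean result here only covers the proxy's own listeners; NIS clients on the host should additionally be configured (for example in yp.conf) to query the local proxy rather than a remote server.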
Authentication Services allows you to transition to Kerberos-based authentication for Unix users, eliminating a variety of security risks and providing better manageability and interoperability. If there are no identity conflicts, both the user's identity and configuration can be transitioned. Otherwise, you can accomplish the migration in steps, starting with upgrading to Kerberos and then reconciling and consolidating the user's identities.
The use of standards, such as RFC-2307, as the native store for Unix identity information dovetails nicely with standard Unix practices. Authentication Services is designed to naturally integrate with the majority of real world Windows, Unix, and Linux deployments.
The schema definition of choice for most Authentication Services users is a subset of the IETF RFC 2307 schema for Unix user attributes. RFC 2307 is a cross-platform standard designed to promote interoperability between Unix systems and LDAP-based directories. (Authentication Services also recognizes the Microsoft SFU schema and allows custom schema definitions.)
With Microsoft Windows Server 2003 R2, Microsoft has embraced the RFC 2307 standard, and is now including the RFC 2307 attribute definition as part of the default Active Directory schema. This means that when you install Windows 2003 R2 or higher, support for Unix attribute information is automatically included and forms part of the baseline Active Directory schema definition.