Safeguard Authentication Services 4.1.5 - Administration Guide


The Ownership Alignment Tool

The Ownership Alignment Tool (OAT) provides a flexible solution for changing resource ownership to accommodate changes in users’ UID/GID, and changes to group membership before, during, or after migration to Active Directory.

OAT is a general-purpose tool that combines an automated solution with fine-grained control, reporting, error recovery, the ability to stop and restart bulk updates, and rollback capability. OAT provides the necessary flexibility to update file or directory ownerships in a production environment.

OAT features include:

  • Breaking a migration down into multiple projects
  • Rollback and restore to a previous state
  • Automated matching of Unix and Windows identities

OAT allows you to:

  1. Match local Unix/Linux users to their corresponding Active Directory user
  2. Resolve conflicts with existing users and groups

OAT leverages the single, enterprise-wide identity based on the user's Active Directory identity. OAT maps multiple Unix accounts to a single, authoritative, Active Directory-based identity:

Figure 1: Ownership Alignment Tool (OAT)

Using OAT

You use OAT to change the ownership of files and directories on Unix hosts to reflect the UID and GID in Active Directory. This allows you to maintain user or group information exclusively in Active Directory.

There are two ways to change file ownership:

  • Manually, by running the oat_adlookup, oat_match, and oat_changeowner utilities in order (see Changing file ownership manually)
  • Interactively, by running the oat script, which calls those utilities for you (see Changing file ownership using the script)

You can run OAT any time after you have installed Authentication Services. OAT makes scenarios such as mergers, acquisitions, and business unit restructuring much simpler. If you have been using override files and mapped users, you can simplify your Authentication Services implementation by running OAT.

OAT allows you to maintain user information in Active Directory and simplify the footprint of information required on each Unix host. To do this, set the UID (User ID) and GID (Group ID) of each file or directory on each host to that of the User ID and Group ID maintained in Active Directory. For example, suppose you have the following user information:

Hostname   Username   UserID   Explanation
hosta      jdoe       100      files and/or directories on hosta have owner uid 100
hostb      johnd      1000     files and/or directories on hostb have owner uid 1000
hostc      john       10000    files and/or directories on hostc have owner uid 10000

And in Active Directory you have:

Hostname   Username   UserID
hostAD     johndoe    55555

After running OAT, the UID associated with each file and/or directory on each host is 55555, as follows:

Hostname   Old UserID   New UserID   Explanation
hosta      100          55555        files and/or directories on hosta have owner uid 55555
hostb      1000         55555        files and/or directories on hostb have owner uid 55555
hostc      10000        55555        files and/or directories on hostc have owner uid 55555

Once you have changed the UID and GID to reflect the information now maintained in Active Directory, you can remove the /etc/passwd, /etc/shadow, and /etc/group information from each host. Authentication Services allows proper permission handling of each file and directory.

Installing OAT

OAT is implemented as a combination of binaries and is included in the vasclnt package.

The following OAT man pages explain all the command line parameters and options:

  • oat (1)
  • oat_adlookup (1)
  • oat_changeowner (1)
  • oat_match (1)

Note: You start OAT from the Unix command line.

Changing file ownership manually

OAT consists of three utilities. You run each of these utilities in order. The first two steps of the process create a file that gets passed to the next step:

  1. oat_adlookup

    The first command creates the Active Directory User Information file (or the Active Directory Group Information file) listing the Unix-enabled Active Directory users (or groups). This file is passed to oat_match to create a map between Active Directory and local users or groups.

  2. oat_match

    The second command creates the User map file (or the Group map file) containing mappings between Active Directory and local users (or groups). This file is passed to oat_changeowner to align file ownership.

  3. oat_changeowner

    The third command changes the UID and/or GID of files and directories on local Unix hosts to the UID/GID maintained in Active Directory. Before you run this step, you can manually create special files to pass to oat_changeowner: the Files to Process List file or the Files to Exclude List file. Finally, oat_changeowner produces the Processed Files List file.
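The example below is added here to illustrate the realignment described in the UID tables above and in the three-step procedure; it is not part of Authentication Services and does not use the OAT utilities or their file formats. It is a POSIX shell dry-run planner: given a user map (local UID to Active Directory UID) and a snapshot of current file ownership, it emits the chown commands that would align ownership, writes a rollback file that restores the previous owners, and refuses to continue when a map target is itself a mapped source (a chained or conflicting mapping, the kind of conflict the procedure expects you to resolve first). The map and inventory formats, the function names, and the sample data (the guide's jdoe/johnd/john to 55555 case) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of Authentication Services or the OAT utilities.
# Dry-run planner for a UID realignment: plans chown operations from a
# snapshot of current ownership and records the inverse for rollback.
#
# Constructed file formats (not OAT's):
#   map file:       "<local_uid> <ad_uid>" per line; '#' starts a comment
#   inventory file: "<uid> <gid> <path>" per line, e.g. from
#                   find / -xdev -printf '%U %G %p\n' (GNU find)

# plan_uid_remap MAP INVENTORY ROLLBACK
#   stdout: one 'chown <ad_uid> "<path>"' line per file that must change
#   ROLLBACK: the matching 'chown <old_uid> "<path>"' lines
#   exit 2 (after reporting) if any map target is also a mapped source
plan_uid_remap() {
    awk -v rollback="$3" '
        # First input file: load the map, skipping blanks and comments.
        NR == FNR {
            if ($1 == "" || substr($1, 1, 1) == "#") next
            map[$1] = $2
            next
        }
        # Second input file: the ownership snapshot. The path is everything
        # after the two numeric fields, so paths containing spaces survive.
        {
            uid = $1
            path = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", path)
            if ((uid in map) && map[uid] != uid) {
                printf "chown %s \"%s\"\n", map[uid], path
                printf "chown %s \"%s\"\n", uid, path > rollback
                changed++
            } else {
                unchanged++
            }
        }
        END {
            close(rollback)
            printf "%d file(s) to change, %d unchanged\n", changed + 0, unchanged + 0 > "/dev/stderr"
            # A target UID that is itself being migrated away means two
            # identities would collapse onto it: refuse until it is resolved.
            for (src in map) {
                if (map[src] in map) {
                    printf "conflict: target uid %s of local uid %s is also a mapped source\n", map[src], src > "/dev/stderr"
                    bad = 1
                }
            }
            if (bad) exit 2
        }
    ' "$1" "$2"
}

# demo_plan: runs the planner on constructed data matching the guide's
# example (local uids 100, 1000 and 10000 all map to AD uid 55555; uid 500
# is unmapped and must be left alone). Prints the plan, then the rollback.
demo_plan() {
    tmp=$(mktemp -d) || return 1
    printf '# local_uid ad_uid\n100 55555\n1000 55555\n10000 55555\n' > "$tmp/user.map"
    printf '100 100 /home/jdoe/report.txt\n' > "$tmp/inventory"
    printf '1000 1000 /home/johnd/quarterly report.txt\n' >> "$tmp/inventory"
    printf '10000 10000 /srv/data/john\n' >> "$tmp/inventory"
    printf '500 500 /home/other/keep.txt\n' >> "$tmp/inventory"
    plan_uid_remap "$tmp/user.map" "$tmp/inventory" "$tmp/rollback.sh" 2>/dev/null
    echo "# rollback:"
    cat "$tmp/rollback.sh"
    rm -rf "$tmp"
}
```

Because the plan is computed from one snapshot rather than applied mapping by mapping against the live file system, a file is never remapped twice, and the rollback file is a plain list of chown commands that can be replayed to restore the prior state. Review the plan before executing any of it, and keep the rollback file with the processed list.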

Note: One Identity also provides an interactive script, named oat, that calls oat_adlookup, oat_match, and oat_changeowner utilities with appropriate arguments based on responses that you provide. For more information see Changing file ownership using the script.

The /opt/quest/libexec/oat/oat_example.sh script file shows you examples of running OAT without using the interactive script. Being able to run the oat utilities manually gives you flexibility when changing ownership. As noted in the example in Changing file ownership using the script, OAT can still be used when hosts do not share the same naming conventions.

Note: To see the arguments and options for each of these utilities, run them with a -h option. For example, to see the syntax for oat_adlookup, enter

# /opt/quest/libexec/oat/oat_adlookup -h
