Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Evaluation Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Installing and configuring Authentication Services Getting started with Authentication Services

Unix agent requirements

Note: To install Authentication Services on Unix, Linux, or Mac OS X, you must have root access rights.

Click www.oneidentity.com/products/authentication-services/ to view a list of supported Unix and Linux platforms for Authentication Services 4.1.

With Authentication Services 4.1, Linux platforms require glibc 2.4 or greater.

For maximum security and performance, before you begin the installation, make sure that you have the latest patches for your operating system version.

Table 4: Patch level requirements
Platform Patch Level
Solaris 8 SPARC 108993-55 or greater
Solaris 8 X86 108994-01 or greater
Solaris 9 SPARC

112874-37 or greater

112960-14 or greater

113319-22 or greater

Solaris 9 X86 114432-37 or greater
Solaris 10 SPARC 127127-11 or greater
Solaris 10 x86 127128-11 or greater
AIX 5.3 OS level 5300-05 or greater
AIX 6.1 OS level 5300-05 or greater
AIX 7.1 OS level 5300-05 or greater
HPUX 11.11

GOLDQPK11i - GOLDBASE11i

GOLDAPPS11i quality packs

BUNDLE11i - Patch bundle

linker tools cumulative patch (PHSS_30970 or greater)

HPUX 11.23 MAINTPACK E0306 or greater
 

Note: One Identity recommends that you run the Preflight utility to check for supported operating system and correct operating system patches.

(For more information, see Running Preflight in the Authentication Services Installation Guide.)

Authentication Services Unix components

Authentication Services includes the following Unix components:

Table 5: Authentication Services Unix components
Unix Component Description
vasd The Authentication Services agent background process that manages the persistent cache of Active Directory information used by the other Authentication Services components. vasd is installed as a system service. You can start and stop vasd using the standard service start/stop mechanism for your platform. vasd is installed by the vasclnt package.
vastool The Authentication Services command line administration utility that allows you to join a Unix host to an Active Directory Domain; access and modify information about users, groups and computers in Active Directory; and configure the Authentication Services components. vastool is installed at /opt/quest/bin/vastool. vastool is installed by the vasclnt package.
vgptool A command line utility that allows you to manage the application of Group Policy settings to Authentication Services clients. vgptool is installed at /opt/quest/bin/vgptool. vgptool is installed by the vasgp package.
oat (Ownership Alignment Tool) A command line utility that allows you to modify file ownership on local Unix hosts to match user accounts in Active Directory. oat is installed at /opt/quest/libexec/oat/oat. oat is installed by the vasclnt package.
LDAP proxy A background process that secures the authentication channel for applications using LDAP bind to authenticate users without introducing the overhead of configuring secure LDAP (LDAPS). The LDAP proxy is installed by the vasproxy package.
NIS proxy A background process that acts as a NIS server which can provide backwards compatibility with existing NIS infrastructure. The NIS proxy is installed by the vasyp package.
SDK package The vasdev package, the Authentication Services programming API.

Authentication Services permissions matrix

The following table details the permissions required for full Authentication Services functionality.

Table 6: Authentication Services: Required permissions
Function Active Directory Permissions Local Client Permissions
Authentication Services Application Configuration: creation Location in Active Directory with Create Container Object rights NA
Authentication Services Application Configuration: changes
  • Unix Global Settings
  • Licensing
  • Custom Unix Attributes
Update permission to the containers created above (no particular permissions if you are the one who created it) NA
Schema optimization Schema Administrator rights NA
Display Specifier Registration Enterprise Administrator rights NA
Editing Users Administrator rights NA
Create any group policy objects Group Policy Creator Owners rights NA
RFC 2307 NIS Import Map Wizard Location in Active Directory with Create Container Object rights (you create containers for each NIS map) NA
Unix Account Import Wizard Administrator rights (you are creating new accounts) NA
Logging Options Write permissions to the file system folder where you want to create the logs NA
vasd daemon

The client computer object is expected to have read access to user and group attributes, which is the default.

In order for Authentication Services to update the host object operating system attributes automatically, set the following rights for "SELF" on the client computer object: Write Operating System, Write operatingSystemHotfix, and Write operatingSystemServicePack.

vasd must run as root
QAS/VAS PAM module NA (updated by means of vasd) Any local user
QAS/VAS NSS module

vastool nss

NA (updated by means of vasd) Any local user
vastool command-line tool Depends on which vastool command is run Any local user for most commands

vastool join

vastool unjoin

computer creation or deletion permissions in the desired container root

vastool configure

vastool unconfigure

NA root

vastool search

vastool attrs

read permission for the desired objects (regular Active Directory user) Any local user
vastool setattrs write permissions for the desired object Any local user
vastool cache NA Run as root if you want all tables including authcache
vastool create permissions to create new users, groups, and computers as specified Any local user; root needed to create a new local computer
vastool delete permissions to delete existing users, groups, or computers as specified; permissions to remove the keytab entry for the host object created (root or write permissions in the directory and the file) Any local user
vastool flush The client computer object is expected to have read access to user and group attributes, which should be the default root

vastool group add

vastool group del

permission to modify group membership Any local user
vastool group hasmember read permission for the desired objects (regular Active Directory user) Any local user
vastool info { site | domain | domain -n | forest-root | forest-root -dn | server | acl } NA Any local user
vastool info { id | domains | domains -dn | adsecurity | toconf } read permission for the desired objects (regular Active Directory user) Any local user

vastool isvas

vastool inspect

vastool license

NA Any local user

vastool kinit

vastool klist

vastool kdestroy

local client needs permissions to modify the keytab specified, default is the computer object which is root. Any local user
vastool ktutil NA root if you are using the default host.keytab file
vastool list (with -l option) read permission for the desired objects (regular Active Directory user) Any local user
vastool load permissions to create users and groups in the desired container Any local user

vastool merge

vastool unmerge

NA root
vastool passwd Regular Active Directory user Any local user
vastool passwd <AD user> Active Directory user with password reset permission Any local user

vastool schema list

vastool schema detect

Regular Active Directory user Any local user
vastool schema cache Regular Active Directory user root (to modify the local cache file)
vastool service list Regular Active Directory user Any local user
vastool service { create | delete } Active Directory user with permission to create/delete service principals in desired container NA
vastool smartcard NA root
vastool status NA root
vastool timesync NA root, if you only query the time from AD, you can run as any local user
vastool user { enable | disable } modify permissions on the AD Object Any local user
vastool user { checkaccess | checkconflict } NA Any local user
vastool user checklogin Access to Active Directory users password Any local user

Authentication Services encryption types

The following table details the encryption types used in Authentication Services.

Table 7: Authentication Services: Encryption types
Encryption Types Specification Active Directory Version Authentication Services Version
KERB_ENCTYPE_DES_CBC_CRC
CRC32 RFC 3961 All All
KERB_ENCTYPE_DES_CBC_MD5
RSA-MD5 RFC 3961 All All
KERB_ENCTYPE_RC4_HMAC_MD5
RC4-HMAC-MD5 RFC 4757 All All
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
HMAC-SHA1-96-AES128 RFC 3961 Windows Server 2008 + 3.3.2+
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
HMAC-SHA1-96-AES256 RFC 3961 Windows Server 2008 + 3.3.2+
Related Documents