One Identity Privileged Access Suite for Unix
Introducing One Identity Authentication Services
Licensing Authentication Services
System requirements
Installing and configuring Authentication Services
Windows management tools requirements
Unix agent requirements
Network requirements
Authentication Services Unix components
Authentication Services permissions matrix
Authentication Services encryption types
Management Console for Unix requirements
Install the management console
Install Authentication Services Windows components
Configure Active Directory for Authentication Services
Configure Unix agent components
Getting started with Authentication Services
Getting acquainted with the Control Center
Management console
Group Policy
Tools
Preferences
Learning the basics
Add a local group
Add local user account
Add an Active Directory group account
Add an Active Directory user account
Change the default Unix attributes
Active Directory account administration
Enable local user for AD authentication
Test the mapped user login
Unix-enable an Active Directory group
Unix-enable an Active Directory user
Test the Active Directory user login
Run reports
Use Authentication Services PowerShell
Change Auditor for Authentication Services
One Identity Defender
Unix agent requirements
|
|
Note: To install Authentication Services on Unix, Linux, or Mac OS X, you must have root access rights. Click www.oneidentity.com/products/authentication-services/ to view a list of supported Unix and Linux platforms for Authentication Services 4.1. With Authentication Services 4.1, Linux platforms require glibc 2.4 or greater. |
For maximum security and performance, before you begin the installation, make sure that you have the latest patches for your operating system version.
| Platform | Patch Level |
|---|---|
| Solaris 8 SPARC | 108993-55 or greater |
| Solaris 8 X86 | 108994-01 or greater |
| Solaris 9 SPARC |
112874-37 or greater 112960-14 or greater 113319-22 or greater |
| Solaris 9 X86 | 114432-37 or greater |
| Solaris 10 SPARC | 127127-11 or greater |
| Solaris 10 x86 | 127128-11 or greater |
| AIX 5.3 | OS level 5300-05 or greater |
| AIX 6.1 | OS level 5300-05 or greater |
| AIX 7.1 | OS level 5300-05 or greater |
| HPUX 11.11 |
GOLDQPK11i - GOLDBASE11i GOLDAPPS11i quality packs BUNDLE11i - Patch bundle linker tools cumulative patch (PHSS_30970 or greater) |
| HPUX 11.23 | MAINTPACK E0306 or greater |
|
|
Note: One Identity recommends that you run the Preflight utility to check for supported operating system and correct operating system patches. (For more information, see Running Preflight in the Authentication Services Installation Guide.) |
Authentication Services Unix components
Introducing One Identity Authentication Services > System requirements > Unix agent requirements > Authentication Services Unix components
Authentication Services includes the following Unix components:
| Unix Component | Description |
|---|---|
| vasd | The Authentication Services agent background process that manages the persistent cache of Active Directory information used by the other Authentication Services components. vasd is installed as a system service. You can start and stop vasd using the standard service start/stop mechanism for your platform. vasd is installed by the vasclnt package. |
| vastool | The Authentication Services command line administration utility that allows you to join a Unix host to an Active Directory Domain; access and modify information about users, groups and computers in Active Directory; and configure the Authentication Services components. vastool is installed at /opt/quest/bin/vastool. vastool is installed by the vasclnt package. |
| vgptool | A command line utility that allows you to manage the application of Group Policy settings to Authentication Services clients. vgptool is installed at /opt/quest/bin/vgptool. vgptool is installed by the vasgp package. |
| oat (Ownership Alignment Tool) | A command line utility that allows you to modify file ownership on local Unix hosts to match user accounts in Active Directory. oat is installed at /opt/quest/libexec/oat/oat. oat is installed by the vasclnt package. |
| LDAP proxy | A background process that secures the authentication channel for applications using LDAP bind to authenticate users without introducing the overhead of configuring secure LDAP (LDAPS). The LDAP proxy is installed by the vasproxy package. |
| NIS proxy | A background process that acts as a NIS server which can provide backwards compatibility with existing NIS infrastructure. The NIS proxy is installed by the vasyp package. |
| SDK package | The vasdev package, the Authentication Services programming API. |
Authentication Services permissions matrix
Introducing One Identity Authentication Services > System requirements > Unix agent requirements > Authentication Services permissions matrix
The following table details the permissions required for full Authentication Services functionality.
| Function | Active Directory Permissions | Local Client Permissions |
|---|---|---|
| Authentication Services Application Configuration: creation | Location in Active Directory with Create Container Object rights | NA |
Authentication Services Application Configuration: changes
|
Update permission to the containers created above (no particular permissions if you are the one who created it) | NA |
| Schema optimization | Schema Administrator rights | NA |
| Display Specifier Registration | Enterprise Administrator rights | NA |
| Editing Users | Administrator rights | NA |
| Create any group policy objects | Group Policy Creator Owners rights | NA |
| RFC 2307 NIS Import Map Wizard | Location in Active Directory with Create Container Object rights (you create containers for each NIS map) | NA |
| Unix Account Import Wizard | Administrator rights (you are creating new accounts) | NA |
| Logging Options | Write permissions to the file system folder where you want to create the logs | NA |
| vasd daemon |
The client computer object is expected to have read access to user and group attributes, which is the default. In order for Authentication Services to update the host object operating system attributes automatically, set the following rights for "SELF" on the client computer object: Write Operating System, Write operatingSystemHotfix, and Write operatingSystemServicePack. |
vasd must run as root |
| QAS/VAS PAM module | NA (updated by means of vasd) | Any local user |
| QAS/VAS NSS module
vastool nss |
NA (updated by means of vasd) | Any local user |
| vastool command-line tool | Depends on which vastool command is run | Any local user for most commands |
|
vastool join vastool unjoin |
computer creation or deletion permissions in the desired container | root |
|
vastool configure vastool unconfigure |
NA | root |
|
vastool search vastool attrs |
read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool setattrs | write permissions for the desired object | Any local user |
| vastool cache | NA | Run as root if you want all tables including authcache |
| vastool create | permissions to create new users, groups, and computers as specified | Any local user; root needed to create a new local computer |
| vastool delete | permissions to delete existing users, groups, or computers as specified; permissions to remove the keytab entry for the host object created (root or write permissions in the directory and the file) | Any local user |
| vastool flush | The client computer object is expected to have read access to user and group attributes, which should be the default | root |
|
vastool group add vastool group del |
permission to modify group membership | Any local user |
| vastool group hasmember | read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool info { site | domain | domain -n | forest-root | forest-root -dn | server | acl } | NA | Any local user |
| vastool info { id | domains | domains -dn | adsecurity | toconf } | read permission for the desired objects (regular Active Directory user) | Any local user |
|
vastool isvas vastool inspect vastool license |
NA | Any local user |
|
vastool kinit vastool klist vastool kdestroy |
local client needs permissions to modify the keytab specified, default is the computer object which is root. | Any local user |
| vastool ktutil | NA | root if you are using the default host.keytab file |
| vastool list (with -l option) | read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool load | permissions to create users and groups in the desired container | Any local user |
|
vastool merge vastool unmerge |
NA | root |
| vastool passwd | Regular Active Directory user | Any local user |
| vastool passwd <AD user> | Active Directory user with password reset permission | Any local user |
|
vastool schema list vastool schema detect |
Regular Active Directory user | Any local user |
| vastool schema cache | Regular Active Directory user | root (to modify the local cache file) |
| vastool service list | Regular Active Directory user | Any local user |
| vastool service { create | delete } | Active Directory user with permission to create/delete service principals in desired container | NA |
| vastool smartcard | NA | root |
| vastool status | NA | root |
| vastool timesync | NA | root, if you only query the time from AD, you can run as any local user |
| vastool user { enable | disable } | modify permissions on the AD Object | Any local user |
| vastool user { checkaccess | checkconflict } | NA | Any local user |
| vastool user checklogin | Access to Active Directory users password | Any local user |
Authentication Services encryption types
Introducing One Identity Authentication Services > System requirements > Unix agent requirements > Authentication Services encryption types
The following table details the encryption types used in Authentication Services.
| Encryption Types | Specification | Active Directory Version | Authentication Services Version |
|---|---|---|---|
| KERB_ENCTYPE_DES_CBC_CRC | |||
| CRC32 | RFC 3961 | All | All |
| KERB_ENCTYPE_DES_CBC_MD5 | |||
| RSA-MD5 | RFC 3961 | All | All |
| KERB_ENCTYPE_RC4_HMAC_MD5 | |||
| RC4-HMAC-MD5 | RFC 4757 | All | All |
| KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | |||
| HMAC-SHA1-96-AES128 | RFC 3961 | Windows Server 2008 + | 3.3.2+ |
| KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | |||
| HMAC-SHA1-96-AES256 | RFC 3961 | Windows Server 2008 + | 3.3.2+ |