Authentication Services 4.x uses new user name formats for identifying users and groups in configuration files.
Note: The changes made in Authentication Services 4.x may affect any monitoring scripts that you created for watching the vasd or vasgpd daemons.
In VAS 3.x, vasd and vasgpd (the Group Policy update daemon) were separate processes delivered in separate packages. In Authentication Services 4.x, the functionality of vasgpd has been absorbed into vasd, eliminating vasgpd.
Also note the following change to the vasd process structure:
To improve the stability and integrity of the local identity cache in Authentication Services 4.x, One Identity updated vasd to provide better isolation of the processes responsible for accessing the local identity cache.
In a typical 3.x environment, vasd was split into a parent process, with a single child process, whose sole responsibility was to maintain the local cache and respond to all update requests from the Name Service and Authentication modules.
Authentication Services 4.x changed the process hierarchy and now uses five separate but related vasd processes, which allow vasd to ensure cache integrity as well as maintain responsiveness to all requests. It also removes the need to start additional processes to handle legacy password hash and netgroup data requests.
One Identity designed Authentication Services 4.1 to be backwards compatible. There are no configuration changes you need to make to take advantage of this improvement.
Authentication Services 4.x has extended the syntax of many of the host configuration files to allow you to specify users and groups by the more commonly used DOMAIN\sAMAccountName identifier.
The following configuration files are affected:
Account overrides
/etc/opt/quest/vas/user-override
/etc/opt/quest/vas/group-override
Access control
/etc/opt/quest/vas/users.allow
/etc/opt/quest/vas/users.deny
Client configuration
/etc/opt/quest/vas/vas.conf
The extended syntax does not affect configuration entries that were configured and working under previous versions of Authentication Services. The new syntax provides an optional format that you can use in the future. Group Policy settings use the new format if configured with the Group Policy object editor.
Entries in the user-override file have the form:
<identifier>:<Unix name>:<uid>:<primary gid>:<gecos>:<home directory>:<login shell>
Identifier | Description |
---|---|
localuser@example.com | For backwards compatibility with previous versions of Authentication Services, any identifier in the file that contains an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user. |
localgroup | For backwards compatibility with previous versions of Authentication Services, any simple name in the file is interpreted as the name of an Active Directory group. |
EXAMPLE\localuser or EXAMPLE\localgroup | In previous versions of Authentication Services, the agent assumed that this identifier was only used for Active Directory groups. In Authentication Services 4.x, any identifier that contains a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory object, which may be either a user or a group. |
Entries in the group-override file have the form:
<identifier>:<Unix name>:<gid>:<member list>
Identifier | Description |
---|---|
localgroup | For backwards compatibility with previous versions of Authentication Services, any simple name in the file is interpreted as the name of an Active Directory group of the joined domain. |
EXAMPLE\localgroup | In Authentication Services 4.x, any identifier that contains a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory object. In this file, that object is always a group. |
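As an added example (not One Identity's code), the following Python applies the identifier rules from both tables above to constructed user-override and group-override contents, and flags the legacy pitfall that a simple name in user-override is taken as an Active Directory group, not a user. The sample file contents, the skipping of blank and '#' lines, and the rejection of an identifier that contains both '@' and '\' (a case the tables do not cover) are this example's own assumptions.

```python
# Added example: classify the <identifier> field of Authentication Services 4.x
# user-override and group-override entries per the tables above. Not One
# Identity's code; sample contents and edge-case handling are assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Field counts taken from the entry formats shown above.
FIELD_COUNTS = {"user-override": 7, "group-override": 4}


@dataclass
class OverrideEntry:
    source: str                 # "user-override" or "group-override"
    identifier: str
    meaning: str                # how vasd 4.x interprets <identifier>
    fields: List[str]           # the remaining colon-separated fields
    warning: Optional[str] = None


def classify_identifier(identifier: str, source: str) -> str:
    """Map an identifier to its meaning according to the override tables."""
    has_at = "@" in identifier
    has_backslash = "\\" in identifier
    if has_at and has_backslash:
        # Precedence is not documented on this page; rejecting is an assumption.
        raise ValueError(f"{identifier!r}: contains both '@' and '\\'")
    if source == "user-override":
        if has_at:
            return "AD user (userPrincipalName)"
        if has_backslash:
            return "AD user or group (DOMAIN\\sAMAccountName)"
        return "AD group (legacy simple name)"
    if source == "group-override":
        if has_at:
            # The group-override table lists no '@' form; rejecting is an assumption.
            raise ValueError(f"{identifier!r}: '@' form not documented for group-override")
        if has_backslash:
            return "AD group (DOMAIN\\sAMAccountName)"
        return "AD group of the joined domain (legacy simple name)"
    raise ValueError(f"unknown override file {source!r}")


def parse_override_file(text: str, source: str) -> List[OverrideEntry]:
    """Parse one override file; blank lines and '#' comments are skipped (assumption)."""
    expected = FIELD_COUNTS[source]
    entries: List[OverrideEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != expected:
            raise ValueError(f"{source}:{lineno}: expected {expected} fields, got {len(fields)}")
        identifier, rest = fields[0], fields[1:]
        meaning = classify_identifier(identifier, source)
        warning = None
        if source == "user-override" and meaning.startswith("AD group"):
            # The legacy rule silently turns an intended per-user override into a group-wide one.
            warning = (f"{identifier!r} has no '@' or '\\', so vasd treats it as a GROUP name; "
                       f"use {identifier}@<domain> or DOMAIN\\{identifier} to override one user")
        entries.append(OverrideEntry(source, identifier, meaning, rest, warning))
    return entries


def summarize(text: str, source: str) -> List[str]:
    """One 'identifier -> meaning' line per entry, for a quick review of a file."""
    return [f"{e.identifier} -> {e.meaning}" + (f"  [WARNING: {e.warning}]" if e.warning else "")
            for e in parse_override_file(text, source)]


# Constructed sample contents (not taken from a real host).
SAMPLE_USER_OVERRIDE = """\
# legacy UPN form: exactly one user
jdoe@example.com:jdoe:10001:10001:Jane Doe:/home/jdoe:/bin/bash
# 4.x DOMAIN\\sAMAccountName form: user or group
EXAMPLE\\svc-backup:backup:10002:10002:Backup Service:/var/backup:/sbin/nologin
# simple name: interpreted as a GROUP, not the user jdoe
jdoe:jdoe:10003:10003:Jane Doe:/home/jdoe:/bin/bash
"""

SAMPLE_GROUP_OVERRIDE = """\
unixadmins:unixadmins:5000:jdoe,ops
EXAMPLE\\Domain Admins:domadm:5001:
"""

if __name__ == "__main__":
    for src, txt in (("user-override", SAMPLE_USER_OVERRIDE), ("group-override", SAMPLE_GROUP_OVERRIDE)):
        print(f"== {src} ==")
        print("\n".join(summarize(txt, src)))
```

Run it against the real files with `parse_override_file(open(path).read(), "user-override")` before a 4.x rollout: any entry that comes back with a warning is a per-user override that vasd will apply to every member of a same-named group.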