
Safeguard Authentication Services 4.1.5 - Upgrade Guide


Access control changes

The users.allow and users.deny files contain a list of identifiers, one per line.

Table 12: Account Control Identifiers

localuser@example.com
    For backwards compatibility with previous versions of Authentication Services, any identifier in the file that contains an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user.

localgroup
    For backwards compatibility with previous versions of Authentication Services, any simple name in the file is interpreted as the name of an Active Directory group.

EXAMPLE\localuser
EXAMPLE\localgroup
    In previous versions of Authentication Services, the agent assumed that this identifier was only used for Active Directory groups. In Authentication Services 4.x, any identifier that contains a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory object. That object may be either a user or a group.

@example.com
    Any identifier that begins with '@' indicates a domain. This allows you to specify all users in the domain.

ou=foo,dc=example,dc=com
    Any identifier in DN format specifies a container or OU. This allows you to specify all users under the container or OU.

One Identity designed Authentication Services 4.1 to be backwards compatible. There are no configuration changes you need to make to take advantage of this improvement.

Changes in access control with service-level files

In VAS 3.x, if either the <service>.allow or <service>.deny service-level access control file was missing, then the corresponding users.allow or users.deny file would be used.

In Authentication Services 4.x, a missing service-level access control file is treated as an empty file: the agent no longer falls back to users.allow or users.deny, so that service has no corresponding allow or deny rules.
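The following Python is an added example, not One Identity's code: it classifies users.allow / users.deny lines according to the rules in Table 12 and shows how the 4.x fallback change affects the rules a service ends up with. The order in which the patterns are tested, the '=' test for DN format, and the skipping of blank and '#' lines are this example's own assumptions.

```python
"""Classify access-control identifiers (Table 12) and compare the VAS 3.x
and Authentication Services 4.x handling of a missing <service>.allow file.
Added example, not vendor code; check order and DN detection are assumptions."""


def classify(identifier: str) -> str:
    """Return the kind of Active Directory object one identifier line names."""
    ident = identifier.strip()
    if not ident or ident.startswith("#"):
        return "ignored"            # assumption: blank and comment lines are skipped
    if ident.startswith("@"):
        return "domain"             # @example.com: every user in the domain
    if "\\" in ident:
        return "sam-user-or-group"  # DOMAIN\sAMAccountName: user OR group in 4.x
    if "@" in ident:
        return "upn-user"           # LDAP userPrincipalName of a user
    if "=" in ident:
        return "container"          # DN format: all users under the container/OU
    return "group"                  # simple name: an Active Directory group


def effective_rules(service_rules, global_rules, major_version: int):
    """Rules consulted for a service. service_rules is None when the
    <service>.allow/.deny file is absent: 3.x fell back to users.allow/.deny,
    4.x treats the missing file as empty."""
    if service_rules is not None:
        return list(service_rules)
    return list(global_rules) if major_version < 4 else []


# Constructed sample users.allow content (not from a real deployment).
USERS_ALLOW = """
# global allow list
alice@example.com
EXAMPLE\\unix-admins
EXAMPLE\\bob
@example.com
ou=Unix Hosts,dc=example,dc=com
wheel
"""


def summarize(text: str):
    """Pair every non-ignored line with its Table 12 classification."""
    out = []
    for line in text.splitlines():
        kind = classify(line)
        if kind != "ignored":
            out.append((line.strip(), kind))
    return out


if __name__ == "__main__":
    for ident, kind in summarize(USERS_ALLOW):
        print(f"{ident:35} {kind}")
    # sshd.allow is missing: 3.x inherits the global list, 4.x allows nobody.
    print("3.x:", effective_rules(None, ["wheel"], 3))
    print("4.x:", effective_rules(None, ["wheel"], 4))
```

Run it against a copy of your own users.allow before upgrading to see which services relied on the 3.x fallback.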

Client configuration changes

The vas.conf configuration file has four settings where you can specify a user, a group, or a list of users or groups. Authentication Services 4.0 modified these settings to allow you to use the DOMAIN\sAMAccountName identifier to list any Active Directory user or group.

The following settings are affected.

Table 13: Client Configuration Changes

[vas_macos] admin-users
    A comma-separated list of users and/or groups. An identifier with an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory user or group. Simple names are not allowed.

[vas_auth] mapped-root-user
    Only a user may be specified. An identifier with an '@' character is interpreted as the LDAP userPrincipalName. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory user or group. Simple names are not allowed.

[vasd] perm-disconnected-users
    A comma-separated list of users and/or groups. An identifier with an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory user. Simple names are interpreted as the sAMAccountName of an Active Directory group.

[vasd] workstation-mode-users-preload
    A comma-separated list of groups. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory group. Simple names are interpreted as the sAMAccountName of an Active Directory group in the joined domain.

One Identity designed Authentication Services 4.1 to be backwards compatible.

vas.conf [nss_vas] option changes

Authentication Services 4.x changed the default for the root-update-mode option. In VAS 3.5 the default was force; in Authentication Services 4.x the default is force-if-missing. With this setting, the nss_vas module forces an update of the vasd cache whenever a process running as root performs a name search for a user that is not already in the identity cache.
