The users.allow and users.deny files contain a list of identifiers, one per line.
Identifiers | Description |
---|---|
localuser@example.com | For backwards compatibility with previous versions of Authentication Services, any identifier in the file that contains an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user. |
localgroup | For backwards compatibility with previous versions of Authentication Services, any simple name in the file is interpreted as the name of an Active Directory group. |
EXAMPLE\localuser, EXAMPLE\localgroup | In previous versions of Authentication Services, the agent assumed that this form of identifier was used only for Active Directory groups. In Authentication Services 4.x, any identifier that contains a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory object, which may be either a user or a group. |
@example.com | Any identifier that begins with '@' indicates a domain. This allows you to specify all users in the domain. |
ou=foo,dc=example,dc=com | Any identifier in DN format specifies a container or OU. This allows you to specify all users under the container or OU. |
One Identity designed Authentication Services 4.1 to be backwards compatible. There are no configuration changes you need to make to take advantage of this improvement.
In VAS 3.x, if either the <service>.allow or <service>.deny service-level access control file was missing, then the corresponding users.allow or users.deny file would be used.
In Authentication Services 4.x, a missing service-level access control file is treated as an empty file, that is, as though there were no allow or deny rules for that service. Rules that a service previously inherited from users.allow or users.deny through this fallback no longer apply, so after upgrading, check that every service you intend to restrict has its own <service>.allow and <service>.deny files.
The vas.conf configuration file has four settings where you can specify a user, a group, or a list of users or groups. Authentication Services 4.0 modified these settings to allow you to use the DOMAIN\sAMAccountName identifier to list any Active Directory user or group.
The following settings are affected.
Section | Key | Notes |
---|---|---|
vas_macos | admin-users | A comma-separated list of users and/or groups. An identifier with an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory user or group. Simple names are not allowed. |
vas_auth | mapped-root-user | Only a single user may be specified. An identifier with an '@' character is interpreted as the LDAP userPrincipalName. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory user or group. Simple names are not allowed. |
vasd | perm-disconnected-users | A comma-separated list of users and/or groups. An identifier with an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory user. Simple names are interpreted as the sAMAccountName of an Active Directory group. |
vasd | workstation-mode-users-preload | A comma-separated list of groups. An identifier with a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory group. Simple names are interpreted as the sAMAccountName of an Active Directory group in the joined domain. |
One Identity designed Authentication Services 4.1 to be backwards compatible.
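The two tables above define how the 4.x agent classifies an identifier by its shape ('@' prefix, '\' or '@' inside, DN syntax, or a bare name) and which shapes each vas.conf key accepts. The following is an added example, not One Identity code, that encodes those rules as a linter for users.allow/users.deny content and for the four vas.conf keys. The most useful check it performs is flagging a bare name in an access file, which the agent reads as a group, so a user's sAMAccountName written without a domain prefix neither allows nor denies that user. The sample file contents are constructed, and the DN detection is a simplified regular expression (an assumption, not the agent's parser).

```python
"""Lint Authentication Services 4.x identifiers.

Added example, not One Identity code. Encodes the users.allow/users.deny table
and the vas.conf table above; sample inputs are constructed.
"""
import configparser
import re
from typing import List, Tuple

# The five identifier kinds from the access-file table.
UPN = "upn"            # contains '@' (not leading): userPrincipalName of a user
SAM = "domain\\sam"    # contains '\': DOMAIN\sAMAccountName of a user or group
DOMAIN = "domain"      # leading '@': every user in the domain
DN = "dn"              # distinguished name: every user under a container/OU
SIMPLE = "simple"      # bare name: an AD group in access files

# Assumption: a DN starts with an attribute such as ou=, cn= or dc=.
_DN_RE = re.compile(r"^(?:ou|cn|dc)=", re.IGNORECASE)


def classify(ident: str) -> str:
    """Return the kind the 4.x agent assigns to one identifier."""
    s = ident.strip()
    if s.startswith("@"):
        return DOMAIN
    if "\\" in s:
        return SAM
    if "@" in s:
        return UPN
    if _DN_RE.match(s):
        return DN
    return SIMPLE


def lint_access_file(text: str) -> List[Tuple[str, str, str]]:
    """Classify each non-blank line of a users.allow/users.deny body.

    Returns (identifier, kind, warning). A bare name is read as a GROUP, so a
    user listed that way is neither allowed nor denied by the line.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = classify(line)
        warn = ""
        if kind == SIMPLE:
            warn = "read as an AD group; name a user as DOMAIN\\sAMAccountName or user@domain"
        rows.append((line, kind, warn))
    return rows


# (section, key) -> (accepted kinds, list allowed), from the vas.conf table.
VAS_CONF_RULES = {
    ("vas_macos", "admin-users"): ({UPN, SAM}, True),
    ("vas_auth", "mapped-root-user"): ({UPN, SAM}, False),
    ("vasd", "perm-disconnected-users"): ({UPN, SAM, SIMPLE}, True),
    ("vasd", "workstation-mode-users-preload"): ({SAM, SIMPLE}, True),
}


def lint_vas_conf(text: str) -> List[str]:
    """Report identifiers that the listed vas.conf keys do not accept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for (section, key), (accepted, is_list) in VAS_CONF_RULES.items():
        if not cp.has_option(section, key):
            continue
        values = [v.strip() for v in cp.get(section, key).split(",") if v.strip()]
        if not is_list and len(values) > 1:
            problems.append(f"[{section}] {key}: only a single user may be specified")
        for v in values:
            kind = classify(v)
            if kind not in accepted:
                problems.append(f"[{section}] {key}: '{v}' is a {kind} identifier, "
                                "which this key does not accept")
    return problems


# Constructed sample inputs: a users.deny body and a vas.conf fragment.
SAMPLE_USERS_DENY = """\
EXAMPLE\\jsmith
jsmith
contractors
@partner.example.com
ou=Vendors,dc=example,dc=com
"""

SAMPLE_VAS_CONF = """\
[vas_macos]
admin-users = EXAMPLE\\macadmins, helpdesk

[vas_auth]
mapped-root-user = EXAMPLE\\unixroot, ops@example.com

[vasd]
perm-disconnected-users = oncall@example.com, EXAMPLE\\sre
workstation-mode-users-preload = EXAMPLE\\devs, qa
"""

if __name__ == "__main__":
    for ident, kind, warn in lint_access_file(SAMPLE_USERS_DENY):
        print(f"{ident:32} {kind:12} {warn}")
    for problem in lint_vas_conf(SAMPLE_VAS_CONF):
        print(problem)
```

Run against the constructed sample, the second line of the deny file (`jsmith`) is flagged because it denies a group named jsmith rather than the user EXAMPLE\jsmith, and the vas.conf fragment yields two findings: the bare `helpdesk` in admin-users, which that key does not accept, and the two values given to mapped-root-user, which takes only one user.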
Authentication Services 4.x changed the default for the root-update-mode option. In VAS 3.5 the default was force; in Authentication Services 4.x the default is force-if-missing. With this setting, the nss_vas module forces an update to the vasd cache whenever a process running as root performs a name search for a user that is not already in the identity cache, rather than on every root lookup as the old force default did.