
Safeguard Authentication Services 4.1.5 - Upgrade Guide


Changes in VASTOOL output

Some vastool command output has changed in Authentication Services 4.x. Many error messages have been changed to be clearer and more informative. If you have scripts that call vastool, test them before rolling out an upgrade, particularly if they parse vastool text output. Take special note of the following changes:

  • vastool checkaccess <user> output was formatted as follows in 3.x:
    Access for service <service> by <user> is allowed.
    Access for service <service> by <user> is not allowed, <reason>.
  • vastool checkaccess <user> output has been changed as follows in 4.x:
    ALLOWED [user=<user>] [service=<service>]
    DENIED (<reason>) [user=<user>] [service=<service>]

    This makes the result of the access check more obvious.
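A script that has to keep working on both sides of the upgrade can match either format and treat anything it does not recognize as a denial. The following is an added example, not code from the product or this guide; the function names and return codes are this example's own, and it assumes the output lines follow the templates shown above exactly.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and exit codes are this example's own.
# checkaccess_verdict LINE -> 0 allowed, 1 denied (reason on stdout), 2 unrecognized.
checkaccess_verdict() {
    line=$1
    case $line in
        # 4.x: DENIED (<reason>) [user=<user>] [service=<service>]
        "DENIED ("*") [user="*"] [service="*"]")
            reason=${line#"DENIED ("}
            reason=${reason%%") [user="*}
            printf '%s\n' "$reason"
            return 1 ;;
        # 4.x: ALLOWED [user=<user>] [service=<service>]
        "ALLOWED [user="*"] [service="*"]")
            return 0 ;;
        # 3.x deny is tested before 3.x allow, so a reason that happens to
        # end in " is allowed." can never be read as a grant.
        "Access for service "*" by "*" is not allowed, "*)
            reason=${line#*" is not allowed, "}
            printf '%s\n' "${reason%.}"
            return 1 ;;
        "Access for service "*" by "*" is allowed.")
            return 0 ;;
        *)
            return 2 ;;
    esac
}

# checkaccess_all: read checkaccess output on stdin and succeed only if there is
# at least one line and every non-empty line parses as allowed (fail closed).
checkaccess_all() {
    seen=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ -n "$l" ] || continue
        seen=1
        checkaccess_verdict "$l" >/dev/null || return 1
    done
    [ "$seen" -eq 1 ]
}
```

In a script, pipe the output of vastool checkaccess <user> into checkaccess_all and branch on its exit status; empty output or an unexpected error message then counts as a denial instead of slipping past a pattern written for the old wording.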

Internal database changes

Authentication Services 4.0 changed the format of the internal database. Thus, when upgrading from VAS 3.x to 4.1, all stored disconnected credentials become unusable and will be flushed. You will not have disconnected credentials until you have successfully logged in during a connected state.

vasfilter.adm was removed

VAS 3.5 provided vasfilter.adm, which allowed you to create limits on Unix values in the ADUC snap-in module. In Authentication Services 4.x, you set the Global Unix Options in the Control Center under Preferences.

PAM module changes

In VAS 3.5, the PAM module was placed at the top of the PAM stack. In Authentication Services 4.x, it is placed just before the local password validation module, usually pam_unix. When Authentication Services configures the PAM stack, it converts multi-line entries to one-line entries.
