Authentication Services stores Unix identity and login information in Active Directory. One Identity designed Authentication Services to provide support for the following standard Active Directory schema extensions.
Table 21: Active Directory schema extensions

| Schema extension | Description |
|---|---|
| Windows 2003 R2 Schema | This schema extension is provided by Microsoft and adds support for the PosixAccount auxiliary class, used to store Unix attributes on user and group objects. |
| Services for Unix 2.0 | Microsoft provides this schema extension with the Services for Unix 2.0 set of tools. It adds custom attributes to user and group objects, used to store Unix account information. |
| Services for Unix 3.0 | Microsoft provides this schema extension with the Services for Unix 3.0 set of tools. It adds custom attributes to user and group objects, used to store Unix account information. |
Authentication Services can also be customized to work with any schema configuration. No schema extensions are necessary with the new "schemaless" storage feature. When you configure Authentication Services for the first time, it attempts to auto-detect the best schema configuration for your environment. The schema configuration is a global application setting that applies to all Authentication Services management tools and Unix agents. You can change the detected settings at any time using Control Center.
If you do not have a schema that supports Unix data storage in Active Directory, you can configure Authentication Services to use existing, unused attributes of users and groups to store Unix information in Active Directory.
To configure a custom schema mapping
- Open the Control Center and click Preferences on the left navigation pane.
- Expand the Custom Unix Attributes and click Customize.
- Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes except User ID Number, User Primary Group ID, and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, the border turns red, indicating that the LDAP attribute is invalid.
- Click OK to validate and save the specified mappings in Active Directory.
Indexing certain attributes used by the Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project. The Custom Unix Attributes panel in the Preferences section of Control Center displays a warning if the Active Directory configuration is not optimized according to best practices.
One Identity recommends that you index the following attributes in Active Directory:
- User UID Number
- User Unix Name
- Group GID Number
- Group Unix Name
Note: LDAP display names vary depending on your Unix attribute mappings.
It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Authentication Services Unix agents.
Click the Optimize Schema link to run a script that updates these attributes as necessary.
Note: The Optimize Schema option is only available if you have not optimized the Unix schema attributes defined for use in Active Directory.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, Optimize Schema generates a schema optimization script instead. You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
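To verify the indexing and global catalog state of the mapped attributes independently of the Control Center warning, the following PowerShell script (an added example, not One Identity's code) reads each attribute's schema object and reports whether it is indexed (searchFlags bit 1) and replicated to the global catalog (isMemberOfPartialAttributeSet). It assumes the RSAT ActiveDirectory module and read access to the schema partition; the attribute names in $unixAttributes are assumptions for a Windows 2003 R2 schema mapping and must be replaced with the LDAP display names shown under Custom Unix Attributes.

```powershell
# Added example: report index / global catalog status of the attributes used
# for Unix identity lookups. Not part of the Authentication Services product.
Import-Module ActiveDirectory

# Assumption: LDAP display names from your Unix attribute mapping. uidNumber and
# gidNumber are the R2 schema defaults for User UID Number and Group GID Number;
# add the attributes mapped to User Unix Name and Group Unix Name as well.
$unixAttributes = @('uidNumber', 'gidNumber')

$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$FLAG_INDEXED = 1   # searchFlags bit fATTINDEX: attribute is indexed

function Get-UnixAttributeStatus {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $attr = Get-ADObject -SearchBase $schemaNC `
                    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                    -Properties searchFlags, isMemberOfPartialAttributeSet
        if (-not $attr) {
            # Attribute not found: the mapping points at a name that is not in the schema
            [pscustomobject]@{ Attribute = $name; Exists = $false; Indexed = $null; InGlobalCatalog = $null }
            continue
        }
        [pscustomobject]@{
            Attribute       = $name
            Exists          = $true
            Indexed         = [bool]($attr.searchFlags -band $FLAG_INDEXED)
            InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        }
    }
}

$status = Get-UnixAttributeStatus -Names $unixAttributes
$status | Format-Table -AutoSize

# Flag anything that does not match the recommendation (indexed and in the GC)
$status | Where-Object { -not $_.Exists -or -not ($_.Indexed -and $_.InGlobalCatalog) } |
    ForEach-Object { Write-Warning "Attribute '$($_.Attribute)' is missing, not indexed, or not in the global catalog." }
```

The script only reads the schema; changing searchFlags or the partial attribute set is done by Optimize Schema or by a schema administrator.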
The topics in this section help you learn how to do some basic system administration tasks using the Control Center and Management Console for Unix.
Note: The exercises in this section assume that you have successfully installed Authentication Services and Management Console for Unix and have added a host to the console and joined it to Active Directory. For more information, see Prepare Unix hosts.
This section shows you how to create the following test user and group accounts used in various examples:
- A local group object called localgroup
- A local user object called localuser
- An Active Directory group object called UNIXusers
- An Active Directory user object called ADuser
One Identity recommends that you work through the topics in this section in order as a self-directed "test drive" of some of the key product features. You will learn how easy it is to manage your users and groups from the management console.