Safeguard Authentication Services 4.2 - Administration Guide


Unix account management in large environments

In large Active Directory environments it is a challenge to keep both performance and functionality at their best. Authentication Services provides configuration settings that can improve performance in an enterprise deployment, mainly by controlling how much directory data each Unix host caches and where that data is read from.

User and group search paths

Each Unix host running Authentication Services builds a persistent cache of user and group information. By default, the cache is built from users and groups in the joined domain. It is possible to change the search base from which the users or groups are loaded by using the group-search-path and user-search-path options. These search paths can either restrict the location from which the users and groups are loaded, or you can specify a search base in an entirely different domain. This is useful in organizations that use resource domains, where computer objects are stored in a separate domain from the domains where users and groups are located.

You can specify a group or user search path with the -g or -u options of the vastool join command (the -u before join is the global vastool option naming the account to authenticate as; the -u after join is the user search path). The following command joins the Unix host to the domain, authenticating as admin, and loads users from the base of the sub.example.com domain:

vastool -u admin join -u DC=sub,DC=example,DC=com 

You can change the default user or group search base at any time by adding the group-search-path and user-search-path options to the [vasd] section of vas.conf and then running vastool flush, which discards the existing cache so that it is rebuilt from the new search base. Users and groups outside the configured search base are not cached, so verify that every account that must log in to the host lies under the base you choose. See the vas.conf man page for an example of user and group search paths.

Minimizing the size of the user cache

By default, Authentication Services caches Unix user information for every user in the domain on every machine joined to that domain. An alternate caching method, known as "workstation mode", limits the size of the user cache by caching information only for users who actually log in to that particular workstation. To enable workstation mode, set the workstation-mode option in vas.conf.

For details, refer to the vas.conf man page. See Using Authentication Services manual pages (man pages) for information about accessing the vas.conf man page.
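The two mechanisms above, a restricted search base and workstation mode, combined in one vas.conf fragment. This is an added illustration, not text from the guide or from One Identity; the section name and option names are the ones the guide refers to, but the organizational units, the account domain corp.example.com, the value true, and the file path in the first comment are assumed values for a host joined to a resource domain whose users and groups live in a separate account domain (consult the vas.conf man page for the authoritative syntax and accepted values):

```ini
; Added example fragment for vas.conf (commonly /etc/opt/quest/vas/vas.conf; path is an assumption).
; The host is joined to a resource domain, but its user and group cache is
; built from constructed OUs in the account domain corp.example.com.
[vasd]
user-search-path = OU=People,DC=corp,DC=example,DC=com
group-search-path = OU=Groups,DC=corp,DC=example,DC=com
; Cache only users who log in to this host rather than every user under the
; search base above (value assumed to be true/false).
workstation-mode = true
```

After editing the file, run vastool flush so the old cache is discarded and rebuilt under the new settings. Narrowing the search base to specific OUs is also a least-privilege measure: accounts outside those OUs are never cached on the host and therefore cannot log in to it, which is exactly what you want on a resource-domain server, but it means a forgotten service or break-glass account outside the base will stop working on that host. The joined domain must be able to reach and trust the domain named in the search base, so test a login with an account from the new base before rolling the change out.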

Migrating from NIS

Authentication Services supports ongoing production operations while providing a NIS migration path that does not disrupt existing systems and processes. Its flexible deployment options, data transparency, and the tools One Identity provides let you migrate and consolidate NIS data from various stores into a single, consistent, enterprise-wide identity stored in Active Directory.

