
Safeguard Authentication Services 5.0.7 - Administration Guide


Using map files to map users

Instead of modifying password entries directly, you can map local Unix users to Active Directory accounts using map files.

To configure a user mapping file

  1. Run the following command as root to enable local map files:
    vastool configure vas vas_auth user-map-files /etc/user-map

    Note: This example configures Safeguard Authentication Services to use /etc/user-map for user mappings. You can specify any filename.

  2. Add user mappings to the map file.

    The format is <local user name>:<sAMAccountName@domain>.

    If you want to map a local user named pspencer to the Active Directory account for pspencer@example.com, add the following line to the file:

    pspencer:pspencer@example.com
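As an added example (not One Identity's code), a small validator for a map file in the format above: it rejects malformed lines, a root entry (root can only be mapped with the mapped-root-user setting in vas.conf), a second mapping for the same local user, and local names that do not exist in the passwd data. The map and passwd contents are constructed sample data, and the sAMAccountName and login-name patterns are assumptions.

```python
import re
# Assumption: sAMAccountName without AD-forbidden characters, at most 20 chars, then @ and a DNS domain.
ACCOUNT_RE = re.compile(r'^[^"/\\\[\]:;|=,+*?<>@\s]{1,20}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
LOCAL_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}\$?$')  # typical Unix login rule (assumption)

# Constructed sample data standing in for /etc/user-map and /etc/passwd.
USER_MAP = """# constructed /etc/user-map
pspencer:pspencer@example.com
jdoe:jdoe@example.com
root:Administrator@example.com
pspencer:someone.else@example.com
ghost:ghost@example.com
no colon on this line
"""
PASSWD = """root:x:0:0:root:/root:/bin/sh
pspencer:x:1001:1001::/home/pspencer:/bin/sh
jdoe:x:1002:1002::/home/jdoe:/bin/sh
"""

def local_users_from_passwd(passwd_text):
    """Login names from passwd-style text (first colon-separated field)."""
    return {line.split(':', 1)[0] for line in passwd_text.splitlines() if ':' in line}

def validate_user_map(map_text, local_users):
    """Return (accepted (local, AD) pairs, problems); blank and '#' lines are skipped."""
    accepted, problems, seen = [], [], {}
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.count(':') != 1:
            problems.append(f'line {lineno}: expected <local user name>:<sAMAccountName@domain>')
            continue
        local, ad = (p.strip() for p in line.split(':'))
        if local == 'root':  # root is only mappable via mapped-root-user in vas.conf
            problems.append(f'line {lineno}: root cannot be mapped here; use mapped-root-user')
        elif not LOCAL_RE.match(local) or not ACCOUNT_RE.match(ad):
            problems.append(f'line {lineno}: malformed entry {line!r}')
        elif local in seen:  # a second mapping for the same local user is ambiguous
            problems.append(f'line {lineno}: {local} already mapped to {seen[local]}')
        elif local not in local_users:
            problems.append(f'line {lineno}: local user {local} does not exist')
        else:
            seen[local] = ad
            accepted.append((local, ad))
    return accepted, problems

def check_sample():
    return validate_user_map(USER_MAP, local_users_from_passwd(PASSWD))
```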

Mapping the root account

You can only map the root account to an Active Directory account using the mapped-root-user setting in vas.conf.

To map the root user to an Active Directory account

  1. Run the following command as root:
    vastool configure vas vas_auth mapped-root-user Administrator@example.com

Note: If you specify mapped-root-user on AIX you must set VASMU on the system line of the root section in /etc/security/user. Refer to your AIX system documentation for more information.

Enable self-enrollment

Self-enrollment allows users to map their Unix account to an Active Directory account as they log in to Unix. This mapping occurs as part of the standard PAM login. Users are first prompted for their Unix password. Once authenticated to Unix, they are prompted to authenticate to Active Directory. This process happens on the first login after you enable self-enrollment. Once self-enrollment is complete, the user logs in with their Unix user name and Active Directory password.

To enable self-enrollment

  1. Run the following command as root:
    vastool configure vas vas_auth enable-self-enrollment true

    Note: All users mapped by the self-enrollment process are stored in the /etc/opt/quest/vas/automatic_mappings file.

  2. Force Safeguard Authentication Services to reload configuration settings by restarting the Safeguard Authentication Services services.

Restarting services

  1. The method for restarting services varies by platform:
    1. To restart Safeguard Authentication Services on Linux or Oracle Solaris, enter:
      /etc/init.d/vasd restart
    2. To restart Safeguard Authentication Services on HP-UX, enter:
      /sbin/init.d/vasd restart
    3. To restart Safeguard Authentication Services on AIX, enter:
      stopsrc -s vasd
      startsrc -s vasd

Note: Due to library changes between Safeguard Authentication Services 4.1 and 4.2, the system may need to be rebooted before all processes load the new libraries.
