Chat now with support
Chat with Support

Safeguard Authentication Services 5.1.1 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

RFC classes and attributes

Safeguard Authentication Services supports all NIS map objects defined in RFC 2307 as well as the ability to store custom NIS data. RFC 2307 provides classes for six standard NIS maps:

  • hosts
  • networks
  • protocols
  • services
  • rpc
  • netgroup

Safeguard Authentication Services supports these RFC 2307 standard maps and their representative classes.

Table 15: RFS classes and attributes
Map name RFC 2307 object class
netgroup nisNetgroup
hosts ipHost (device)
networks ipNetwork
services ipService
protocols ipProtocol
rpc oncRpc

These objects are generally created inside a container or organizational unit.

All other NIS maps are represented using the generic map classes provided in RFC 2307. These classes are nisMap and nisObject. A nisMap is a container object that holds nisObject objects. Set the nisMapName attribute of the nisMap object and nisObject objects it contains to the name of the imported NIS map. A nisObject represents a key-value pair where cn is the key attribute and nisMapEntry is the value.

Limitations of RFC 2307 as implemented by Microsoft

The RFC 2307 specification assumes that the cn attribute is multivalued. In Active Directory, the cn attribute is single-valued. This means that you must create aliases as separate objects.

NIS is case-sensitive and Active Directory is case-insensitive. Some aliases for certain NIS map entries are the same keys except all capitalized. Active Directory cannot distinguish between names that differ only by case.

Installing and configuring the Safeguard Authentication Services NIS components

To ensure that the NIS proxy agent daemon, vasypd, does not cause any system hangs when you install, configure, or upgrade it, follow the steps for each supported Unix platform outlined in this section.

Note: Before installing and configuring the Safeguard Authentication Services NIS components, you should have previously installed the Safeguard Authentication Services agent software and joined the Unix machine to an Active Directory domain.

Installing and configuring the Linux NIS client components

You can find the vasyp.rpm file in the client directory for your Linux operating system on the installation media.

To install and configure vasyp on Linux

  1. Ensure that the system ypserv daemon is stopped by running the following as root:
    # /etc/init.d/ypserv stop

    Note: You do not need to do this if you have not previously configured ypserv.

    Note: This option is not available on SUSE Linux (11 or later) or on Red Hat.

  2. Ensure that the system ypserv daemon is not configured to start at system boot time.

    The commands for doing this vary for the different supported Linux distributions. Please see your operating system documentation for instructions on disabling system services.

  3. Ensure that the system ypbind daemon is not running by entering the following command:
    # /etc/init.d/ypbind stop
  4. Ensure that the system ypbind daemon is configured to start at system boot time.

    The commands for doing this vary for the different supported Linux distributions. Please see your operating system documentation for instructions on enabling system services.

  5. As root, mount the Safeguard Authentication Services installation CD, change directories into the linux directory, and run the following command:
    # rpm -Uvh vasyp-<version>.<build number>.rpm

    As part of the install process, vasyp is registered with chkconfig to start at system boot time.

  6. Configure the ypbind daemon to only talk to NIS servers on the local network interface by modifying /etc/yp.conf to contain only the following entry:
    ypserver localhost

    You can use either localhost or the actual hostname.

  7. Set the system NIS domain name to match the Active Directory domain to which you are joined by running the following command as root:
    # domainname example.com

    where example.com is the domain to which your machine has been joined.

    Set the NIS domain name permanently on Red HatLinux by modifying /etc/sysconfig/network to have the following option:

    NIS_DOMAIN="example.com"

    where example.com is the Active Directory domain to which the machine is joined.

    On SUSE Linux, modify the /etc/defaultdomain file to include only example.com where example.com is the Active Directory domain to which you are joined.

  8. Start vasyp with the following command:
    # /etc/init.d/vasypd start
  9. Start ypbind with the following command:
    # /etc/init.d/ypbind start

    You can now use the NIS utilities like ypwhich and ypcat to query vasyp for NIS map data.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating