Safeguard Authentication Services is designed to support any Active Directory schema configuration. If your Active Directory schema has built-in support for UNIX attributes (Windows 2003 R2 schema, SFU schema), Safeguard Authentication Services automatically uses one of these schema configurations. Using a native Active Directory schema for UNIX attributes is the best practice. However, if your Active Directory schema does not natively support UNIX account attributes and a schema extension is not possible, Safeguard Authentication Services uses "schemaless" functionality where UNIX account information is stored in the altSecurityIdentities attribute.
The schema configuration applies to all Safeguard Authentication Services UNIX agents and management tools.
If you do not have a schema that supports UNIX data storage in Active Directory, you can configure Safeguard Authentication Services to use existing, unused attributes of users and groups to store UNIX information in Active Directory.
To configure a custom schema mapping:
- Open the Control Center and click Preferences, then Schema Attributes in the left navigation pane.
- Click the UNIX Attributes link in the upper right to display the Customize Schema Attributes dialog.
- Type the LDAP display names of the attributes that you want to use for UNIX data. All attributes must be string-type attributes except User ID Number, User Primary Group ID, and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, its border turns red, indicating that the LDAP attribute is invalid.
  NOTE: When customizing the schema mapping, ensure that the attributes used for User ID Number and Group ID Number are indexed and replicated to the global catalog.
  For more information, see Active Directory Optimization in the Control Center online help.
- Click OK to validate and save the specified mappings in Active Directory.
Indexing certain attributes used by the Safeguard Authentication Services UNIX agent can have a dramatic effect on the performance and scalability of your UNIX and Active Directory integration project. The Control Center, Preferences > Schema Attributes > UNIX Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.
NOTE: The Optimize Schema option is only available if you have not optimized the Active Directory schema.
One Identity recommends that you index the following attributes in Active Directory:
- User Login Name
- User ID Number
- Group Name
- Group ID Number
NOTE: LDAP display names vary depending on your UNIX attribute mappings.
It is also a best practice to add all UNIX identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Safeguard Authentication Services UNIX agents. Click the Optimize Schema link to run a script that updates these attributes as necessary.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, the operation instead generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
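Before typing names into the Customize Schema Attributes dialog, or after running Optimize Schema, it is useful to confirm from the schema partition itself that each candidate attribute exists, has a suitable syntax, and is indexed and replicated to the global catalog as described above. The following PowerShell is an added example, not part of Safeguard Authentication Services: Get-ADRootDSE and Get-ADObject are real ActiveDirectory-module cmdlets, while the attribute names in $mapping are placeholders to replace with your own mapping.

```powershell
# Added example (not One Identity code): check that the attributes chosen for a custom
# UNIX schema mapping exist, have a suitable syntax, and are indexed and replicated
# to the global catalog. Requires the ActiveDirectory module (RSAT) and read access to
# the schema partition. The mapping below is a placeholder: substitute your own names.
Import-Module ActiveDirectory

$mapping = @{
    'User Login Name'       = @{ ldap = 'uid';               type = 'string'  }
    'User ID Number'        = @{ ldap = 'uidNumber';         type = 'integer' }
    'User Primary Group ID' = @{ ldap = 'gidNumber';         type = 'integer' }
    'Comment (GECOS)'       = @{ ldap = 'gecos';             type = 'string'  }
    'Home Directory'        = @{ ldap = 'unixHomeDirectory'; type = 'string'  }
    'Login Shell'           = @{ ldap = 'loginShell';        type = 'string'  }
    'Group Name'            = @{ ldap = 'cn';                type = 'string'  }
    'Group ID Number'       = @{ ldap = 'gidNumber';         type = 'integer' }
}
# Fields the page says must be indexed; every mapped attribute should be in the global catalog.
$mustIndex = 'User Login Name', 'User ID Number', 'Group Name', 'Group ID Number'

# attributeSyntax OIDs: Unicode, IA5/printable and case-insensitive strings count as
# string-type; 2.5.5.9 (integer/enumeration) and 2.5.5.16 (large integer) as integer.
$stringOids  = '2.5.5.12', '2.5.5.5', '2.5.5.4'
$integerOids = '2.5.5.9', '2.5.5.16'

$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($field in $mapping.Keys) {
    $name = $mapping[$field].ldap
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties attributeSyntax, searchFlags, isMemberOfPartialAttributeSet
    if (-not $attr) { Write-Warning "$field -> $name : not found in the schema"; continue }

    # The three numeric fields may be integer or string; everything else must be a string.
    $allowed = if ($mapping[$field].type -eq 'integer') { $integerOids + $stringOids } else { $stringOids }
    if ($allowed -notcontains $attr.attributeSyntax) {
        Write-Warning "$field -> $name : syntax $($attr.attributeSyntax) is not allowed for this field"
    }
    # searchFlags bit 0x1 marks an indexed attribute.
    if ($mustIndex -contains $field -and -not ($attr.searchFlags -band 1)) {
        Write-Warning "$field -> $name : not indexed"
    }
    if (-not $attr.isMemberOfPartialAttributeSet) {
        Write-Warning "$field -> $name : not replicated to the global catalog"
    }
}
```

Run it as a user with read access to the schema naming context; a silent run means every mapped attribute passed, and each warning names the field and attribute that still needs attention.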
You can UNIX-enable Active Directory user accounts. A UNIX-enabled user has a UNIX User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory, and Login Shell. These attributes enable an Active Directory user to appear as a standard UNIX user. Safeguard Authentication Services provides several tools to help you manage UNIX account information in Active Directory.