Safeguard Authentication Services 5.0.4 - Administration Guide


Enable self-enrollment

Self-enrollment allows users to map their Unix account to an Active Directory account as they log in to Unix. The mapping is created as part of the standard PAM login: users are first prompted for their Unix password, and once authenticated to Unix they are prompted to authenticate to Active Directory. This happens on the first login after you enable self-enrollment. Once self-enrollment is complete, the user logs in with their Unix user name and Active Directory password.

To enable self-enrollment

  1. Run the following command as root:
    vastool configure vas vas_auth enable-self-enrollment true

    Note: All users mapped by the self-enrollment process are stored in the /etc/opt/quest/vas/automatic_mappings file.

  2. Force Safeguard Authentication Services to reload configuration settings by restarting the Safeguard Authentication Services services.

Restarting services

  The method for restarting services varies by platform:
    1. To restart Safeguard Authentication Services on Linux or Oracle Solaris, enter:
      /etc/init.d/vasd restart
    2. To restart Safeguard Authentication Services on HP-UX, enter:
      /sbin/init.d/vasd restart
    3. To restart Safeguard Authentication Services on AIX, enter:
      stopsrc -s vasd
      startsrc -s vasd

Note: Due to library changes between Safeguard Authentication Services 4.1 and 4.2, the system may need to be rebooted before all processes load the new libraries.

Automatically generating Posix user identities

When user identity information is not stored centrally in Active Directory, Safeguard Authentication Services can automatically generate Posix identity attributes for Active Directory users when they interact with Unix hosts, allowing those users to authenticate with their Active Directory password.

This is convenient in situations where you cannot use enterprise user and group identification from Active Directory. For example, when you do not have sufficient rights to modify user identity objects, or are unable to create the Safeguard Authentication Services Application Configuration object, you can configure Safeguard Authentication Services to auto-generate Posix identity attributes on the Unix host for Active Directory users.

The following attributes are auto-generated:

  • UID Number: This attribute is derived from a hash of the Active Directory user's Globally Unique Identifier (GUID).
  • GID Number: This attribute is derived from a hash of the GUID of the Active Directory group assigned as the user's Windows primary group.
  • Gecos: The gecos field is populated from the user's CN, but is configurable with the [vasd] realname-attr setting in vas.conf.
  • Unix Home Directory: This attribute is the concatenation of the per-machine configurable home directory base option, [vasd] autogen-posix-homedir-base, and the user's sAMAccountName value.
  • Login Shell: This attribute is set by the per-machine [vasd] autogen-posix-default-shell configuration option.

The generated attributes are stored locally on each Unix host and remain in effect until manually removed by the system administrator.
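The following script is an added illustration, not code from the product, of how the five attributes above fit together and why hash-derived ids deserve a collision check on a host: two users whose GUID hashes fold to the same UID number would be indistinguishable to the Unix kernel. The page does not say which hash the product uses or which id range it targets, so the SHA-256 fold, the id range and the sample GUIDs and vas.conf values below are all assumptions constructed for the example.

```python
import hashlib
import uuid
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed stand-ins for the per-host vas.conf settings named on the page.
# These are sample values, not product defaults.
AUTOGEN_POSIX_HOMEDIR_BASE = "/home"       # [vasd] autogen-posix-homedir-base
AUTOGEN_POSIX_DEFAULT_SHELL = "/bin/bash"  # [vasd] autogen-posix-default-shell

# ASSUMPTION: the page only says ids are "derived from a hash"; the range and
# the hash below are chosen for illustration, not taken from the product.
ID_MIN = 100000
ID_RANGE = 900000


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    object_guid: str          # the user's objectGUID as a canonical string
    primary_group_guid: str   # objectGUID of the Windows primary group
    cn: str


def id_from_guid(guid: str) -> int:
    """Fold a GUID into a fixed numeric id range deterministically.

    uuid.UUID normalises case and braces first, so the same object always
    yields the same id regardless of how the GUID string was rendered.
    """
    raw = uuid.UUID(guid).bytes
    digest = hashlib.sha256(raw).digest()
    return ID_MIN + int.from_bytes(digest[:4], "big") % ID_RANGE


def generate_posix_identity(user: AdUser) -> Dict[str, object]:
    """Build the auto-generated Posix record the page describes."""
    return {
        "name": user.sam_account_name,
        "uid": id_from_guid(user.object_guid),
        "gid": id_from_guid(user.primary_group_guid),
        "gecos": user.cn,  # default source; [vasd] realname-attr can change it
        "home": f"{AUTOGEN_POSIX_HOMEDIR_BASE}/{user.sam_account_name}",
        "shell": AUTOGEN_POSIX_DEFAULT_SHELL,
    }


def find_uid_collisions(identities: Iterable[Dict[str, object]]) -> Dict[int, List[str]]:
    """Return {uid: [names]} for every UID number shared by more than one user."""
    by_uid: Dict[int, List[str]] = {}
    for ident in identities:
        by_uid.setdefault(int(ident["uid"]), []).append(str(ident["name"]))
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample users; GUIDs are made up for the example.
    group = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
    users = [
        AdUser("jdoe", "6ba7b810-9dad-11d1-80b4-00c04fd430c8", group, "Jane Doe"),
        AdUser("asmith", "6ba7b811-9dad-11d1-80b4-00c04fd430c8", group, "Al Smith"),
    ]
    records = [generate_posix_identity(u) for u in users]
    for r in records:
        print(r)
    print("collisions:", find_uid_collisions(records))
```

Because both sample users share a primary group they receive the same GID number, which is the intended outcome; a shared UID number is not, and `find_uid_collisions` is the check to run over every auto-generated record on a host before trusting file ownership to those ids.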

Migrating auto-generated identities to enterprise identities

Once a host has Posix identity attributes generated for an Active Directory user or group, they remain in effect until you manually remove them. This ensures that you take the proper steps when migrating user identities, specifically when you realign the file and directory ownerships to the new UID and GID values.

To migrate an auto-generated user to use an enterprise identity

  1. Make sure that you have realigned the file and directory ownerships to the new UID and GID values, including the user's home directory.

    For more information, see Managing local file permissions.

  2. Locate the user record in the /etc/opt/quest/vas/autogen.passwd file, and remove it.

  3. Force Safeguard Authentication Services to update the user by means of logging in or by running:

    vastool list -f user <username>
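Step 1 of the migration is the one that protects data: once the record is removed from autogen.passwd, anything still owned by the old UID or GID number becomes orphaned on the host. The script below is an added example, not part of the product, that inventories ownership under a directory tree, builds a chown plan from the auto-generated ids to the enterprise ids, and, in its default dry-run mode, only prints what would change; the ids and paths it is run with are whatever the administrator supplies, and the sample values in the usage are constructed.

```python
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# (path, target_uid, target_gid); -1 follows the chown convention of "leave as is".
Change = Tuple[str, int, int]


@dataclass(frozen=True)
class OwnedPath:
    path: str
    uid: int
    gid: int


def collect_ownership(root: str) -> List[OwnedPath]:
    """Record the owner uid/gid of root and every entry below it.

    lstat is used so a symlink reports its own owner and is never followed
    into a tree the migrating user does not own.
    """
    entries = [OwnedPath(root, os.lstat(root).st_uid, os.lstat(root).st_gid)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(OwnedPath(full, st.st_uid, st.st_gid))
    return entries


def plan_realignment(entries: Iterable[OwnedPath], old_uid: int, new_uid: int,
                     old_gid: int, new_gid: int) -> List[Change]:
    """Return one change per entry still owned by the auto-generated ids.

    An empty plan is the check to run before removing the autogen.passwd
    record: it means nothing on this tree still depends on the old ids.
    """
    plan: List[Change] = []
    for e in entries:
        tuid = new_uid if e.uid == old_uid else -1
        tgid = new_gid if e.gid == old_gid else -1
        if tuid != -1 or tgid != -1:
            plan.append((e.path, tuid, tgid))
    return plan


def apply_realignment(plan: Iterable[Change], dry_run: bool = True) -> int:
    """Print (dry run) or apply each change with lchown; returns the count."""
    count = 0
    for path, uid, gid in plan:
        if dry_run:
            print(f"chown {uid}:{gid} {path}")
        else:
            os.lchown(path, uid, gid)  # lchown: never dereference symlinks
        count += 1
    return count


if __name__ == "__main__":
    # Usage (sample values): realign.py /home/jdoe OLD_UID NEW_UID OLD_GID NEW_GID [--apply]
    if len(sys.argv) < 6:
        sys.exit("usage: realign.py ROOT OLD_UID NEW_UID OLD_GID NEW_GID [--apply]")
    root = sys.argv[1]
    o_uid, n_uid, o_gid, n_gid = (int(v) for v in sys.argv[2:6])
    changes = plan_realignment(collect_ownership(root), o_uid, n_uid, o_gid, n_gid)
    n = apply_realignment(changes, dry_run="--apply" not in sys.argv)
    print(f"{n} entries {'changed' if '--apply' in sys.argv else 'would change'}")
```

Run it once per location the user owns (home directory, spool and temporary directories, any shared trees), and only remove the autogen.passwd record when a fresh run reports zero entries would change.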