Indexing certain attributes used by the Safeguard Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project.
The Control Center, Preferences | Schema Attributes | Unix Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.
One Identity recommends that you index the following attributes in Active Directory:
- User UID Number
- User Unix Name
- Group GID Number
- Group Unix Name
Note: LDAP display names vary depending on your Unix attribute mappings.
It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Safeguard Authentication Services Unix agents.
Click the Optimize Schema link to run a script that updates these attributes as necessary. The Optimize Schema option is only available if the Unix schema attributes defined for use in Active Directory have not already been optimized.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, Optimize Schema instead generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
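To verify the state the Control Center warns about, the following script (an added example, not One Identity's code) reports whether each Unix attribute is indexed and is a member of the global catalog partial attribute set. It assumes RFC 2307 attribute names (uidNumber, uid, gidNumber, cn), which you should replace with your own Unix attribute mappings, and requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the Safeguard Authentication Services documentation):
# report whether the Unix identity attributes are indexed and replicated to the
# global catalog. Attribute names below are assumed RFC 2307 mappings; change
# them to match the mappings shown under Preferences | Schema Attributes.
Import-Module ActiveDirectory

$unixAttributes = @('uidNumber', 'uid', 'gidNumber', 'cn')   # assumed mappings

# The schema partition holds one attributeSchema object per attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

foreach ($name in $unixAttributes) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties searchFlags, isMemberOfPartialAttributeSet

    if (-not $attr) {
        Write-Warning "Attribute '$name' not found in the schema; check your mappings"
        continue
    }

    # searchFlags bit 0 (0x1) set means the attribute is indexed.
    $indexed = ($attr.searchFlags -band 0x1) -ne 0
    # isMemberOfPartialAttributeSet is TRUE when the attribute is in the GC.
    $inGC = [bool]$attr.isMemberOfPartialAttributeSet

    [pscustomobject]@{
        Attribute       = $name
        Indexed         = $indexed
        InGlobalCatalog = $inGC
        Optimized       = ($indexed -and $inGC)
    }
}
```

Any row with Optimized set to False corresponds to a change the Optimize Schema script would make; both properties are plain schema attribute flags, so no schema extension is involved in correcting them.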
You can specify the user mobile number and user email address attributes to be used by the Starling push notifications.
Modifications to the Starling schema attributes configuration are global and apply to all Safeguard Authentication Services clients in the forest. Changing these attributes can cause logins to fail for users who are already configured to use Starling.
To configure custom LDAP attributes for use with Starling push notifications
- From the Control Center, navigate to the Starling Attributes in one of the following two ways:
  - Preferences | Starling Two-Factor Authentication and click the Starling Attributes link.
  - Preferences | Schema Attributes
- Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
- Enter the LDAP display name for one or both of the Starling attributes used by the Starling push notifications:
  - User Mobile Number
  - User Email Address
- Click OK.
- Click Yes to confirm that you want to modify the Starling schema attributes configuration.
- Back on the Starling Two-Factor Authentication preference pane, the Starling attributes to be used are displayed.
Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.
You can perform the following tasks using PowerShell cmdlets:
- Unix-enable Active Directory users and groups
- Unix-disable Active Directory users and groups
- Manage Unix attributes on Active Directory users and groups
- Search for and report on Unix-enabled users and groups in Active Directory
- Install product license files
- Manage Safeguard Authentication Services global configuration settings
- Find Group Policy objects with Unix/macOS settings configured
Using the Safeguard Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.
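The following script is an added example of such an import, not code from One Identity's documentation or modules. It reads constructed passwd-format lines and pipes each login name through Enable-QasUnixUser and Set-QasUnixUser; it assumes that each Unix login name matches the user's Active Directory account name and that Set-QasUnixUser accepts -UidNumber, -HomeDirectory and -LoginShell alongside the -PrimaryGidNumber parameter shown later on this page.

```powershell
# Added example (not from the Safeguard Authentication Services documentation):
# bulk Unix-enable Active Directory users from a passwd-style export.
# Assumptions: the Unix login name equals the AD account name, and
# Set-QasUnixUser accepts -UidNumber, -HomeDirectory and -LoginShell
# (only -PrimaryGidNumber appears in the documented procedure).

# Constructed sample input in /etc/passwd format: name:x:uid:gid:gecos:home:shell
$passwdLines = @(
    'alice:x:10001:1234567:Alice Example:/home/alice:/bin/bash',
    'bob:x:10002:1234567:Bob Example:/home/bob:/bin/sh',
    'root:x:0:0:root:/root:/bin/bash'            # local system account
)

# UIDs below this value are treated as local system accounts and never imported.
$minImportUid = 1000

foreach ($line in $passwdLines) {
    $f = $line -split ':'
    if ($f.Count -lt 7) {
        Write-Warning "Malformed passwd line skipped: $line"
        continue
    }
    $name  = $f[0]
    $uid   = [int]$f[2]
    $gid   = [int]$f[3]
    $home  = $f[5]
    $shell = $f[6]

    if ($uid -lt $minImportUid) {
        Write-Warning "Skipping system account '$name' (uid $uid)"
        continue
    }

    try {
        # Enable the user with the Default Unix Attributes, then overwrite the
        # generated values with the ones from the export.
        Enable-QasUnixUser $name |
            Set-QasUnixUser -UidNumber $uid -PrimaryGidNumber $gid `
                            -HomeDirectory $home -LoginShell $shell |
            Select-Object UserName, UidNumber, PrimaryGidNumber, HomeDirectory, LoginShell
    }
    catch {
        Write-Warning "Failed to Unix-enable '${name}': $($_.Exception.Message)"
    }
}
```

Run it from the Safeguard Authentication Services PowerShell Console so the Qas cmdlets are loaded, and review the UID ranges in the export first, because an imported UID that collides with an existing Unix-enabled user grants that user the same file ownership on every joined host.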
The following procedure explains how to Unix-enable a user and user group using the Authentication Services PowerShell Console.
To Unix-enable a user and user group
- From the Control Center, navigate to Tools | Safeguard Authentication Services.
- Click Safeguard Authentication Services PowerShell Console.
Note: The first time you launch the PowerShell Console, it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this, you will never be asked this question again on this machine.
- At the PowerShell prompt, enter the following:
Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567
Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:
ObjectClass : group
DistinguishedName : CN=UNIXusers,CN=Users,DC=example,DC=com
ObjectGuid : 71aaa88-d164-43e4-a72a-459365e84a25
GroupName : UNIXusers
UnixEnabled : True
GidNumber : 1234567
AdsPath : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
CommonName : UNIXusers
- At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
Enable-QasUnixUser ADuser | Set-QasUnixUser -PrimaryGidNumber 1234567
The Unix properties of the user display:
ObjectClass : user
DistinguishedName : CN=ADuser,CN=Users,DC=example,DC=com
ObjectGuid : 5f83687c-e29d-448f-9795-54d272cf9f25
UserName : ADuser
UnixEnabled : True
UidNumber : 80791532
PrimaryGidNumber : 1234567
HomeDirectory : /home/ADuser
LoginShell : /bin/sh
AdsPath : LDAP://windows.example.com/CN=ADuser,CN=Users,
CommonName : ADuser
- To disable the ADuser user for Unix login, at the PowerShell prompt enter:
Note: To clear all Unix attribute information, enter:
Now that you have Unix-disabled the user, that user can no longer log in to systems running the Safeguard Authentication Services agent.
- From the Control Center, under Login to remote host, enter:
  - Host name: The Unix host name.
  - User name: The Active Directory user name, ADuser.
Click Login to log in to the Unix host with your Active Directory user account.
A PuTTY window displays.
Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.
- Enter the password for the Active Directory user account.
You will receive a message that says Access denied.