立即与支持人员聊天
与支持团队交流

Safeguard Authentication Services 5.1.3 - Administration Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services UNIX administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing UNIX hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts UNIX policies One Identity policies
Display specifiers Troubleshooting Glossary

RFC classes and attributes

Safeguard Authentication Services supports all NIS map objects defined in RFC 2307 as well as the ability to store custom NIS data. RFC 2307 provides classes for six standard NIS maps:

  • hosts

  • networks

  • protocols

  • services

  • rpc

  • netgroup

Safeguard Authentication Services supports these RFC 2307 standard maps and their representative classes.

Table 15: RFS classes and attributes
Map name RFC 2307 object class

netgroup

nisNetgroup

hosts

ipHost (device)

networks

ipNetwork

services

ipService

protocols

ipProtocol

rpc

oncRpc

These objects are generally created inside a container or organizational unit.

All other NIS maps are represented using the generic map classes provided in RFC 2307. These classes are nisMap and nisObject. A nisMap is a container object that holds nisObject objects. Set the nisMapName attribute of the nisMap object and nisObject objects it contains to the name of the imported NIS map. A nisObject represents a key-value pair where cn is the key attribute and nisMapEntry is the value.

Limitations of RFC 2307 as implemented by Microsoft

The RFC 2307 specification assumes that the cn attribute is multivalued. In Active Directory, the cn attribute is single-valued. This means that you must create aliases as separate objects.

NIS is case-sensitive and Active Directory is case-insensitive. Some aliases for certain NIS map entries are the same keys except all capitalized. Active Directory cannot distinguish between names that differ only by case.

Installing and configuring the Safeguard Authentication Services NIS components

To ensure that the NIS proxy agent daemon, vasypd, does not cause any system hangs when you install, configure, or upgrade it, follow the steps for each supported UNIX platform outlined in this section.

NOTE: Before installing and configuring the Safeguard Authentication Services NIS components, make sure you already installed the Safeguard Authentication Services agent software and joined the UNIX machine to an Active Directory domain.

Installing and configuring the Linux NIS client components

You can find the vasyp.rpm file in the client directory for your Linux operating system on the installation media.

To install and configure vasyp on Linux

  1. Ensure that the system ypserv daemon is stopped by running the following as root:

    # /etc/init.d/ypserv stop
    or, if systemd is available, use:
    systemctl stop ypserv

    NOTE: Consider the following about stopping the ypserv daemon:

    • You do not need to perform this step if you do not have ypserv configured.

    • This option is not available on SUSE Linux (11 or later) and on Red Hat.

  2. Ensure that the system ypserv daemon is not configured to start at system boot time.

    The commands for doing this vary for the different supported Linux distributions. See your operating system documentation for instructions on disabling system services.

  3. Ensure that the system ypbind daemon is not running by entering the following command:

    # /etc/init.d/ypbind stop
    or, if systemd is available, use:
    systemctl stop ypbind
    
  4. Ensure that the system ypbind daemon is configured to start at system boot time.

    The commands for doing this vary for the different supported Linux distributions. See your operating system documentation for instructions on enabling system services.

  5. As root, mount the Safeguard Authentication Services installation CD, change directories into the linux directory, and run the following command:

    # rpm -Uvh vasyp-<version>.<build number>.rpm

    As part of the install process, vasyp is registered with chkconfig to start at system boot time.

  6. Configure the ypbind daemon to only talk to NIS servers on the local network interface by modifying /etc/yp.conf to contain only the following entry:

    ypserver localhost

    You can use either localhost or the actual hostname.

  7. Set the system NIS domain name to match the Active Directory domain to which you are joined by running the following command as root:

    # domainname example.com

    where example.com is the domain to which your machine has been joined.

    Set the NIS domain name permanently on Red Hat Linux by modifying /etc/sysconfig/network to have the following option:

    NIS_DOMAIN="example.com"

    where example.com is the Active Directory domain to which the machine is joined.

    On SUSE Linux, modify the /etc/defaultdomain file to include only example.com where example.com is the Active Directory domain to which you are joined.

  8. Start vasyp with the following command:

    vastool daemon start vasypd
  9. Start ypbind with the following command:

    # /etc/init.d/ypbind start
    or, if systemd is available, use:
    systemctl start ypbind

    You can now use the NIS utilities like ypwhich and ypcat to query vasyp for NIS map data.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级