One Identity Authentication Services Administration Guide

One Identity Authentication Services Administration Guide

One Identity Authentication Services 4.2.2 Administration Guide Copyright 2019 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC . The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: One Identity LLC. Attn: LEGAL Dept 4 Polaris Way Aliso Viejo, CA 92656 Refer to our Web site (http://www.OneIdentity.com) for regional and international office information. Patents One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx. Trademarks One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners. Legend WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. Authentication Services Administration Guide Updated - November 2019 Version - 4.2.2 Contents Privileged Access Suite for Unix 10 About this guide 11 Introducing One Identity Authentication Services 13 About Authentication Services licenses 13 System requirements 13 Windows and cloud requirements 14 Authentication Services Windows components 15 Windows permissions 15 Configure Active Directory for Authentication Services 16 Unix agent requirements 21 Authentication Services Unix components 22 Authentication Services permissions matrix 23 Authentication Services encryption types 27 Management Console for Unix requirements 28 Network requirements 29 Unix administration and configuration 31 Joining the domain 31 Joining the domain using VASTOOL 32 Automatically generate user attributes 32 Joining the domain using VASJOIN script 33 Using Authentication Services manual pages (man pages) 35 The Authentication Services configuration file 36 Unix login syntax 36 Keytab files 37 Handling platform limitations on user name length 37 Configuring Name Service Switch (NSS) 38 Using VASTOOL to configure NSS 38 Using NSCD with Authentication Services 38 Forcing lowercase names 39 Configuring PAM 39 Using VASTOOL to configure PAM 39 Authentication Services 4.2.2 Administration Guide 3 Home directory creation 40 Kerberos ticket caches 40 Configuring AIX 41 Using VASTOOL to configure AIX 41 Configuring SELinux 41 Using VASTOOL to configure SELinux 42 Enabling diagnostic logging 42 Working with netgroups 44 Configuring netgroup support with name service 45 Unconfiguring netgroup support with name service 46 Cache administration 46 Blackout period 47 Disconnected authentication 47 Working with read-only domain controllers 49 Cross-forest authentication 49 One-way trust authentication 49 Supporting legacy LDAP applications 50 Installing the LDAP proxy 51 Configuring the LDAP proxy 51 IPv6 52 Identity management 54 Planning your user identity deployment strategy 54 User and group schema configuration 56 Configuring a custom schema mapping 56 Active Directory optimization (Best practice) 57 Managing Unix user accounts 57 Managing Unix users with MMC 58 Managing user accounts from the Unix command line 60 Managing users with Windows PowerShell 61 PowerShell cmdlets 62 Password management 64 Changing passwords 64 Mapping local users to Active Directory users 66 Using map files to map users 66 Mapping the root account 67 Authentication Services 4.2.2 Administration Guide 4 Enable self-enrollment 67 Automatically generating Posix user identities 68 Migrating auto-generated identities to enterprise identities 69 Migrating auto-generated group identities 69 Unix Personality Management 69 Unix Personality Management schema extension 70 Joining the domain in Unix Personality Management mode 70 Overriding Unix account information 71 Managing Unix group accounts 71 Nested group support 71 Managing Unix groups with MMC 72 Managing groups from the Unix command line 73 Managing groups with Windows PowerShell 74 Overriding Unix group information 74 Local account migration to Active Directory 75 AIX extended attribute support 75 Unix Account Import Wizard 77 Import Source Selection 77 Account matching rules 79 Search base selection 79 Account Association 79 Final Review 79 Results 80 Unix account management in large environments 80 User and group search paths 80 Minimizing the size of the user cache 80 Migrating from NIS 82 Using Authentication Services to augment or replace NIS 82 RFC 2307 overview 83 RFC classes and attributes 83 Limitations of RFC 2307 as implemented by Microsoft 84 Installing and configuring the Authentication Services NIS components 84 Installing and configuring the Linux NIS client components 84 Installing and configuring the Oracle Solaris NIS client components 86 Installing and configuring the HP-UX NIS client components 87 Authentication Services 4.2.2 Administration Guide 5 Installing and configuring the AIX NIS client components 88 NIS map search locations 89 Deploying Authentication Services in a NIS environment 89 Starting the NIS Map Import Wizard 90 Import RFC 2307 NIS map objects from a local file 90 Import RFC 2307 NIS map objects from an existing NIS server 91 Using NIS map command line administration utility 92 passwd, group, and netid maps 92 Specific vs generic maps 92 The VASYP daemon 93 Maintaining netgroup data 94 Managing access control 95 About host access control 95 Using "Logon To" for access control 97 Setting up access control 97 Configuring local file-based access control 97 Resolving conflicts between the allow and deny files 99 Per-service access control 100 Configuring access control on ESX 4 101 Configuring Sudo access control 101 Enabling sudo_vas 101 Certificate distribution policy 102 Managing local file permissions 103 The Ownership Alignment Tool 103 Using OAT 104 Installing OAT 105 Changing file ownership manually 106 Performing a cross-domain search 107 OAT matching scripts 107 Rollback changes 107 Changing file ownership using the script 108 OAT file formats 109 Active Directory User Information file 109 Active Directory Group Information file 110 Authentication Services 4.2.2 Administration Guide 6 User map file 111 Group map file 111 Local User Override file 112 Local Group Override file 112 Files to Process List file 113 Files to Exclude List file 113 Processed Files List file 114 Certificate Autoenrollment 115 Certificate Autoenrollment on UNIX and Linux 115 Certificate Autoenrollment requirements and setup 116 Java requirement: Unlimited Strength Jurisdiction Policy Files 118 Installing certificate enrollment web services 119 Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy 119 Configuring Certificate Services Client - Auto-Enrollment Group Policy 120 Configuring Certificate Templates for autoenrollment 121 Using Certificate Autoenrollment 122 Configuring Certificate Autoenrollment manually 122 Configure a machine for Certificate Autoenrollment 122 Configure a user for Certificate Autoenrollment 123 Trigger machine-based Certificate Autoenrollment 124 Troubleshooting Certificate Autoenrollment 124 Certificate Autoenrollment process exited with an error 124 Enable full debug logging 125 Pulse Certificate Autoenrollment processing 126 Manually apply Group Policy 127 Command line tool 127 vascert command reference 127 vascert commands and arguments 129 Integrating with other applications 132 One Identity Starling

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    212 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us