
How to Limit the Trusted Domains UNAB Queries


Article ID: 202257

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

UNAB was registered to the top-level domain, and the output of `uxconsole -status -detail` shows it querying a large number of domains, including unwanted ones. This causes performance problems for UNAB, including a long startup time.

# uxconsole -status -detail
CA ControlMinder UNAB uxconsole v12.81.0.1912 - console utility
Copyright (c) 2013 CA. All rights reserved.

Client's site          - SiteName
Registration domain    - domain.com
   DCs                 - domaindc1, domaindc2, domaindc3
   User search base    - DC=domain,DC=com
   Group search base   - DC=domain,DC=com

Trusted domain         - unab.domain.com
   DCs                 - unabdc1, unabdc2, unabdc3
   User search base    - DC=unab,DC=domain,DC=com
   Group search base   - DC=unab,DC=domain,DC=com

Trusted domain         - pim.domain.com
   DCs                 - pimdc1
   User search base    - DC=pim,DC=domain,DC=com
   Group search base   - DC=pim,DC=domain,DC=com

UNAB mode              - full integration 
UNAB status            - activated 
Agent status           - not running 
FIPS only mode         - no 
SELinux status         - enforcing 
SELinux UNAB policy    - uxauth (version: 2.2)
Kerberos configuration - internal 
Time sync              - disabled 
Nested groups ACL      - enable login by nested groups 
Enterprise policy      - [email protected]#02 (updated: Thu Sep  5 11:03:45 2019) 
Local policy           - disabled 
Default login access   - deny 
Cached AD Unix users   - 3 (updated: Fri Dec 13 22:36:45 2019) 
Cached AD Unix groups  - 2 (updated: Fri Dec 13 22:36:45 2019) 
Cached Windows groups  - 28 (updated: Fri Dec 13 21:55:01 2019) 
Migration              - not migrated 
CA PAM server host     - ssl://entmhost.domain.com:61616 
UNAB Watchdog          - disabled 
CA PAM Server Control  - running 
                         Include AD users and groups in CA PAM Server Control ladb : yes 
                         Display AD names in CA PAM Server Control Audit : no 
                         Support AD non-Unix groups in CA PAM Server Control : yes 
                         PAM authentication in CA PAM Server Control utilities : yes 
                         CA PAM Server Control Watchdog monitors UNAB agent : enabled 
                         OWT domain user password management : disabled 


Environment

Unix Authentication Broker 12.8 and above

Resolution

The following two tokens in uxauth.ini control which trusted domains UNAB queries within the registered domain. To have UNAB query only the registered domain, set ignore_domain_list to all. If UNAB should query specific domains, add them to lookup_domain_list as a comma-separated list.

; Specifies the Active Directory domains that have a bidirectional trust
; with the registration domain.
; Options are: none - UNAB will automatically query trusted domains,
; or a comma separated list of trusted domains.
; Default value: none
lookup_domain_list = none

; Specifies the Active Directory domains that UNAB ignores (not counting the
; registration domain) when it queries users and groups.  This token applies
; to all types of domains, including domains with one-way trust relationships.
; Options are: none - query current and all trusted domains, all - do not query
; trusted domains, or a comma separated list of domains to ignore.
; Default value: none
ignore_domain_list = none
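As an added example (not CA's own tooling and not from this article), the POSIX shell functions below set and read a token in a uxauth.ini-style file, so the two edits described above can be scripted and verified rather than made by hand. The file content is a constructed copy of the two tokens shown above, the path is a temporary file created by the demo, and the real location of uxauth.ini on a given host is an assumption you must supply.

```shell
#!/bin/sh
# Added example: edit lookup_domain_list / ignore_domain_list in a uxauth.ini-style file.
# Assumptions: tokens are "key = value" lines, comments start with ';', and the
# path passed in is the host's real uxauth.ini (not known to this example).

# Replace an existing "key = ..." line or append the token if it is absent.
set_ini_token() {
  file="$1"; key="$2"; value="$3"
  tmp="${file}.tmp.$$"
  if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" \
      && mv "$tmp" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the current value of a token (last occurrence wins, as most INI readers do).
get_ini_token() {
  sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Constructed sample of the two tokens, with their defaults, for a dry run.
make_sample_ini() {
  cat > "$1" <<'EOF'
; constructed sample of the UNAB domain tokens (not a full uxauth.ini)
lookup_domain_list = none
ignore_domain_list = none
EOF
}

# Demo: restrict UNAB to the registration domain only, then show the
# alternative of naming specific trusted domains in lookup_domain_list.
demo_file=$(mktemp) || exit 1
make_sample_ini "$demo_file"
set_ini_token "$demo_file" ignore_domain_list all
echo "registered domain only: ignore_domain_list = $(get_ini_token "$demo_file" ignore_domain_list)"
set_ini_token "$demo_file" lookup_domain_list "unab.domain.com,pim.domain.com"
echo "specific domains:       lookup_domain_list = $(get_ini_token "$demo_file" lookup_domain_list)"
rm -f "$demo_file"
```

After changing the real file, re-run `uxconsole -status -detail` and confirm that only the intended trusted domains are listed; the tokens are read when UNAB starts, so a restart of the UNAB agent is assumed to be required for the change to take effect.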