UNAB - Full Integration - application id and domain id
Article ID: 205128

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Request 

We need to log in to the server using both the application ID and the domain ID.

Environment

Release : 14.1

Component : PAM SERVER CONTROL UNAB ENDPOINT

Cause

The feature allows multiple names (aliases) for an AD account, so that an AD user can log in via any of those aliases. Which attributes the aliases are taken from is defined by the user_name_alt_attr_name token. By default it is set to sAMAccountName, so the legacy behavior is preserved; the token can list up to 3 attributes altogether.

Resolution

Modified unab

The first attribute in the list acts as the "primary", in the sense that it determines the name that NSS lookups return for all of the aliases. Below is how the user_name_alt_attr_name token is described in the uxauth.ini file:

 

; Specifies Active Directory user name alternatives on the UNAB endpoint.
; By default, a user's name on Unix is set using the value of the sAMAccountName
; attribute of that user's entry in Active Directory.  It can be changed to use
; a different attribute or even set to a list of attributes, in which case multiple
; user records for the same AD account will be created in UNAB's user datastore
; when user object in Active Directory has those attributes set.  A list can
; contain up to 3 attributes.  The order of attributes in a list is significant
; and will affect how data is retrieved by Unix/Linux NSS APIs and presented by
; native Unix commands like id, getent.
; Default value: sAMAccountName
user_name_alt_attr_name = extensionName sAMAccountName
 
In the example above, an AD user can log in via UNAB on the endpoint using either name contained in the extensionName or sAMAccountName attribute and the endpoint will "know" the user in Unix as the name contained in her extensionName attribute.
 
The feature comes with a helper utility called utmpfix, which can be used when it is required that the who command shows the same name for an AD user as id -un. Otherwise, who -m will return the user name specified at logon (e.g., in ssh -l user hostname). In the example above, if a user logs in with the sAMAccountName, who -m and id -un will show different names. The utility can be run from the user's login script, such as .profile, so that it "fixes" the corresponding entry in the utmp file.
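As an added illustration (not code from the article or from the product), the following Python model shows how the user_name_alt_attr_name token turns AD attributes into UNAB aliases, which name NSS returns for each alias, and the who -m versus id -un mismatch that utmpfix exists for. The ini fragment and AD entries are constructed, and the rule that a user lacking the first listed attribute falls back to the next listed one is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed fragment of uxauth.ini carrying the token from the article.
UXAUTH_INI_FRAGMENT = """
; Default value: sAMAccountName
user_name_alt_attr_name = extensionName sAMAccountName
"""

# Constructed AD entries; the second user has no extensionName set.
AD_USERS = [
    {"sAMAccountName": "jsmith", "extensionName": "john.smith"},
    {"sAMAccountName": "mjones"},
]


def parse_alias_attrs(ini_text: str) -> List[str]:
    """Read the token; a missing token falls back to the documented default.
    The article caps the list at 3 attributes, so longer lists are rejected."""
    m = re.search(r"^\s*user_name_alt_attr_name\s*=\s*(.*)$", ini_text, re.M)
    attrs = m.group(1).split() if m else []
    if not attrs:
        return ["sAMAccountName"]
    if len(attrs) > 3:
        raise ValueError("user_name_alt_attr_name allows at most 3 attributes")
    return attrs


def build_datastore(users: List[dict], attrs: List[str]) -> Dict[str, str]:
    """Map every alias to the name NSS returns (model of the UNAB user datastore).
    Assumption: the primary is the first listed attribute the user actually has."""
    table: Dict[str, str] = {}
    for user in users:
        present = [user[a] for a in attrs if user.get(a)]
        if not present:
            continue  # no usable name, so no UNAB record is created
        for alias in present:
            table[alias] = present[0]
    return table


def nss_lookup(table: Dict[str, str], login_name: str) -> Optional[str]:
    """Name id -un reports after logging in as login_name (None if unknown)."""
    return table.get(login_name)


def who_vs_id(table: Dict[str, str], login_name: str) -> dict:
    """who -m echoes the logon name; id -un returns the NSS primary."""
    primary = nss_lookup(table, login_name)
    mismatch = primary is not None and primary != login_name
    return {"who_m": login_name, "id_un": primary, "mismatch": mismatch}
```

Running who_vs_id over the constructed store shows that logging in as jsmith yields a mismatch (id -un reports john.smith) while logging in as john.smith or mjones does not.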