UNAB Considerations

This section describes items you should consider when using UNAB.

Maximum Supported Active Directory Groups for User

UNAB does not support more than 128 Active Directory groups per user. If a user is a member of more than 128 Active Directory groups, the user is denied login.

User Name Length Limitation

Valid on AIX

By default, the user name length is limited to eight (8) characters. If you specify an explicit Active Directory user name as user@domain, the full string length is counted toward the maximum limit.

On AIX 5.3 you can change the default limitation to a maximum of 255 characters using the following command:

    chdev -l sys0 -a max_logname=N

N
    Specifies the maximum user name length

Disable Local User Account After Migration

After fully migrating user accounts to Active Directory, you can disable the local UNIX account by adding an asterisk (*) at the beginning of the account entry in the /etc/passwd file.

Do Not Set the unab_refresh_interval Token Value to a Short Interval

To avoid performance issues in UNAB, do not set the value of the unab_refresh_interval token to a short interval.

Do Not Set Kerberos dns_lookup_realm to True

Valid for SSO mode

Unless it is required, we recommend that you do not set the Kerberos dns_lookup_realm value to true. When set to true, Kerberos initiates unnecessary DNS searches that can substantially slow down UNAB login processing.
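The 128-group limit, the /etc/passwd asterisk convention and the dns_lookup_realm setting above are all things an administrator can check before UNAB logins start failing. The following is an added example, not CA's own code or tooling: a small POSIX shell pre-flight script with three hypothetical helper functions, run here against constructed sample files (on a real host they would be pointed at /etc/krb5.conf, /etc/passwd and the output of `id -G`).

```shell
#!/bin/sh
# Added example (not CA's own code): pre-login checks for three of the
# considerations on this page. Sample inputs below are constructed; on a
# real host point the functions at /etc/krb5.conf, /etc/passwd and `id -G`.

TMPD=$(mktemp -d)

# Constructed krb5.conf carrying the setting the SSO note warns against.
cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
EOF

# Constructed /etc/passwd copy with a user already migrated to Active Directory.
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/sh
EOF

# Exit 0 if dns_lookup_realm is set to true in the given krb5.conf
# (the value that slows down UNAB login processing in SSO mode).
krb5_dns_lookup_realm_true() {
    sed -n 's/^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr 'A-Z' 'a-z' | grep -q '^true'
}

# Exit 0 if a whitespace-separated group-ID list (as printed by `id -G`)
# stays within the UNAB limit of 128 groups per user.
ad_group_count_ok() {
    set -- $1          # word-split the list into positional parameters
    [ "$#" -le 128 ]
}

# Disable a local account after migration by prefixing its passwd entry
# with '*', as the migration note describes; safe to run more than once.
disable_local_account() {
    file=$1; user=$2
    grep -q "^\*$user:" "$file" && return 0
    sed "s/^$user:/*$user:/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Run the checks against the constructed inputs.
krb5_dns_lookup_realm_true "$TMPD/krb5.conf" && echo "krb5: dns_lookup_realm is true"
ad_group_count_ok "$(id -G)" || echo "current user is in more than 128 groups"
disable_local_account "$TMPD/passwd" jdoe && grep '^\*jdoe:' "$TMPD/passwd"
```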

UNAB Users Cannot Change Account Password According to Specified Password Policy

If UNAB users cannot change their account passwords, verify that the Domain Controller security policy you use does not prohibit users from changing their account passwords.

sepass Integration with UNAB Endpoints

The sepass utility is integrated with UNAB. The integration lets users change their Active Directory passwords on endpoints on which both CA Access Control and UNAB are installed.

To integrate sepass with UNAB:

Note: For more information about seos.ini initialization file tokens, see the Reference Guide.

Log In to UNAB with Active Directory Account

If you want to log in to UNAB with an Active Directory account that did not previously exist on the local host, follow these steps:

  1. Register the UNAB host with Active Directory as follows:
    uxconsole -register
    
  2. Activate UNAB as follows:
    uxconsole -activate
    
  3. Create a UNAB login authorization (login policy) or local login policy (users.allow, users.deny, groups.allow, groups.deny) to enable Active Directory users to log in.

You Cannot Log In to CA Access Control for UNIX Using 'Administrator' Account When UNAB Is Installed

You cannot log in to a CA Access Control endpoint for UNIX with the 'Administrator' Active Directory user account if UNAB is installed on the endpoint. To work around this problem, you can create a userPrincipalName for this account.

CA Access Control Installation and Uninstallation Restarts UNAB

When CA Access Control is installed on or uninstalled from an endpoint on which UNAB is running, the UNAB agent, uxauthd, is stopped and started.