adclient.autoedit
This configuration parameter specifies whether the agent is allowed to automatically edit the NSS and PAM configuration files on the local computer.
In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.
The parameter value is set to true to allow the files to be edited or false to prevent the files from being edited. The following example allows both the NSS and PAM configuration files to be edited automatically:
adclient.autoedit: true
In most cases, this parameter should be set to true to allow the agent to maintain configuration files automatically. When this parameter is set to true, you can further control the specific individual files to be automatically edited in different operating environments through additional configuration parameters. For example, you can use the adclient.autoedit.nss to enable or disable automatic editing of the nsswitch.conf file or the adclient.autoedit.pam to enable or disable automatic editing of the PAM configuration file. These additional configuration parameters are ignored if the adclient.autoedit parameter is set to false. For more information about the configuration parameters to control the editing of specific files on different platforms, see Enabling automatic editing for specific files.
If you set the adclient.autoedit parameter to false, you must manually edit the appropriate configuration files to enable agent operation. For example, if you set this parameter to false, you should manually edit the nsswitch.conf file and the /etc/pam.d/system-auth file (or the other files under /etc/pam.d) to include the Delinea information; otherwise authentication through Active Directory will fail and you might disable login access entirely.
If you want to manually edit the configuration files, you should first make a backup copy of the existing files. After you make a backup copy of the files, you can use the following examples to manually update the files with the configuration information for the agent.
Enabling automatic editing for specific files
If you set the adclient.autoedit parameter to true, you can use the following parameters to identify the specific files to be automatically edited in different operating environments:
| Use this parameter | To do this |
|---|---|
| adclient.autoedit.nss | Specify whether you want to automatically edit the Name Service Switch configuration (nsswitch.conf) file on HP-UX, Solaris, and Linux computers. For example: adclient.autoedit.nss: true. You can also use group policy to set this parameter. |
| adclient.autoedit.pam | Specify whether you want to automatically edit the PAM configuration (pam.conf file or pam.d directory) on AIX, HP-UX, Solaris, Mac OS X, and Linux computers. For example: adclient.autoedit.pam: true. You can also use group policy to set this parameter. |
| adclient.autoedit.centrifypam | Specify whether to activate the Delinea authorization plug-in and add it to the authorization mechanism every time adclient starts. The default value is true. For example: adclient.autoedit.centrifypam: true |
| adclient.autoedit.centrifypam.restart.securityagent | Specify whether to restart SecurityAgent after the authorization database is edited. The default value is true. For example: adclient.autoedit.centrifypam.restart.securityagent: true. If this parameter is set to false, you must restart the SecurityAgent process or reboot the computer manually after the authorization database is edited. If you do not restart SecurityAgent or reboot, users might not be able to log in. |
| adclient.autoedit.nscd | |
Note that if you make any changes to any adclient.autoedit.* parameter, you must restart the adclient process for the change to take effect. Restarting adclient is required whether you set the parameters manually in the configuration file or by enabling a group policy.
Related topics
Editing the NSS configuration manually
Editing the PAM configuration manually
Editing the NSS configuration manually
To manually edit the NSS configuration, modify the /etc/nsswitch.conf file to include centrifydc as the first entry for the password and group lines as appropriate for your environment. For example:
passwd: centrifydc files
shadow: centrifydc files
group: centrifydc files
By placing centrifydc at the beginning of each line, you ensure that Active Directory authentication takes precedence over other forms of authentication.
Editing the PAM configuration manually
In most cases, you should not manually edit the PAM configuration on a computer unless absolutely necessary because changes can produce unexpected and undesirable results. If you choose to edit the file manually, you should use caution and limit the changes you make.
To manually edit the PAM configuration to use Delinea and Active Directory, you need to add several lines to the top of the appropriate PAM configuration file for the local operating environment.
For example, on Linux you need to add the following lines to the top of the /etc/pam.d/system-auth file:
auth sufficient pam_centrifydc.so debug
auth requisite pam_centrifydc.so deny debug
account sufficient pam_centrifydc.so debug
session sufficient pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
On Solaris and other platforms, you need to add the following lines to the top of the /etc/pam.conf file:
rlogin auth sufficient pam_centrifydc.so debug
rlogin auth requisite pam_centrifydc.so deny debug
login auth sufficient pam_centrifydc.so debug
login auth requisite pam_centrifydc.so deny debug
passwd auth sufficient pam_centrifydc.so try_first_pass debug
passwd auth requisite pam_centrifydc.so deny debug
other auth sufficient pam_centrifydc.so debug
other auth requisite pam_centrifydc.so deny debug
cron account sufficient pam_centrifydc.so debug
other account sufficient pam_centrifydc.so debug
other password sufficient pam_centrifydc.so debug
other session sufficient pam_centrifydc.so debug
By adding the appropriate lines to the beginning of the PAM configuration file, you ensure that Active Directory authentication takes precedence over other forms of authentication.
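After editing nsswitch.conf and the PAM file by hand as described in the two sections above, it is worth confirming the ordering before logging out, because a wrong order silently prefers local files or local PAM modules over Active Directory. The following script is an added example, not part of the Delinea documentation; the sample files it creates are constructed, and the PAM check assumes the Linux pam.d layout (type, control, module, arguments) rather than the pam.conf layout with a leading service column.

```shell
#!/bin/sh
# Post-edit check (added example, not Delinea code): confirm that centrifydc
# is the first source on the nsswitch.conf passwd/shadow/group lines and that
# pam_centrifydc.so is the first rule for each type in a pam.d-style file.

# check_nss FILE -> 0 when passwd, shadow and group all list centrifydc first
check_nss() {
  for db in passwd shadow group; do
    first=$(awk -v db="$db:" '$1 == db { print $2 }' "$1" | tail -n 1)
    if [ "$first" != "centrifydc" ]; then
      echo "nsswitch: $db first source is '${first:-missing}', want centrifydc" >&2
      return 1
    fi
  done
  return 0
}

# check_pam FILE -> 0 when the first auth/account/session/password rule uses
# pam_centrifydc.so (Linux pam.d layout: type control module args, no service)
check_pam() {
  for type in auth account session password; do
    mod=$(awk -v t="$type" '$1 == t { print $3; exit }' "$1")
    if [ "$mod" != "pam_centrifydc.so" ]; then
      echo "pam: first $type module is '${mod:-missing}', want pam_centrifydc.so" >&2
      return 1
    fi
  done
  return 0
}

# Constructed sample files so the check can run stand-alone.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
printf '%s\n' 'passwd: centrifydc files' 'shadow: centrifydc files' \
  'group:  centrifydc files' 'hosts:  files dns' > "$TMPD/nsswitch.good"
printf '%s\n' 'passwd: files centrifydc' 'shadow: centrifydc files' \
  'group:  centrifydc files' > "$TMPD/nsswitch.bad"   # local files win: wrong
cat > "$TMPD/system-auth.good" <<'EOF'
auth     sufficient pam_centrifydc.so debug
auth     requisite  pam_centrifydc.so deny debug
auth     required   pam_unix.so
account  sufficient pam_centrifydc.so debug
session  sufficient pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite  pam_centrifydc.so deny
EOF

check_nss "$TMPD/nsswitch.good" && check_pam "$TMPD/system-auth.good" \
  && echo "OK: Active Directory sources are consulted first"
```

On a real host, point check_nss at /etc/nsswitch.conf and check_pam at /etc/pam.d/system-auth instead of the sample files.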
Editing the LAM configuration manually
To manually edit the LAM configuration on AIX computers, you need to add Delinea-specific information to the /usr/lib/methods.cfg and /etc/security/user files.
In the /usr/lib/methods.cfg file, add the following lines to enable authentication through the Delinea Agent and Active Directory:
CENTRIFYDC:
    program = /usr/lib/security/CENTRIFYDC
    program_64 = /usr/lib/security/CENTRIFYDC64
    options = noprompt
In the /etc/security/user file, you need to change the SYSTEM attribute for your users. The easiest way to do this is to change the SYSTEM attribute in the "default" stanza. For example:
...
SYSTEM = "CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND compat"
...
In addition, if any user has an explicit setting for the SYSTEM attribute, you should remove the setting. For example, by default, the root account has an explicit SYSTEM setting, so you should delete this line or comment it out.