adclient.autoedit

This configuration parameter specifies whether the agent is allowed to automatically edit the NSS and PAM configuration files on the local computer.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

The parameter value is set to true to allow the files to be edited or false to prevent the files from being edited. The following example allows both the NSS and PAM configuration files to be edited automatically:

adclient.autoedit: true

In most cases, this parameter should be set to true to allow the agent to maintain the configuration files automatically. When this parameter is set to true, you can further control which individual files are edited automatically in different operating environments through additional configuration parameters. For example, you can use the adclient.autoedit.nss parameter to enable or disable automatic editing of the nsswitch.conf file, or the adclient.autoedit.pam parameter to enable or disable automatic editing of the PAM configuration. These additional configuration parameters are ignored if the adclient.autoedit parameter is set to false. For more information about the configuration parameters that control the editing of specific files on different platforms, see Enabling automatic editing for specific files.

If you set the adclient.autoedit parameter to false, you must manually edit the appropriate configuration files to enable agent operation. For example, if you set this parameter to false, you must manually edit the nsswitch.conf file and the /etc/pam.d/system-auth file (or the other files under /etc/pam.d that your platform uses) to include the Delinea entries; otherwise authentication through Active Directory fails, and an incomplete PAM configuration can disable login access entirely. Verify that both files already contain the required entries before you switch the parameter to false.

If you want to manually edit the configuration files, first make a backup copy of the existing files. After you make the backup copy, use the examples in Editing the NSS configuration manually, Editing the PAM configuration manually, and Editing the LAM configuration manually to update the files with the configuration information for the agent.

If the adclient.autoedit parameter is not defined in the configuration file, its default value is true.

Enabling automatic editing for specific files

If you set the adclient.autoedit parameter to true, you can use the following parameters to identify the specific files to be automatically edited in different operating environments:

adclient.autoedit.nss
Specify whether you want to automatically edit the Name Service Switch configuration (nsswitch.conf) file on HP-UX, Solaris, and Linux computers. For example:

adclient.autoedit.nss: true

You can also use group policy to set this parameter.

adclient.autoedit.pam
Specify whether you want to automatically edit the PAM configuration (the pam.conf file or the pam.d directory) on AIX, HP-UX, Solaris, Mac OS X, and Linux computers. For example:

adclient.autoedit.pam: true

You can also use group policy to set this parameter.

adclient.autoedit.centrifypam
Specify whether to activate the Delinea authorization plug-in on Mac OS X computers and add it to the authorization mechanism every time adclient starts. The default value is true. For example:

adclient.autoedit.centrifypam: true

adclient.autoedit.centrifypam.restart.securityagent
Specify whether to restart SecurityAgent after the authorization database is edited. The default value is true. For example:

adclient.autoedit.centrifypam.restart.securityagent: true

If this parameter is set to false, you must restart the SecurityAgent process or reboot the computer manually after the authorization database is edited. If you do not restart SecurityAgent or reboot, users might not be able to log in.

adclient.autoedit.nscd
Specify whether you want to automatically edit the nscd passwd and group cache configuration (nscd.conf) on Solaris and Linux computers. By default, this parameter is set to false, which means automatic editing is disabled; setting it to true enables automatic editing. It is recommended that you change the default and enable automatic editing of the nscd caches, because doing so substantially reduces NSS response time for large volumes of repeated queries. Some operating systems do not install nscd by default; be sure that nscd is installed before configuring this setting. For example:

adclient.autoedit.nscd: true

You can also use group policy to set this parameter.

adclient.autoedit.methods
Specify whether you want to automatically edit the Loadable Authentication Module (LAM) methods.cfg configuration file on AIX computers. For example:

adclient.autoedit.methods: true

You can also use group policy to set this parameter.

adclient.autoedit.user
Specify whether you want to automatically edit the /etc/security/user file on AIX computers. The default value is true. For example:

adclient.autoedit.user: true

You can also use group policy to set this parameter.

adclient.autoedit.user.root
Specify whether root login is controlled by the Delinea authentication mechanism. If this parameter is set to true, the root stanza's SYSTEM = "compat" entry in /etc/security/user is commented out and root login must go through the Delinea authentication mechanism. The default value is false, so by default root login does not go through the Delinea authentication mechanism. For example:

adclient.autoedit.user.root: false

adclient.autoedit.pwgrd
Specify whether you want to automatically edit the configuration of the password and group hashing and caching daemon (pwgrd) on HP-UX computers. For example:

adclient.autoedit.pwgrd: true

You can also use group policy to set this parameter.

Note that if you make any changes to any adclient.autoedit.* parameter, you must restart the adclient process for the change to take effect. Restarting adclient is required whether you set the parameters manually in the configuration file or by enabling a group policy.

Related topics

Editing the NSS configuration manually

Editing the PAM configuration manually

Editing the NSS configuration manually

To manually edit the NSS configuration, modify the /etc/nsswitch.conf file so that centrifydc is the first source on the passwd, shadow, and group lines, as appropriate for your environment. For example:

passwd: centrifydc files
shadow: centrifydc files
group: centrifydc files

By placing centrifydc at the beginning of each line, you ensure that user and group lookups are resolved through Active Directory before the local files are consulted.

Editing the PAM configuration manually

In most cases, you should not manually edit the PAM configuration on a computer unless absolutely necessary because changes can produce unexpected and undesirable results. If you choose to edit the file manually, you should use caution and limit the changes you make.

To manually edit the PAM configuration to use Delinea and Active Directory, you need to add several lines to the top of the appropriate PAM configuration file for the local operating environment.

For example, on Linux you need to add the following lines to the top of the /etc/pam.d/system-auth file:

auth sufficient pam_centrifydc.so debug
auth requisite pam_centrifydc.so deny debug
account sufficient pam_centrifydc.so debug
session sufficient pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny

On Solaris and other platforms that use a single /etc/pam.conf file instead of a pam.d directory, you need to add the following lines to the top of the /etc/pam.conf file:

rlogin auth sufficient pam_centrifydc.so debug
rlogin auth requisite pam_centrifydc.so deny debug
login auth sufficient pam_centrifydc.so debug
login auth requisite pam_centrifydc.so deny debug
passwd auth sufficient pam_centrifydc.so try_first_pass debug
passwd auth requisite pam_centrifydc.so deny debug
other auth sufficient pam_centrifydc.so debug
other auth requisite pam_centrifydc.so deny debug
cron account sufficient pam_centrifydc.so debug
other account sufficient pam_centrifydc.so debug
other password sufficient pam_centrifydc.so debug
other session sufficient pam_centrifydc.so debug

In most operating environments, when new users log on successfully, the Delinea Agent automatically attempts to create the user’s home directory. In Solaris environments, however, the home directory is often automounted over NFS, so the attempt to automatically create a new home directory for new users typically fails. If you use NFS to automount home directories, you can turn off the automatic creation of the home directory by setting the pam.homedir.create parameter in the centrifydc.conf file to false. For more information about setting this parameter, see pam.homedir.create.

By adding the appropriate lines to the beginning of the PAM configuration file, you ensure that Active Directory authentication takes precedence over other forms of authentication.
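The checks and edits described above, as an added shell example that is not part of this page or of the Delinea agent: it backs up a file, verifies whether an nsswitch.conf and a Linux pam.d stack already carry the centrifydc entries (the condition under which adclient.autoedit: false is safe), and inserts them idempotently when they do not. The function names, the .bak naming and the sample file contents are assumptions made for the example; pam_edit uses the Linux system-auth lines shown above, not the pam.conf form.

```shell
#!/bin/sh
# Added example, not Delinea tooling: back up, inspect and, if needed, insert
# the centrifydc entries into an nsswitch.conf and a Linux PAM stack file
# (the /etc/pam.d/system-auth layout shown above). File paths are arguments so
# the functions can be exercised on copies before anything under /etc is touched.

backup_file() {
    # Keep an untouched copy before editing, as recommended above.
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Succeed only when centrifydc is the first source on the passwd, shadow and
# group lines; a missing line or a later position both count as a failure.
nss_check() {
    for db in passwd shadow group; do
        awk -v db="$db" '
            $1 == (db ":") { found = 1; if ($2 != "centrifydc") bad = 1 }
            END { if (found && !bad) exit 0; exit 1 }' "$1" || return 1
    done
    return 0
}

# Move or add centrifydc to the front of the passwd, shadow and group lines.
# Idempotent: running it twice leaves the file unchanged.
nss_edit() {
    backup_file "$1"
    awk '
        $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
            line = $1 " centrifydc"
            for (i = 2; i <= NF; i++) if ($i != "centrifydc") line = line " " $i
            print line; next
        }
        { print }' "$1" > "$1.tmp" &&
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # cat keeps the inode, owner and mode
}

# Succeed only when pam_centrifydc.so is the first module on the auth stack.
pam_check() {
    awk '
        $1 == "auth" { found = 1; ok = ($3 == "pam_centrifydc.so"); exit }
        END { if (found && ok) exit 0; exit 1 }' "$1"
}

# Prepend the Linux lines from the text unless the module is already present.
pam_edit() {
    grep -q 'pam_centrifydc\.so' "$1" && return 0
    backup_file "$1"
    {
        cat <<'EOF'
auth sufficient pam_centrifydc.so debug
auth requisite pam_centrifydc.so deny debug
account sufficient pam_centrifydc.so debug
session sufficient pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
EOF
        cat "$1"
    } > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Gate for adclient.autoedit: false. Only report it safe when both files
# already carry the entries the agent would otherwise maintain for you.
autoedit_false_is_safe() {
    nss_check "$1" && pam_check "$2"
}

# Demo on constructed copies (not real system files).
demo=$(mktemp -d)
printf 'passwd: files sss\nshadow: files\ngroup: files centrifydc\nhosts: files dns\n' > "$demo/nsswitch.conf"
printf '#%%PAM-1.0\nauth required pam_env.so\nauth sufficient pam_unix.so\n' > "$demo/system-auth"
autoedit_false_is_safe "$demo/nsswitch.conf" "$demo/system-auth" && echo "before: safe" || echo "before: NOT safe to set adclient.autoedit: false"
nss_edit "$demo/nsswitch.conf"
pam_edit "$demo/system-auth"
autoedit_false_is_safe "$demo/nsswitch.conf" "$demo/system-auth" && echo "after: safe" || echo "after: NOT safe"
```

Run it against copies first; nothing under /etc is touched until you pass the real paths, and the edited content is written back with cat rather than mv so the file's owner, mode and inode survive. pam_edit only ever prepends once: if a stack already lists pam_centrifydc.so at a later position, pam_check reports the problem and the lines should be reordered by hand.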

Editing the LAM configuration manually

To manually edit the LAM configuration on AIX computers, you need to add Delinea-specific information to the /usr/lib/methods.cfg and /etc/security/user files.

In the /usr/lib/methods.cfg file, add the following lines to enable authentication through the Delinea Agent and Active Directory:

CENTRIFYDC:
    program = /usr/lib/security/CENTRIFYDC
    program_64 = /usr/lib/security/CENTRIFYDC64
    options = noprompt

In the /etc/security/user file, you need to change the SYSTEM attribute for your users. The easiest way to do this is to change the SYSTEM attribute in the “default” stanza. For example:

default:
    ...
    SYSTEM = "CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND compat"
    ...

In addition, if any user has an explicit setting for the SYSTEM attribute, you should remove the setting. For example, by default, the root account has an explicit SYSTEM setting, so you should delete this line or comment it out.
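The AIX edits above, as an added shell example that is not part of this page or of the Delinea agent: it appends the CENTRIFYDC stanza to a copy of methods.cfg, rewrites the SYSTEM attribute of the default stanza in a copy of /etc/security/user, comments out explicit SYSTEM attributes in every other stanza (such as root) with the stanza-file comment character, and checks the result. The function names, the backup naming and the sample stanza contents are assumptions; it is written for POSIX sh and awk so it can be tried on any system before the real AIX files are changed.

```shell
#!/bin/sh
# Added example, not Delinea tooling: apply the AIX LAM edits above to copies of
# /usr/lib/methods.cfg and /etc/security/user with awk, so the result can be
# reviewed before the real files are touched. Assumes the AIX stanza layout
# (stanza name ending in ':' at column 1, attributes indented, '*' comments).

backup_file() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Append the CENTRIFYDC stanza to methods.cfg unless one is already there.
methods_add() {
    grep -q '^CENTRIFYDC:' "$1" && return 0
    backup_file "$1"
    printf 'CENTRIFYDC:\n\tprogram = /usr/lib/security/CENTRIFYDC\n\tprogram_64 = /usr/lib/security/CENTRIFYDC64\n\toptions = noprompt\n' >> "$1"
}

# Set SYSTEM in the default stanza to $2 and comment out every explicit
# SYSTEM attribute in other stanzas (root ships with one), because an explicit
# per-user value would bypass the default. The default stanza is assumed to
# already carry a SYSTEM line, as it does on a stock AIX system.
lam_set_system() {
    backup_file "$1"
    awk -v val="$2" '
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); print; next }
        $1 == "SYSTEM" && $2 == "=" {
            if (stanza == "default") print "\tSYSTEM = \"" val "\""
            else print "*" $0
            next
        }
        { print }' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Succeed only when the default stanza carries exactly SYSTEM = "$2" and no
# other stanza still has an active (uncommented) SYSTEM attribute.
lam_check() {
    awk -v want="SYSTEM = \"$2\"" '
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        $1 == "SYSTEM" && $2 == "=" {
            line = $0; sub(/^[ \t]+/, "", line)
            if (stanza == "default") ok = (line == want); else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }' "$1"
}

# Demo on constructed copies (not real AIX files).
sysval='CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND compat'
demo=$(mktemp -d)
printf '* constructed sample\n' > "$demo/methods.cfg"
printf 'default:\n\tadmin = false\n\tSYSTEM = "compat"\n\nroot:\n\tadmin = true\n\tSYSTEM = "compat"\n' > "$demo/user"
methods_add "$demo/methods.cfg"
lam_set_system "$demo/user" "$sysval"
lam_check "$demo/user" "$sysval" && echo "user file ready for LAM" || echo "user file still needs attention"
cat "$demo/user"
```

This mirrors the manual procedure above, which removes root's explicit SYSTEM setting. The agent's own automatic editing leaves root alone unless adclient.autoedit.user.root is true, so decide deliberately whether root should authenticate through Active Directory before applying the same change to the real file.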