Indexing certain attributes used by the Safeguard Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project.
The Control Center, Preferences | Schema Attributes | Unix Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.
One Identity recommends that you index the following attributes in Active Directory:
- User UID Number
- User Unix Name
- Group GID Number
- Group Unix Name
Note: LDAP display names vary depending on your Unix attribute mappings.
It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Safeguard Authentication Services Unix agents.
Click the Optimize Schema link to run a script that updates these attributes as necessary. The Optimize Schema option is only available if you have not optimized the Unix schema attributes defined for use in Active Directory.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
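As an added example (not the Optimize Schema script that the Control Center generates), the following PowerShell check reports whether each Unix identity attribute is indexed and is part of the global catalog partial attribute set, and with -Apply sets those two properties. The attribute names are assumed RFC 2307 defaults; change them to match your Unix attribute mappings.

```powershell
# Added example, not the product's own Optimize Schema script: audits (and with -Apply, fixes)
# whether the Unix identity attributes are indexed and replicated to the global catalog.
# Assumes the RFC 2307 default LDAP display names; change $UnixAttributes to match your mappings.
Import-Module ActiveDirectory

function Test-UnixSchemaOptimization {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$UnixAttributes = @('uidNumber', 'uid', 'gidNumber', 'cn'),  # assumed mappings
        [switch]$Apply   # without -Apply the function only reports; writes need Schema Admins rights
    )
    $schemaNC     = (Get-ADRootDSE).schemaNamingContext
    $schemaMaster = (Get-ADForest).SchemaMaster   # schema writes must go to the schema master FSMO
    $INDEXED      = 1                             # searchFlags bit 0: attribute is indexed

    foreach ($name in $UnixAttributes) {
        $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                    -LDAPFilter "(lDAPDisplayName=$name)" `
                    -Properties searchFlags, isMemberOfPartialAttributeSet
        if (-not $attr) { Write-Warning "Attribute '$name' not found in the schema"; continue }

        $indexed = (($attr.searchFlags -band $INDEXED) -ne 0)
        $inGC    = [bool]$attr.isMemberOfPartialAttributeSet

        if ($Apply -and (-not $indexed -or -not $inGC) -and
            $PSCmdlet.ShouldProcess($name, 'Index and add to global catalog')) {
            # Only the index bit is changed; other searchFlags bits (ANR, tombstone preservation, ...) are kept.
            Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{
                searchFlags                   = ($attr.searchFlags -bor $INDEXED)
                isMemberOfPartialAttributeSet = $true
            }
            $indexed = $true; $inGC = $true
        }

        [pscustomobject]@{ Attribute = $name; Indexed = $indexed; InGlobalCatalog = $inGC }
    }
}

# Report only; run with -Apply (and -WhatIf first) to make the changes.
Test-UnixSchemaOptimization | Format-Table -AutoSize
```

Adding an attribute to the partial attribute set triggers replication of that attribute to every global catalog in the forest, so schedule the -Apply run accordingly.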
You can specify the user mobile number and user email address attributes to be used by the Starling push notifications.
Modifications to the Starling schema attributes configuration are global and apply to all Safeguard Authentication Services clients in the forest. For users configured to use Starling, this could cause user logins to fail.
To configure custom LDAP attributes for use with Starling push notifications
- From the Control Center, navigate to the Starling Attributes in one of the following two ways:
  - Preferences | Starling Two-Factor Authentication, then click the Starling Attributes link.
  - Preferences | Schema Attributes
- Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
- Enter the LDAP display name for one or both of the Starling attributes used by the Starling push notifications:
  - User Mobile Number
  - User Email Address
- Click OK.
- Click Yes to confirm that you want to modify the Starling schema attributes configuration.
- Back on the Starling Two-Factor Authentication preference pane, the Starling attributes to be used are displayed.
Management Console for Unix allows you to centrally manage Safeguard Authentication Services agents running on Unix, Linux, and macOS systems.
With the management console you can:
- Remotely deploy the Safeguard Authentication Services agent software.
- Manage local user and group accounts.
- Configure account mappings from local users to Active Directory accounts.
- Report on a variety of security and host access related information.
You can install the management console on supported Unix, Linux, and macOS platforms. Once installed, you can access it from a browser using the default port of 9443 or from the Control Center.
You can run the One Identity Management Console for Unix within the Control Center or you can run it separately in a supported web browser. The management console is a separate install on Windows, Unix, Linux, or macOS that you can launch from the ISO.
Typically, you install one management console per environment. One Identity does not advise managing a Unix host with more than one management console, because this leads to redundancy and inconsistencies in stored information. If you do manage the same Unix host from more than one management console, always re-profile that host to minimize inconsistencies between the console instances.
Install instance of Management Console for Unix
You must install an instance of Management Console for Unix in your environment in order to access the Management Console. The installation can be accessed from the Safeguard Authentication Services distribution media:
- Double click autorun.exe.
- Select Setup | Management Console for Unix.
Access the MCU configuration from the Control Center
From the Control Center, select Preferences, then Management Console for Unix Configuration. The configuration for the Management Console for Unix is displayed. If the Management Console cannot be located, you will see a message such as: The Management Console could not be located. Specify a URL where Management Console for Unix is running. You can specify the URL on this page.
Specify the following:
- Protocol: Enter the SSL/TLS protocol, TCP or UDP. For details, see Network port requirements.
- Hostname: Enter the host name, for example localhost.
- Port: The port for the Management Console installation. The default SSL port number is 9443. For details, see Network port requirements.
- Path: Enter the path. On Unix, the install location is /opt/quest/mcu and you cannot specify an alternate path.
- URL: Enter the https URL, for example https://<Hostname or IP address>:<port>. Management Console for Unix requires that all browser connections are secured with the SSL/TLS protocol, so you must use an https URL. An http URL may result in unexpected behavior.
Click Apply.
For more information
Also see the One Identity Management Console for Unix - Administration Guide available on the Safeguard for Authentication Services Technical Documentation page, along with the latest Release Notes.
The topics in this section help you learn how to do some basic system administration tasks using the Control Center and Management Console for Unix.
Note: The exercises in this section assume that you have successfully installed Safeguard Authentication Services and Management Console for Unix and have added a host to the console and joined it to Active Directory. For more information, see Prepare Unix hosts.
This section shows you how to create the following test user and group accounts used in various examples:
- A local group name called localgroup
- A local user object called localuser
- An Active Directory group object called UNIXusers
- An Active Directory user object called ADuser
One Identity recommends that you work through the topics in this section in order as a self-directed "test drive" of some of the key product features. You will learn how easy it is to manage your users and groups from the management console.