Defender 5.9.3 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Integration with Cloud Access Manager Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Log Receiver Service database

Log Receiver Service database

The Log Receiver Service uses .sdf files to store logs received from Defender Security Servers. For each Defender Security Server, the Log Receiver Service creates a separate .sdf file.

These .sdf files are called the Log Receiver Service database and contain data used by the Defender Management Portal to display authentication log-related data, including the authentication statistics provided on the Dashboard tab of the portal.

On the Defender Management Portal computer, you can find these .sdf files in the following folder:

%ProgramFiles%\One Identity\Defender\Management Portal\WWW\App_Data

The name of each .sdf file has the following format: <DSS name>.<domain>.sdf

where

  • <DSS name>  is the name of the corresponding Defender Security Server.
  • <domain>  is the name of the Active Directory domain where the corresponding Defender Security Server resides.

Securing PAM-enabled services

The Defender Pluggable Authentication Module (PAM) is a UNIX/Linux module that authenticates the users of PAM-enabled services (such as ftp, sshd, and su) via Defender. To authenticate users, the Defender PAM module uses the RADIUS protocol and the Defender Security Servers deployed in your environment.

Installing Defender PAM

Installing Defender PAM

To install the Defender PAM on your UNIX or Linux system, use the appropriate platform-specific files such as .rpm, .pkg, .deb, .depot, or .bff supplied with Defender. In the Defender distribution package, you can find these files in the Setup\Unix PAM folder.

For example, on a Linux x86_64 system, use the Linux RPM program to install the pamdefender-<version>.x86_64.rpm package. In addition to installing the Defender PAM, the package installs PAM Defender configuration scripts into the /opt/quest/libexec/defender directory.

Because all Defender token information is associated with user objects in Active Directory, an Active Directory user must be given a UNIX identity on the local system before the Defender PAM can validate any security tokens for the user. You can create a UNIX identity for an Active Directory user manually or by using a Name Service Switch (NSS) module that provides UNIX identity information directly from Active Directory.

To manually create a UNIX identity for an Active Directory user, modify the /etc/passwd file so there exists a user who has a local user name that exactly matches the value stored in the user ID attribute of your Active Directory user. The user ID attribute is configurable when you create an Access Node. Usually, it is samAccountName, defender ID, or userPrincipalName.

Alternatively, you can use the Defender PAM in conjunction with the NSS module supplied with the product. With this method, Authentication Services provide UNIX identity information to any UNIX-enabled Active Directory user. To use Authentication Services for getting UNIX identity information for Active Directory users, use the vastool join command to join your UNIX/Linux computer to the Active Directory domain. For more information, see the vastool man page.

Configuring Defender PAM

Configuring Defender PAM

After installing the PAM Defender package on your UNIX or Linux system, you need to complete the following steps to enable Defender authentication for the users of PAM-enabled services:

You can considerably simplify these steps by using Authentication Services and Group Policy. To find out more about Authentication Services, please visit https://www.oneidentity.com/products/authentication-services/.

Documentos relacionados