Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration Reporting Setting preferences Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance

Enabling Active Directory features

If you initially configured the Management Console for Unix core features to manage local Unix users and groups and now want to use the Active Directory features, you must configure the mangement console for Active Directory.

Note: See Active Directory configuration for more information.

When you configure the mangement console for Active Directory, you can perform these basic Active Directory operations:

  • Search for Active Directory objects
  • View or modify Active Directory user, security group, and computer object properties

    Note: You must have permissions in Active Directory to modify Active Directory object properties.

You can unlock these additional Active Directory features when you install Authentication Services 4.x on hosts you manage with Management Console for Unix:

  • Join systems to Active Directory and implement AD-based authentication for Unix, Linux, and Mac systems.
  • Activate the Unix Account and Local User Accounts tabs on Active Directory user properties dialog.
  • Activate the Unix Account tab on the Active Directory group properties dialog.
  • Map a Unix user to an Active Directory user.
  • Create reports about Active Directory Unix-enabled users and groups.
  • Create Logon Policy for AD User and Logon Policy for Unix Host reports that show which user is permitted to log into which Unix host.

Note: See Configure Active Directory for Authentication Services for more information about setting up the console for full Active Directory functionality.

Adding an Active Directory group account

Note: The following procedure instructs you to use ADUC (Active Directory Users and Computers) to set up an Active Directory group by the name of "UNIXusers" referred to by other examples in this guide.

To create a new group in Active Directory

  1. From the Start menu navigate to Administrative Tools | Active Directory Users and Computers.

    The Active Directory Users and Computers Console opens.

    Note:

    • Windows Vista/Windows 7 or 8: You must have the Remote Server Administration Tools installed and enabled.
    • Windows 2003/Windows XP: You must have the Windows 2003 Server Administration Tools installed.
  2. Expand the domain folder and select the Users folder.

  3. Click the New Group button.

    The New Object - Group dialog opens.

  4. Enter UNIXusers in the Group name box and click OK.

Authentication Services provides additional tools to help you manage different aspects of migrating Unix hosts into an Active Directory environment. Links to these tools are available from Tools in the Control Center.

Adding an Active Directory user account

Note: The following procedure instructs you to use ADUC (Active Directory Users and Computers) to set up an Active Directory user by the name of "ADuser" referred to by other examples in this guide.

To create an Active Directory user account

  1. In the Active Directory Users and Computers console, select the Users folder and click the New User button.

  2. On the New Object - User dialog, enter information to define a new user named ADuser and click Next.

    The New Object - User wizard guides you through the user setup process.

  3. When you enter a password, clear the User must change password at next logon option, before you click Next.

  4. Click Finish.

  5. Close Active Directory Users and Computers and return to the mangement console.

Searching for Active Directory objects

Using the controls at the top of the mangement console's Active Directory tab, you can search Active Directory for users, groups and computers. With proper credentials, you can also search for Unix-enabled users and groups (requires Authentication Services 4.x).

Note: The Active Directory tab is only available when you are logged onto the console as an Active Directory user. See Active Directory configuration for details.

To search for Active Directory objects

  1. On the Active Directory tab of the mangement console, place your cursor in the Search by name box and enter a search expression to locate Active Directory objects. By default, when you click the button without entering any search criteria, Management Console for Unix searches for all users in the forest.

    Note: The mangement console uses Ambiguous Name Resolution (ANR) as the search algorithm to search Active Directory. This allows you to enter limited or partial input to find multiple objects in Active Directory. Use one of the following methods to enter your search expression:

    • Enter a partial string to return exact matches or a list of possible matches
    • Enter a string preceded by the equal sign to return only exact matches, for example, =Administrator

    See Ambiguous Name Resolution for more information.

  2. In the Find box, open the drop-down menu and select the type of Active Directory object to locate:
    1. Users (default)
    2. Groups
    3. Computers
    4. Users, Groups, Computers
    5. Unix-enabled Users
    6. Unix-enabled Groups
    7. Non Unix-enabled Users
    8. Non Unix-enabled Groups

    To search for all objects matching the object type you specify in the Find box, do not enter any characters in the Search by name field.

    For example, to search for all groups in the forest, do not enter anything in the Search by name box, select Groups from the Find box menu, and click .

  3. To narrow the search, select the container where you would like to start the search, by clicking the button next to the In box.

    By default, the mangement console searches the entire forest configured for Active Directory.

  4. Once you have defined your search expression, the type of objects to locate, and where you want to conduct your search, click the button to initiate the search.
  5. The mangement console displays the Active Directory objects whose names match (starts with) the characters you entered, are of the object type you specified, and are located in the directory or container you specified.

    Note: To clear the search criteria and results, click the button.

Documents connexes