One Identity Management Console for Unix 2.5.2 - Administration Guide


Optional Join commands

You can enter one or more of the following join commands on the Join Host to Active Directory dialog. Separate multiple commands with a single space.

Table 50: Optional join commands

-I cache_export_filename
    Load users and groups from the specified cache export file instead of from the network.

-c computer_name
    Specify a different name for the computer object than the one usually generated from your host name. Specify either the FQDN or NetBIOS name for the computer object.

    NOTE: If you specified a computer account on the Join Host to Active Directory dialog, the management console ignores this command and uses the computer account you specified on the dialog.

-c container
    Specify the LDAP DN of the container where the computer object will be created.

    NOTE: If you specified a container on the Join Host to Active Directory dialog, the management console ignores this command and uses the container you specified on the dialog.

-l
    Do not apply Group Policy settings (if Authentication Services for Group Policy is installed).

-w
    Enable workstation mode, where users are not cached until they log on.

-U
    Load all users from the global catalog. The management console loads all Unix-enabled users in the forest, regardless of location and domain.

-G
    Load all groups from the global catalog. The management console loads all Unix-enabled groups in the forest, regardless of location and domain.

-r domain_list
    Specify a comma-separated list of alternate authentication domains, used for resolving simple names.

-u search_path
    Specify an alternate search path from which to populate the user cache. You must specify a container object within your Active Directory forest in this search path.

-g search_path
    Specify an alternate search path from which to populate the group cache. You must specify a container object within your Active Directory forest in this search path.

-s siteName
    Manually specify the site name for the selected host.

-p UPM_search_path
    Specify the path of the Primary Personality Container. This command supersedes the -u and -g settings. If the specified UPM search path does not exist, the join command fails.

--skip-config
    Skip automatic system configuration of the PAM, NSS, LAM and SIA subsystems.

--preload-nested-memberships
    After loading users or groups, query tokenGroups for all cached users to process nested group membership information.

--site-only-usn
    For USN queries, use only site servers. Use this command when non-site servers are unavailable, for example, blocked by a firewall.

--no-timesync
    Skip automatic time synchronization.

Unjoining host from Active Directory

Unjoining a host from the management console removes the computer object from Active Directory, preventing further Active Directory user logons. This task does not remove the Authentication Services Agent software installed on the unjoined host.

Note: This task is only available when you are logged on as an Active Directory account in the Manage Hosts role.

To unjoin hosts from Active Directory

  1. Select one or more hosts from the list on the All Hosts view, open the Unjoin menu toolbar button and choose Unjoin from Active Directory.

    Note: If unjoining multiple hosts, all hosts must be joined to the same domain.

  2. On the Unjoin Host from Active Directory dialog, enter the user credentials of an Active Directory user that has rights to delete computer objects from the Active Directory domain and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: To unjoin the host from Active Directory, Authentication Services requires you to have elevated (root) credentials to complete the task on the host side.

    A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered. If successfully unjoined, the Active Directory domain, previously listed in the Joined to Domain column, is replaced with the Ready to join icon if you have previously run Check for AD readiness; otherwise the Joined to Domain column is left empty.

Unjoin Host from Active Directory dialog

The Unjoin Host from Active Directory dialog displays when you click the Unjoin from Active Directory toolbar button on the All Hosts view. This dialog prompts you to enter Active Directory user credentials of the domain from which you want to unjoin the selected hosts.

Table 51: Unjoin Host from Active Directory dialog

User Name
    Enter the name of an Active Directory user that has rights to delete computer objects from the joined domain.

Password
    Enter the password associated with the Active Directory user account.

Configuring host access control

The management console allows you to modify Authentication Services access settings. You can add Active Directory users or groups to the users.allow file for a single host or a selected group of hosts. This allows you to control Active Directory user access on Authentication Services hosts.

Note: The management console does not allow you to view or modify the users.deny file.

To view the users.allow file for a single host

  1. From the All Hosts view, right-click a host that is joined to an Active Directory domain.
  2. Select the Host Access Control option from the context menu.

    The Host Access Control tab lists the content of the users.allow file.

    Note: Users and groups displayed in red text are entries that Authentication Services could not resolve in Active Directory.

To allow additional Active Directory users or groups to access a single host

  1. From the Host Access Control tab, click Manage Access.
  2. On the Host Access Control dialog, specify the names you want to allow access to the selected host.

    You can either:

    • Type a name into the text box and click Add.

      -OR-

    • Click Select to browse for the Active Directory user or group name.

      Clicking Select opens the Select AD Object dialog.

    Once you have the names listed on the Host Access Control dialog, click OK.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    The console updates the users.allow file and the database accordingly.

To add or remove access for Active Directory users or groups on multiple hosts

  1. From the All Hosts view, select and right-click multiple hosts that are joined to an Active Directory domain.
  2. Select the Host Access Control option from the context menu.

    The Host Access Control dialog displays two list boxes: one in which to add users or groups, the other to specify users and groups to remove from the users.allow file.

  3. Specify or select names to add or remove and click OK.
  4. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    The console updates the users.allow file and the database accordingly.
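The procedures above edit users.allow through the console, but the file itself is what the host enforces, so it is worth being able to audit it offline before it is pushed to a fleet. The following is an added example, not code from One Identity or the management console. Because this page does not define the file format, the script assumes one principal per line, blank lines and text after # ignored, and principals written as a simple name, a DOMAIN\name, or a UPN (user@domain); it also assumes case-insensitive name matching and models the allow check only as "the user name or one of the user's groups appears in the file". Names in the sample file are constructed. The script cannot resolve names against Active Directory, which is what produces the red-text entries described above; it only flags syntactic problems and duplicates.

```python
# Added example (not One Identity code): offline audit of a users.allow file.
# Assumptions, since the page does not define the file format: one principal
# per line, blank lines and text after '#' ignored, and a principal may be a
# simple name, a DOMAIN\name, or a UPN (user@domain). Name matching is
# case-insensitive, as Active Directory account names are.
from collections import Counter

# Constructed sample; not taken from any real host.
SAMPLE_USERS_ALLOW = """\
# users.allow managed by the console (constructed sample)
jdoe
EXAMPLE\\unix-admins
svc-backup@example.com   # service account
jdoe
bad entry with spaces
"""


def parse_users_allow(text):
    """Return (line_number, entry) pairs, skipping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if entry:
            entries.append((lineno, entry))
    return entries


def classify(entry):
    """Syntactic classification only; nothing here talks to Active Directory."""
    if any(ch.isspace() for ch in entry):
        return "malformed"
    if "@" in entry:
        return "upn"
    if "\\" in entry:
        return "domain-qualified"
    return "simple"


def audit(text):
    """List problems a reviewer would want flagged before the file reaches hosts."""
    entries = parse_users_allow(text)
    issues = []
    first_seen = {}  # lower-cased entry -> line where it first appeared
    for lineno, entry in entries:
        if classify(entry) == "malformed":
            issues.append(f"line {lineno}: malformed entry {entry!r}")
            continue
        key = entry.lower()
        if key in first_seen:
            issues.append(f"line {lineno}: duplicate of line {first_seen[key]} ({entry!r})")
        else:
            first_seen[key] = lineno
    return issues


def summarize(text):
    """Count entries per syntactic kind, e.g. to spot an unexpectedly long list of bare names."""
    return Counter(classify(entry) for _, entry in parse_users_allow(text))


def is_allowed(text, user, groups=()):
    """Simplified model (assumption): the user is allowed if the user name or
    any of the user's groups appears in the file. Malformed lines never match."""
    allowed = {entry.lower() for _, entry in parse_users_allow(text)
               if classify(entry) != "malformed"}
    return any(name.lower() in allowed for name in (user, *groups))


if __name__ == "__main__":
    for issue in audit(SAMPLE_USERS_ALLOW):
        print(issue)
    print(dict(summarize(SAMPLE_USERS_ALLOW)))
    print(is_allowed(SAMPLE_USERS_ALLOW, "asmith", ["EXAMPLE\\unix-admins"]))
```

Running the script on the sample reports the repeated jdoe entry and the line containing spaces, and shows that a user who is not listed directly is still allowed through a listed group. Replace SAMPLE_USERS_ALLOW with the contents read from a host to audit a real file.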
