One Identity Management Console for Unix 2.5.2 - Administration Guide


Enabling local user for AD authentication

This feature, also known as user mapping, associates an Active Directory user account with a local Unix user. Allowing a local user to log into a Unix host with Active Directory credentials lets that user benefit from Active Directory security and access control, such as the domain's password policy, without replacing the local account.

To enable a local user for Active Directory authentication

  1. In the management console, navigate to Hosts | All Hosts.

  2. Double-click a host to open its properties.

  3. From a host's properties, select the Users tab and double-click a local user account to open its Properties.

    Note: To set up the local user, see Adding a local user.

  4. On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.

  5. On the Select AD User dialog, select the ADuser account and click OK.

    Note: To set up the Active Directory user, see Adding an Active Directory user account.

  6. On the local user's properties, click OK.

  7. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    Note: This task requires elevated credentials.

    You have now "mapped" a local user to an Active Directory user, and the management console indicates in the AD User column that the local user account requires an Active Directory password to log onto the host.

You can also map multiple Unix users to use a single Active Directory account using the Require AD Logon pane on the All Local Users tab.

To assign (or "map") a Unix user to an Active Directory user

  1. From the All Local Users tab, select one or more local Unix users.
  2. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

    (Click the Directory button to search in a specific folder.)

  3. Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.
  4. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix user displays in the AD User column of the All Local Users tab.

Listing local users required to use AD authentication

You can view a list of the host accounts that are required to log on using a particular Active Directory account from the All Local Users tab of the management console.

Note: This feature is only available when you are logged on as an Active Directory account in the Manage Hosts role. See Console Roles and Permissions system settings for details.

To view local user accounts required to log on with an Active Directory Account

  1. From the All Local Users tab of the management console, click the AD User column title to sort the list of users by those required to log on with an Active Directory user account.
  2. Right-click a user name and choose Properties to open its properties.
  3. Select the AD Logon tab to view or modify the Active Directory user properties.

To see which local user accounts are enabled to use Active Directory account credentials

  1. From the Active Directory tab, search for users.
  2. Double-click a user name to open its properties.
  3. Select the Local User Accounts tab to display a list of all the local user accounts that are required to log on using the selected Active Directory user account.

Note: The Local Unix Users with AD Logon report is another way to identify the local user accounts that are required to use Active Directory credentials. See Reports.

Testing the mapped user login

Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are "mapped". The Control Center offers a simple way to log into the host.

To test the mapped user login

  1. From the Control Center, under Login to remote host:
    • Host name: Enter the Unix host name.
    • User name: Enter the local user name, localuser.

    Click Login to log onto the Unix host with your local user account.

  2. If the PuTTY Security Alert dialog opens, click Yes to accept the new key.
  3. Enter the password for ADuser, the Active Directory user account you mapped to localuser when you selected the Require an AD Password to logon to Host option in the user's properties.
  4. At the command line prompt, enter id to view the Unix account information.
  5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.
  6. Enter exit to close the command shell.
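The steps above check the mapping by eye. The following script is an added example, not part of the One Identity guide, that automates the same check so it can be run against every host you have mapped: it runs `id` and `/opt/quest/bin/vastool klist` in the mapped session and confirms that the shell runs as the local user while the Kerberos credential belongs to the Active Directory user. The `id` line format is the standard one; the `vastool klist` output format, the `remote_check` wrapper, and the sample outputs are assumptions constructed for the example.

```bash
#!/bin/sh
# Added example (not from the One Identity guide): verify a mapped local
# user's session using the two commands the manual test runs by hand.

# verify_mapping LOCALUSER ADUSER ID_OUTPUT KLIST_OUTPUT
# Returns 0 when the session runs as LOCALUSER and the credential cache
# holds a ticket for ADUSER; returns 1 and prints a reason otherwise.
verify_mapping() {
    local_user=$1
    ad_user=$2
    id_out=$3
    klist_out=$4

    # `id` prints "uid=1001(localuser) gid=...": take the name in parentheses.
    login_name=$(printf '%s\n' "$id_out" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    if [ "$login_name" != "$local_user" ]; then
        echo "FAIL: session runs as '$login_name', expected local user '$local_user'" >&2
        return 1
    fi

    # Assumption: vastool klist lists the principal as ADuser@REALM.
    # Match the AD user name (case-insensitive) directly before the '@'.
    if ! printf '%s\n' "$klist_out" | grep -iqF "${ad_user}@"; then
        echo "FAIL: no Kerberos credential for AD user '$ad_user' in klist output" >&2
        return 1
    fi

    echo "OK: $local_user is mapped to $ad_user and holds its ticket"
    return 0
}

# remote_check HOST LOCALUSER ADUSER
# Gathers the two outputs over ssh (you are prompted for the AD password,
# exactly as in the manual test) and verifies them. Needs a reachable host,
# so it is not exercised by the offline sample below.
remote_check() {
    out=$(ssh "$2@$1" 'id; /opt/quest/bin/vastool klist') || return 1
    id_line=$(printf '%s\n' "$out" | sed -n '1p')
    klist_lines=$(printf '%s\n' "$out" | sed -n '2,$p')
    verify_mapping "$2" "$3" "$id_line" "$klist_lines"
}

# Constructed sample output from a host where the mapping works.
SAMPLE_ID='uid=1001(localuser) gid=1001(localuser) groups=1001(localuser)'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ADuser@EXAMPLE.COM'

# Offline run against the constructed sample; prints the OK line.
verify_mapping localuser ADuser "$SAMPLE_ID" "$SAMPLE_KLIST"
```

To check a fleet, loop `remote_check host localuser ADuser` over your host list and collect the non-zero exits; a host where `id` reports a different account, or where the ticket belongs to someone other than the mapped AD user, is one where the Require an AD Password to logon to Host setting did not take effect as intended.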

You just learned how to manage local users and groups from the management console by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password of the Active Directory user account to whom you are "mapped".

Configuring the console to recognize Unix attributes in AD

Configuring the management console to recognize Unix attributes in Active Directory enables these features:

  • Unix Account tab on the user and group properties
  • Ability to query Unix-enabled users or groups
  • Reports that include Active Directory Unix information

There are two ways to configure the management console to recognize Unix attributes in Active Directory:

  1. Installing Authentication Services 4.0 or greater in your Active Directory domain and creating the Authentication Services application container in your forest. See Configure Active Directory for Authentication Services for details.

    Authentication Services adds the Unix properties of Active Directory users and groups to Active Directory and allows you to map a Unix user to an Active Directory user.

  2. If you are running Authentication Services without an Authentication Services application configuration in your forest, configure Management Console for Unix to use the default Windows 2003 R2 schema to recognize Unix naming attributes. See Configuring Windows 2003 R2 schema for details.

    The Windows 2003 R2 schema option extends the schema to support the direct look up of Unix identities in Active Directory domain servers.
