One Identity Management Console for Unix 2.5.2 - Administration Guide


Testing the Active Directory user login

Now that you have Unix-enabled an Active Directory user, you can log into a local Unix host using your Active Directory user name and password.

To test the Active Directory login

  1. From the Control Center, under Login to remote host:
    • Host name: Enter the Unix host name.
    • User name: Enter the Active Directory user name, such as ADuser.

    Click Login to log on to the Unix host with your Active Directory user account.

  2. Enter the password for the Active Directory user account.
  3. At the command line prompt, enter id to view the Unix account information.
  4. After a successful login, verify that the user obtained a Kerberos ticket by entering:
    /opt/quest/bin/vastool klist

    The vastool klist command lists the Kerberos tickets stored in the user's credential cache. A ticket-granting ticket (krbtgt) for the Active Directory domain confirms that the session was authenticated against Active Directory with the account's Active Directory credentials, not against a local password file.

  5. Enter exit to close the command shell.
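Steps 3 and 4 are usually checked by eye. The following script, added here as an example and not part of the One Identity guide, turns those two checks into something you can run after each test login or from a wrapper around the console's remote-host login. Its functions take the output of `id` and `vastool klist` as text, so the constructed sample output below (assumed to follow the usual MIT-style klist layout) exercises them offline; on a real host, pass `"$(id)"` and `"$(/opt/quest/bin/vastool klist)"` instead. The user name, group names, realm and uid in the samples are made up for the example.

```shell
#!/bin/sh
# Added example (not from the One Identity guide): post-login checks for a
# Unix-enabled Active Directory account. The sample outputs are constructed;
# in real use feed "$(id)" and "$(/opt/quest/bin/vastool klist)" instead.

SAMPLE_ID='uid=1000(aduser) gid=1000(adusers) groups=1000(adusers),1001(unixadmins)'

# Assumed klist layout (constructed sample; real output may differ slightly).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: aduser@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/24 09:00:00    01/01/24 19:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/01/24 09:00:01    01/01/24 19:00:00    host/unixhost.example.com@EXAMPLE.COM'

# uid_of ID_OUTPUT -> prints the numeric uid
uid_of() {
  printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# user_of ID_OUTPUT -> prints the login name that NSS resolved for the uid
user_of() {
  printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# in_group ID_OUTPUT GROUPNAME -> 0 if GROUPNAME appears in the groups= list
in_group() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | grep -q "($2)\$"
}

# principal_of KLIST_OUTPUT -> prints the default principal of the cache
principal_of() {
  printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# has_tgt KLIST_OUTPUT REALM -> 0 if the cache holds a krbtgt for REALM
has_tgt() {
  printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# verify_login ID_OUTPUT KLIST_OUTPUT USER REALM
# Returns 0 only when the Unix identity and the Kerberos cache both belong to
# USER in REALM, i.e. the login really used the Active Directory credentials.
verify_login() {
  id_out=$1; klist_out=$2; expect_user=$3; realm=$4
  [ "$(user_of "$id_out")" = "$expect_user" ] \
    || { echo "id: session user is not $expect_user"; return 1; }
  [ "$(principal_of "$klist_out")" = "$expect_user@$realm" ] \
    || { echo "klist: default principal is not $expect_user@$realm"; return 1; }
  has_tgt "$klist_out" "$realm" \
    || { echo "klist: no ticket-granting ticket for $realm"; return 1; }
  echo "ok: $expect_user (uid $(uid_of "$id_out")) authenticated via Kerberos realm $realm"
}

# Run against the constructed samples; prints the "ok:" line.
verify_login "$SAMPLE_ID" "$SAMPLE_KLIST" aduser EXAMPLE.COM
```

If `verify_login` fails on the principal or TGT check while `id` looks right, the account resolved through NSS but the login did not go through Kerberos, which is the case the guide's step 4 is meant to catch.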

You have now learned how to manage Active Directory users and groups from the management console by Unix-enabling an Active Directory group and user account, and you verified the result by logging in to the Unix host with your Active Directory user name and password. Optionally, you can extend this tutorial by creating and Unix-enabling additional Active Directory users and groups, and by testing how different Active Directory account states, such as account disabled and password expired, affect the Unix login.

Privilege Manager integration

Management Console for Unix allows you to install the Privilege Manager Policy Server as well as the Privilege Manager Agent and the Sudo Plugin software to remote hosts; it also allows you to join hosts to a policy group activated in the Privilege Manager System Settings. See Configuring a service account for details.

The policy management and keystroke logging features become available once the management console is configured in System Settings for one or more policy groups.

Note: To use the policy editor, you must log in either as the supervisor or an Active Directory account with rights to manage policy; that is, an account in the Manage Sudo Policy or Manage PM Policy roles.

To replay keystroke logs, you must log in either as the supervisor or an Active Directory account with rights to audit policy; that is, an account in the Audit Sudo Policy or Audit PM Policy console roles.

After you install Management Console for Unix, you are ready to enable the Privilege Manager features.

Getting started

To enable the management console's Privilege Manager features

  1. Set up a user in the Manage Sudo Policy or Manage PM Policy role to edit the policy and a user in the Audit Sudo Policy or Audit PM Policy role to replay keystroke logs. See Adding (or Removing) role members for details.

    Note: The default supervisor account is a member of all roles and therefore has the permissions to both edit policy and replay keystroke logs.

  2. Download the Privilege Manager for Unix software packages to the server.

  3. Set the Privilege Manager software location in System Settings.

    See Setting the Privilege Manager software path.

  4. Configure the Primary Policy server:

    1. Add and profile a host intended to be the primary policy server.
    2. Check the server for configuration readiness. See Checking policy server readiness.
    3. Install the Privilege Manager Policy Server package. See Installing the Privilege Manager packages.
    4. Configure the primary policy server. See Configuring the primary policy server.
    5. Join the PM Agent or Sudo Plugin to the policy group. See Joining the host to a policy group.
  5. Configure a Secondary Policy server:

    1. Add and profile a host intended to be a secondary policy server used for load balancing.
    2. Check the server for configuration readiness. See Checking policy server readiness.
    3. Install the Privilege Manager Policy Server package. See Installing the Privilege Manager packages.
    4. Configure the secondary policy server. See Configuring a secondary policy server.
    5. Join the PM Agent or Sudo Plugin to the policy group. See Joining the host to a policy group.
  6. Install the PM Agent or Sudo Plugin software on a remote host:

    1. Add and profile a remote host where you plan to install the PM Agent or Sudo Plugin software.
    2. Configure a console service account on the primary policy server and activate the policy groups you want to use. See Configuring a service account for details.
    3. Check the remote host for policy readiness. See Checking client for policy readiness.
    4. Install the Privilege Manager software on the remote host. See Installing Privilege Manager agent or plugin software.
    5. Join the PM Agent or Sudo Plugin to the policy group. See Joining the host to a policy group.

Configure a primary policy server

The first thing you must do is configure the host you want to use as your primary policy server.

Related Topics

Checking policy server readiness

Installing the Privilege Manager packages

Configuring the primary policy server

Joining the host to a policy group
