One Identity Management Console for Unix 2.5.2 - Administration Guide


Active Directory configuration

To configure the management console for Active Directory

  1. From the top-level Settings menu, navigate to System settings | Active Directory.

  2. On the AD Configuration dialog, click the Configure console for Active Directory link next to Forest.

    Note:

    If a domain name is displayed instead of the link, the management console is already configured for Active Directory. To limit how the console accesses Active Directory, refer to Configuring advanced settings for information about limiting the sites, domains, domain controllers, or global catalogs you want the console to contact.

  3. On the Configure console for Active Directory Logon dialog,

    1. Enter a domain in the forest.

    2. Enter the Active Directory credentials.

      The wizard uses these credentials to configure the management console for use with Active Directory.

    3. Click Connect to Active Directory.

    4. When you see the message that indicates your console connected to Active Directory successfully, click Next.

  4. On the Set up console access by role dialog, click Add to specify the Active Directory users and groups that you want to have access to the features available in Management Console for Unix.

    The Select Users and Groups dialog opens:

    1. Use the search controls to find and select Active Directory users or groups. Select one or more objects from the list and click OK.

      The management console adds the selected object(s) to the list on the Set up console access by role dialog.

      By default, the management console assigns users to All Roles, which gives those accounts permission to access and perform all tasks within the console. See Console Roles and Permissions system settings for more information.

      Note: During the initial setup, you can only assign one role per user. Use System Settings to add additional roles to a user. See Adding (or Removing) role members for details.

    2. Click in the All Roles cell to activate the drop-down menu from which you can choose a role for the user account.

    3. Click Finish to save your selections and return to System Settings.

  5. Click OK to close System Settings and return to the management console.

    The additional features are now unlocked; however, you must be logged on as an Active Directory user to perform Active Directory tasks.

  6. Navigate to the User menu in the upper right-hand region of the screen and click Sign out. Then sign back on using an Active Directory account that has been granted access to the management console (that is, an account that was added to the list on the Set up console access by role dialog).

Configure Console for Active Directory Dialog

During the initial management console configuration, when you select Walk me through the configuration steps for using AD user accounts for logon to the console on the Set Up Management Console for Unix dialog, the wizard displays the Configure Console for Active Directory dialog. This dialog also displays when you click Configure for Active Directory on the Active Directory view of the System Settings.

On this dialog, enter the following information:

Table 83: Configure Console for Active Directory dialog

  Domain: Enter an Active Directory domain in the forest using the following format: domain.com.

  User name: Enter the user name to be used to authenticate to and browse Active Directory during the setup of the management console and to check for One Identity product licenses.

  Password: Enter the password associated with the user name entered above.

  Connect to Active Directory: Click this button to verify the user credentials entered.

Configuring advanced settings

By default, the management console contacts Active Directory through any site, domain, domain controller, or global catalog that is available. To limit how the console contacts Active Directory, click Advanced Settings and specify which sites, domains, domain controllers, or global catalogs you want the console to contact.

To configure advanced Active Directory settings

  1. Log into the management console with the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.

  2. From the top-level Settings menu, navigate to System settings | Active Directory and click the Advanced Settings button.

    Note: If the Advanced Settings button is not enabled, you must first configure the console for Active Directory. See Active Directory configuration for details.

    If the Active Directory configuration has become invalid (for example, the console is restricted to a domain that no longer exists), refer to Unable to configure Active Directory for information about temporarily setting the domain and site settings until you can reset the configuration from the Advanced Settings dialog.

  3. On the Active Directory Credentials dialog, enter credentials to log into Active Directory and click OK.

    The Active Directory Forest Configuration dialog opens, which allows you to configure which sites, domains, domain controllers, or global catalogs you want the management console to contact for all Active Directory related tasks.

  4. Choose either the Sites or the Domains option.

    The Sites option allows you to select and deselect only sites. The Domains option allows you to select or deselect individual domain controllers.

  5. Expand the tree view and select which site, domain, domain controller, or global catalog node you want the console to contact for all Active Directory related tasks.

  6. Click Verify configuration. (Note: You must verify the configuration before you can save the change.)

  7. Click OK to return to System Settings.

To remove a console access restriction in Advanced Settings

  1. Expand the tree view and deselect site, domain, domain controller, or global catalog node.
  2. Click Verify configuration. (Note: You must verify the configuration before you can save the change.)
  3. Click OK to save the change and return to System Settings.

Setting the default logon domain

The management console uses the default log-on domain to authenticate the user name you use when logging onto the console.

To set the default log-on domain

  1. Log into the management console with the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
  2. From the top-level Settings menu, navigate to System settings | Active Directory and click the Advanced Settings button.
  3. On the Active Directory Credentials dialog, enter a user name and password to authenticate to Active Directory.

    The Active Directory Forest Configuration dialog displays.

  4. Next to Default logon Domain (at the bottom of the dialog), choose the default domain to use when logging onto the console.

    This allows you to log onto the management console using a simple name instead of "user@domain".

  5. Click Verify configuration. (Note: You must verify the configuration before you can save the change.)
  6. Click OK to return to System Settings.