Chat now with support
Tchattez avec un ingénieur du support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Management Console for Unix server and console

Access to the Management Console for Unix server is controlled by the supervisor account when using the core version; or with Active Directory credentials when the mangement console is configured for Active Directory. When you enable Active Directory log on, you can configure access to the mangement console to allow individual users or members of Active Directory groups to access the mangement console. See Console Roles and Permissions system settings for details on how to enable access for users and groups.

Note: Since Active Directory supports nested groups, a user may be granted access even if they are not a direct member of the nominated group, but are a member of one or more child groups. Care should be taken when using nested groups to ensure that access is not accidentally granted to the wrong users.

When authenticating with Active Directory credentials, you may

Authenticating the supervisor user

When a user logs on as 'supervisor', the password is hashed on the client with a known salt and compared with the stored value in the Management Console for Unix database. The plain text password is never stored on the server. The password encryption is irreversible. As a result, if the supervisor password is lost it cannot be recovered, but may be reset by a user with logon access to the machine where the Management Console for Unix server is running. See Reset the supervisor password for details.

Authenticating Active Directory users using Windows Integrated Authentication

Windows Integrated Authentication (WIA) allows a user to securely reuse their desktop credentials to log onto the mangement console when using a browser that supports WIA. Using WIA requires that the console server is installed and running on a Windows machine that is joined to the forest which you have chosen to manage, or is installed and running on a Unix machine that is running Authentication Services and is joined to the forest which you have chosen to manage. The client browser must also be joined to the same forest.

Authenticating Active Directory users using a username and password

When authenticating Active Directory users using a username and password, the credentials are used to obtain a Kerberos Ticket Granting Ticket (TGT) from Active Directory. If the Management Console for Unix server is running on a machine that is joined to a domain in a managed Active Directory forest (either on Windows or using Authentication Services on Unix or Linux), a Kerberos service ticket is also obtained for the host account. This second step is necessary to ensure that the TGT has not been falsified and to map any Domain Local Groups to the server's domain.

If the server has not been joined, or is joined to a different forest than the one being managed, an attacker could subvert the logon security by spoofing fake responses from Active Directory (for example, by hijacking DNS to point to a rogue Active Directory service). This is because the security guarantees of the Kerberos protocol require proof of a shared key between Active Directory and the server, before it can be proven that a given TGT is valid; and this proof requires obtaining a service ticket encrypted in the server's key.

Note: While you can run the Management Console for Unix server on a computer that is not joined to the forest, One Identity recommends that you run the Management Console for Unix server on a machine joined to the Active Directory forest you are managing to ensure that Active Directory users can be securely authenticated

Documents connexes