
One Identity Management Console for Unix 2.5.2 - Administration Guide


Auto profiling returns an error

If you receive an error when auto-profiling a host after a recent upgrade from 1.0.x, verify the console host address in System Settings.

To validate the console host address

  1. From the Settings menu, navigate to System Settings | General | Console Information.
  2. Verify that the host address in the Console host address box is the Fully Qualified Domain Name address.

    The host address in the Console host address box on the Console Information settings page may have been entered as a simple (short) host name in version 1.0. To perform some tasks in version 2.x without error, such as auto-profiling, the Console host address must be a Fully Qualified Domain Name.

Note: Setting up automatic profiling on a host with Security-Enhanced Linux (SELinux) enabled will fail due to the enhanced security-related restrictions on the system. Please contact Technical Support at https://support.oneidentity.com/ for instructions on how to either work around the issues or disable SELinux.

Active Directory Issues

The following topics may help you resolve some problems related to Active Directory.

Active Directory connectivity issues

Certain environmental changes cause Active Directory connectivity issues.

To verify you are communicating with Active Directory

  1. If the DNS server changes, restart the server, because the Java Naming and Directory Interface (JNDI) caches information about the Active Directory domain for which the host is configured at server start-up.
  2. If the Active Directory servers change, restart the server, because ActiveDirectoryInfoManager caches the SRV records.
  3. Verify that time is synchronized between the Management Console for Unix server and the Active Directory domain.

    Kerberos requires that the Management Console for Unix server and Active Directory domain controller clocks are within five minutes of each other.

Unable to configure Active Directory

You specify the Active Directory configuration (that is, the set of domains, sites, and servers that you want the management console to contact) from System Settings | Active Directory | Advanced Settings. To access the Advanced Settings dialog, you must provide Active Directory credentials; then, once the console verifies the configuration, it saves the settings to the database.

There may be an occasion when the Active Directory configuration becomes invalid. Perhaps you set the AD configuration to restrict login to a specific domain. Later, you receive a network error saying the Active Directory credentials you provided to perform an action have been revoked because that domain no longer exists. If the Active Directory configuration becomes invalid for any reason, you will not be able to access the Advanced Settings dialog to change the AD configuration.

This topic explains how to temporarily set the ad.config.domain or ad.config.site system properties in the custom.cfg file to specify a temporary configuration to use until you can reset the AD configuration from System Settings | Active Directory | Advanced Settings.

  • ad.config.domain system property contains the name of a single Active Directory domain. When specified, the management console will only contact Active Directory servers in this domain.

    Note: Do not configure the console for a domain outside of the current forest.

  • ad.config.site system property contains the name of a single Active Directory site. When specified, the management console will only contact Active Directory servers in this site.

Note: Do not attempt to change the domain you are joined to with this method. You can only change the configuration within the same domain.

To reset Active Directory domain or site settings

  1. Stop the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

  2. Locate the custom.cfg file.

    See Setting custom configuration settings for more information about customizing configuration settings for the management console.

  3. Add one of the following properties:
    -Dad.config.domain=<domain>

    -OR-

    -Dad.config.site=<site>

    Note: Only specify the ad.config.domain or the ad.config.site system property, not both. If you specify both, the console will ignore the ad.config.domain setting.

  4. Save the custom.cfg file.
  5. Restart the Management Console for Unix service.
  6. Navigate to System Settings | Active Directory | Advanced Settings to specify which sites, domains, domain controllers, or global catalogs you want the console to contact.

    See Configuring advanced settings for details.

  7. Stop the Management Console for Unix service.
  8. Locate the custom.cfg file.
  9. Remove the temporary property you added in step 3, either:
    -Dad.config.domain=<domain>

    -OR-

    -Dad.config.site=<site>
  10. Save the custom.cfg file.
  11. Restart the Management Console for Unix service.
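The custom.cfg edits in steps 3 and 9 above, as an added example that is not part of the One Identity guide. It assumes custom.cfg holds one JVM option per line (as the -D lines above suggest) and that the caller passes the file path; it enforces the rule that only one of ad.config.domain or ad.config.site may be present, and the service stop/restart steps are left to the procedure above.

```shell
#!/bin/sh
# Added example (not from the guide): manage the temporary
# ad.config.domain / ad.config.site JVM properties in custom.cfg.
# Assumption: custom.cfg contains one JVM option per line, e.g. -Xmx1024m.

# Step 9: remove any ad.config.domain / ad.config.site lines.
# Accepts both the -D form and a bare "ad.config.x=" form so a stray
# hand edit is cleaned up too. Other lines are kept untouched.
clear_temp_ad_property() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    tmp="$cfg.tmp.$$"
    # grep -v exits 1 when it removes every line; that is not an error here.
    grep -v -E '^(-D)?ad\.config\.(domain|site)=' "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
}

# Step 3: add exactly one of the two properties. Refuses an unknown
# kind or an empty value, and clears any earlier copy first so the
# console never sees both properties at once.
set_temp_ad_property() {
    cfg="$1"; kind="$2"; value="$3"
    case "$kind" in
        domain|site) ;;
        *) echo "kind must be 'domain' or 'site', got '$kind'" >&2; return 2 ;;
    esac
    [ -n "$value" ] || { echo "value for ad.config.$kind is empty" >&2; return 2; }
    clear_temp_ad_property "$cfg" || return 1
    printf '%s\n' "-Dad.config.$kind=$value" >> "$cfg"
}

# Sanity check before restarting the service: how many temporary
# ad.config.* properties are present (must be 0 or 1).
count_temp_ad_properties() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    grep -c -E '^-Dad\.config\.(domain|site)=' "$1" || true
}
```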