Chatta subito con l'assistenza
Chat con il supporto

Safeguard Authentication Services 5.1 - Upgrade Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Upgrade Windows components Configure Active Directory Configure Unix agent components Upgrade client components manually Getting started with Safeguard Authentication Services Troubleshooting

Active Directory optimization

Indexing certain attributes used by the Safeguard Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project.

The Control Center, Preferences | Schema Attributes | Unix Attributes panel displays a warning if the Active Directory configuration is not optimized according to best practices.

One Identity recommends that you index the following attributes in Active Directory:

  • User UID Number
  • User Unix Name
  • Group GID Number
  • Group Unix Name

Note: LDAP display names vary depending on your Unix attribute mappings.

It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by Safeguard Authentication Services Unix agents.

Click the Optimize Schema link to run a script that updates these attributes as necessary. The Optimize Schema option is only available if you have not optimized the Unix schema attributes defined for use in Active Directory.

This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator who has rights to make the necessary changes.

All schema optimizations are reversible and no schema extensions are applied in the process.

Use Safeguard Authentication Services PowerShell

Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.

You can perform the following tasks using PowerShell cmdlets:

  • Unix-enable Active Directory users and groups
  • Unix-disable Active Directory users and groups
  • Manage Unix attributes on Active Directory users and groups
  • Search for and report on Unix-enabled users and groups in Active Directory
  • Install product license files
  • Manage Safeguard Authentication Services global configuration settings
  • Find Group Policy objects with Unix/macOS settings configured

Using the Safeguard Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.

Unix-enabling a user and user group (PowerShell Console)

The following procedure explains how to Unix-enable a user and user group using the Authentication Services PowerShell Console.

To Unix-enable a user and user group

  1. From the Control Center, navigate to Tools | Safeguard Authentication Services.
  2. Click Safeguard Authentication Services PowerShell Console.

    Note: The first time you launch the PowerShell Console, it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this, you will never be asked this question again on this machine.

  3. At the PowerShell prompt, enter the following:
    Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

    Note: You created the UNIXusers group in a previous exercise. See Adding an Active Directory group account.

    Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:

    ObjectClass              : group
    DistinguishedName        : CN=UNIXusers,CN=Users,DC=example,DC=com
    ObjectGuid               : 71aaa88-d164-43e4-a72a-459365e84a25
    GroupName                : UNIXusers
    UnixEnabled              : True
    GidNumber                : 1234567
    AdsPath                  : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
                               DC=example,DC=com
    CommonName               : UNIXusers
  4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
    Enable-QasUnixUser ADuser | Seet-QasUnixUser -PrimaryGidNumber 1234567

    The Unix properties of the user display:

    ObjectClass              : user
    DistinguishedName        : CN=ADuser,CN=Users,DC=example,DC=com
    ObjectGuid               : 5f83687c-e29d-448f-9795-54d272cf9f25
    UserName                 : ADuser
    UnixEnabled              : True
    UidNumber                : 80791532
    PrimaryGidNumber         : 1234567
    Gecos                    :
    HomeDirectory            : /home/ADuser
    LoginShell               : /bin/sh
    AdsPath                  : LDAP://windows.example.com/CN=ADuser,CN=Users,
                               DC=example,DC=com
    CommonName               : ADuser
  5. To disable the ADuser user for Unix login, at the PowerShell prompt enter:
    Disable-QasUnixUser ADuser

    Note: To clear all Unix attribute information, enter:

    Clear-QasUnixUser ADuser

    Now that you have Unix-disabled the user, that user can no longer log in to systems running the Safeguard Authentication Services agent.

  6. From the Control Center, under Login to remote host, enter:
    • Host name: The Unix host name.
    • User name: The Active Directory user name, ADuser.

    Click Login to log in to the Unix host with your Active Directory user account.

    A PuTTY window displays.

    Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.

  7. Enter the password for the Active Directory user account.

    You will receive a message that says Access denied.

PowerShell cmdlets

Safeguard Authentication Services supports the flexible scripting capabilities of PowerShell to automate administrative, installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Safeguard Authentication Services.

Table 21: PowerShell cmdlets
cmdlet name Description

Add-QasLicense

Installs an Safeguard Authentication Services license file in Active Directory. Licenses installed this way are downloaded by all Unix clients.

Clear-QasUnixGroup

Clears the Unix identity information from group object in Active Directory. The group is no longer Unix-enabled and will be removed from the cache on the Safeguard Authentication Services Unix clients.

Clear-QasUnixUser

Clears the Unix identity information from a user object in Active Directory. The user is no longer Unix-enabled will be removed from the cache on the Safeguard Authentication Services Unix clients.

Disable-QasUnixGroup

Unix-disables a group and will be removed from the cache on the Safeguard Authentication Services Unix clients. Similar to Clear-QasUnixGroup except the Unix group name is retained.

Disable-QasUnixUser

Removes an Active Directory user‘s ability to log in on Unix hosts. (The user will still be cached on the Safeguard Authentication Services Unix clients.)

Enable-QasUnixGroup

Enables an Active Directory group for Unix by giving a Unix GID number. The GID number is automatically generated.

Enable-QasUnixUser

Enables an Active Directory user for Unix. The required account attributes UID number, primary GID number, GECOS, login shell, and home directory are generated automatically.

Get-QasConfiguration

Returns an object representing the Safeguard Authentication Services application configuration data stored in Active Directory.

Get-QasGpo

Returns a set of objects representing GPOs with Unix and/or macOS settings configured. This cmdlet is in the Quest.AuthenticationServices.GroupPolicy module.

Get-QasLicense

Returns objects representing the Safeguard Authentication Services product licenses stored in Active Directory.

Get-QasOption

Returns a set of configurable global options stored in Active Directory that affect the behavior of Safeguard Authentication Services.

Get-QasSchema

Returns the currently configured schema definition from the Safeguard Authentication Services application configuration.

Get-QasSchemaDefinition

Returns a set of schema templates that are supported by the current Active Directory forest.

Get-QasUnixGroup

Returns an object that represents an Active Directory group as a Unix group. The returned object can be piped into other cmdlets such as Clear-QasUnixGroup or Enable-QasUnixGroup.

Get-QasUnixUser

Returns an object that represents an Active Directory user as a Unix user. The returned object can be piped into other cmdlets such as Clear-QasUnixUser or Enable-QasUnixUser.

Get-QasVersion

Returns the version of Safeguard Authentication Services currently installed on the local host.

Move-QasConfiguration

Moves the Safeguard Authentication Services application configuration information from one container to another in Active Directory.

New-QasAdConnection

Creates an object that represents a connection to Active Directory using specified credentials. You can pass a connection object to most Safeguard Authentication Services cmdlets to execute commands using different credentials.

New-QasArsConnection

Creates an object that represents a connection to an Active Roles Server using the specified credentials. You can pass a connection object to most Safeguard Authentication Services cmdlets to execute commands using different credentials.

New-QasConfiguration

Creates a default Safeguard Authentication Services application configuration in Active Directory and returns an object representing the newly created configuration.

Remove-QasConfiguration

Accepts a Safeguard Authentication Services application configuration object as input and removes it from Active Directory. This cmdlet produces no output.

Remove-QasLicense

Accepts an Safeguard Authentication Services product license object as input and removes the license from Active Directory. This cmdlet produces no output.

Set-QasOption

Accepts an Safeguard Authentication Services options set as input and saves it to Active Directory.

Set-QasSchema

Accepts an Safeguard Authentication Services schema template as input and saves it to Active Directory as the schema template that will be used by all Safeguard Authentication Services Unix clients.

Set-QasUnixGroup

Accepts a Unix group object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Set-QasUnixUser

Accepts a Unix user object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Safeguard Authentication Services PowerShell cmdlets are contained in PowerShell modules named Quest.AuthenticationServices and Quest.AuthenticationServices.GroupPolicy. Use the Import-Module command to import the Safeguard Authentication Services commands into an existing PowerShell session.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione