Converse agora com nosso suporte
Chat com o suporte

Safeguard Authentication Services 5.0.2 - Upgrade Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Upgrade the web console Upgrade Windows components Configure Active Directory Configure Unix agent components Upgrade client components manually Getting started with Safeguard Authentication Services
Getting acquainted with the Control Center Learning the basics
Troubleshooting

About Active Directory configuration

The first time you install or upgrade the Safeguard Authentication ServicesWindows components in your environment, One Identity recommends that you configure Active Directory for Safeguard Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the application configuration in your forest. Safeguard Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise. Without the application configuration, store UNIX attributes in the RFC2307 standard attributes to achieve the most functionality.

Note: If you do not configure Active Directory for Safeguard Authentication Services, you can run your client agent in Version 3 Compatibility Mode, which allows you to join a host to an Active Directory domain.

See Version 3 Compatibility Mode in the Safeguard Authentication Services Installation Guide for details.

The Safeguard Authentication Services application configuration stores the following information in Active Directory:

  • Application Licenses
  • Settings controlling default values and behavior for Unix-enabled users and groups
  • Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.

The Safeguard Authentication Services application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If Safeguard Authentication Services finds multiple configurations, it uses the one created first as determined by reading the whenCreated attribute. The only time this would be a problem is if different groups were using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.

The first time you run the Control Center, the Safeguard Authentication Services Active Directory Configuration Wizard walks you through the setup.

Note: You can also create the Safeguard Authentication Services application configuration from the Unix command line, if you prefer.

You can modify the settings using Safeguard Authentication ServicesControl Center| Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.

The following table summarizes the required rights.

Table 10: Safeguard Authentication Services Required rights
Rights required For user Object class Attributes
Create Child Object Safeguard Authentication Services Administrators Only Container cn, displayName, description, showInAdvancedViewOnly
Write Attribute Safeguard Authentication Services Administrators Only Container  
Read Attribute Authenticated Users Container cn, displayName, description, whenCreated

At any time you can completely remove the Safeguard Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the application configuration, Safeguard Authentication Services Active Directory-based management tools do not function.

Join the host to AD without the Safeguard Authentication Services application configuration

You can install the Safeguard Authentication Services Agent on a Unix system and join it to Active Directory without installing Safeguard Authentication Services on Windows and setting up the Safeguard Authentication Services Application Configuration.

The Safeguard Authentication Services 4.x client-side agent required detection of a directory-based Application Configuration data object within the Active Directory forest in order to join the host computer to the Active Directory Domain. Safeguard Authentication Services 4.0.2 removed this requirement for environments where directory-based User and/or Group identity information is not needed on the host Unix computer. These environments include full Mapped-User environments, GSSAPI based authentication-only environments, or configurations where the Safeguard Authentication Services agent will auto-generate posix attributes for Active Directory Users and Groups objects.

Version 3 Compatibility Mode

When upgrading to or installing Safeguard Authentication Services 4.x, you can choose not to configure Active Directory for Safeguard Authentication Services and run your Safeguard Authentication Services client agent in Version 3 Compatibility Mode. While this prevents you from running the Control Center and accessing its many features and tools, you can join a host to an Active Directory domain when operating in Version 3 Compatibility Mode.

Note: When you run the join command without first creating a One Identity Application Configuration, Safeguard Authentication Services displays a warning.

Without the Safeguard Authentication Services application configuration the following information is stored locally:

  • Application Licenses
  • Settings controlling default values and behavior for Unix-enabled users and groups
  • Schema configuration
Best practice

Because Version 3 Compatibility Mode does not allow you run the Control Center and access its many features and tools, One Identity recommends that you create the application configuration so you can utilize full Safeguard Authentication Services functionality.

There are two ways to create the application configuration:

  • When you start the Control Center from a Windows workstation, the Set up Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to lead you through the process of configuring Active Directory for Safeguard Authentication Services.
  • Alternatively, you can run vastool configure ad from the Unix command line to create the One Identity Application Configuration in Active Directory.

Configure Unix agent components

The Control Center gives you access to the tools you need to perform Unix identity management tasks.

Note: If the Control Center is not currently open, you can either double-click the desktop icon or access it by means of the Start menu.

Follow the steps outlined on the Control CenterHome page to get your Unix agents ready.

To start the management console

  1. From the Control Center, click the Management Console link in the left navigation pane.
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação