One Identity Management Console for Unix 2.5.2 - Administration Guide


Configure Active Directory for Authentication Services

To utilize full Active Directory functionality, when you install Authentication Services in your environment, One Identity recommends that you prepare Active Directory to store the configuration settings that it uses. Authentication Services adds the Unix properties of Active Directory users and groups to Active Directory and allows you to map a Unix user to an Active Directory user. This is a one-time process that creates the Authentication Services application configuration in your forest.

Note: To use the Authentication Services Active Directory Configuration Wizard, you must have rights to create a container in Active Directory.

If you do not configure Active Directory for Authentication Services, you can run your Authentication Services client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain. See Version 3 Compatibility Mode in the Authentication Services Administration Guide for details.

When running Authentication Services in "Version 3 Compatibility Mode", you have the option in Management Console for Unix to set the schema configuration to use Windows 2003 R2. See Configuring Windows 2003 R2 schema for details. The Windows 2003 R2 schema option extends the schema to support the direct look up of Unix identities in Active Directory domain servers.

Configuring Active Directory for Authentication Services

This topic walks you through the Active Directory configuration process. If the Authentication Services application configuration already exists in your forest, skip this section.

To configure Active Directory for Authentication Services

  1. At the Authentication Services Active Directory Configuration Wizard Welcome dialog, click Next.

  2. At the Connect to Active Directory dialog:

    1. Provide Active Directory login credentials for the wizard to use for this task:

      • Select Use my current AD logon credentials if you are a user with permission to create a container in Active Directory.
      • Select Use different AD logon credentials to specify the Active Directory credentials of another user and enter the User name and Password.

      Note: The wizard does not save these credentials; it only uses them for this setup task.

    2. Indicate how you want to connect to Active Directory:

      Select whether to connect to an Active Directory Domain Controller or ActiveRoles Server.

      Note: If you have not installed the ActiveRoles Server MMC Console on your computer, the ActiveRoles Server option is not available.

    3. Optionally enter the Domain or domain controller and click Next.

  3. At the License Authentication Services dialog, browse to select your license file and click Next.

    Note: You can add additional licenses later. See Importing Authentication Services licenses for details.

  4. At the Configure Settings in Active Directory dialog, accept the default location in which to store the configuration or browse to select the Active Directory location where you want to create the container and click Setup.

    Note: You must have rights to create a container in the selected location.

  5. Once you have configured Active Directory for Authentication Services, click Close.

    The Control Center opens. You can now begin using Control Center to manage your Unix hosts.

  6. From the Control Center, click the Management Console navigation link to open the management console login page.

    Note: Refer to Launching the Management Console for other ways to open the management console.

  7. To take advantage of the additional Active Directory features you get when you use the management console with Authentication Services, log in as an Active Directory account in the Manage Hosts role and proceed to Displaying Authentication Services agent information.

    If you have not configured the management console for Active Directory as explained in Active Directory configuration, you will have to log in as supervisor.

About Active Directory configuration

The first time you install or upgrade the Authentication Services 4.x Windows tools in your environment, One Identity recommends that you configure Active Directory for Authentication Services. This is a one-time Active Directory configuration step that creates the Authentication Services application configuration in your forest. Authentication Services uses the information found in the Authentication Services application configuration to maintain consistency across the enterprise.

Note: Without the Active Directory configuration you can join Unix machines to Active Directory and if your domain supports Windows 2003 R2 Unix naming attributes, you can store Unix identity information in Active Directory. See Configuring Windows 2003 R2 schema for details.

The Authentication Services application configuration stores the following information in Active Directory:

  • Application Licenses
  • Settings controlling default values and behavior for Unix-enabled users and groups
  • Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.

The Authentication Services application configuration information is stored inside a container object with the fixed name cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If multiple configurations are found, Authentication Services uses the one created first as determined by reading the whenCreated attribute. If another group in your organization has already created an application configuration, use the existing configuration. The only time this would be a problem is if different groups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.

You can modify the settings using the Control Center Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.

This table summarizes the required rights:

Table 3: Required rights

| Rights              | Required For User                          | Object Class | Attributes                                        |
|---------------------|--------------------------------------------|--------------|---------------------------------------------------|
| Create Child Object | Authentication Services Administrators Only | Container    |                                                   |
| Write Attribute     | Authentication Services Administrators Only | Container    | cn, displayName, description, showInAdvancedViewOnly |
| Read Attribute      | Authenticated Users                        | Container    | cn, displayName, description, whenCreated         |
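The following PowerShell script is an added example, not from the One Identity guide or from the Authentication Services tooling. It turns two points above into a check an administrator can run before relying on the configuration: it searches every domain in the forest for the well-known container name and applies the "first whenCreated wins" rule to flag duplicate configurations, and it lists the Allow entries granted to Authenticated Users on the active container so the Read Attribute row of the rights table can be confirmed. It uses only the Microsoft ActiveDirectory module; the ACL step assumes the active container lives in the domain the session's AD: drive is connected to.

```powershell
# Added example (not from the One Identity guide): locate the Authentication Services
# application configuration container in every domain of the forest, pick the one
# Authentication Services would honour (earliest whenCreated), and list the access
# entries granted to Authenticated Users on it.
Import-Module ActiveDirectory

# Well-known container name quoted in the guide.
$configCn = '{786E0064-A470-46B9-83FB-C7539C9FA27C}'

# Query each domain separately so the search is not limited to the local domain.
$found = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -Server $domain `
        -LDAPFilter "(&(objectClass=container)(cn=$configCn))" `
        -Properties whenCreated, description
}

if (-not $found) {
    Write-Warning 'No Authentication Services application configuration found in this forest.'
    return
}

# Authentication Services uses the configuration created first (by whenCreated).
$sorted = @($found | Sort-Object whenCreated)
$active = $sorted[0]
Write-Output "Active configuration: $($active.DistinguishedName) (created $($active.whenCreated))"

if ($sorted.Count -gt 1) {
    Write-Warning "Found $($sorted.Count) configurations; only the first is used. Extras:"
    $sorted | Select-Object -Skip 1 | ForEach-Object {
        Write-Warning "  $($_.DistinguishedName) (created $($_.whenCreated))"
    }
}

# Rights check: Unix clients read cn, displayName, description and whenCreated as
# Authenticated Users. Assumption: the active container is in the domain the AD:
# drive is connected to (the domain this session is logged on to).
$acl = Get-Acl -Path "AD:\$($active.DistinguishedName)"
$authUsers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like '*\Authenticated Users'
}
if ($authUsers) {
    $authUsers | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize
} else {
    Write-Warning 'No Allow entries for Authenticated Users; Unix agents may fail to read the configuration.'
}
```

Run it from an account that can read the configuration containers in each domain. A forest with more than one match is the situation the text describes (another group created its own configuration); the script only reports it, and the remedy stays as the guide states: standardize on one schema and migrate attributes rather than keeping two configurations.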

At any time you can completely remove the Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the Authentication Services application configuration (or Windows 2003 R2 schema),

  • Unix agents will not load Unix identity from Active Directory
  • The management console will not find any Authentication Services licenses
  • The management console will not know which schema to use; thus, it will run as if Authentication Services had never been installed.
  • Authentication Services Active Directory-based management tools will not function

Displaying Authentication Services agent information

If the information related to Authentication Services does not display in the management console, you can use the Columns menu in the View panel of the task bar to expose the Authentication Services-related columns in the management console; that is, the Authentication Services state column, represented with the icon, the Version, and Joined to Domain columns.

To display the Authentication Services-related information

  1. From the All Hosts view, open the Columns menu, in the View panel, and choose Authentication Services.

    The Authentication Services columns display in the management console; that is, the Authentication Services state column, represented with the icon, the Authentication Services Version and Joined to Domain columns.

Note: Once you have opened (or closed) a column group, the management console remembers the setting from session to session. However, if you reinstall Management Console for Unix, it reverts back to the default of showing all columns.
