One Identity Management Console for Unix 2.5.2 - Administration Guide


Active Directory Group Properties

The Active Directory group properties dialog displays when you right-click a group on the Active Directory tab and select Properties. The dialog shows the name of the selected group and consists of the following tabs:

  • General
  • Members
  • Members Of
  • Unix Account

General tab

Use the General tab to review or modify the general properties for the selected Active Directory group. The General tab contains the following information about the selected group:

Table 43: Active Directory Group Properties: General tab
Option                           Description
Group name (pre-Windows 2000)    The name of the group.
Description                      Comments describing the group.

Members tab

The Members tab displays the Active Directory users that are members of the selected group. Use this tab to add or remove members to this group.

Use the following toolbar buttons to define the selected user’s group membership or to search for a specific group:

Table 44: Active Directory Group Properties: Members tab toolbar
Option               Description
Add Members          Click the Add Members button to display the Add members to Group tab, where you can identify a new member.
Remove Members       Click the Remove Members button to remove a member from the group's membership.
Search for members   Use the Search for members box to filter the list of members displayed based on a text string. As you enter characters into the text box, the management console lists the members that match (contain) the criteria entered. Click to remove the filtering and redisplay the original list.

Members Of tab

The Members Of tab displays the Active Directory objects (users, groups, computers) that are members of the group.

Unix Account tab

When you have configured the management console to recognize Active Directory objects (see Configuring the console to recognize Unix attributes in AD), you can use the Unix Account tab to enable Unix access for the selected Active Directory group. Use this tab to define the Unix identity attributes of the selected group:

Table 45: Active Directory Group Properties: Unix Account tab
Option               Description
Unix-enabled         Select this option to Unix-enable the selected group. When you select this option, the management console enables the following fields. Use them to assign these Unix identity attributes to the selected group.

                     NOTE: When enabled, the required fields are pre-populated with default values. Select OK to Unix-enable the group using these default settings.

Group Name           This is a read-only field that displays the sAMAccountName assigned to the selected group.
GID Number           The GID number for the group.
Generate unique ID   Click this button to generate a unique GID number for the group.
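The Unix Account tab assigns a gidNumber to the group and offers to generate a unique one. The following added example (not One Identity code, and not how the console itself allocates IDs) shows the check an administrator wants before Unix-enabling a group: detect GIDs already shared between groups and pick a free one from an assumed allocation range, using a constructed list of group records instead of a live directory.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

GID_RANGE = range(10000, 20000)  # assumed allocation range; constructed for this example

@dataclass
class AdGroup:
    sam_account_name: str              # read-only Group Name on the Unix Account tab
    gid_number: Optional[int] = None   # gidNumber attribute; None = not Unix-enabled

def gid_conflicts(groups: List[AdGroup]) -> Dict[int, List[str]]:
    """Map each GID held by more than one group to the groups holding it."""
    by_gid: Dict[int, List[str]] = {}
    for g in groups:
        if g.gid_number is not None:
            by_gid.setdefault(g.gid_number, []).append(g.sam_account_name)
    return {gid: names for gid, names in by_gid.items() if len(names) > 1}

def generate_unique_gid(groups: List[AdGroup], gid_range=GID_RANGE) -> int:
    """Lowest GID in gid_range that no group in the sample already uses."""
    used = {g.gid_number for g in groups if g.gid_number is not None}
    for gid in gid_range:
        if gid not in used:
            return gid
    raise RuntimeError("GID range exhausted")

def unix_enable_group(groups: List[AdGroup], sam_account_name: str,
                      gid_number: Optional[int] = None, gid_range=GID_RANGE) -> int:
    """Unix-enable the named group; refuse a GID another group already holds."""
    group = next((g for g in groups if g.sam_account_name == sam_account_name), None)
    if group is None:
        raise KeyError(f"no group named {sam_account_name}")
    if gid_number is None:
        gid_number = generate_unique_gid(groups, gid_range)
    holder = next((g for g in groups if g.gid_number == gid_number and g is not group), None)
    if holder is not None:
        raise ValueError(f"GID {gid_number} already assigned to {holder.sam_account_name}")
    group.gid_number = gid_number
    return gid_number

SAMPLE_GROUPS = [  # constructed sample data, not taken from any real directory
    AdGroup("unixadmins", 10000),
    AdGroup("developers", 10001),
    AdGroup("legacy-ops", 10001),   # duplicate GID: the UID or GID conflicts case
    AdGroup("auditors"),            # not yet Unix-enabled
]

if __name__ == "__main__":
    print("GID conflicts:", gid_conflicts(SAMPLE_GROUPS))
    print("auditors GID:", unix_enable_group(SAMPLE_GROUPS, "auditors"))
```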

Authentication Services integration

You can unlock these additional Active Directory features when you install Authentication Services 4.x on hosts you manage with the management console:

  • Join systems to Active Directory and implement AD-based authentication for Unix, Linux, and Mac systems.
  • Activate the Unix Account and Local User Accounts tabs on Active Directory user properties.
  • Activate the Unix Account tab on the Active Directory group properties.
  • Map a Unix user to an Active Directory user.
  • Create reports about Unix-enabled Active Directory users and groups.
  • Create Logon Policy for AD User and Logon Policy for Unix Host reports that show which user is permitted to log into which Unix host.

Note: See Configure Active Directory for Authentication Services for more information about setting up the console for full Active Directory functionality.

After you install the core version of Management Console for Unix, add and profile at least one host, and enable the Active Directory features (as explained in Enabling Active Directory features), take these steps to configure the management console for Authentication Services:

  1. Install Authentication Services on the Active Directory domain for which the console is configured.
  2. Configure Active Directory for Authentication Services.
  3. Choose to view the Authentication Services information in the management console.
  4. Check for AD Readiness.
  5. Install Authentication Services Software Packages on Hosts.
  6. Discover the Authentication Services license in the management console.
  7. Join to Active Directory.
  8. Configure Host Access Control.

The following topics walk you through these steps.

Installing Authentication Services

Install Authentication Services on each Windows workstation you plan to use to administer Unix data in Active Directory.

To install the Authentication Services Windows components

  1. Mount the distribution media.

    Autorun starts automatically.

    Note: To start the Autorun installation wizard, you can also navigate to the root of the distribution media and double-click the autorun application file.

  2. From the Autorun Setup tab, click Authentication Services to launch the Setup wizard.

    The Authentication Services Setup Wizard starts automatically.

  3. Click Next at the Welcome dialog and follow the wizard prompts.

    The wizard leads you through the following dialogs:

    • License Agreement
    • Choose Destination Location
    • Ready to Install the Program
    • InstallShield Wizard Complete
  4. Leave the Launch Authentication Services option selected on the InstallShield Wizard Complete dialog, and click Finish to automatically start the Control Center.

Note: The first time you install Authentication Services in your environment, the Authentication Services Active Directory Configuration Wizard starts automatically to walk you through the process of configuring Active Directory for Authentication Services. If the configuration has already been performed when you click Finish, the Control Center launches.

Configure Active Directory for Authentication Services

To use full Active Directory functionality when you install Authentication Services in your environment, One Identity recommends that you prepare Active Directory to store the configuration settings that Authentication Services uses. Authentication Services adds the Unix properties of Active Directory users and groups to Active Directory and allows you to map a Unix user to an Active Directory user. This is a one-time process that creates the Authentication Services application configuration in your forest.

Note: To use the Authentication Services Active Directory Configuration Wizard, you must have rights to create a container in Active Directory.

If you do not configure Active Directory for Authentication Services, you can run your Authentication Services client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain. See Version 3 Compatibility Mode in the Authentication Services Administration Guide for details.

When running Authentication Services in "Version 3 Compatibility Mode", you have the option in Management Console for Unix to set the schema configuration to use Windows 2003 R2. See Configuring Windows 2003 R2 schema for details. The Windows 2003 R2 schema option extends the schema to support the direct lookup of Unix identities in Active Directory domain servers.
