Chat now with support
Chat with Support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Configuring Active Directory for Authentication Services

This topic walks you through the Active Directory configuration process. If the Authentication Services application configuration already exits in your forest, skip this section.

To configure Active Directory for Authentication Services

  1. At the Authentication Services Active Directory Configuration Wizard Welcome dialog, click Next.

  2. At the Connect to Active Directory dialog:

    1. Provide Active Directory login credentials for the wizard to use for this task:

      • Select Use my current AD logon credentials if you are a user with permission to create a container in Active Directory.
      • Select Use different AD logon credentials to specify the Active Directory credentials of another user and enter the User name and Password.

      Note: The wizard does not save these credentials; it only uses them for this setup task.

    2. Indicate how you want to connect to Active Directory:

      Select whether to connect to an Active Directory Domain Controller or ActiveRoles Server.

      Note: If you have not installed the ActiveRoles Server MMC Console on your computer, the ActiveRoles Server option is not available.

    3. Optionally enter the Domain or domain controller and click Next.

  3. At the License Authentication Services dialog, browse to select your license file and click Next.

    Note: You can add additional licenses later. See Importing Authentication Services licenses for details.

  4. At the Configure Settings in Active Directory dialog, accept the default location in which to store the configuration or browse to select the Active Directory location where you want to create the container and click Setup.

    Note: You must have rights to create a container in the selected location.

  5. Once you have configured Active Directory for Authentication Services, click Close.

    The Control Center opens. You can now begin using Control Center to manage your Unix hosts.

  6. From the Control Center, click the Management Console navigation link to open the mangement console log in page.

    Note: Refer to Launching the Management Console for other ways to open the mangement console

  7. To take advantage of the additional Active Directory features you get when you use the mangement console with Authentication Services, log in as Active Directory account in the Manage Hosts role and proceed to Displaying Authentication Services agent information.

    If you have not configured the mangement console for Active Directory as explained in Active Directory configuration, you will have to log in as supervisor.

About Active Directory configuration

The first time you install or upgrade the Authentication Services 4.x Windows tools in your environment, One Identity recommends that you configure Active Directory for Authentication Services. This is a one-time Active Directory configuration step that creates the Authentication Services application configuration in your forest. Authentication Services uses the information found in the Authentication Services application configuration to maintain consistency across the enterprise.

Note: Without the Active Directory configuration you can join Unix machines to Active Directory and if your domain supports Windows 2003 R2 Unix naming attributes, you can store Unix identity information in Active Directory. See Configuring Windows 2003 R2 schema for details.

The Authentication Services application configuration stores the following information in Active Directory:

  • Application Licenses
  • Settings controlling default values and behavior for Unix-enabled users and groups
  • Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.

The Authentication Services application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If multiple configurations are found, Authentication Services uses the one created first as determined by reading the whenCreated attribute. If another group in your organization has already created an application configuration, use the existing configuration. The only time this would be a problem is if different groups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.

You can modify the settings using the Control Center Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.

This table summarizes the required rights:

Table 46: Required rights
Rights Required For User Object Class Attributes
Create Child Object Authentication Services Administrators Only Container  
Write Attribute Authentication Services Administrators Only Container cn, displayName, description, showInAdvancedViewOnly
Read Attribute Authenticated Users Container cn, displayName, description, whenCreated

At any time you can completely remove the Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the Authentication Services application configuration (or Windows 2003 R2 schema),

  • Unix agents will not load Unix identity from Active Directory
  • The mangement console will not find any Authentication Services licenses
  • The mangement console will not know which schema to use; thus, it will run as if Authentication Services had never been installed.
  • Authentication Services Active Directory-based management tools will not function

Displaying Authentication Services agent information

If the information related to Authentication Services does not display in the mangement console, you can use the Columns menu in the View panel of the task bar to expose the Authentication Services-related columns in the mangement console; that is, the Authentication Services state column, represented with the icon, the Version, and Joined to Domain columns.

To display the Authentication Services-related information

  1. From the All Hosts view, open the Columns menu, in the View panel, and choose Authentication Services.

    The Authentication Services columns display in the mangement console; that is, the Authentication Services state column, represented with the icon, the Authentication Services Version and Joined to Domain columns.

Note: Once you have opened (or closed) a column group, the mangement console remembers the setting from session to session. However, if you reinstall Management Console for Unix, it reverts back to the default of showing all columns.

Setting Authentication Services software path

During the installation process, the setup wizard copies the Authentication Services software packages to a default location on the local computer

The default client directories are:

  • On Windows platforms:
    %SystemDrive%:\Program Files\Quest Software\Management Console for Unix\software\qas\<version#>
  • On Unix/Linux platforms:
    /opt/quest/mcu/software/qas/<version#>

If you plan to install Authentication Services or Defender client software packages, or run the AD Readiness check, you must ensure the path to the software packages is correctly set in System Settings.

To ensure the path to the Authentication Services software packages is correctly set

  1. Make note of where your Authentication Services client software packages are located.

  2. Ensure that System Settings points to that location:

    1. Log in with the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role. See Console Roles and Permissions system settings for details.
    2. From the top-level Settings menu, navigate to System settings | Authentication Services.

    3. In the Path box, enter the path where the Authentication Services client software packages are located on the server and click OK.

    NoteS: The path to the software packages must point to the folder containing the client directory. If the path to the software packages is not pointing to where the client files are, you can either change the path or copy the files to the location.

    When running Management Console for Unix on Windows, the location of the Authentication Services software packages must be accessible to the mangement console service which runs as 'NT AUTHORITY\NetworkService'.

Related Documents