
One Identity Management Console for Unix 2.5.2 - Administration Guide


Viewing the QAS status errors

After you have checked the status of the Authentication Services hosts, you can view the reported failures or warnings on the Host Notifications tab.

To view QAS agent status

  1. From the Host Notifications tab, select the QAS Status view.

    Note: If the Host Notifications tab is not currently available on the management console, open the Open Views menu and choose Host Notifications.

  2. Expand the host to see the warning and failure messages.

    The QAS Status view indicates the health status of each listed Authentication Services host with one of three status icons:

    • Critical Failure
    • Failure
    • Warning
  3. To list only the hosts of one or more status levels
    1. Open the drop-down menu on the QAS Status state column header.
    2. Navigate to the Filters option.
    3. Choose one or more of the status levels.

    Note: The management console does not preserve the filter settings across log-on sessions. To clear the filter settings, click the Clear column filters button in the toolbar. If the Clear column filters button is not enabled, no status filters are set.

  4. To see the details about a particular warning or failure message, double-click it to open the Properties window.

    Note: You can also click the Show status properties icon in the toolbar to show status properties.

  5. To close the status Properties window, click the Show status properties icon again.
  6. To re-check the QAS agent status for a host, select any warning or failure for that host and click the Check QAS agent status button on the toolbar.

    Note: The Check QAS agent status button is only available when a warning or failure is selected.

  7. To change the auto-status configuration, open the Check menu and choose Check QAS agent status automatically....

    Note: You can also right-click any warning or failure to access the two Check QAS options.

Viewing the QAS status heartbeat errors

Each host sends a heartbeat every four hours by default. If the server has not received a heartbeat from a host for more than four hours, it displays an alert on the QAS Status Heartbeat tab.

Note: The QAS Status Heartbeat tab lists only hosts whose last heartbeat is more than four hours old.

To view QAS agent heartbeat

  1. From the Host Notifications tab, select the QAS Status Heartbeat view.

    The QAS Status Heartbeat view shows an alert, marked with a heartbeat-error icon, for each host that has failed to send a QAS agent status heartbeat:

    • No heartbeat received in over 4 hours

    Note: You can customize the heartbeat interval for the automatic QAS Status update. See Customize auto-task settings for details.

    When a host configured for automatic checking raises a QAS agent status heartbeat error, the console displays the alert on the QAS Status Heartbeat view and also shows the heartbeat-error icon in the Authentication Services state column on the All Hosts view.

Adding AD user to a local group

Once you have successfully joined a host to an Active Directory domain, use the Groups view on the host's properties to add an Active Directory user to a local group (or remove users from a group).

Note: This feature is only available when you are logged on as an Active Directory account in the Manage Hosts role. See Console Roles and Permissions system settings for details.

To add an Active Directory user to a local group

  1. On the All Hosts view, right-click a host that is joined to an Active Directory domain and choose Groups.

    You can also double-click the host name to open its properties, then click the Groups tab.

  2. Double-click a local group name or right-click the group name and choose Properties to open its properties.

  3. On the group's properties, click the Members tab, open the Add menu and choose AD user.

  4. On the Select Unix-Enabled AD User dialog, search Active Directory to locate users to add.

    Note: When searching Active Directory, the management console only lists Unix-enabled users. See Unix-enable an Active Directory user for details.

    To find a particular user you can filter the list of users. Enter one or more characters in the Search by name box. The management console automatically displays the users whose name contains the characters you enter.

    You can also click to select the container where you want to begin the search.

  5. Select one or more users from the list and click OK.

    The management console adds the selected users to the list on the Members tab, marked with the Active Directory user icon.

  6. Click OK on the Members tab to save your selections.

  7. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    This information is pre-populated if you saved the credentials for the host.

Note: To remove objects from a local group, select one or more objects from the list on the Members tab and click Remove User.
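After the console has written the change, the record that matters is the group entry on the Unix host itself. The following POSIX shell functions are an added example (not part of the product or this guide) for confirming, on the host, that the group now lists the Active Directory user. They assume the AD user appears in the group file under the name that `id` returns for it on that host (for example `jsmith` or `DOMAIN\jsmith`, depending on how Authentication Services is configured to present names); the sample group file at the bottom is constructed for a stand-alone run, not taken from a real host.

```shell
#!/bin/sh
# Host-side verification of a local-group membership change.

# group_members GROUP [GROUP_FILE]
# Print the comma-separated explicit member list of GROUP (4th field of the
# group file, default /etc/group). Prints nothing if the group does not exist.
group_members() {
    group=$1
    group_file=${2:-/etc/group}
    awk -F: -v g="$group" '$1 == g { print $4; exit }' "$group_file"
}

# in_local_group GROUP USER [GROUP_FILE]
# Return 0 if USER is an explicit member of GROUP, 1 otherwise.
# Matching is fixed-string and whole-field (-F -x), so a backslash in a
# DOMAIN\user name is not interpreted as a regex escape.
in_local_group() {
    group=$1
    user=$2
    group_file=${3:-/etc/group}
    group_members "$group" "$group_file" | tr ',' '\n' | grep -qxF -- "$user"
}

# Constructed sample group file (assumption: AD users show up as plain names
# or as DOMAIN\name). On a real host omit the third argument to read /etc/group.
sample_group=$(mktemp)
cat > "$sample_group" <<'EOF'
root:x:0:
wheel:x:10:root,jsmith
developers:x:1001:alice,DOMAIN\jsmith
EOF

for spec in "developers alice" "developers DOMAIN\\jsmith" "wheel alice"; do
    set -- $spec
    if in_local_group "$1" "$2" "$sample_group"; then
        echo "$2 is a member of $1"
    else
        echo "$2 is NOT a member of $1"
    fi
done
rm -f "$sample_group"
```

Run it as-is for the constructed data, or call `in_local_group developers 'DOMAIN\jsmith'` with no third argument on a joined host after the console reports success. An AD user that the console added but that does not appear here usually means the group write was made under a different name form than the one you are checking.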

Mapping local users to Active Directory users

Management Console for Unix provides a feature called "Require AD Logon" that lets you map local Unix user accounts to Active Directory user accounts. In other words, you specify the Active Directory account with which a local user must authenticate when logging in to a Unix host. Active Directory password policies are then enforced: these users must use their Active Directory password, together with either their local user name or their Active Directory logon name. Local users retain all of their local Unix attributes, such as UID number and login shell, but they authenticate with their Active Directory password.

Note: This feature is only available if you meet these criteria:

  • Authentication Services 4.x is installed on the client host
  • Your client host is joined to Active Directory
  • You are logged on as an Active Directory account in the Manage Hosts role. See Console Roles and Permissions system settings for details.

Advantages of Requiring Users to Log in with Active Directory Authentication:

  • Provides a rapid deployment path to take advantage of Active Directory authentication
  • Kerberos authentication provides stronger security
  • Enables centralized access control
  • Enforces Active Directory Password policies
  • Provides a path for consolidating identities in Active Directory with the Ownership Alignment Tool (OAT)
  • Low impact to existing applications and systems on the Unix host
  • Easy to deploy with Authentication Services self enrollment

By "mapping" a local user to an Active Directory account, the user can log in with the local Unix user name and the Active Directory password.
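Because the local account keeps its UID and shell while authentication moves to Active Directory, a mapping is only as good as the two names it joins: a local name that does not exist on the host, an AD name with no domain, or one local user mapped twice all leave the login path undefined. The script below is an added example, not code from One Identity or from this guide, for checking a mapping file before you enable Require AD Logon. It assumes (this page does not say so) that Authentication Services reads mappings as one `local_name:ad_user@DOMAIN` line per user, with `DOMAIN\user` also accepted, from a file listed under `user-map-files` in the `[vas_auth]` section of vas.conf, commonly `/etc/opt/quest/vas/user-map`; treat the path and syntax as assumptions to confirm against your Authentication Services documentation. The sample passwd and map files are constructed for a stand-alone run.

```shell
#!/bin/sh
# Validate a local-user -> AD-user map file against the host's passwd file.

# check_user_map MAP_FILE [PASSWD_FILE]
# Prints one line per problem found and returns the number of problems
# (0 means the file is clean). PASSWD_FILE defaults to /etc/passwd.
check_user_map() {
    map_file=$1
    passwd_file=${2:-/etc/passwd}
    problems=0
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in ''|\#*) continue ;; esac
        local_user=${line%%:*}
        ad_user=${line#*:}
        if [ "$local_user" = "$line" ] || [ -z "$local_user" ] || [ -z "$ad_user" ]; then
            echo "malformed line: $line"
            problems=$((problems + 1))
            continue
        fi
        # The local account must exist: its UID and shell are what survive the mapping.
        if ! awk -F: -v u="$local_user" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
            echo "no local account for '$local_user'"
            problems=$((problems + 1))
        fi
        # The AD side must be a qualified principal: user@DOMAIN or DOMAIN\user (assumed forms).
        case $ad_user in
            *@*|*\\*) ;;
            *) echo "'$ad_user' is not a qualified AD name"
               problems=$((problems + 1)) ;;
        esac
        # A local user mapped more than once is ambiguous at login time.
        case " $seen " in
            *" $local_user "*) echo "duplicate mapping for '$local_user'"
                               problems=$((problems + 1)) ;;
        esac
        seen="$seen $local_user"
    done < "$map_file"
    return "$problems"
}

# Constructed sample data (not from a real host): two real local accounts,
# then a map file with one good entry per accepted form and three bad lines.
sample_passwd=$(mktemp)
sample_map=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
EOF
cat > "$sample_map" <<'EOF'
# local_name:ad_user
alice:alice@CORP.EXAMPLE
bob:CORP\bob
carol:carol@CORP.EXAMPLE
alice:a.smith@CORP.EXAMPLE
dave
EOF

rc=0
check_user_map "$sample_map" "$sample_passwd" || rc=$?
echo "problems found: $rc"
rm -f "$sample_passwd" "$sample_map"
```

On a joined host, run `check_user_map /etc/opt/quest/vas/user-map` (adjusting the path to whatever your vas.conf names) and fix every reported line before the console's Require AD Logon setting takes effect; a nonexistent local account cannot keep a UID it never had, and a duplicate leaves it to the agent which AD password it will accept.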
