Chat now with support
Chat with Support

The Quest and One Identity Support Portals will be unavailable on Friday July 10, 2020 from 5:30 PM to 6:30 PM for website maintenance.

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Managing Directories

Use the controls and tabbed pages on the Directories page to perform the following tasks to manage directories:

Adding a directory

It is the responsibility of the Directory Administrator to add directories to Safeguard for Privileged Passwords.

Use the Directories view to add new directories to Safeguard for Privileged Passwords.

To add a directory

  1. Navigate to Administrative Tools | Directories.
  2. Click (or tap)  Add Directory from the toolbar.
  3. In the Directory dialog, provide information in each of the tabs:
    General tab

    Where you select the type of directory and add its service account information.

    Attributes tab

    Where you synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.

When you create a new directory, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules.

Related Topics

Adding directory accounts to a directory

Adding accounts to a directory profile

Modifying a directory

General tab

Use the Directories | General tab to specify the type of directory to be searched and add the required service account information.

Table 96: Directory: General tab properties
Property Description
Product

Select a type of directory:

  • Microsoft Active Directory
  • OpenLDAP 2.4

Required

Service Account Domain Name

For Active Directory, enter the fully qualified Active Directory domain name, such as example.com.

Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE.

Important: The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.

Limit: 255 characters

Required

Network Address

For OpenLDAP, enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.

Limit: 255 characters

Required

Service Account Name

For Active Directory, enter an account for Safeguard for Privileged Passwords to use for management tasks. When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click (or tap)Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request.

Important: Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords.

Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object which represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify.

Required

For more information, see About service accounts.

Service Account Distinguished Name

For OpenLDAP, enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com

Required

Limit: 255 characters

Service Account Password

Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.

Limit: 255 characters

Required

Description

Enter information about this external identity provider.

Limit: 255 characters

Connect

Click (or tap) Connect to verify the credentials and load the schema attributes for this directory.

Advanced Open to reveal the following synchronization settings:
Port

For OpenLDAP, enter the port used for communication with the LDAP directory.

Important: The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

Use SSL Encryption For OpenLDAP, select to enable Safeguard for Privileged Passwords to encrypt communication with an LDAP directory .
Verify SSL Certificate

For OpenLDAP, select to verify the SSL certificate. This option is only available when the Use SSL Encryption option is selected.

Sync additions every

Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

Default: 15 minutes

Range: Between 1 and 2147483647

Sync deletions every

Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

Default: 15 minutes

Range: Between 1 and 2147483647

Attributes tab

On the Attributes tab, synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.

The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.

To map the Safeguard for Privileged Passwords properties to different directory attributes

  1. Browse to select one or more object classes for the users, computers, and groups categories.

    Note: You can use or remove the default object class.

  2. If you do not want to use the default property, begin typing in the property box. Safeguard for Privileged Passwords's auto-complete feature immediately displays a list of attributes to choose. Safeguard for Privileged Passwords only allows you to choose attributes that are valid for the object classes you have selected for users, groups, and computers.
  3. Once you have set all the properties, click (or tap) Add Directory.

The following tables list the default directory attributes.

Table 97: Default directory attributes
Safeguard for Privileged Passwords Attribute Directory Attribute
Users
Object Class

Browse to select a class definition that defines the valid attributes for the user object class.

Default: user for Active Directory, inetOrgPerson for LDAP

User Name

sAMAccountName for Active Directory, cn for LDAP

Password

userPassword for LDAP

First Name

givenName

Last Name

sn

Work Phone

telephoneNumber

Mobile Phone

mobile

Email

mail

Description

description

Computers
Object Class

Browse to select a class definition that defines the valid attributes for the computer object class.

Default: computer for Active Directory, ipHost for LDAP

Name

cn

Network Address

dNSHostName for Active Directory, ipHostNumber for LDAP

Operating System

operatingSystem for Active Directory

Operating System Version

operatingSystemVersion for Active Directory

Description

description

Groups
Object Class

Browse to select a class definition that defines the valid attributes for the group object class.

Default: group for Active Directory, groupOfNames for LDAP

Name

sAMAccountName for Active Directory, cn for LDAP

Member

member

Description

description

Related Documents