
Safeguard Authentication Services 4.1.5 - Evaluation Guide


Install software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. On the Install Software dialog, select the Authentication Services software products you want to install and click OK.
    • Authentication Services Agent (Required) - Select to allow Active Directory users access to the selected hosts. Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include: vasd, nss_vas, pam_vas, and vastool.
    • Authentication Services for Group Policy (Required) - Select to install the Group Policy component which provides Active Directory Group Policy support for Unix, Linux, and Mac OS X platforms.
    • Authentication Services for NIS - Select to install the NIS Proxy component which provides the NIS compatibility features for Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Authentication Services for LDAP - Select to install the LDAP Proxy component which provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater - Select to install the Dynamic DNS Updater component which provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module - Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.
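The LDAP Proxy described above only protects bind credentials if the plain text LDAP hop stays on the loopback interface. The following check is an added example, not part of the One Identity documentation: it reads listener output in the format of `ss -ltn` and flags any LDAP listener that is not bound to 127.0.0.1 or [::1]. The port (389) and the sample `ss` output are assumptions constructed for the example; vasldapd's actual listening port comes from your own configuration.

```shell
#!/bin/sh
# Added example (not from the One Identity documentation): flag plain text LDAP
# listeners that are reachable beyond the loopback interface.
# Assumption: the proxy listens on the standard LDAP port 389; override with LDAP_PORT.
LDAP_PORT="${LDAP_PORT:-389}"

# Constructed sample in `ss -ltn` format: a loopback IPv4 and IPv6 listener (fine)
# plus a wildcard listener on the same port (exposed to the network).
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:389        0.0.0.0:*
LISTEN  0       128     0.0.0.0:389          0.0.0.0:*
LISTEN  0       128     [::1]:389            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# Reads `ss -ltn` style text from stdin, prints each LDAP listener whose local
# address is not loopback, and returns 1 when at least one such listener exists.
check_ldap_listeners() {
    awk -v port="$LDAP_PORT" '
        NR > 1 && $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            # Strip ":<port>" to get the bare address, including bracketed IPv6.
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]") {
                print "exposed plaintext LDAP listener: " addr
                exposed = 1
            }
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Runs the check over the constructed sample. On a live host use:
#   ss -ltn | check_ldap_listeners
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_ldap_listeners
}

if check_sample; then
    echo "all LDAP listeners are loopback-only"
fi
```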

    Note: You must install the Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify that the path to the software packages is correctly set in System Settings. (Refer to Set the Authentication Services Client Software Location on the Server in the management console online help for details.)

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, the dialog asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, the dialog displays a grid in which you can enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Join hosts to Active Directory

In order to manage access to a host using Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account for that host. Once you have deployed and installed the Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join menu to join the host to an Active Directory domain.

To join hosts to Active Directory

  1. Select one or more hosts from the list on the All Hosts view, open the Join or Configure menu tool bar button and select Join to Active Directory.

    Note: The Join to Active Directory tool bar menu is enabled when you select hosts that have the Authentication Services Agent installed and are not yet joined to Active Directory.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (joined, not joined).

  2. On the Join Host to Active Directory dialog, enter the following information to define how and where you want to join the host to Active Directory:
    1. Select the Active Directory domain to use for the join operation or enter the FQDN of the Active Directory domain.

      Use the same domain you entered when you performed the Check for AD Readiness.

    2. Optionally enter a name for the computer account for the host.

      Leave this field blank to generate a name based on the host's DNS name.

    3. Click the button to locate and select a container in which to create the host computer account.
    4. Enter the optional join commands to use.

      See Optional Join Commands in the management console online Help for a list of the commands available.

    5. Enter the user name and password to log onto Active Directory.

      The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials. The management console pre-populates this information.

    The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.

Getting started with Authentication Services

Once you have successfully installed Authentication Services you will want to learn how to do some basic system administration tasks using the Control Center and Management Console for Unix.

Getting acquainted with the Control Center

Authentication Services consists of plugins, extensions, security modules and utilities spread across nearly every operating system imaginable. The Control Center pulls those parts together and provides a single place for you to find the information and resources you need.

Control Center installs on Windows and is a good starting place for new users to get comfortable with some of Authentication Services' capabilities.

You can launch the Control Center from the Start menu, by double-clicking the desktop icon, or by double-clicking the Control Center application file in %SystemDrive%\Program Files (x86)\Quest Software\Authentication Services.

Table 11: Control Center: Navigation links

  • Home - The "Welcome" page provides information about how to use the Control Center tools and features.
  • Management Console - You can run the One Identity Management Console for Unix within the Control Center or you can run it separately in a supported web browser. The management console is a separate install on Windows, Unix, Linux, or Mac OS X that you can launch from the ISO. Typically you install one management console per environment to avoid redundancy. One Identity does not advise managing a Unix host by more than one management console, in order to avoid redundancy and inconsistencies in stored information. If you manage the same Unix host by more than one management console, you should always re-profile that host to minimize inconsistencies that may occur between instances of the management consoles.
  • Group Policy - The Control Center provides the ability to search Active Directory Group Policy Objects that have Unix and Mac OS X settings defined. It also provides links to edit these GPOs and to run reports that show the detailed settings of the Group Policy Objects.
  • Tools - The Control Center provides links to additional tools and resources available with Authentication Services, a good starting place for anyone new to the product.
  • Preferences - The Control Center allows you to centrally manage the default values generated by the various Authentication Services management tools, including the ADUC snap-in, the PowerShell cmdlets, and the Unix command-line tools.
  • Log into remote host - The Control Center provides a simple SSH client (built on PuTTY) for remote access to Unix systems, so new installs do not have to find and install a separate PuTTY client.

To run Control Center you must be logged in as a domain user. To make changes to global settings you must have rights in Active Directory to create, delete, and modify objects in the Authentication Services configuration area of Active Directory.
