Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Evaluation Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Installing and configuring Authentication Services Getting started with Authentication Services

Enable local user for AD authentication

This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user. Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantage of the benefits of Active Directory security and access control.

To enable a local user for Active Directory authentication

  1. From the mangement console Host tab's All Hosts view, double-click a host to open its properties.
  2. Select the Users tab and double-click the localuser account to open its properties.

    Note: To set up this local user account, see Add local user account.

  3. On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.
  4. On the Select AD User dialog, click the Search button to populate the list of Active Directory users, select the ADuser account, and click OK.

    Note: To set up this Active Directory user, see Add an Active Directory user account.

  5. On the localuser's properties, click OK.
  6. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    You have now "mapped" a local user to an Active Directory user and the mangement console indicates that the local user account requires an Active Directory password to log onto the Host in the AD User column.

You can also map multiple Unix users to use a single Active Directory account using the Require AD Logon pane on the All Local Users tab.

To assign (or "map") a Unix user to an Active Directory user

  1. From the All Local Users tab, select one or more local Unix users.
  2. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

    (Click the Directory button to search in a specific folder.)

  3. Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.
  4. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix user(s) displays in the AD User column of the All Local Users tab.

Test the mapped user login

Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are "mapped".

To test the mapped user login

  1. From the Control Center, under "Login to remote host", enter:
    • the Unix host name in the Host name box
    • the local user name, localuser, in the User name box

    and click Login to log onto the Unix host with your local user account.

  2. If the PuTTY Security Alert dialog opens, click Yes to accept the new key.
  3. Enter the password for ADuser, the Active Directory user account you mapped to localuser, when you selected the Require an AD Password to logon to Host option on the user's properties.
  4. At the command line prompt, enter id to view the Unix account information.
  5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.
  6. Enter exit to close the command shell.

You just learned how to manage local users and groups from Management Console for Unix by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password for the Active Directory user account to whom you are "mapped".

Unix-enable an Active Directory group

To Unix-enable an Active Directory group

  1. On the mangement console's Active Directory tab, open the Find box drop-down menu and choose Groups.
  2. Enter a group name, such as UNIX, in the Search by name box and press Enter.
  3. Double-click the group name, such as UNIXusers, to open its properties.

    Note: To set up this Active Directory user account, see Add an Active Directory group account.

  4. On the Unix Account tab, select the Unix-enabled option and click OK.

Unix-enable an Active Directory user

To Unix-enable an Active Directory user

  1. On the mangement console's Active Directory tab, open the Find box drop-down menu and choose Users.
  2. Click next to the Search by name box to search for all Active Directory users. Or, enter a portion of your ADuser log on name in the Search by name box and press Enter.
  3. Double-click ADuser, the Active Directory user name, to open its properties.
  4. On the Unix Account tab, select the Unix-enabled option.

    It populates the properties with default Unix attribute values.

  5. Make other modifications to these settings, if necessary, and click OK to Unix-enable the user.

    Note: There are additional settings that you can set using PowerShell which allows you to validate entries for the GECOS, Home Directory, and Login Shell attributes. Refer to Use Authentication Services PowerShell to learn more about that.

    Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.

Related Documents