Configuring Active Directory for Authentication Services
The first time you install Authentication Services in your environment, One Identity recommends that you perform this one-time Active Directory configuration step to utilize full Authentication Services 4.1 functionality.
|
|
Note: If you do not configure Active Directory for Authentication Services, you can run your Authentication Services client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain. (For more information, see Version 3 Compatibility Mode in the Authentication ServicesInstallation Guide.) |
To configure Active Directory for Authentication Services
- At the Authentication Services Active Directory Configuration Wizard Welcome dialog, click Next.
- At the Connect to Active Directory dialog:
- Provide Active Directory login credentials for the wizard to use for this task:
- Select Use my current AD logon credentials if you are a user with permission to create a container in Active Directory.
- Select Use different AD logon credentials to specify the Active Directory credentials of another user, enter the User name and Password.
Note: The wizard does not save these credentials; it only uses them for this setup task.
- Indicate how you want to connect to Active Directory:
Select whether to connect to an Active Directory Domain Controller or One Identity Active Roles Server.
Note: If you have not installed the One Identity Active Roles Server MMC Console on your computer, the ActiveRoles Server option is not available.
- Optionally enter the Domain or domain controller and click Next.
- Provide Active Directory login credentials for the wizard to use for this task:
- At the License Authentication Services dialog, browse to select your license file and click Next.
Refer to Licensing Authentication Services for more information about licensing requirements.
Note: You can add additional licenses later from the Authentication Services Control Center Preferences Licensing dialog.
- At the Configure Settings in Active Directory dialog, accept the default location in which to store the configuration or browse to select the Active Directory location where you want to create the container and click Setup.
Note: You must have rights to create and delete all child objects in the selected location. For more information on the structure and rights required see Windows permissions.
- Once you have configured Active Directory for Authentication Services, click Close.
The Control Center opens. You are now ready to configure your Unix Agent Components.
(Refer to Configure Unix Agent Components in the Authentication Services Installation Guide for more information.)
About Active Directory configuration
The first time you install or upgrade the Authentication Services 4.1 Windows components in your environment, One Identity recommends that you configure Active Directory for Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the application configuration in your forest. Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise. Without the application configuration, store UNIX attributes in the RFC2307 standard attributes to achieve the most functionality.
|
|
Note: If you do not configure Active Directory for Authentication Services, you can run your client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain. (See Version 3 Compatibility Mode in the Authentication Services Installation Guide for details.) |
The Authentication Services application configuration stores the following information in Active Directory:
- Application Licenses
- Settings controlling default values and behavior for Unix-enabled users and groups
- Schema configuration
The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.
The Authentication Services application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.
There can only be one Active Directory configuration per forest. If Authentication Services finds multiple configurations, it uses the one created first as determined by reading the whenCreated attribute. The only time this would be a problem is if different groups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.
The first time you run the Control Center, the Authentication Services Active Directory Configuration Wizard walks you through the setup.
|
|
Note: You can also create the Authentication Services application configuration from the Unix command line, if you prefer. (For more information, see Creating the Application Configuration from the Unix Command Line in the Authentication Services Installation Guide.) |
You can modify the settings using the Authentication Services Control Center Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.
In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.
This table summarizes the required rights.
| Rights Required | For User | Object Class | Attributes |
|---|---|---|---|
| Create Child Object | Authentication Services Administrators Only | Container | cn, displayName, description, showInAdvancedViewOnly |
| Write Attribute | Authentication Services Administrators Only | Container | |
| Read Attribute | Authenticated Users | Container | cn, displayName, description, whenCreated |
At any time you can completely remove the Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the application configuration Authentication Services Active Directory-based management tools do not function.
Join the host to AD without the Authentication Services application configuration
You can install the Authentication Services Agent on a Unix system and join it to Active Directory without installing Authentication Services on Windows and setting up the Authentication Services Application Configuration.
The Authentication Services 4.x client-side agent required detection of a directory-based Application Configuration data object within the Active Directory forest in order to join the host computer to the Active Directory Domain. Authentication Services 4.0.2 removed this requirement for environments where directory-based User and/or Group identity information is not needed on the host Unix computer. These environments include full Mapped-User environments, GSS-API based authentication-only environments, or configurations where the Authentication Services agent will auto-generate posix attributes for Active Directory Users and Groups objects.
Configure Unix agent components
Setup Management Console for Unix
Configure the console for Active Directory logon
Set Supervisor Password dialog
Management Console for Unix log on page
The Control Center gives you access to the tools you need to perform Unix identity management tasks.
|
|
Note: If the Control Center is not currently open, you can either double-click the desktop icon or access it by means of the Start menu. |
Follow the steps outlined on the Control Center Home page to get your Unix agents ready.
|
|
Note: Of course, you can install Authentication Services without using Management Console for Unix. You can find those instructions in the Installing and Joining from the Unix Command Line section of the Authentication Services Installation Guide, located in Control Center Tools view or in the docs directory of the installation media. However, for the purposes of the examples in this guide, it is assumed that you will install and configure the Authentication Services Unix agent components by means of Management Console for Unix. |
To start the mangement console
- From the Control Center, click the Management Console link in the left-navigation pane.