
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Test the Mapped User Login

Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are "mapped". The Control Center offers a simple way to log into the host.

To test the mapped user login

  1. From the Control Center, under "Login to remote host", enter:
    • the Unix host name in the Host name box
    • the local user name, localuser, in the User name box

    and click Login to log onto the Unix host with your local user account.

  2. If the PuTTY Security Alert dialog opens, click Yes to accept the new key.
  3. Enter the password for ADuser, the Active Directory user account you mapped to localuser, when you selected the Require an AD Password to logon to Host option on the user's properties.
  4. At the command line prompt, enter id to view the Unix account information.
  5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.
  6. Enter exit to close the command shell.

You just learned how to manage local users and groups from the management console by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password for the Active Directory user account to whom you are "mapped".
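Steps 4 and 5 above can be checked mechanically rather than by eye. The following is an added example, not part of the original guide or of One Identity's tooling: it confirms that the session runs as the local account while the credential cache belongs to the mapped Active Directory account. It assumes that `vastool klist` prints a line ending in `principal: user@REALM`; the function names, the `EXAMPLE.COM` realm and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a mapped-user login from the output of `id -un`
# and `/opt/quest/bin/vastool klist`.
# Assumption: klist prints a line ending in "principal: user@REALM",
# for example "Default principal: ADuser@EXAMPLE.COM".

# Print the principal that owns the credential cache, or nothing.
klist_principal() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /principal:[ \t]*[^ \t]+@[^ \t]+[ \t]*$/ {
            print $NF; exit
        }'
}

# check_mapped_login LOCAL_USER AD_PRINCIPAL ID_NAME KLIST_OUTPUT
# Returns 0 when the session runs as LOCAL_USER and the ticket cache
# belongs to AD_PRINCIPAL. Non-zero results:
#   1 = session is not running as the expected local account
#   2 = no principal found (no credential cache, or unknown format)
#   3 = cache belongs to a different principal than the mapped one
# The principal comparison is exact, including case.
check_mapped_login() {
    want_user=$1 want_princ=$2 id_name=$3 klist_out=$4
    [ "$id_name" = "$want_user" ] || return 1
    got=$(klist_principal "$klist_out")
    [ -n "$got" ] || return 2
    [ "$got" = "$want_princ" ] || return 3
    return 0
}

# Constructed sample output (EXAMPLE.COM is a placeholder realm).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ADuser@EXAMPLE.COM

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Live use on the Unix host, after logging in as localuser:
#   check_mapped_login localuser ADuser@EXAMPLE.COM \
#       "$(id -un)" "$(/opt/quest/bin/vastool klist)"
#   echo "result: $?"
```

A result of 3 is the one worth investigating: the login succeeded, but the ticket was issued to an Active Directory account other than the one you intended to map.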

Configuring the Console to Recognize Unix Attributes in AD

Configuring the management console to recognize Unix attributes in Active Directory enables these features:

  • Unix Account tab on the user and group properties
  • Ability to query Unix-enabled users or groups
  • Reports that include Active Directory Unix information

There are two ways to configure the management console to recognize Unix attributes in Active Directory:

  1. Installing Authentication Services 4.0 or greater in your Active Directory domain and creating the Authentication Services application container in your forest. (See Configure Active Directory for Authentication Services for details.)

    Authentication Services adds the Unix properties of Active Directory users and groups to Active Directory and allows you to map a Unix user to an Active Directory user.

  2. If you are running Authentication Services without an Authentication Services application configuration in your forest, enable Management Console for Unix to use the default Windows 2003 R2 schema to recognize Unix naming attributes; this configures the console to recognize Active Directory objects. (See Configure Windows 2003 R2 Schema for details.)

    The Windows 2003 R2 schema option extends the schema to support the direct look up of Unix identities in Active Directory domain servers.

Unix-Enable an Active Directory Group

You can Unix-enable an Active Directory group from a group's properties on the Active Directory tab.

Note: This feature is only available if:

  • you have configured the management console to recognize Active Directory objects (See Configuring the Console to Recognize Unix Attributes in AD for details.)
  • you are logged into the management console as an Active Directory account in the Manage Hosts role
  • you have rights in Active Directory to Unix-enable groups

To Unix-enable an Active Directory group

  1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Groups.
  2. Enter a group name, such as UNIX, in the Search by name box and press Enter.
  3. Double-click the group name, such as UNIXusers, to open its properties.

    Note: To set up the Active Directory group account, see Add an Active Directory Group Account.

  4. On the Unix Account tab, select the Unix-enabled option and click OK.

Review the Unix-enabled AD Groups Report

The Unix-enabled AD Groups report identifies all Active Directory groups that have Unix group attributes.

To create the Unix-enabled AD Groups report

  1. From the management console, navigate to Reporting.
  2. From the Reports view, double-click the Unix-enabled AD Groups report name.

    The report opens a new Unix-enabled AD Groups tab on the Reports view.

    Note: This report is only available if you have configured the management console to recognize Active Directory objects (see Configuring the Console to Recognize Unix Attributes in AD), and you are logged on as an Active Directory account in the Manage Hosts role.

  3. Choose the base container for the report.
  4. Open the Export drop-down menu and select the format you want to use for the report: PDF or CSV.

    The console launches a new browser or application page and displays the report in the selected format.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. (See JVM Memory Tuning Suggestions for details.)
