Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix Hosts Working with Host Systems Managing Local Groups Managing Local Users Active Directory Integration Authentication Services Integration Privilege Manager Integration Reporting Setting Preferences Security Troubleshooting Tips
Auto Profile Issues Active Directory Issues Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings Single Sign-on (SSO) Issues JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service Tool Bar Buttons Are Not Enabled UID or GID Conflicts
System Maintenance Command Line Utilities Web Services Database Maintenance

Unix-Enable an Active Directory User

An Active Directory user object is considered to be Unix-enabled when it has the following Unix user attributes assigned: UID Number, Primary GID Number, Home Directory and Login Shell.

Note: This feature is only available if:

  • you have configured the mangement console to recognize Active Directory objects (See Configuring the Console to Recognize Unix Attributes in AD for details.)
  • you are logged into the mangement console as an Active Directory account in the Manage Hosts role
  • you have rights in Active Directory to Unix-enable users.

To Unix-enable an Active Directory user

  1. On the mangement console's Active Directory tab, open the Find box drop-down menu and choose Users.
  2. Click the Search by name box to search for all Active Directory users. Or, enter a portion of your ADuser log on name in the Search by name box and press Enter.
  3. Double-click ADuser, the Active Directory user name, to open its Properties.
  4. On the Unix Account tab, select the Unix-enabled option.

    It populates the Properties with default Unix attribute values.

  5. Make other modifications to these settings, if necessary, and click OK to Unix-enable the user.

    Note: You can use PowerShell to apply additional settings. PowerShell allows you to validate entries for the GECOS, Home Directory and Login Shell attributes. Please refer to the Authentication Services user documentation for more information on defining these additional settings using PowerShell cmdlets.

    Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.

You can also Unix-enable Active Directory users from the Require AD Logon pane on the All Local Users tab.

To Unix-Enable an Active Directory user

  1. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

    (Click the Directory button to search in a specific folder.)

  2. Select an Active Directory user and click the Properties button at the bottom of the Require AD Logon pane.
  3. Select the Unix Account tab from the user's properties.
  4. Select the Unix-enabled option and click OK.

Review the Unix-enabled AD Users Report

The Unix-enabled AD Users report identifies all Active Directory users with Unix user attributes.

To create the Unix-enabled AD Users report

  1. From the mangement console, navigate to Reporting.
  2. From the Reports view, double-click the Unix-enabled AD Users report name.

    The report opens a new Unix-enabled AD Users tab on the Reports view.

    Note: This report is only available if you have configured the mangement console to recognize Active Directory objects (see Configuring the Console to Recognize Unix Attributes in AD), and you are logged on as an Active Directory account in the Manage Hosts role.

  3. Choose the base container for the report.
  4. Open the Export drop-down menu and select the format you want to use for the report: PDF or CSV.

    It launches a new browser or application page and displays the report in the selected format.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. (See JVM Memory Tuning Suggestions for details.)

Test the Active Directory User Login

Now that you have Unix-enabled an Active Directory user, you can log into a local Unix host using your Active Directory user name and password.

To test the Active Directory login

  1. From the Control Center, under "Login to remote host", enter:
    • the Unix host name in the Host name box
    • the Active Directory user name, such as ADuser, in the User name box

    and click Login to log onto the Unix host with your Active Directory user account.

  2. Enter the password for the Active Directory user account.
  3. At the command line prompt, enter id to view the Unix account information.
  4. After a successful log in, verify that the user obtained a Kerberos ticket by entering:
    /opt/quest/bin/vastool klist

    The vastool klist command lists the Kerberos tickets stored in a user's credentials cache. This proves the local user is using the Active Directory user credentials.

  5. Enter exit to close the command shell.

You just learned how to manage Active Directory users and groups from the mangement console by Unix-enabling an Active Directory group and user account. You tested this out by logging into the Unix host with your Active Directory user name and password. Optionally, you can expand on this tutorial by creating and Unix-enabling additional Active Directory users and groups and by testing different Active Directory settings such as account disabled and password expired.

Privilege Manager Integration

Management Console for Unix allows you to install the Privilege Manager Policy Server as well as the Privilege Manager Agent and the Sudo Plugin software to remote hosts; it also allows you to join hosts to a policy group activated in the Privilege Manager System Settings. (See Configure a Service Account for details.)

The policy management and keystroke logging features are available when the mangement console is configured in System Settings for one or more policy groups.

Note: To use the policy editor, you must log in either as the supervisor or an Active Directory account with rights to manage policy; that is, an account in the Manage Sudo Policy or Manage PM Policy roles.

To replay keystroke logs, you must log in either as the supervisor or an Active Directory account with rights to audit policy; that is, an account in the Audit Sudo Policy or Audit PM Policy console roles.

After you install Management Console for Unix, you are ready to enable the Privilege Manager features.

Related Documents