Quest Authentication Services 4.0 Evaluation Guide


Quest Authentication Services 4.0

Evaluation Guide


Copyright (c) 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: [email protected]

Refer to our Web site for regional and international office information.

Patents

Protected by U.S. Patent # 7,617,501. Additional patents pending.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, BigBrother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, StorageHorizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI, vFoglight, vPackager, vRanger, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.


Third Party Contributions

This product may contain one or more of the following third party components. For copies of the text of any license listed, please go to http://www.quest.com/legal/third-party-licenses.aspx.

Component: Notes

Apache Commons 1.2: Apache License Version 2.0, January 2004

Boost: Boost Software License Version 1.0, August 2003

Expat 2.0.0: © 1998, 1999, 2000 Thai Open Source Software Center Ltd

Heimdal Krb/GSSapi 1.2: © 2004 - 2007 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.

OpenSSL 0.9.8d: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). © 1998-2008 The OpenSSL Project. All rights reserved.


Contents

Chapter 1: About This Guide (page 7)
  About Quest Software (page 8)
  Quest One Identity Solution (page 8)
  Conventions (page 8)
  Contacting Quest Support (page 9)

Chapter 2: Introducing Quest Authentication Services (page 11)
  Licensing QAS (page 12)
  System Requirements (page 12)
    Windows Management Tools Requirements (page 12)
    Unix Agent Requirements (page 14)
    Quest Identity Manager for Unix Requirements (page 19)
  Network Requirements (page 20)

Chapter 3: Installing and Configuring QAS (page 21)
  Install the Management Console (page 22)
    Install and Configure the Management Console (page 22)
  Install QAS Windows Components (page 22)
    Installing QAS Windows Components (page 22)
  Configure Active Directory for QAS (page 23)
    Configuring Active Directory for QAS (page 23)
  Configure Unix Agent Components (page 25)
    Setup Quest Identity Manager for Unix (page 26)
    Quest Identity Manager for Unix Log On Page (page 27)
    Prepare Unix Hosts (page 28)

Chapter 4: Getting Started with QAS (page 35)
  Getting Acquainted with the QAS Control Center (page 36)
    Management Console (page 37)
    Group Policy (page 37)
    Tools (page 38)
    Preferences (page 38)
  Learning the Basics (page 43)
    Add a Local Group Account (page 43)
    Add Local User Account (page 43)
    Add an Active Directory Group Account (page 44)
    Add an Active Directory User Account (page 44)
    Change the Default Unix Attributes (page 45)

Authentication Services 4.0 Evaluation Guide | TOC | 5


    Active Directory Account Administration (page 45)
    Run Reports (page 48)
    Use QAS PowerShell (page 55)
    Quest ChangeAuditor for Active Directory (page 58)
    Quest Defender (page 59)


Chapter 1: About This Guide

Welcome to the Quest Authentication Services Evaluation Guide.

This is a self-directed, hands-on evaluation of Quest Authentication Services (QAS). The content includes a product overview, installation instructions, and a "Getting Started" section that will help you get acquainted with the QAS Control Center, and how to use QAS to accomplish basic system administration tasks.

Topics:

• About Quest Software
• Quest One Identity Solution
• Conventions
• Contacting Quest Support

The guide is divided into three sections:

• Introducing Quest Authentication Services on page 11
• Installing and Configuring QAS on page 21
• Getting Started with QAS on page 35


About Quest Software

Note: Quest Authentication Services (QAS), formerly Vintela Authentication Services (VAS), was re-branded for the 4.0 release.

Quest Software, Inc. simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. Contact Quest for more information:

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)

Email: [email protected]

Mail: Quest Software, Inc.
      World Headquarters
      5 Polaris Way
      Aliso Viejo, CA 92656 USA

Web site: www.quest.com

Quest One Identity Solution

This product is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:

• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:

• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.


Element: Convention

Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bold text: Used to indicate elements that appear in the graphical user interface that you are to select, such as the OK button.

Italic text: Interface elements that appear in Quest products, such as menus and commands.

courier text: Used to indicate host names, file names, program names, command names, and file paths.

Blue Text: Indicates an interactive link to a related topic.

Note: Used to highlight additional information pertinent to the process or topic being described.

+: A plus sign between two keystrokes means that you must press them at the same time.

|: A pipe sign between elements means that you must select the elements in that particular sequence.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal.

Information Sources and Contact Points

Quest Support
  SupportLink: support.quest.com

  Quest SupportLink gives you access to these tools and resources:

  • Product Information: Most recent product solutions, downloads, documentation, notifications and product lifecycle table.
  • Product Downloads: Download the latest Quest product releases and patches.
  • Product Documentation: Download Quest product documentation, such as installation, administrator, user guides and release notes.
  • Search KnowledgeBase: Search our extensive repository for answers to Quest-product related issues or questions.
  • Case Management: Create new support cases and manage existing cases.


  Email: [email protected]
  Phone: 1.800.306.9329

Public Forum
  The Community site is a place to find answers and advice, join a discussion forum, or get the latest documentation and release information: All Things Unix Community.

Global Support Guide
  View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at support.quest.com.


Chapter 2: Introducing Quest Authentication Services

Quest Authentication Services is patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and enterprise applications. It addresses the compliance need for cross-platform access control, the operational need for centralized authentication and single sign-on, and enables the unification of identities and directories for simplified identity and access management.

Topics:

• Licensing QAS
• System Requirements
• Network Requirements


Licensing QAS

Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Mac hosts.

Note: While you can install and configure QAS on Windows and use the included management tools to Unix-enable users and groups in Active Directory without installing a license, you must have the QAS license installed for full QAS functionality.

Note: If you are using Quest Identity Manager for Unix, any time there is a change to the QAS licensing, you must also log into the management console with the supervisor account, navigate to Preferences | System settings | Authentication Services and click the Check for licenses button to refresh the license information. Quest Identity Manager for Unix does not automatically check for new QAS licenses.

Contact your account representative for a license.

System Requirements

Prior to installing Quest Authentication Services, ensure your system meets the minimum hardware and software requirements for your platform. QAS consists of Windows management tools and Unix client agent components.

Windows Management Tools Requirements

The following are the minimum requirements for installing QAS in your Windows environment:

Table 1: QAS Windows Requirements

Supported Windows Platforms

Can be installed on 32-bit or 64-bit editions of the following configurations:

• Windows XP SP2 (or later)
• Windows Vista
• Windows 7
• Windows 2003 SP1 (or later)
• Windows 2008
• Windows 2008 R2

Note: Due to tightened security on the Windows 2008 operating system, when running QAS Control Center on Windows 2008 R2, functioning as a domain controller, the process must be elevated or you must add Authenticated Users to the Distributed COM Users group on the computer. As a best practice, Quest does not recommend that you install or run the QAS Windows components on Active Directory domain controllers. The recommended configuration is to install the QAS Windows components on an administrative workstation.

Note: Microsoft does not support Group Policy Management Console (GPMC) on 64-bit platforms of Windows; thus, Quest does not support managing group policies through the QAS Control Center on Windows 2003 64-bit, Windows 2003 R2 64-bit, and XP 64-bit platforms. (See Group Policy Management Console with Service Pack 1 for more information.)

Prerequisite Windows Software

You can download all of the following prerequisite software free from the Microsoft website:

• Windows Installer 3.1 (http://support.microsoft.com/kb/893803)
• Microsoft .NET Framework 3.5 SP1 or higher
• Windows PowerShell 1.0 or higher (http://support.microsoft.com/kb/968929)

If any of the prerequisites are missing, the QAS installer suspends the installation process to allow you to download the required component; it then continues the install.

QAS Windows Components

QAS includes the following Windows components:

Table 2: Windows Components

Windows Component: Description

QAS Control Center: A single console to provide access to all of the tools and configuration settings for QAS

Active Directory Users and Computers MMC Snapin Extensions: Provides Unix management extensions for Active Directory users and groups

Group Policy Management Editor MMC Snapin Extensions: Provides Group Policy management for Unix, Linux and Mac

RFC2307 NIS Map Editor MMC Snapin: Provides the ability to manage NIS data in Active Directory

NIS Map Import Wizard: Import NIS data into Active Directory

Unix Account Import Wizard: Import Unix identity data into Active Directory

QAS PowerShell cmdlets: Provides the ability to script Unix management tasks

Documentation: Full product documentation and online help


Windows Permissions

To install QAS on Windows, you must have:

• Local administrator rights
• Rights to create a container and a child container in Active Directory (first-time only)

Authenticated Users must have rights to read the cn, displayName, description, and whenCreated attributes for container objects in the application configuration location. To change Active Directory configuration settings, Administrators must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, and showInAdvancedViewOnly in the application configuration location.

Table 3: Required Windows Permissions

CreateChildObject
  For user: QAS Administrators Only
  Object class: Container
  Attributes: none

WriteAttribute
  For user: QAS Administrators Only
  Object class: Container
  Attributes: cn, displayName, description, showInAdvancedViewOnly

ReadAttribute
  For user: Authenticated Users
  Object class: Container
  Attributes: cn, displayName, description, whenCreated

Unix Agent Requirements

Note: To install QAS on Unix, Linux, or Mac, you must have root access rights.

Click here to view a list of supported Unix and Linux platforms that run Quest Authentication Services.

For maximum security and performance, before you begin the installation, make sure that you have the latest patches for your operating system version.

Table 4: Patch-Level Requirements

Platform: Patch Level

Fedora: glibc 2.3.3-74 or greater

Solaris 8: Patch 108993-01 or greater on SPARC; Patch 108994-01 or greater on x86

AIX 5.1: OS level 5100-09 or greater

AIX 5.2: OS level 5200-04 or greater

AIX 5.3: OS level 5300-05 or greater

HPUX 11.00: QPK1100 B.11.00.62.4 or greater

HPUX 11.11: GOLDQPK11i (i.e. GOLDAPPS11i and GOLDBASE11i) BUNDLE11i; ld(1) and linker tools cumulative patch (PHSS_30970 or greater)

HPUX 11.22: MAINTPACK E0306 or greater

Note: Quest recommends that you run the Preflight utility to check for a supported operating system and correct operating system patches. (See Running Preflight in the QAS Installation Guide for details.)

QAS Unix Components

QAS includes the following Unix components:

Table 5: QAS Unix Components

Unix Component: Description

vasd: The QAS agent background process that manages the persistent cache of Active Directory information used by the other QAS components. vasd is installed as a system service. You can start and stop vasd using the standard service start/stop mechanism for your platform. vasd is part of the vasclnt package.

vastool: The QAS command line administration utility that allows you to join a Unix host to an Active Directory Domain; access and modify information about users, groups and computers in Active Directory; and configure the QAS components. vastool is installed at /opt/quest/bin/vastool. vastool is part of the vasclnt package.

vgptool: A command line utility that allows you to manage the application of Group Policy settings to QAS clients. vgptool is installed at /opt/quest/bin/vgptool. vgptool is part of the vasgp package.

oat (Ownership Alignment Tool): A command line utility that allows you to modify file ownership on local Unix hosts to match user accounts in Active Directory. oat is installed at /opt/quest/libexec/oat/oat. oat is part of the vasclnt package.

LDAP proxy: A background process that secures the authentication channel for applications using LDAP bind to authenticate users without introducing the overhead of configuring secure LDAP (LDAPS). The LDAP proxy is installed by the vasclnt package.

NIS proxy: A background process that acts as a NIS server which can provide backwards compatibility with existing NIS infrastructure. The NIS proxy is installed by the vasyp package.

SDK package: The vasdev package, the QAS programming API.

QAS Permissions Matrix

The following table details the permissions required for full QAS functionality.

Table 6: QAS Permissions

For each function, the required Active Directory permissions ("AD") and the required local client permissions ("Local client") are listed.

QAS Application Configuration: creation
  AD: Location in Active Directory with Create Container Object rights
  Local client: NA

QAS Application Configuration: changes (Unix Global Settings, Licensing, Custom Unix Attributes)
  AD: Update permission to the containers created above (no particular permissions if you are the one who created it)
  Local client: NA

Schema optimization
  AD: Schema Administrator rights
  Local client: NA

Display Specifier Registration
  AD: Enterprise Administrator rights
  Local client: NA

Editing Users
  AD: Administrator rights
  Local client: NA

Create any group policy objects
  AD: Group Policy Creator Owners rights
  Local client: NA

RFC 2307 NIS Import Map Wizard
  AD: Location in Active Directory with Create Container Object rights (you create containers for each NIS map)
  Local client: NA

Unix Account Import Wizard
  AD: Administrator rights (you are creating new accounts)
  Local client: NA

Logging Options
  AD: Write permissions to the file system folder where you want to create the logs
  Local client: NA

vasd daemon
  AD: The client computer object is expected to have read access to user and group attributes, which is the default. In order for QAS to update the host object operating system attributes automatically, set the following rights for "SELF" on the client computer object: Write Operating System, Write operatingSystemHotfix, and Write operatingSystemServicePack.
  Local client: vasd must run as root

QAS/VAS PAM module
  AD: NA (updated by means of vasd)
  Local client: Any local user

QAS/VAS NSS module; vastool nss
  AD: NA (updated by means of vasd)
  Local client: Any local user

vastool command-line tool
  AD: Depends on which vastool command is run
  Local client: Any local user for most commands

vastool join; vastool unjoin
  AD: computer creation or deletion permissions in the desired container
  Local client: root

vastool configure; vastool unconfigure
  AD: NA
  Local client: root

vastool search; vastool attrs
  AD: read permission for the desired objects (regular Active Directory user)
  Local client: Any local user

vastool setattrs
  AD: write permissions for the desired object
  Local client: Any local user

vastool cache
  AD: NA
  Local client: Run as root if you want all tables including authcache

vastool create
  AD: permissions to create new users, groups, and computers as specified
  Local client: Any local user; root needed to create a new local computer

vastool delete
  AD: permissions to delete existing users, groups, or computers as specified; permissions to remove the keytab entry for the host object created (root or write permissions in the directory and the file)
  Local client: Any local user

vastool flush
  AD: The client computer object is expected to have read access to user and group attributes, which should be the default
  Local client: root

vastool group add; vastool group del
  AD: permission to modify group membership
  Local client: Any local user

vastool group hasmember
  AD: read permission for the desired objects (regular Active Directory user)
  Local client: Any local user

vastool info { site | domain | domain -n | forest-root | forest-root-dn | server | acl }
  AD: NA
  Local client: Any local user

vastool info { id | domains | domains -dn | adsecurity | toconf }
  AD: read permission for the desired objects (regular Active Directory user)
  Local client: Any local user

vastool isvas; vastool inspect; vastool license
  AD: NA
  Local client: Any local user

vastool kinit; vastool klist; vastool kdestroy
  AD: local client needs permissions to modify the keytab specified; the default is the computer object, which is root.
  Local client: Any local user

vastool ktutil
  AD: NA
  Local client: root if you are using the default host.keytab file

vastool list (with -l option)
  AD: read permission for the desired objects (regular Active Directory user)
  Local client: Any local user

vastool load
  AD: permissions to create users and groups in the desired container
  Local client: Any local user

vastool merge; vastool unmerge
  AD: NA
  Local client: root

vastool passwd
  AD: Regular Active Directory user
  Local client: Any local user

vastool passwd <ADuser>
  AD: Active Directory user with password reset permission
  Local client: Any local user

vastool schema list; vastool schema detect
  AD: Regular Active Directory user
  Local client: Any local user

vastool schema cache
  AD: Regular Active Directory user
  Local client: root (to modify the local cache file)

vastool service list
  AD: Regular Active Directory user
  Local client: Any local user

vastool service { create | delete }
  AD: Active Directory user with permission to create/delete service principals in the desired container
  Local client: NA

vastool smartcard
  AD: NA
  Local client: root

vastool status
  AD: NA
  Local client: root

vastool timesync
  AD: NA
  Local client: root; if you only query the time from AD, you can run as any local user

vastool user { enable | disable }
  AD: needs modify permissions on the AD object
  Local client: Any local user

vastool user { checkaccess | checkconflict }
  AD: NA
  Local client: Any local user

vastool user checklogin
  AD: Access to the Active Directory user's password
  Local client: Any local user

Quest Identity Manager for Unix Requirements

Quest recommends that you install Quest Identity Manager for Unix. This provides a management console that is a powerful and easy-to-use tool that dramatically simplifies deployment, enables management of local Unix users and groups, provides granular reports on key data and attributes, and streamlines the overall management of your Unix, Linux, and Mac OS X hosts.

These are the requirements if you intend to install the management console.

System Requirements:

Client Agent System Requirements
  Click here to view a list of supported Unix and Linux platforms that run the web server; that is, hosts that you can manage from the management console.

  Note: Quest Identity Manager for Unix does not support hosting the management console on AIX operating systems.

  Note: You must have JRE (Java Runtime Environment) 1.6 installed on the supported platform to run Quest Identity Manager for Unix.

  Minimum memory requirement: 512 MB

Web Browsers
  The management console officially supports the following web browsers:

  • Microsoft Internet Explorer 7 (or greater)
  • Mozilla Firefox 3 (or greater)
  • Apple Safari 4 (or greater) (Mac only; Windows not supported)

Network Requirements

QAS must be able to communicate with Active Directory, including domain controllers, global catalogs and DNS servers, using the Kerberos, LDAP and DNS protocols. The following table summarizes the network ports that must be open and their function.

Table 7: Network Ports

Port: Function

389: Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership.

3268: Used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.

88: Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. UDP is used by default, but TCP is also used if the Kerberos ticket is too large for UDP transport.

464: Used for changing and setting passwords against Active Directory using the Kerberos change password protocol. QAS always uses TCP for password operations.

53: Used for DNS. Since QAS uses DNS to locate domain controllers, DNS servers used by the Unix hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used.

123: UDP only. Used for time-synchronization with Active Directory.

445: CIFS port used to enable the client to retrieve configured group policy.
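As an added example (not part of the Quest guide or its Preflight utility), the following Python script encodes Table 7 and checks from a Unix host that every TCP port QAS needs is reachable on the servers filling each role, reporting the UDP-only checks separately because a TCP connect cannot prove a UDP port open. The hostnames and the inventory dictionary are constructed placeholders; the connector is injectable so the plan can be exercised without network access.

```python
"""Pre-join network readiness check for a QAS Unix host.

Encodes Table 7 (Network Ports) of the QAS 4.0 Evaluation Guide and tests
TCP reachability of every TCP port QAS needs on each domain controller,
global catalog and DNS server. UDP-only ports (123) and the UDP sides of
389/88/53 cannot be proven open with a connect(), so they are reported as
"unchecked" rather than silently passed.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (port, role, transports, purpose), taken from Table 7 of the guide.
# role is the kind of server the port must be reachable on:
#   "dc"  = Active Directory domain controller
#   "gc"  = global catalog server
#   "dns" = DNS server used by the Unix host
REQUIRED_PORTS = (
    (389,  "dc",  ("tcp", "udp"), "LDAP to domain controllers (UDP for site detection)"),
    (3268, "gc",  ("tcp",),       "LDAP to global catalogs"),
    (88,   "dc",  ("udp", "tcp"), "Kerberos authentication / service tickets"),
    (464,  "dc",  ("tcp",),       "Kerberos change-password"),
    (53,   "dns", ("udp", "tcp"), "DNS (must serve AD SRV records)"),
    (123,  "dc",  ("udp",),       "time synchronization"),
    (445,  "dc",  ("tcp",),       "CIFS, Group Policy retrieval"),
)

Check = Tuple[str, int, str, str]  # (host, port, transport, purpose)


def plan_checks(hosts: Dict[str, List[str]]) -> List[Check]:
    """Expand the port table against the hosts that play each role.

    hosts maps a role ("dc", "gc", "dns") to the hostnames filling it.
    A global catalog is usually also a domain controller, so list such a
    host under both roles to get both sets of checks.
    """
    checks: List[Check] = []
    for port, role, transports, purpose in REQUIRED_PORTS:
        for host in hosts.get(role, []):
            for transport in transports:
                checks.append((host, port, transport, purpose))
    return checks


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real connector: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks: List[Check],
               connector: Callable[[str, int], bool] = tcp_connect
               ) -> Dict[str, List[Check]]:
    """Run each TCP check through connector and sort results into buckets.

    Returns {"ok": [...], "failed": [...], "unchecked": [...]}, where
    "unchecked" holds the UDP checks a connect() cannot verify.
    """
    report: Dict[str, List[Check]] = {"ok": [], "failed": [], "unchecked": []}
    for check in checks:
        host, port, transport, _ = check
        if transport != "tcp":
            report["unchecked"].append(check)
        elif connector(host, port):
            report["ok"].append(check)
        else:
            report["failed"].append(check)
    return report


def summarize(report: Dict[str, List[Check]]) -> List[str]:
    """Human-readable lines, failures first, for an operator to act on."""
    lines = [f"BLOCKED {h}:{p}/tcp ({why})" for h, p, _, why in report["failed"]]
    lines += [f"ok      {h}:{p}/tcp" for h, p, _, _ in report["ok"]]
    lines += [f"verify  {h}:{p}/{t} manually (UDP)" for h, p, t, _ in report["unchecked"]]
    return lines


if __name__ == "__main__":
    # Constructed sample inventory (placeholder names); in practice fill it
    # from the _ldap._tcp and _gc._tcp SRV records your resolver returns.
    inventory = {"dc": ["dc1.example.com"], "gc": ["dc1.example.com"],
                 "dns": ["dc1.example.com"]}
    for line in summarize(run_checks(plan_checks(inventory))):
        print(line)
```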


Chapter 3

Installing and Configuring QAS

Topics:

• Install the Management Console
• Install QAS Windows Components
• Configure Active Directory for QAS
• Configure Unix Agent Components

To extend the authentication, authorization, and administration infrastructure of Active Directory to the rest of your enterprise, allowing Unix, Linux, and Mac systems to act as full citizens within Active Directory, you must install and configure Quest Authentication Services.

This section explains the steps you must take in detail:

1. Install Quest Identity Manager for Unix.
2. Install Quest Authentication Services Windows components.
3. Configure Active Directory for QAS (one time, only).
4. Configure Unix Agent Components
   a. Configure the management console for Active Directory.
   b. Prepare the Unix hosts for Active Directory user access:
      • Add and profile a host.
      • Check the host for readiness to join Active Directory.
      • Install QAS agent software packages on the host to allow Active Directory user access.

      Note: For users to authenticate on Unix, Linux, and Mac hosts with Active Directory credentials, your Unix hosts must have the QAS agent installed.

      • Join the host to Active Directory.


Install the Management Console

In preparing for your Quest Authentication Services installation, Quest recommends that you install Quest Identity Manager for Unix. This provides a management console that is a powerful and easy-to-use tool that dramatically simplifies deployment, enables management of local Unix users and groups, provides granular reports on key data and attributes, and streamlines the overall management of your Unix, Linux, and Mac OS X hosts.

Of course, you can install QAS without using Quest Identity Manager for Unix. You can find those instructions in the Installing and Joining from the Unix Command Line section of the QAS Installation Guide, located in the QAS Control Center Tools page or in the docs directory of the installation media. However, for the purposes of the examples in this guide, it is assumed that you will install and configure QAS Unix agent components by means of the Quest Identity Manager for Unix.

Install and Configure the Management Console

The easiest way to install and configure QAS Unix agent components is by means of the Quest Identity Manager for Unix.

To install the management console on a supported Windows platform

1. From the Quest Authentication Services Autorun Home page, click the Setup tab.

Note: To start the Autorun installation wizard, navigate to the root of the distribution media and double-click autorun.exe.

2. From the Setup page, click Quest Identity Manager for Unix.

The install wizard guides you through the rest of the setup pages:

• Quest Identity Manager for Unix License Agreement
• Installation Directory
• Configure TCP/IP Port
• Completing the Quest Identity Manager for Unix installation

3. On the Complete page, leave the Launch the Management Console option deselected and click Finish to exit the install wizard and return to the Quest Authentication Services Autorun Setup tab.

Once you have installed Quest Identity Manager for Unix, you are ready to install or upgrade the QAS Windows components.

Install QAS Windows Components

Quest recommends that you install the Windows components and configure Active Directory before you install the Unix components.

Installing QAS Windows Components

Install Quest Authentication Services on each Windows Workstation you plan to use to administer Unix data in Active Directory.

To install the QAS Windows components

1. From the Autorun Setup page, click Quest Authentication Services to launch the setup wizard.
2. Click Next at the Welcome page and follow the wizard prompts.

The wizard leads you through the following pages:


• License Agreement
• Choose Destination Location
• Ready to Install the Program
• InstallShield Wizard Complete

3. On the Complete page, leave the Launch Quest Authentication Services Control Center option selected and click Finish to automatically start the QAS Control Center.

Note: The first time you launch the QAS Control Center, the Set up QAS Active Directory Configuration Wizard starts automatically to walk you through the process of configuring Active Directory for QAS. If the configuration has already been performed when you click Finish, the QAS Control Center launches.

Configure Active Directory for QAS

To use QAS 4.0 with Active Directory, you must first prepare Active Directory to store the configuration settings that it uses. This is a one-time process that creates the QAS application configuration in your forest.

Note: To use the QAS Active Directory Configuration Wizard, you must have rights to create a container in Active Directory.

You can also create the QAS application configuration from the Unix command line, if you prefer. See Creating the Application Configuration from the Unix Command Line in the QAS Installation Guide for more information.

Configuring Active Directory for QAS

The first time you install QAS in your environment, Quest recommends that you perform this one-time Active Directory configuration step to utilize full QAS 4.0 functionality.

Note:

If you do not configure QAS for Active Directory, you can run your QAS client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain.

(See Version 3 Compatibility Mode in the Administrator's Guide for details.)

To configure Active Directory for QAS

1. At the QAS Active Directory Configuration Wizard Welcome page, click Next.
2. At the Connect to Active Directory page:

a) Provide Active Directory login credentials for the wizard to use for this task:

• Select Use my current AD logon credentials if you are a user with permission to create a container in Active Directory.

• Select Use different AD logon credentials to specify the Active Directory credentials of another user and enter the User name and Password.

Note: The wizard does not save these credentials; it only uses them for this setup task.

b) Indicate how you want to connect to Active Directory: select whether to connect to an Active Directory Domain Controller or ActiveRoles Server.

Note: If you have not installed the ActiveRoles Server MMC Console on your computer, the ActiveRoles Server option is not available.


c) Optionally enter the Domain or domain controller and click Next.

3. At the License QAS page, browse to select your license file and click Next.

Refer to Licensing QAS on page 12 for more information about licensing requirements.

Note: You can add additional licenses later from the QAS Control Center Preferences Licensing page.

4. At the Configure Settings in Active Directory page, accept the default location in which to store the configuration or browse to select the Active Directory location where you want to create the container and click Setup.

Note: You must have rights to create a container in the selected location. For more information on the structure and rights required see Windows Permissions on page 14.

5. Once you have configured Active Directory for QAS, click Close.

The QAS Control Center opens. You are now ready to configure your Unix Agent Components. (Proceed to Configure Unix Agent Components on page 25.)

About Active Directory Configuration

The first time you install or upgrade the QAS 4.0 Windows components in your environment, you must configure Active Directory for QAS to utilize full QAS 4.0 functionality. This is a one-time Active Directory configuration step that creates the QAS application configuration in your forest. QAS uses the information found in the QAS application configuration to maintain consistency across the enterprise. Without the Active Directory configuration you cannot store Unix identity information in Active Directory. However, you can still join Unix machines to Active Directory.

Note:

If you do not configure QAS for Active Directory, you can run your QAS client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain.

(See Version 3 Compatibility Mode in the Administrator's Guide for details.)

The QAS application configuration stores the following information in Active Directory:

• Application Licenses
• Settings controlling default values and behavior for Unix-enabled users and groups
• Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.

The QAS application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If QAS finds multiple configurations, it uses the one created first as determined by reading the whenCreated attribute. The only time this would be a problem is if different groups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.

The first time you run the QAS Control Center, the QAS Active Directory Configuration Wizard walks you through the setup.

Note: You can also create the QAS application configuration from the Unix command line, if you prefer. (See Creating the Application Configuration from the Unix Command Line in the QAS Installation Guide for more information.)


You can modify the settings using the QAS Control Center Preferences page. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.

This table summarizes the required rights:

Rights Required       For User                   Object Class   Attributes
Create Child Object   QAS Administrators Only    Container
Write Attribute       QAS Administrators Only    Container      cn, displayName, description, showInAdvancedViewOnly
Read Attribute        Authenticated Users        Container      cn, displayName, description, whenCreated

At any time you can completely remove the QAS application configuration using the Remove-QasConfiguration cmdlet. However, without the QAS application configuration QAS Active Directory-based management tools do not function.

Join the Host to AD Without the QAS Application Configuration

You can install the QAS Agent on a Unix system and join it to Active Directory without installing QAS on Windows and setting up the QAS Application Configuration.

The QAS 4.0 client-side agent required detection of a directory-based Application Configuration data object within the Active Directory forest in order to join the host computer to the Active Directory Domain. QAS 4.0.2 removes this requirement for environments where directory-based User and/or Group identity information is not needed on the host Unix computer. These environments include full Mapped-User environments, GSS-API based authentication-only environments, or configurations where the QAS agent will auto-generate posix attributes for Active Directory Users and Groups objects.

Configure Unix Agent Components

The QAS Control Center gives you access to the tools you need to perform Unix identity management tasks.

Note: If the QAS Control Center is not currently open, you can either double-click the desktop icon or access it by means of the Start menu.

Follow the steps outlined on the QAS Control Center Home page to get your Unix agents ready.

Note: Of course, you can install QAS without using Quest Identity Manager for Unix. You can find those instructions in the Installing and Joining from the Unix Command Line section of the QAS Installation Guide, located in the QAS Control Center Tools page or in the docs directory of the installation media. However, for the purposes of the examples in this guide, it is assumed that you will install and configure the QAS Unix agent components by means of the Quest Identity Manager for Unix.

To start the management console

1. From the QAS Control Center, click the Management Console link in the left-navigation pane.


Setup Quest Identity Manager for Unix

The first time you launch the management console, the Setup Quest Identity Manager for Unix wizard leads you through some post-installation configuration steps. Choose one of these options:

• Skip the Active Directory configuration, I'll do that later from the console

This option allows you to use the core features of the console.

• Walk me through the configuration steps for using AD user accounts for logon to the console

When you configure the console for Active Directory, you unlock additional Active Directory features.

Note: To use the management console with Quest Authentication Services, you must configure the console for Active Directory log on.

Choose an option and click Next.

Note:

If you choose the "Skip" option, the Identify Console page displays. (See Identify Console on page 27.)

If you choose the "Walk" option, it allows you to configure the console for Active Directory log on. (See Configure the Console for Active Directory Logon.)

Note: If you cannot configure the console for Active Directory during your initial installation of Quest Identity Manager for Unix, choose the "Skip" option. After the installation, log into the console as supervisor and configure the console for Active Directory from System Settings in the Preferences menu later. (See Active Directory Configuration in the management console online Help for more information.)

Configure the Console for Active Directory

The setup wizard displays the Configure console for Active Directory Logon page during the post-installation configuration steps.

To configure the management console for Active Directory

1. On the Configure console for Active Directory Logon page, enter a valid Active Directory domain in the forest, in the form example.com.

2. Enter the Active Directory credentials.

The wizard uses these credentials to verify the QAS configuration and license in Active Directory and to configure the management console for use with Active Directory.

3. Click Connect to Active Directory.
4. When you see the message that indicates the console connected to Active Directory successfully, click Next.

The Set up console access by role page opens.

Setup Console Access by Role

After you complete the Configure Console for Quest Authentication Services page, the setup wizard displays the Setup console access by role page.

To add Active Directory users or groups to the console access list

1. On the Set up console access by role page, click Add... to specify the Active Directory users and groups that you want to have access to the features available in Quest Identity Manager for Unix.


2. On the Select Users and Groups page, use the search controls to find and select Active Directory user(s) or group(s). Select one or more objects from the list and click OK.

The management console adds the selected object(s) to the list on the Set up console access by role page.

By default the management console assigns users to All Roles, which gives those accounts permissions to access and perform all tasks within the console. (See Roles and Permissions in the management console online Help for more information.)

Note: During the initial set up, you can only assign a user to one role. Use System Settings to add additional roles to a user. (See Add Role Members in the management console online Help for more information.)

3. Click in the Roles cell to activate a drop-down menu from which you can choose a role for the user account.
4. Click Next to save your selections.

The Identify Console page opens.

Identify Console

The setup wizard displays the Identify Console page during the post-installation configuration steps.

To identify the management console

On the Identify Console page, modify the information about this management console, if necessary, and click Next to open the Set supervisor password page.

Note: You can modify these settings from Preferences | System settings | General | Console Information.

Set Supervisor Password Page

The supervisor is the only account by default that has rights to modify system settings in Quest Identity Manager for Unix. The supervisor has all permissions in the management console. That is, it can do anything, and no permissions can be removed from supervisor.

To set the supervisor password

On the Set supervisor password page, enter a password for the supervisor account and click Next.

The Summary page displays.

Summary Page

To complete the Setup Quest One Management Console for Unix wizard

On the Summary page, click Finish.

The Quest Identity Manager for Unix log-in screen opens.

Quest Identity Manager for Unix Log On Page

Whenever you launch the management console, you must enter an authorized account to proceed. The Quest Identity Manager for Unix features that are available depend on the account with which you log in.

To use the core version to manage local Unix users and groups and to access the management console system settings, you must use the supervisor account (that is, you must log on with the supervisor user name). However, to use the Active Directory features of Quest Identity Manager for Unix, you must log on with an Active Directory account that has been granted access to the management console, that is, one defined during the post-installation configuration on the Setup console access by Role page. To add additional accounts to this access list, see Change Role Properties in the management console online Help for more information.


To log on to the management console

1. Enter a user name and password and click Log on.

Enter one of the following:

• the supervisor account name
• a sAMAccountName, which uses the default domain
• a NetBIOS name in the form domain\username
• a User Principal Name in the form username@domain

The management console opens and displays the user name you specified in the upper right-hand corner of the screen.

2. To log on using a different account, select Log out in the upper right-hand region of the window.

The Log-on page redisplays, allowing you to enter a different account.

Prepare Unix Hosts

Once you have successfully installed Quest Identity Manager for Unix, you must add your hosts to the management console, and profile them to gather system information. Then you can manage users and groups on the hosts and run reports from the console.

Using Quest Identity Manager for Unix with a licensed version of Quest Authentication Services not only allows you to centrally manage your hosts, but also provides these additional features for managing Unix systems with Active Directory:

• Remotely install QAS agents, join systems to Active Directory, and implement AD-based authentication for Unix, Linux, and Mac systems.

• Generate reports about both local Unix users and groups and Unix-enabled users and groups in Active Directory.

• Generate access control reports that show which user is permitted to log into which Unix host.

Add Host(s) to the Management Console

In order to manage a Unix host from the management console, you must first add the host. Go to the Hosts tab of the management console to either manually enter hosts or import them from a file.

To add host(s) to the management console

1. Click the Add Hosts tool bar button to display the Add Hosts page.
2. To manually add one or more hosts, enter the FQDN, IP address, or short name of a host you want to add to the management console and either press Enter or click the icon.

Note:

Once added, the Host column displays the value you enter. The management console uses that value to connect to the host. The only way to change what is displayed in the Host column is to remove the host from the console and re-add it. For example, if you add a host by its IP address, the IP address displays in the Host column (as well as in the IP Address column); to change what is displayed in the Host column, you must use the Remove from console tool bar button to remove the host from the console; then use the Add Hosts button to re-add the client by its host name. If you had profiled the host before removing it, you will have to re-profile it after re-adding it.

Repeat this step to add additional hosts.

3. To add hosts from a known_hosts file, click the Import button.

a) On the Import hosts from file page, browse to select a .txt file containing a list of host addresses to import.

Once imported, the host addresses display on the Add Hosts page.


Note:

The valid format for an import file is:

• .txt file - contains the IP address or DNS name, one per line
• known_hosts file - contains address algorithm hostKey (separated by a space), one entry per line

For more details about the supported known_hosts file format, see Known_hosts File Format in the management console online Help for more information.

4. Once you have a list of one or more hosts to add, click OK.

If you do not wish to profile the host(s) at this time, clear the Profile hosts after adding option before you click OK.

Note: If you add more than 50 hosts to the list, this option is disabled.

5. If you do not clear the Profile hosts after adding option on the Add Hosts page, when you click OK, the Profile Host page prompts you to enter the user credentials to access the host(s) and automatically leads you through the profile steps. (Refer to Profile Host(s) which walks you through the tasks to profile the host(s).)

6. If you clear the Profile hosts after adding option on the Add Hosts page, when you click OK, the Add Hosts page closes and control returns to the management console from which you can profile the hosts later manually.

The management console lists hosts that were successfully added on the All Hosts page.

Profile Host(s)

Profiling imports information about the host, including local users and groups, into the management console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.

To profile host(s)

1. Select one or more hosts on the All Hosts tab, open the Profile menu and choose Profile.
2. In the Profile Host page, enter user credentials to access the host(s).

If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

3. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the following information:
a) Enter the user name and password to log onto the selected host(s).
b) Optionally enter the SSH port to use. It uses port 22 by default.
c) To save the credentials entered for the host, select the Save my credentials on the server option.

Once saved, the management console uses these credentials to access the host during this and subsequent sessions.

Note:

If you do not save a password to the server, the user name and password fields will be blank the first time the management console needs credentials to complete a task on the host during a log on session. Once entered, the management console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session.

If you choose to save a host's credentials to the server, the management console encrypts the credentials and saves them in the database. Saved user names and passwords persist across log on sessions, and when needed, the management console pre-populates the user name and password fields the first time and subsequent times it needs them to perform a task. For more information, see Caching of Unix Host Credentials in the online Help.

4. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials and specify different settings for each host.
a) To enter different credentials, place your cursor in the Username and Password columns to the right of the Host column and enter the credentials to use.
b) To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port number.
c) To save the credentials entered for a host, select the check box in the Save column.

5. If you do not trust the selected hosts' SSH keys and want the management console to prompt you to review and accept new SSH keys, clear the Automatically accept SSH keys option before you click OK.

Before the profile process begins, Quest Identity Manager for Unix checks the SSH key for the selected host(s). By default, the Automatically accept SSH keys option is selected to enable the management console to automatically accept SSH keys and cache them on the server. When you clear this option, if the management console finds SSH keys on the hosts that are not cached on the server, or if it finds new keys that are different from keys cached on the server, it displays the Validate Host SSH Keys dialog which allows you to manually accept the new fingerprint for each host and cache them on the server.

Note: When profiling one or more hosts, you must accept at least one key before continuing. The management console only profiles hosts with accepted keys.

Note: When you select the Automatically accept SSH keys option and a modified key is encountered, the profile task will prompt you to accept the new changed key(s). (See Managing SSH Host Keys in the management console online Help for more information on uploading a host's SSH key.)

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any errors encountered.

SSH Terminal Access to Host

Quest Identity Manager for Unix uses SSH as the network protocol to provide secure remote access and administration of Unix hosts. By default, new SSH keys will be automatically accepted prior to initiating the profiling process. However, if you do not trust the selected hosts' SSH keys and want to be prompted to review and accept new SSH keys, clear the Automatically accept SSH keys check box on the Profile Host page. With this option cleared, profiling a host for the first time will now prompt you to validate and accept the SSH key for the selected hosts. Once accepted, the fingerprint will be cached on the Quest Identity Manager for Unix server. Once a fingerprint is cached, you will only be asked to validate and accept new fingerprints that are different than those cached on the server.

Note: When the Automatically accept SSH keys option is selected and a modified key is encountered, the profile task will prompt you to accept the new changed key(s).

To upload a host's SSH key, use one of the following methods:

• Profile a host. When profiling a host, new SSH keys are automatically accepted for the selected host. However, you can clear the Automatically accept SSH keys option on the Profile Hosts page if you want to be prompted to validate the host's SSH key if it is not already cached or if it is different than the one stored on the server. You must accept a host's new fingerprint in order to proceed with the profiling process.

• Import hosts. When adding hosts, you can use the Import option to add hosts from a known_hosts file which contains the host addresses and public key data for known server hosts. When these hosts are profiled, new SSH keys are automatically accepted unless you clear the Automatically accept SSH keys option on the Profile Host page. When this option is cleared, you will be prompted to validate each host's fingerprint.

• Import SSH Host Keys. You can use the Import SSH Host Key tool bar command to upload a new public SSH key for a selected host. When using this command, you are prompted to accept the new fingerprint for the selected host.

You can view the SSH fingerprint and algorithm used to access a host on the Details page of a host's properties tab.
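A checker for the two import-file formats described in the Add Hosts note and for the host-key handling in this section, written as an added example that is not part of the original guide or of Quest's console: it accepts a .txt list or a known_hosts file, computes the OpenSSH-style SHA256 fingerprint of each host key so it can be compared with the fingerprint shown on the Details page, and flags addresses that share one public key, which the console refuses to add by default (the Duplicate SSH Public Keys setting described at the end of this section). The sample hosts and key are constructed; the handling of hashed entries and comma-separated "name,ip" addresses follows the OpenSSH known_hosts format, which this example assumes the console's import accepts.

```python
"""Validate a host import file for the management console: either a .txt list
(one IP address or DNS name per line) or a known_hosts file ("address
algorithm hostKey", one entry per line). Added example, not Quest code. It
computes OpenSSH-style SHA256 fingerprints and flags addresses that share one
public key, which the console rejects unless Duplicate SSH Public Keys is on."""
import base64
import hashlib
import re
from collections import defaultdict

ADDRESS_RE = re.compile(r"^[A-Za-z0-9._:\[\]-]+$")   # host name, IP or [host]:port
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")                 # OpenSSH key type prefixes

def fingerprint(b64_key):
    """OpenSSH 'SHA256:...' fingerprint: sha256 of the decoded key blob, base64 unpadded."""
    blob = base64.b64decode(b64_key, validate=True)  # raises ValueError on bad input
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_import_file(text):
    """Return (entries, problems). entries: dicts with address/algorithm/key/fingerprint
    (the last three None for plain .txt lines); problems: (line number, reason)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 1 and ADDRESS_RE.match(fields[0]):
            entries.append({"address": fields[0], "algorithm": None, "key": None, "fingerprint": None})
        elif len(fields) >= 3 and fields[1].startswith(KEY_TYPES):
            if fields[0].startswith("|1|"):  # hashed known_hosts entry: no usable address
                problems.append((lineno, "hashed known_hosts address cannot be imported"))
                continue
            try:
                fp = fingerprint(fields[2])
            except ValueError:
                problems.append((lineno, "host key is not valid base64"))
                continue
            # known_hosts may list "name,ip"; the console connects to the first value
            entries.append({"address": fields[0].split(",")[0], "algorithm": fields[1],
                            "key": fields[2], "fingerprint": fp})
        else:
            problems.append((lineno, "unrecognised line"))
    return entries, problems

def duplicate_keys(entries):
    """fingerprint -> addresses, for public keys shared by more than one address."""
    by_fp = defaultdict(list)
    for entry in entries:
        if entry["fingerprint"]:
            by_fp[entry["fingerprint"]].append(entry["address"])
    return {fp: addrs for fp, addrs in by_fp.items() if len(addrs) > 1}

# Constructed sample data (not real hosts or keys): an ed25519 key blob built in code.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = base64.b64encode(_BLOB).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts file",
    f"web01.example.com,10.0.0.5 ssh-ed25519 {SAMPLE_KEY}",
    f"web01-alias.example.com ssh-ed25519 {SAMPLE_KEY}",   # same key: an alias of web01
    "|1|hashedsalt=|hashedhost= ssh-rsa AAAAB3NzaC1yc2E=",
    "db01.example.com ssh-rsa not*valid*base64",
])
SAMPLE_TXT = "10.0.0.7\nhost02.example.com\n\nnot a host name\n"

if __name__ == "__main__":
    for label, text in (("known_hosts", SAMPLE_KNOWN_HOSTS), (".txt", SAMPLE_TXT)):
        entries, problems = parse_import_file(text)
        print(f"{label}: {len(entries)} host(s), {len(problems)} problem line(s)")
        for entry in entries:
            print("  ", entry["address"], entry["fingerprint"] or "(no key)")
        for lineno, reason in problems:
            print(f"   line {lineno}: {reason}")
        for fp, addrs in duplicate_keys(entries).items():
            print(f"   duplicate key {fp} shared by {addrs}")
```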


By default, Quest Identity Manager for Unix prevents you from adding hosts with the same SSH public key to the management console. This is to ensure uniqueness of hosts since a host can have more than one resolvable DNS name and multiple IP addresses. There should only be one public key returned for whichever DNS name or IP address is used to access the host. However, if you want to allow hosts with the same SSH key to be added to the management console, you can enable the Duplicate SSH Public Keys setting on the General page of the System Settings dialog, which is accessed in the Preferences menu.

Profile Automatically

To keep the Quest Identity Manager for Unix database up to date with accurate information about users and groups, you can configure the management console to profile hosts automatically.

Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.

The cron job detects changes to the following:

• local users, groups, or shells
• installed QAS or Privilege Manager for Sudo software
• QAS access control lists
• QAS mapped user information
• Privilege Manager for Sudo configuration
• QAS configuration
• Privilege Manager for Sudo licenses

The cron job also sends a heartbeat every day at midnight. This updates the Last profiled date displayed on the host properties page. If the Last profiled date is more than 24 hours old, the host icon changes to indicate this.

Note: Automatic Profile does not detect QAS product license changes. Any time there is a change to QAS licensing, click the Check for licenses button in the Authentication Services page of System Settings to refresh the license information in the management console. (See Check for QAS Licenses in the management console online Help for details.)

To configure automatic profiling

1. Select one or more hosts on the All Hosts tab, open the Profile menu from the Prepare panel of the tool bar, andchoose Profile Automatically...

Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turnedoff.

2. In the Profile Automatically page, select the Profile the host automatically option.
3. Choose the user account you want to use for profiling, either:

• Create a Quest user service account on the host

-OR-

• Use an existing user account (user must exist on all selected hosts)

(Click Select to browse for a user.)

4. Click OK on the Profile Automatically page.

When you auto-profile a host, if you choose to create the Quest user service account on the host, the management console:

1. creates "questusr", the Quest Service User account, and a corresponding "questgrp" group on the host that the management console uses for automatic profiling.

2. adds questusr as an implicit member of questgrp.


Then, whether you choose to create the Quest user service account or use an existing user account, the management console:

3. adds the user account (the "questusr" or your existing user account) to the cron.allow file.
4. adds the auto-profile SSH key to that user's authorized_keys file.

The authorized_keys file for "questusr" is at /var/opt/quest/home/questusr/.ssh/authorized_keys.

Note:

The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.

If questusr is inadvertently deleted, the console turns 'Auto-profiling' off. To recreate the "questusr" account:

1. Re-profile the host.
2. Configure the host for automatic profiling again.

5. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

Note: This task requires elevated credentials.

If you select multiple hosts, you are asked whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

a) If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to the selected host(s) and click OK.

b) If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

To disable automatic profiling

1. Select one or more hosts on the All Hosts tab and choose Profile Automatically...
2. Clear the Profile the host automatically option and click OK.
3. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

When you disable auto-profiling for a host, the management console:

1. leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they were previously created.
2. leaves questusr as an implicit member of questgrp, if it exists.
3. removes the user account (the "questusr" or your existing user account) from the cron.allow file.
4. removes the auto-profile SSH key from that user's authorized_keys file.

Check Readiness

Once you add and profile hosts, Quest Identity Manager for Unix allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.

To check host(s) for Active Directory Readiness


1. Select one or more hosts on the All Hosts page of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.

2. In the Check AD Readiness page, enter the Active Directory domain to use for the readiness check.
3. Enter Active Directory user credentials, and click OK.
4. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

a) If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to the selected host(s) and click OK.

b) If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered.

Install Software on Host(s)

Once you have successfully added and profiled one or more hosts, you can remotely deploy software products to them from the management console.

To install software on host(s)

1. Select one or more profiled hosts on the All Hosts page and click the Install Software tool bar button.
2. On the Install Software page, select the software products you want to install and click OK.

• Quest Privilege Manager Plugin for Sudo
• Quest Authentication Services Agent (required)
• Quest Authentication Services for Group Policy (required)
• Quest Authentication Services for NIS (optional)
• Quest Authentication Services for LDAP (optional)
• Dynamic DNS Updater (optional)
• Quest Defender Pam Module (optional)

Note: If you do not see all of these software packages, verify that the path to the software packages is correctly set in System Settings. (See Set the Client Software Location on the Server in the management console online Help for more information.)

3. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

Note: To install Quest Authentication Services software packages, you must have elevated privileges on the host and in Active Directory with rights to install software and configure the join to Active Directory.

If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

a) If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to the selected host(s) and click OK.

b) If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

A progress bar and the final status of the task(s) display in the Task Progress pane on the All Hosts page, including any errors encountered.


Chapter 4

Getting Started with QAS

Once you have successfully installed QAS you will want to learn how to do some basic system administration tasks using the QAS Control Center and Quest Identity Manager for Unix.

Topics:

• Getting Acquainted with the QAS Control Center

• Learning the Basics


Getting Acquainted with the QAS Control Center

Quest Authentication Services consists of plug-ins, extensions, security modules and utilities spread across nearly every operating system imaginable. The QAS Control Center pulls those parts together and provides a single place for you to find the information and resources you need.

Control Center installs on Windows and is a great starting place for new users to get comfortable with some of Authentication Services' capabilities.

You can launch the QAS Control Center from the Start menu or by double-clicking the desktop icon, or

Table 8: Quest Authentication Services Control Center

Control Center Section | Description

Home
  The "Introduction" section contains information about what's new in Authentication Services 4.0.
  The "Get Started with QAS" sections provide the steps needed to authenticate an Active Directory user to a Unix system using the Quest Authentication Services' web-based administration console, Quest Identity Manager for Unix.
  The "How Do I..." section provides additional information about tools and features to solve common tasks with Quest Authentication Services.

Management Console
  You can run the new management console (Quest Identity Manager for Unix) within the QAS Control Center or you can run it separately in a supported web browser. The console is a separate install that you can launch from the ISO. You can install it on Windows, Unix, Linux, or Mac. Typically you install one management console per environment to avoid redundancy. Quest does not advise managing a Unix host by more than one management console, in order to avoid redundancy and inconsistencies in stored information. If you manage the same Unix host by more than one management console, you should always re-profile that host to minimize inconsistencies that may occur between instances of the management console.

Group Policy
  Provides the ability to search Active Directory Group Policy Objects that have Unix and Mac settings defined. Also provides links to edit these GPOs and run reports that show the detailed settings of the Group Policy Objects.

Tools
  Contains links to tools and resources additionally available with Quest Authentication Services; a great starting place for anyone new to the product.

Preferences
  Centrally manage the default values generated by the various Authentication Services management tools, including the ADUC snap-in, the PowerShell cmdlets, and the Unix command-line tools (for example /opt/quest/bin/vastool).

Log into remote host
  A simple SSH client (built on PuTTY) for remote access to Unix systems; saves new installs from having to find and install a separate PuTTY client.

To run QAS Control Center you must be logged in as a domain user. To make changes to global settings you must have rights in Active Directory to create, delete, and modify objects in the QAS configuration area of Active Directory.


Management Console

Quest Identity Manager for Unix allows you to centrally manage Quest Authentication Services agents running on Unix, Linux and Mac OS X systems.

With the management console you can:

• Remotely deploy the QAS agent software.
• Manage local user and group accounts.
• Configure account mappings from local users to Active Directory accounts.
• Report on a variety of security and host access related information.

You can install the management console on any operating system. Once installed, you can access it from a browser using the default port of 9443 or from the QAS Control Center.

Group Policy

Microsoft Group Policy provides excellent policy-based configuration management tools for Windows. QAS Group Policy enables you to manage Unix resources in much the same way. QAS Group Policy allows you to consolidate configuration management tasks by using the Group Policy functionality of Microsoft Windows Server to manage Unix operating systems and Unix application settings.

To open QAS Group Policy, click Group Policy on the left navigation panel of the QAS Control Center.

Filter Options

To filter the list of GPOs

1. Expand the Filter Options section.
2. Enter all or part of a name to filter the list of GPOs.
3. Open the Domain drop-down menu to choose a domain.
4. Select the Unix Settings or Mac Settings List Only options to further filter the GPO list.

If you select both options, only the GPOs configured for both Unix and Mac display.

Edit GPO

To edit a group policy object

From the Group Policy window, select a GPO in the list and click Edit GPO... from the Actions menu. The Group Policy Object Editor opens for the selected GPO.

Note: For more information about Group Policies, refer to the QAS Administrator's Guide, located on the QAS Control Center Tools page in the Documentation section, or in the docs directory of the installation media.

Settings Report

A settings report displays all of the Quest Authentication Services group policy object settings that apply to Unix or Mac systems.

To generate a Unix settings report

From the Group Policy window, select a GPO Name and click Settings Report... from the Actions menu.

An HTML report of the currently configured Unix and Mac settings displays.


Note: You can select multiple GPOs to run several reports simultaneously.

Show Files

To open the Windows Explorer

From the Group Policy window, select a GPO in the list and click Show Files... from the Actions menu. Windows Explorer opens and displays the Group Policy Templates for the selected GPO.

Launch GPMC

Note: Microsoft does not support Group Policy Management Console (GPMC) on 64-bit platforms of Windows; thus, Quest does not support managing group policies through the QAS Control Center on Windows 2003 64-bit, Windows 2003 R2 64-bit, and XP 64-bit platforms. (See Group Policy Management Console with Service Pack 1 for more information.)

To launch the Group Policy Management Console

From the Group Policy window, click Launch GPMC... from the Actions menu.

Tools

The Tools link on the QAS Control Center gives you access to

• Quest Authentication Services

Direct links to installed applications and tools related to Quest Authentication Services.

• Additional Quest Products

Direct links to other Quest product plug ins.

Note: The Additional Quest Products link is only available if you have installed other Quest products such as Quest Defender, Authentication Services for Smart Cards, or ActiveRoles Server.

• Other Tools

Direct links to tools related to Quest Authentication Services.

Note: The Other Tools link is only available if you have installed the Group Policy Management Console.

• Documentation

Direct links to Quest Authentication Services documentation.

Preferences

Quest Authentication Services stores certain preferences and settings in Active Directory. This information is used by QAS clients and management tools so that behavior remains consistent across all platforms and tools. The Preferences window allows you to configure these settings and preferences.

Licensing

The Licensing section of the Preferences window in the QAS Control Center displays a list of installed license files. You can add and remove license files at any time. The license files are stored in Active Directory, and QAS Unix hosts automatically download and apply new license files from Active Directory.

(Refer to Licensing QAS on page 12 for more information about licensing requirements.)


Note: If you are running Quest Identity Manager for Unix with a licensed version of QAS, any time you make a change to the QAS licensing, navigate to the Preferences | System Settings | Authentication Services page in the management console and click the Check for licenses button to refresh the product license information in Quest Identity Manager for Unix.

To Add Licenses Using the Control Center

1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand the Licensing section.

The list box displays all licenses currently installed in Active Directory.

3. Click Add a license... from the Actions menu.
4. Browse for the license file and click Open.

The license appears in the list box.

Note: Unix hosts check for new licenses when the host is joined to the domain or every 24 hours by default. This can be changed by modifying the configuration-refresh-interval setting in vas.conf.

To remove a license, select it and click Remove license.

To restore a removed license, click Undo Remove.

Global Unix Options

The Global Unix Options section displays the currently configured options for Unix-enabling users and groups.

Click Modify Global Options... to change these settings.

Note: QAS uses the Global Unix Options when enabling users and groups for Unix log in.

Table 9: Unix User Defaults

Option | Description
Require unique user login names | Select to require a unique user login name attribute within the forest.
Require unique UID on users | Select to require a unique Unix user ID (UID) number within the forest.
Minimum UID Number | Enter a minimum value for the Unix User ID (UID) number. Typically you set this to a value higher than the highest UID among local Unix users to avoid conflicts between users in Active Directory and local user accounts.
Maximum UID Number | Enter a maximum value for the Unix User ID (UID) number. Typically you would not change this value unless you have a legacy Unix platform that does not support the full 32-bit integer range for UID number.
Primary GID Number | Enter the default value for the Primary GID number when Unix-enabling a user.
Set primary GID to UID | Select to set the primary GID number to the User ID number.
Default Comments (GECOS) | Enter any text in this box.
Login Shell | Enter the default value for the login shell used when Unix-enabling a user.
Home Directory | Enter the default prefix used when generating the home directory attribute when Unix-enabling a user. The default value is /home/; use a different value if your Unix user home directories are stored in another location on the file system. QAS uses the user's effective Unix name when generating the full home directory path.
Use lowercase user name for home directory | Select to use a lower-case representation of the user's effective Unix name when generating the full home directory path as a user is Unix-enabled.

Table 10: Unix Group Defaults

Option | Description
Require unique Group Names | Select to require a unique Unix group name attribute within the forest.
Require unique GID Number | Select to require a unique Unix Group ID (GID) attribute within the forest.
Minimum GID Number | Enter the minimum value for the Unix Group ID (GID). Typically this is set to a value higher than the highest GID among local Unix groups to avoid conflicts between groups in Active Directory and local group accounts.
Maximum GID Number | Enter the maximum value for the Unix Group ID (GID). Typically you would not change this value unless you have a legacy Unix platform that does not support the full 32-bit integer range for GID.

Table 11: Unique IDs

Option: Generate based on. These sub-options control the algorithm used to generate unique user and group IDs:

Sub-Option | Description
Object GUID Hash | An ID generated from a hash of the user or group object GUID attribute. This is a fast way to generate an ID which is usually unique. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.
Samba Algorithm | An ID generated from the SID of the domain and the RID of the user or group object. This method works well when there are few domains in the forest. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.
Legacy Search Algorithm | An ID generated by searching for existing ID values in the forest. This method generates an ID that is not currently in use.

Modifications you make to these Global Unix Options take effect after you restart the Microsoft Management Console (MMC).

Note: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the twomethods can lead to ID conflicts.
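The following script is an added example for this guide, not QAS code. It shows what the Global Unix Options (Tables 9 and 10) and the three Unique ID strategies (Table 11) produce when a user is Unix-enabled, including the conflict rule under which a generated value that is already in use is replaced by a forest search. The guide does not give the exact hash or Samba formulas, so two details are assumptions modelled on the descriptions: the GUID hash is SHA-256 of the objectGUID bytes folded into the configured UID range, and the Samba-style value is base plus RID (the last component of the SID), as Samba's idmap_rid does. The set of UIDs already in use stands in for the forest search and is constructed for the example.

```python
"""Unix-enable defaults and Unique ID generation per Tables 9 to 11.
Added example, not QAS code; hash and RID formulas are assumptions."""
import hashlib
import uuid
from dataclasses import dataclass


@dataclass
class GlobalUnixOptions:
    min_uid: int = 10000            # above the highest local UID, per the guide
    max_uid: int = 2**31 - 1
    primary_gid: int = 10000
    set_primary_gid_to_uid: bool = False
    login_shell: str = "/bin/bash"
    home_prefix: str = "/home/"
    lowercase_home: bool = True


FOREST_UIDS = {10000, 10001, 10002, 10500}   # constructed: IDs already assigned


def guid_hash_id(object_guid, opts):
    """Object GUID Hash: fast, deterministic, usually unique, no search needed."""
    span = opts.max_uid - opts.min_uid + 1
    h = int.from_bytes(hashlib.sha256(uuid.UUID(object_guid).bytes).digest()[:8], "big")
    return opts.min_uid + h % span


def samba_id(object_sid, opts, base=None):
    """Samba Algorithm (assumed idmap_rid style): RID offset from a base.
    Every domain has its own RID 500, 1000, ... so several domains sharing
    one base collide often; that is why the guide recommends it for forests
    with few domains."""
    rid = int(object_sid.rsplit("-", 1)[1])
    return (opts.min_uid if base is None else base) + rid


def legacy_search_id(in_use, opts):
    """Legacy Search Algorithm: lowest in-range ID not in use in the forest."""
    uid = opts.min_uid
    while uid in in_use:
        uid += 1
    if uid > opts.max_uid:
        raise RuntimeError("UID range exhausted")
    return uid


def allocate(candidate, in_use, opts):
    """Conflict rule from Table 11: keep the generated value unless it is
    taken or out of range, in which case re-generate by searching the forest."""
    if opts.min_uid <= candidate <= opts.max_uid and candidate not in in_use:
        return candidate
    return legacy_search_id(in_use, opts)


def unix_enable(sam_account, object_guid, object_sid, in_use, opts, method="guid"):
    """Attributes a newly Unix-enabled user receives.  Records the UID as in
    use so the next allocation in this session cannot collide with it."""
    if method == "guid":
        uid = allocate(guid_hash_id(object_guid, opts), in_use, opts)
    elif method == "samba":
        uid = allocate(samba_id(object_sid, opts), in_use, opts)
    elif method == "legacy":
        uid = legacy_search_id(in_use, opts)
    else:
        raise ValueError(f"unknown method {method!r}")
    in_use.add(uid)
    name = sam_account.lower() if opts.lowercase_home else sam_account
    return {
        "uidNumber": uid,
        "gidNumber": uid if opts.set_primary_gid_to_uid else opts.primary_gid,
        "unixHomeDirectory": opts.home_prefix + name,
        "loginShell": opts.login_shell,
    }


if __name__ == "__main__":
    opts, in_use = GlobalUnixOptions(), set(FOREST_UIDS)
    for method in ("guid", "samba", "legacy"):
        print(method, unix_enable("ADuser", "6f5a4b3c-1d2e-4f50-8a9b-0c1d2e3f4a5b",
                                  "S-1-5-21-1111-2222-3333-1105", in_use, opts, method))
```

The note that follows about not mixing generated and manually set IDs is visible in allocate(): a manually chosen UID is invisible to the hash and Samba generators until the forest search finds it, so the collision is only caught if the Require unique UID option is on and the search actually runs.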


Logging Options

The Logging Options section allows you to enable logging for all Quest Authentication Services Windows components. This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particular problem. Because logging causes components to run slower and use more disk space, set the Log Level to Disabled when you are finished troubleshooting.

Enable Debug Logging on Windows

To enable debug logging for all Quest Authentication Services Windows components

1. Open QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Logging Options section.
3. Open the Log level drop-down menu and set the log level to Debug.

Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabled to disable logging.

4. Specify a folder location where you want to write the log files.

Quest Authentication Services Windows components log information into the specified log folder the next time they are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.

Custom Unix Attributes

The Unix schema attributes are fully customizable in Quest Authentication Services. The Custom Unix Attributes section allows you to see which LDAP attributes are mapped to Unix attributes. You can modify this mapping to enable QAS to work with any schema configuration. To customize the mapping, you select a schema template or specify your own custom attributes. A schema template is a pre-defined set of common mappings which adhere to common schema extensions for storing Unix data in Active Directory. QAS supports the following schema templates if the required schema is installed:

Table 12: Unix Schema Attributes

Schema Template | Description
Schemaless | A template that encodes Unix attribute data in an existing multi-valued attribute.
Windows 2003 R2 | A template that uses attributes from the Windows 2003 R2 schema extension.
Services for Unix 2.0 | A template that uses attributes from the SFU 2.0 schema extension.
Services for Unix 3.0 | A template that uses attributes from the SFU 3.0 schema extension.

Note: It is a best practice to use a schema designed for storing Unix data in Active Directory whenever possible. Schemas designed for storing Unix data in Active Directory include Windows 2003 R2, SFU 2, and SFU 3. Only use "schemaless" or custom mappings if it is impossible to make schema extensions in your environment.

Active Directory Schema Extensions

Quest Authentication Services stores Unix identity and login information in Active Directory. Quest designed QAS to provide support for the following standard Active Directory schema extensions:

Table 13: Active Directory Schema Extensions

Schema Extension | Description
Windows 2003 R2 Schema | This schema extension is provided by Microsoft and adds support for the PosixAccount auxiliary class, used to store Unix attributes on user and group objects.
Services for Unix 2.0 | Microsoft provides this schema extension with the Services for Unix 2.0 set of tools. It adds custom attributes to user and group objects, used to store Unix account information.
Services for Unix 3.0 | Microsoft provides this schema extension with the Services for Unix 3.0 set of tools. It adds custom attributes to user and group objects, used to store Unix account information.

It is possible to customize the schema setup to work with any schema configuration with QAS. No schema extensions are necessary with the new "schemaless" storage feature. When you configure QAS for the first time, QAS attempts to auto-detect the best schema configuration for your environment. The schema configuration is a global application setting that applies to all QAS management tools and Unix agents. You can change the detected settings at any time using QAS Control Center.

Configure a Custom Schema Mapping

If you do not have a schema that supports Unix data storage in Active Directory, you can configure QAS to use existing, unused attributes of users and groups to store Unix information in Active Directory.

To configure a custom schema mapping

1. Open the QAS Control Center and click Preferences on the left navigation panel.
2. Expand Custom Unix Attributes.
3. Click Customize....
4. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes except User ID Number, User Primary Group ID and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, the border turns red, indicating that the LDAP attribute is invalid.

Note:

When customizing the schema mapping, ensure that the attributes used for User ID Number and Group ID Number are indexed and replicated to the global catalog.

See Active Directory Optimization (Best Practice) in the QAS Control Center online help for details.

5. Click OK to validate and save the specified mappings in Active Directory.

Active Directory Optimization

Indexing certain attributes used by the Quest Authentication Services Unix agent can have a dramatic effect on the performance and scalability of your Unix and Active Directory integration project. The Custom Unix Attributes panel in the Preferences section of QAS Control Center displays a warning if the Active Directory configuration is not optimized according to best practices.

Quest recommends, as a best practice, indexing the following attributes in Active Directory. Note: LDAP display names vary depending on your Unix attribute mappings.

• User UID Number
• User Unix Name
• Group GID Number
• Group Unix Name

It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active Directory lookups that need to be performed by QAS Unix agents.

Click the Optimize Schema link to run a script that updates these attributes as necessary.

Note: The Optimize Schema option is only available if you have not yet optimized the Unix schema attributes defined for use in Active Directory.


This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, the Control Center generates a schema optimization script instead. You can send the script to an Active Directory administrator who has rights to make the necessary changes.

All schema optimizations are reversible and no schema extensions are applied in the process.

Learning the Basics

The topics in this section help you learn how to do some basic system administration tasks using the new QAS Control Center and Quest Identity Manager for Unix.

Note:

The exercises in this section assume that you have successfully installed Quest Authentication Services and Quest Identity Manager for Unix and have added a host to the console and joined it to Active Directory. (See Prepare Unix Hosts on page 28.)

The topics in this section show you how to create the following test user and group accounts used in various examples:

• A local group called "localgroup"
• A local user called "localuser"
• An Active Directory group object called "UNIXusers"
• An Active Directory user object called "ADuser"

Quest recommends that you work through the topics in this section in order, as a self-directed "test drive" of some of the key product features. You will learn how easy it is to manage your users and groups from the management console.

Add a Local Group Account

Note: This topic instructs you to set up a local group by the name of "localgroup", referred to by other examples in this guide.

To add a local group to the host

1. From the All Hosts tab, double-click a host name to open its property page.
2. Select the Groups tab and click Add Group.
3. In the Add New Group dialog, enter localgroup as a local group name in the Group Name box and click Add Group.
4. In the Log on to Host dialog, enter your credentials and click OK.

Note: This task requires elevated credentials. Credential information is entered by default from the cache.

The new local group account is added to the system and management console.

Add Local User Account

Note: This topic instructs you to set up a local user by the name of "localuser", referred to by other examples in this guide.

To add a local user account

1. Select the Users tab from the host properties page and click Add User.


2. In the Add New User page:
a) Enter localuser as a new local user name in the User name box.
b) Click the browse button next to the Primary group box to find and select the localgroup account you set up in Add a Local Group Account on page 43. You can also use the navigation buttons at the bottom of the list to find and select a group.

c) Enter and re-enter a password of your choice and click Add User to add this new local user.

3. On the Log on to Host page, enter your credentials to log onto the host and click OK.

Note: This task requires elevated credentials. The management console enters this information by default from the cache.

The new local user account is added to the system and management console.

At this point the new local user is valid for local authentication with the password you just set.

Add an Active Directory Group Account

Quest Authentication Services provides additional tools to help you manage different aspects of migrating Unix hosts into an Active Directory environment. Links to these tools are available from Tools in the QAS Control Center.

Note: This topic instructs you to set up an Active Directory group by the name of "UNIXusers", referred to by other examples in this guide.

To create a new group in Active Directory

1. From the QAS Control Center Welcome page, navigate to Tools and click the link for QAS Extensions for Active Directory Users and Computers. The Active Directory Users and Computers console opens.

Note: Windows Vista/Windows 7: You must have the Remote Server Administration Tools installed and enabled.

Note: Windows 2003/Windows XP: You must have the Windows 2003 Server Administration Tools installed.

2. Expand the domain folder and select the Users folder.
3. Click the New Group button. The New Object - Group dialog opens.
4. Enter UNIXusers in the Group name box and click OK.

Add an Active Directory User Account

Note: This topic instructs you to set up an Active Directory user by the name of "ADuser", referred to by other examples in this guide.

To create an Active Directory user account

1. From the QAS Control Center Welcome page, navigate to Tools and click the link for QAS Extensions for Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, select the Users folder and click the New User button.
3. On the New Object - User page, enter information to define a new user named ADuser and click Next.

The New Object - User wizard guides you through the user setup process.

4. When you enter a password, deselect the User must change password at next logon option, before you click Next.


5. Click Finish.
6. Double-click ADuser, your new Active Directory user account, to open its Properties.
7. Select the Member Of tab and click Add.
8. Add UNIXusers to the Member of list of this Active Directory user account and click OK.

Note: To set up the Active Directory group account, see Add an Active Directory Group Account on page 44.

9. Close Active Directory Users and Computers and return to the management console.

Change the Default Unix Attributes

You can modify the Unix attributes that are generated by default when users are Unix-enabled. To change the Login Shell you must have rights to create and delete child objects in the QAS application configuration in Active Directory.

To change the default Unix attributes

1. Click the Preferences navigation button on the left panel of the QAS Control Center.

2. Expand Global Unix Options.

The window displays the current settings for Unix-enabling users, groups and the method used for creating unique IDs.

3. Click Modify Global Unix Options… on the right side of the window.

The Modify Global Options dialog opens.

4. Change the Login Shell to /bin/bash and click OK.

The defaults are saved to Active Directory.

Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, or the Unix command line, the login shell defaults to /bin/bash. You can customize the other Unix defaults similarly.

Active Directory Account Administration

The topics that follow show you how to perform Active Directory account administration from the Quest Identity Manager for Unix.

Enable Local User for AD Authentication

This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user. Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantage of the benefits of Active Directory security and access control.

To enable a local user for Active Directory authentication

1. From the QAS Control Center, open the Management Console.

2. In the management console, navigate to the Hosts | All Hosts tab.

3. Double-click a host to open its properties page.

4. From a host's property page, select the Users tab and double-click the localuser account to open its Properties page.

Note: To set up this local user account, see Add Local User Account on page 43.

5. On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.

6. On the Select AD User page, click the Search button to populate the list of Active Directory users, select the ADuser account, and click OK.


Note: To set up this Active Directory user, see Add an Active Directory User Account on page 44.

7. On the localuser's properties page, click OK.

8. On the Log on to Host page, verify your credentials to log onto the host and click OK.

You have now "mapped" a local user to an Active Directory user. In the AD User column, the management console indicates that the local user account requires an Active Directory password to log onto the host.

You can also map multiple Unix users to a single Active Directory account using the Require AD Logon pane on the All Local Users page. Every local user mapped this way authenticates with the same Active Directory password, so use this only where shared credentials are acceptable.

To assign (or "map") a Unix user to an Active Directory user

1. From the All Local Users tab, select one or more local Unix users.

2. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

(Click the Directory button to search in a specific folder.)

3. Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.

4. On the Log on to Host page, verify your credentials to log onto the host and click OK.

Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix user displays in the AD User column of the All Local Users page.

Test the Mapped User Login

Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are "mapped".

To test the mapped user login

1. From the QAS Control Center, under "Login to remote host", enter:

• the Unix host name in the Host name box
• the local user name, localuser, in the User name box

and click Login to log onto the Unix host with your local user account.

2. If the PuTTY Security Alert page opens, click Yes to accept the new key (compare the fingerprint shown with the host's known SSH key before accepting it).

3. Enter the password for ADuser, the Active Directory user account you mapped to localuser when you selected the Require an AD Password to logon to Host option on the user's property page.

4. At the command line prompt, enter id to view the Unix account information.

5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.

6. Enter exit to close the command shell.

You just learned how to manage local users and groups from the Quest Identity Manager for Unix by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password for the Active Directory user account to whom you are "mapped".


Unix-Enable a Group

To Unix-enable an Active Directory group

1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Groups.

2. Enter UNIX in the Search by name box and press Enter.

3. Double-click the UNIXusers group to open its properties.

Note: To set up this Active Directory group account, see Add an Active Directory Group Account on page 44.

4. On the Unix Account tab, select the Unix-enabled option and click OK.

Unix-Enable a User

To Unix-enable an Active Directory user

1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Users.

2. Click in the Search by name box and press Enter to list all Active Directory users, or enter a portion of the ADuser log on name in the Search by name box and press Enter.

3. Double-click ADuser, the Active Directory user name, to open its Property page.

Note: To set up this Active Directory user account, see Add an Active Directory User Account on page 44.

4. On the Unix Account tab, select the Unix-enabled option.

This populates the Properties page with default Unix attribute values.

5. Make other modifications to these settings, if necessary, and click OK to Unix-enable the user.

Note: PowerShell exposes additional settings that validate entries for the GECOS, Home Directory, and Login Shell attributes. Refer to Use QAS PowerShell on page 55 to learn more about that.

Once the user is Unix-enabled, you can log on to the host with that Active Directory user's log on name and password.

Test the Active Directory User Login

Now that you have Unix-enabled an Active Directory user, you can log into a local Unix host using your Active Directory user name and password.

To test the Active Directory login

1. From the QAS Control Center, under "Login to remote host", enter:

• the Unix host name in the Host name box
• the Active Directory user name, ADuser, in the User name box

and click Login to log onto the Unix host with your Active Directory user account.

2. Enter the password for the Active Directory user account.

3. At the command line prompt, enter id to view the Unix account information.

4. After a successful log in, verify that the user obtained a Kerberos ticket by entering:

/opt/quest/bin/vastool klist

The vastool klist command lists the Kerberos tickets stored in the user's credentials cache. A ticket-granting ticket for ADuser confirms that the session holds the Active Directory user's Kerberos credentials rather than a purely local authentication.


5. Enter exit to close the command shell.

You just learned how to manage Active Directory users and groups from the Quest Identity Manager for Unix by Unix-enabling an Active Directory group and user account. You tested this out by logging into the Unix host with your Active Directory user name and password. Optionally, you can expand on this tutorial by creating and Unix-enabling additional Active Directory users and groups and by testing different Active Directory settings such as account disabled and password expired, to confirm that the QAS agent enforces Active Directory account state at Unix logon.

Run Reports

QAS allows you to run various reports to capture key information about your Unix hosts and the Active Directory domains joined to these hosts.

To run reports

1. From the management console, click the Reporting tab.

2. From the Reports tab, expand the report group names to view the available reports, if necessary.

• Host Reports

Unix host information gathered during the profiling process

• User Reports

Local and Active Directory Unix user information

• Group Reports

Local and Active Directory Unix group information

• Access & Privileges Reports

User access information

3. Use one of the following methods to select a report to run:

• Double-click a report name in the list (such as the Unix Host Profiles report).
• Right-click a report name and select Run report.
• Click the report icon next to a report.

The selected report name opens a new tab which describes the report and provides some report parameters you can select or deselect to add or exclude details on the report.

4. Optionally deselect parameters to exclude information from the report.

5. Open the Generate report as drop-down menu and select the format you want to use for the report: HTML (default), PDF, or CSV.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, Quest recommends that you increase the JVM memory. (See Tune JVM Memory to Resolve Reporting Issues in the management console online help for details.)

The report opens in a new browser or application window in the selected format.

Quest Identity Manager for Unix report names and descriptions

The management console provides comprehensive reporting which includes reports that can help you plan your deployment, consolidate Unix identity, secure your hosts and troubleshoot your identity infrastructure. The following table lists the reports that are available in Quest Identity Manager for Unix.


Note:

Report availability depends on several factors:

• User Log-on Credentials: While some reports are available when you are logged in as supervisor, there are some reports that are only available when you are logged on as an Active Directory user. (See Configure the Console for Active Directory in the management console online Help for more information.)

• Roles and Permissions: Reports are hidden if they are not applicable to the user's role. (See Roles and Permissions in the management console online Help for more information.)

• Licensing: Some reports are not available if there is no license for the respective product. For example, if you do not have a Quest One Privilege Manager for Sudo license, then the sudo-related reports are not available.

Table 14: Reports

Host Reports

Report: Unix Computers in AD

Returns all Unix computers in Active Directory in the requested scope.

By default, this report is generated using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Report: Unix Host Migration Planning

Provides a snapshot of the readiness of each host. This report is best used for planning and monitoring the readiness of each host to track the progress of migration projects. The basic report includes the following information:

• Total number of hosts
• Total number, percentage and names of the hosts ready to join
• Total number, percentage and names of the hosts ready to join with advisories
• Total number, percentage and names of the hosts not ready to join
• Total number of hosts not checked for AD readiness

Use the following report parameters to define the details to include in the report:

• Joined to AD
• Ready to Join AD
• Ready to Join AD with Warnings
• Not Ready to Join AD
• Not Checked for Readiness

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Report: Unix Host Profiles

Summarizes information gathered during the profiling process of each managed host. This report includes the following information:

• Total number of hosts included in the report
• Host Name, IP Address, OS, Hardware


• Sudo version number

Use the following report parameters to define the details to include for each host:

• QAS Properties
• Local Users
• Local Groups
• Host SSH Keys

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

User Reports

Report: AD User Conflicts

Returns all users with Unix User ID numbers (UID numbers) assigned to other Unix- or Linux-enabled user accounts.

By default, it generates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Report: Local Unix User Conflicts

Identifies local user accounts that would conflict with a specified user name and UID on other hosts. You can use this report for planning user consolidation across your hosts. This report includes the following information:

• Host Name, DNS Name or IP Address where a conflict would occur
• User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory and Login Shell for each host where conflicts exist

Use the following report parameters to define the user name and UID number that would cause a conflict with existing local user accounts:

• User Name is
• UID Number is

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Report: Local Unix Users

Lists all users on all hosts, or lists the hosts where a specific user account exists in /etc/passwd. This report includes the following information:

• Host Name, DNS Name or IP Address where the user exists
• User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory, and Login Shell for each host where the user exists

If you do not define a specific user, it includes all local users on each profiled host in the report.

To locate a specific user, use the following report parameters:

• User Name contains
• UID Number is


• Primary GID Number is
• Comment (GECOS) contains
• Home Directory contains
• Login Shell contains

Note: When you specify multiple report parameters, it uses the AND expression; therefore, ALL of the selected parameters must be met in order to locate the user account.

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Report: Local Unix Users with AD Logon

Identifies the local user accounts that are required to use Active Directory credentials to log onto the Unix hosts. This report includes the following information for hosts that are joined to an Active Directory domain:

• Host Name, DNS Name or IP Address of hosts where users exist that are required to log on using their AD credentials
• User Name, UID Number, Primary GID Number and Comment (GECOS) of the local user account
• The sAMAccountName of the Active Directory account that the local user account must use to log on

Note: This report only includes hosts joined to an Active Directory domain with a QAS 4.0 agent.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Report: Unix Enabled AD Users

Returns all Active Directory users that have Unix user attributes.

Note:

• A User object is considered to be 'Unix-enabled' if it has values for the UID Number, Primary GID Number, Home Directory and Login Shell.
• If Login Shell is /bin/false, the user is considered to be disabled for Unix or Linux logon.
• Account Disabled indicates whether the Active Directory User account is enabled or disabled.

By default, it generates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Group Reports

Report: AD Group Conflicts

Lists all Active Directory groups with Unix Group ID (GID) numbers assigned to other Unix-enabled groups.


By default, it generates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Report: Local Unix Groups

Identifies the hosts where a specific group exists in /etc/group. This report includes the following information:

• Host Name, DNS Name or IP Address where the group exists
• Group Name, GID Number and members for each host where the group exists

If you do not specify a group, it includes all local groups on each profiled host in the report.

To locate a specific group, use the following report parameters:

• Group Name contains
• GID Number is
• Member contains
• Include all group members in report

Note: The Member contains field accepts multiple entries separated by a comma. Spaces are taken literally in the search. For example, entering:

• adm,user searches for members whose name contains 'adm' or 'user'.
• adm, user searches for members whose name contains 'adm' or ' user' (with the leading space), so the second term only matches names that contain a space followed by 'user'.

Note: When you specify multiple report parameters (for example, Group Name contains, GID Number is, and Member contains), it uses the AND expression; therefore, ALL of the selected parameters must be met in order to locate a group.

In addition, it includes all of the group members in the report by default, but you can clear the Include all group members in report option.

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Report: Unix Enabled AD Groups

Returns all Active Directory groups that have Unix group attributes.

Note: A Group object is considered 'Unix-enabled' if it has a value for the GID Number.

By default, it generates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.


Access & Privileges Reports

Report: Access and Privileges by Host

Identifies all users with logon access to hosts and the commands the users in the group can run on the hosts. This report includes the following information:

• Total number of hosts where the group can log on
• List of hosts where the group can log on
• List of commands the users in the group can run on each host
• List of runas aliases for which the users in the group can run commands on each host
• List of commands the runas alias can run on each host

Use the following report parameters to specify the group to include in the report:

• A local group (default)
• An AD group

Browse to select a group.

Note: This report is available when you are logged on as the supervisor, or with a licensed version of Privilege Manager for Sudo when you are logged on as an Active Directory account in the Audit Sudo Policy role.

Report: Access and Privileges by User

Identifies the hosts where the selected user can log in, the commands that user can run on each host, and the "runas aliases" information for that user. This report includes the following information:

• Total number of hosts where the user can log on
• List of hosts where the user can log on
• List of commands the user can run on each host
• List of runas aliases for which the user can run commands on each host
• List of commands the runas alias can run on each host

Use the following report parameters to specify the user to include in the report:

• A local user (default)
• An AD user

Browse to select a user.

Note: This report is available when you are logged on as the supervisor, or with a licensed version of Privilege Manager for Sudo when you are logged on as an Active Directory account in the Audit Sudo Policy role.

Report: Commands Executed

Provides information about the commands executed by users on your hosts based on their privileges. This report allows you to search for commands that have been recorded as part of events or keystroke logs for a policy group and includes the following information:

• Command name
• User who executed the command
• Date and time the command was executed
• Host where the command was executed

Use the following report parameters to define the details in the report:


• Policy Group
• Command
• Host
• Date

Note: This report is available when you are logged on as the supervisor, or with a licensed version of Privilege Manager for Sudo when you are logged on as an Active Directory account in either the Manage Sudo Policy or the Audit Sudo Policy role.

Report: Console Access and Permissions

Lists users who have access to the management console based on membership in a role and the permissions assigned to the role. This report includes the following information:

• List of roles
• List of permissions assigned to each role
• List and number of members assigned to each role

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Console Access role. However, when you access this report as supervisor, the management console requires that you authenticate to Active Directory.

Report: Logon Policy for AD User

Identifies the hosts where one or more Active Directory users have been granted logon permission. This report includes the following information for hosts joined to an Active Directory domain:

• Total number of hosts where the AD user has access
• List of hosts where the AD user has access

Use the following report parameters to specify the Active Directory users to include in the report:

• All AD users (default)
• Select AD user

When you select the Select AD user report parameter, browse to search Active Directory to locate and select an Active Directory user.

Note: Only hosts joined to an Active Directory domain with a QAS 4.0 agent are included in this report.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Report: Logon Policy for Unix Host

Identifies the Active Directory users that have been explicitly granted log on permissions for one or more Unix computers. This report includes the following information for hosts joined to an Active Directory domain:

• Host Name, DNS Name or IP Address of the host selected for the report
• List of users that have been granted permission to log on


Use the following report parameters to specify the managed hosts to include in the report:

• All profiled hosts (default)
• Select host

When you select the Select host report parameter, browse to locate and select a managed host that is joined to Active Directory.

Note: This report only includes hosts joined to an Active Directory domain with a QAS 4.0 agent.

Note: This report is only available with a licensed version of Quest Authentication Services 4.0 and when you are logged on as an Active Directory account in the Manage Hosts role.

Report: Sudo Policy Changes

Provides details of changes made to the sudoers policy for Policy Server groups. This report includes the following information:

• Name of the user that made changes to the sudoers policy
• Version number for the changes
• Time and date the changes were saved and actively used to enforce policy
• Changes made to the sudoers policy based on version

Note: This report is available when you are logged on as the supervisor, or with a licensed version of Privilege Manager for Sudo when you are logged on as an Active Directory account in either the Manage Sudo Policy or the Audit Sudo Policy role.

Note: When Quest Identity Manager for Unix creates the Logon Policy for AD User and Logon Policy for Unix Host reports, it reads the users.allow file and reports which users (including nested users) are allowed access on that host. It ignores the users.deny file when determining Logon Policies through the Quest Identity Manager for Unix. A user these reports show as allowed may therefore still be refused logon on the host by an entry in users.deny; check that file directly when auditing access.

Use QAS PowerShell

Quest Authentication Services includes PowerShell modules which provide a "scriptable" interface to many QAS management tasks. You can access a customized PowerShell console from the QAS Control Center Tools navigation link.

You can perform the following tasks using PowerShell cmdlets:

• Unix-enable Active Directory users and groups
• Unix-disable Active Directory users and groups
• Manage Unix attributes on Active Directory users and groups
• Search for and report on Unix-enabled users and groups in Active Directory
• Install product license files
• Manage QAS global configuration settings
• Find Group Policy objects with Unix/Mac settings configured

Using the QAS PowerShell modules, it is possible to script the import of Unix account information into Active Directory.
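The scripted import mentioned above, as an added example that is not part of the original guide or of Quest's own tooling. It parses a constructed /etc/passwd and /etc/group extract, skips root and system accounts, refuses to re-number an identity that is already Unix-enabled in Active Directory, and then Unix-enables the matching groups and users with the cmdlets this page documents (Enable-QasUnixGroup, Set-QasUnixGroup -GidNumber, Enable-QasUnixUser, Set-QasUnixUser -PrimaryGidNumber, Get-QasUnixGroup, Get-QasUnixUser). The -UidNumber, -Gecos, -HomeDirectory and -LoginShell parameters of Set-QasUnixUser are assumptions named after the properties shown in the cmdlet output on this page, as is the assumption that Get-QasUnixUser and Get-QasUnixGroup take the account name positionally and that each local account name matches an Active Directory sAMAccountName.

```powershell
# Added example (not Quest's code): bulk-import Unix account data into Active Directory
# with the QAS cmdlets described on this page.
# Assumptions not confirmed by the guide: Set-QasUnixUser accepts -UidNumber, -Gecos,
# -HomeDirectory and -LoginShell (named after the properties it displays);
# Get-QasUnixUser and Get-QasUnixGroup take the account name positionally, like
# Enable-QasUnixUser does; each local account name equals an AD sAMAccountName.
Import-Module Quest.AuthenticationServices

# Constructed sample input in /etc/passwd and /etc/group format (not from a real host).
$passwdLines = @(
    'root:x:0:0:root:/root:/bin/bash',
    'ADuser:x:2062157421:1234567:AD test user:/home/ADuser:/bin/bash',
    'svcbackup:x:1500:1234567:backup service:/var/backup:/bin/false'
)
$groupLines = @(
    'root:x:0:',
    'UNIXusers:x:1234567:ADuser,svcbackup'
)

function ConvertFrom-PasswdLine {
    param([string]$Line)
    $f = $Line -split ':'
    if ($f.Count -lt 7) { throw "Malformed passwd line: $Line" }
    [pscustomobject]@{
        Name = $f[0]; Uid = [int64]$f[2]; Gid = [int64]$f[3]
        Gecos = $f[4]; Home = $f[5]; Shell = $f[6]
    }
}

function ConvertFrom-GroupLine {
    param([string]$Line)
    $f = $Line -split ':'
    if ($f.Count -lt 3) { throw "Malformed group line: $Line" }
    [pscustomobject]@{ Name = $f[0]; Gid = [int64]$f[2] }
}

# Only import regular accounts; root and system accounts (UID/GID below 1000) stay local.
$users  = $passwdLines | ForEach-Object { ConvertFrom-PasswdLine $_ } | Where-Object { $_.Uid -ge 1000 }
$groups = $groupLines  | ForEach-Object { ConvertFrom-GroupLine  $_ } | Where-Object { $_.Gid -ge 1000 }

# Refuse duplicate IDs inside the import set before touching Active Directory.
foreach ($dup in ($users | Group-Object Uid | Where-Object Count -gt 1)) {
    throw "Duplicate UID $($dup.Name): $($dup.Group.Name -join ', ')"
}
foreach ($dup in ($groups | Group-Object Gid | Where-Object Count -gt 1)) {
    throw "Duplicate GID $($dup.Name): $($dup.Group.Name -join ', ')"
}

# Groups first, so every user's primary GID exists by the time the user is enabled.
foreach ($g in $groups) {
    $existing = Get-QasUnixGroup $g.Name -ErrorAction SilentlyContinue
    if (-not $existing) { Write-Warning "Skipping group $($g.Name): not found in AD"; continue }
    if ($existing.UnixEnabled -and $existing.GidNumber -ne $g.Gid) {
        # Never silently re-number an identity that may already own files on joined hosts.
        Write-Warning "Skipping group $($g.Name): already Unix-enabled with GID $($existing.GidNumber)"
        continue
    }
    Enable-QasUnixGroup $g.Name | Set-QasUnixGroup -GidNumber $g.Gid
}

foreach ($u in $users) {
    $existing = Get-QasUnixUser $u.Name -ErrorAction SilentlyContinue
    if (-not $existing) { Write-Warning "Skipping user $($u.Name): not found in AD"; continue }
    if ($existing.UnixEnabled -and $existing.UidNumber -ne $u.Uid) {
        Write-Warning "Skipping user $($u.Name): already Unix-enabled with UID $($existing.UidNumber)"
        continue
    }
    if ($u.Shell -match '/(false|nologin)$') {
        # Imported as-is: the Unix Enabled AD Users report treats /bin/false as disabled for
        # Unix logon, so the UID is preserved for file ownership without granting a shell.
        Write-Warning "User $($u.Name) keeps non-interactive shell $($u.Shell)"
    }
    Enable-QasUnixUser $u.Name |
        Set-QasUnixUser -UidNumber $u.Uid -PrimaryGidNumber $u.Gid -Gecos $u.Gecos `
                        -HomeDirectory $u.Home -LoginShell $u.Shell
}
```

Run it from the QAS PowerShell Console, or after Import-Module in any session, with an account that has rights to write the Unix attributes. Checking for an existing, differently numbered identity before calling Set-QasUnixUser matters because the Unix clients cache these values and a changed UID silently changes who owns files on every joined host.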


To Unix-Enable a User and User Group

1. From the QAS Control Center, navigate to Tools | Quest Authentication Services.

2. Click QAS PowerShell Console.

Note: The first time you launch the PowerShell Console it asks whether you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the publisher's digital certificate to your system as a trusted entity. Once you have done this you will not be asked this question again on this machine.

3. At the PowerShell prompt, enter the following:

Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

Note: You created the UNIXusers group in a previous exercise. (See Add an Active Directory Group Account on page 44.)

Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:

ObjectClass       : group
DistinguishedName : CN=UNIXusers,CN=Users,DC=example,DC=com
GroupName         : UNIXusers
UnixEnabled       : True
GidNumber         : 1234567
AdsPath           : LDAP://windows.example.com/CN=UNIXusers,CN=Users,DC=example,DC=com
CommonName        : UNIXusers

4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:

Enable-QasUnixUser ADuser | Set-QasUnixUser -PrimaryGidNumber 1234567

The Unix properties of the user display:

ObjectClass       : user
DistinguishedName : CN=ADuser,CN=Users,DC=example,DC=com
UserName          : ADuser
UnixEnabled       : True
UidNumber         : 2062157421
PrimaryGidNumber  : 1234567
Gecos             :
HomeDirectory     : /home/ADuser
LoginShell        : /bin/bash
AdsPath           : LDAP://windows.example.com/CN=ADuser,CN=Users,DC=example,DC=com
CommonName        : ADuser

5. To disable the ADuser user for Unix login, at the PowerShell prompt enter:

Disable-QasUnixUser ADuser

Note: To completely clear all Unix attribute information, enter

Clear-QasUnixUser ADuser

Now that you have Unix-disabled the user, that user can no longer log into systems running the QAS agent.

6. From the QAS Control Center, under "Login to remote host", enter:

• the Unix host name in the Host name box
• the Active Directory user name, ADuser, in the User name box

and click Login to log onto the Unix host with your Active Directory user account.


A PuTTY window displays.

Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.

7. Enter the password for the Active Directory user account.

You will receive a message that says, "Access denied", because the account is no longer Unix-enabled.

PowerShell Cmdlets

Quest Authentication Services supports the flexible scripting capabilities of PowerShell to automate administrative, installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Quest Authentication Services:

Table 15: PowerShell Cmdlets

Add-QasLicense
Installs an Authentication Services license file in Active Directory. Licenses installed this way are downloaded by all Unix clients.

Clear-QasUnixGroup
Clears the Unix identity information from a group object in Active Directory. The group is no longer Unix-enabled and will be removed from the cache on the Authentication Services Unix clients.

Clear-QasUnixUser
Clears the Unix identity information from a user object in Active Directory. The user is no longer Unix-enabled and will be removed from the cache on the Authentication Services Unix clients.

Disable-QasUnixGroup
"Unix-disables" a group; the group will be removed from the cache on the Authentication Services Unix clients. Similar to Clear-QasUnixGroup except that the Unix group name is retained.

Disable-QasUnixUser
Removes an Active Directory user's ability to log in on Unix hosts. (The user will still be cached on the Authentication Services Unix clients.)

Enable-QasUnixGroup
Enables an Active Directory group for Unix by giving it a Unix GID number. The GID number is generated automatically.

Enable-QasUnixUser
Enables an Active Directory user for Unix. The required account attributes (UID number, primary GID number, GECOS, login shell and home directory) are generated automatically.

Get-QasConfiguration
Returns an object representing the QAS application configuration data stored in Active Directory.

Get-QasGpo
Returns a set of objects representing GPOs with Unix and/or Mac settings configured. This cmdlet is in the Quest.AuthenticationServices.GroupPolicy module.

Get-QasLicense
Returns objects representing the Authentication Services product licenses stored in Active Directory.

Get-QasOption
Returns a set of configurable global options stored in Active Directory that affect the behavior of Authentication Services.

Get-QasSchema
Returns the currently configured schema definition from the Quest Authentication Services application configuration.

Get-QasSchemaDefinition
Returns a set of schema templates that are supported by the current Active Directory forest.


Get-QasUnixGroup
Returns an object that represents an Active Directory group as a Unix group. The returned object can be piped into other cmdlets such as Clear-QasUnixGroup or Enable-QasUnixGroup.

Get-QasUnixUser
Returns an object that represents an Active Directory user as a Unix user. The returned object can be piped into other cmdlets such as Clear-QasUnixUser or Enable-QasUnixUser.

Get-QasVersion
Returns the version of Authentication Services currently installed on the local host.

Move-QasConfiguration
Moves the QAS application configuration information from one container to another in Active Directory.

New-QasAdConnection
Creates an object that represents a connection to Active Directory using specified credentials. You can pass a connection object to most Authentication Services cmdlets to execute commands using different credentials.

New-QasArsConnection
Creates an object that represents a connection to a Quest ActiveRoles Server using the specified credentials. You can pass a connection object to most Authentication Services cmdlets to execute commands using different credentials.

New-QasConfiguration
Creates a default QAS application configuration in Active Directory and returns an object representing the newly created configuration.

Remove-QasConfiguration
Accepts a QAS application configuration object as input and removes it from Active Directory. This cmdlet produces no output.

Remove-QasLicense
Accepts an Authentication Services product license object as input and removes the license from Active Directory. This cmdlet produces no output.

Set-QasOption
Accepts an Authentication Services options set as input and saves it to Active Directory.

Set-QasSchema
Accepts an Authentication Services schema template as input and saves it to Active Directory as the schema template that will be used by all Authentication Services Unix clients.

Set-QasUnixGroup
Accepts a Unix group object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Set-QasUnixUser
Accepts a Unix user object as input and saves it to Active Directory. You can also set specific attributes using command line options.

QAS PowerShell cmdlets are contained in PowerShell modules named Quest.AuthenticationServices and Quest.AuthenticationServices.GroupPolicy. Use the Import-Module command to import the QAS commands into an existing PowerShell session.
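The following script is an added example of the module workflow described above; it is not code from the guide or from Quest. The module and cmdlet names are the ones listed in the table, but the parameter names (-Credential, -WhatIf) and the property names on the returned user objects (UidNumber, SamAccountName) are assumptions. It imports both modules, lists the Unix-enabled users, and reports any UID number shared by more than one Active Directory account, because two accounts with the same UID are treated as the same Unix identity on every client, which defeats per-user accountability.

```powershell
# Added example: read-only audit of Unix-enabled AD users with the QAS modules.
# Module and cmdlet names come from the guide; parameter and property names
# (-Credential, -WhatIf, UidNumber, SamAccountName) are assumptions.
Import-Module Quest.AuthenticationServices
Import-Module Quest.AuthenticationServices.GroupPolicy

# Optional: build a connection object to run the queries under different
# credentials, as the New-QasAdConnection description allows.
# Assumption: the cmdlet accepts a -Credential parameter.
# $conn = New-QasAdConnection -Credential (Get-Credential)

# Collect every user that currently carries a Unix UID.
# Assumption: Get-QasUnixUser enumerates users when called with no arguments
# and exposes a UidNumber property on each object.
$unixUsers = Get-QasUnixUser | Where-Object { $_.UidNumber }

# Flag UID numbers assigned to more than one account.
$duplicates = $unixUsers |
    Group-Object -Property UidNumber |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $duplicates) {
    $names = ($group.Group | ForEach-Object { $_.SamAccountName }) -join ', '
    Write-Warning ("UID {0} is shared by {1} accounts: {2}" -f $group.Name, $group.Count, $names)
}

# Record the product version, the schema template in use and the global
# options alongside the audit result, so the evaluation notes are reproducible.
Get-QasVersion
Get-QasSchema
Get-QasOption

# Remediation pattern, shown with -WhatIf so nothing changes until reviewed.
# The Get-QasUnixUser description states its objects can be piped into
# Disable-QasUnixUser; support for -WhatIf is an assumption.
# $unixUsers |
#     Where-Object { $_.SamAccountName -eq 'EXAMPLE_ACCOUNT' } |
#     Disable-QasUnixUser -WhatIf
```

Run the audit from a session that already has the QAS Windows components installed on a management host (the guide's best practice is not to run them on a domain controller). Because every client resolves identities from the same Active Directory data, a duplicate UID found here affects all Unix hosts at once, so it is worth checking before enabling further accounts.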

Quest ChangeAuditor for Active Directory

Quest ChangeAuditor allows you to track changes and send alerts on:

• Changes to Active Directory objects and attributes
• Changes to Unix and Mac settings in Group Policy Objects
• Changes to Product settings and configuration

Install Quest ChangeAuditor

To install Quest ChangeAuditor


1. Insert the QAS distribution media. The Autorun Home page displays.

Note: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.

2. Click the Setup tab and select Quest ChangeAuditor. The Quest ChangeAuditor for Active Directory web page opens.

3. Click the Download link on the left navigation panel.

4. Follow the online instructions to gain access to the Trial Download page.

5. From the Trial Download: ChangeAuditor for Active Directory page, click the Installation Guide link.

6. Read the ChangeAuditor Installation Guide to obtain detailed steps for installing Quest Defender.

Quest Defender

Quest Defender, another Quest product, provides strong authentication functionality that makes it possible for an Active Directory user to use a hardware or software token to authenticate to Unix, Linux or Mac platforms.

Install Quest Defender

In order to use strong authentication you must download and install Quest Defender.

To install Quest Defender

Note: Quest Defender installation requires a license file. A fully-functional 25-user license for Defender is included with Quest Authentication Services.

1. Insert the QAS distribution media. The Autorun Home page displays.

Note: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.

2. From the Home page, click the Setup tab.

3. From the Setup page, click Quest Defender. The Quest Defender web page opens.

4. Click the Download link on the left navigation panel.

5. Follow the online instructions to gain access to the Trial Download page.

6. From the Trial Download: Defender page, click the Defender Documentation Archive link.

7. Read the Defender Installation Guide to obtain detailed steps for installing Quest Defender.

8. Once you have installed Quest Defender, see the Quest Defender Integration Guide, located in the QAS Control Center Tools page or in the docs directory of the QAS installation media, for detailed configuration instructions about integrating Quest Defender with Quest Authentication Services.


Index

A

Active Directory 14
    changing configuration settings 14
Active Directory configuration 24
    determines schema mappings 24
    moving the configuration data 24
    purpose defined 24
    updating 24
    validates license information 24
Active Directory schema 41
    how Quest Authentication Services uses 41
Active Directory user account 44
    creating 44
ActiveRoles Server option 23, 24, 25
    not available if ActiveRoles Server agent is not installed 23, 24, 25
AD user identity formats 27
AD users and groups 45, 46, 47
    managing 45, 46, 47
Add Hosts 28
    procedure 28
Add Hosts page 28, 29, 30, 31
    add hosts to management console 28
    profile hosts 29, 30, 31
All Hosts page 33
    install software 33
Application Configuration 25
    overriding requirement 25
associate an AD user account with a local Unix user 45

B

Best Practice: 12, 13, 14, 36, 37, 38, 39, 41, 42
    add Unix identity attributes to global catalog 42
    do not install or run the QAS Windows components on Active Directory domain controllers 12, 13, 14
    index attributes in Active Directory 42
    install only one management console per environment 36, 37, 38, 39, 41, 42
    use generated UIDs and GIDs 39
    use schema designed for storing Unix data in AD 41, 42

C

caching of Unix host credentials 29, 30, 31
change Active Directory configuration settings 24
Check for AD Readiness 32
configure for Active Directory 26
configure for Quest Authentication Services 26, 27
contacting 9
Control Center 36, 37, 38, 39, 41, 42
    described 36, 37, 38, 39, 41, 42
    must be logged in as domain user 36, 37, 38, 39, 41, 42
conventions 8
credentials 27
    accepted user name formats 27
customize the schema mapping 42

D

debug logging 41
    enabling 41

E

enable debug logging 41
enable local user for AD authentication 45

F

Filter Options 37

G

global settings modifications 36, 37, 38, 39, 41, 42
Global Unix Options 39
group 43
    add to console 43

H

hosts 28, 29, 30, 31, 33
    add to management console 28
    install software 33
    profile 29, 30, 31

I

Import Public Key 29, 30, 31
    using 29, 30, 31
Install Software 33
    procedure 33

K

known_hosts file 28
    importing 28

L

LDAP attributes 41, 42
    mapped to Unix attributes 41, 42
license 12, 27
    Any Authentication Services 3.x or higher license is valid for QAS 4.x. 12
    installing 12
    updating 27
    updating in the management console 12


License 38, 39
    adding 38, 39
Limitation: 12, 13, 14
    Microsoft does not support (GPMC) on 64-bit platforms of Windows 12, 13, 14
local account administration 43
Logging 41
    enabling 41
    setting options 41
login credentials 27
    accepted formats 27
Login with AD password 46, 47

M

manage local users and groups 45
management console 28
    add hosts 28
management console Requirements 19
mapping users 45

O

Optimize Schema 42
    requires AD administrator rights 42

P

patch level requirements 14, 15
performance and scalability 42
Permissions 14
    required 14
permissions required for full QAS functionality 15
PosixAccount auxiliary class schema extension 41
post-install setup 26, 27
PowerShell cmdlets 57
PowerShell modules 55, 56, 57
Preferences 38, 39, 41, 42
    configuring settings 38, 39, 41, 42
Profile Host 29, 30, 31
    procedure 29, 30, 31
profile hosts automatically 31

Q

Quest Authentication Services 26, 27
    configure management console 26, 27
Quest One Identity Solution 8
Quest Support 9

R

reports 48
    descriptions 48
    report parameters 48
required AD rights 36, 37, 38, 39, 41, 42
required rights 24
Requirements 12, 13, 14
    Windows Management Tools 12, 13, 14
Requirements: 14, 15, 20
    network ports 20
    QAS Permissions 15
    Windows Permissions 14

S

saving credentials on server 29, 30, 31
saving host credentials on server 32
schema 41, 42
    configuration 41, 42
    Custom Unix attributes 41, 42
    extensions 41, 42
    LDAP attributes 41, 42
    templates 41, 42
    Unix attributes 41, 42
schema configuration 41
    defined 41
schema extension 41
    PosixAccount auxiliary class 41
schema mappings 42
    customizing 42
    index and replicate GID and UID attributes to global catalog 42
set global value 39
Set supervisor Password page 27
Setup Quest Identity Manager for Unix page 26, 27
SSH 30
    duplicate keys 30
    upload new key 30
standard Active Directory schema extensions 41
supervisor account 27
    described 27

T

Troubleshooting 41
    using logs 41
Troubleshooting: 26, 31
    I can't configure the console for AD during initial install 26
    Profile Automatically option is not available 31

U

Unix Agent Requirements 14, 15
Unix Group ID (GID) 39
Unix identity management tasks 25, 26, 27, 28, 29, 30, 31, 32, 33
    performing from QAS Control Center 25, 26, 27, 28, 29, 30, 31, 32, 33
Unix User ID (UID) 39
Unix-enable an Active Directory group 47
Unix-enable an Active Directory user 47
users 43
    add to console 43

V

validating SSH keys 30

W

where to set 39
