3.6 Managing Users in UNIX Agent Manager

UNIX Agent Manager allows administrators to control user access to features and computers. Before a user can log into a UNIX Agent Manager server, an administrator on that server must create the user account in the UNIX Agent Manager Administrator Console, which is part of the UNIX Agent Manager console.

You can grant each user account different permissions, so that the account can reach only the features that the user’s role requires. Permission sets simplify this process: a permission set defines product, computer, and feature access, and once you create one you can assign it to every user account that shares the same role.

For example, you can create a permission set that grants access to all AppManager functionality separate from Secure Configuration Manager functionality. You can then assign this permission set to all computers running AppManager. When you grant a new AppManager user access to a console, simply assign the user to the AppManager permission set to grant them access to the applicable features and computers.

To assign permissions, log into a UNIX Agent Manager console as an administrator and click Access Control > Admin Console. From there, add the users that need access to that UNIX Agent Manager server, then assign the appropriate permissions.

3.6.1 Using LDAP or Microsoft Active Directory Credentials

UNIX Agent Manager version 7.3 or later can use the user information you have already set up in your LDAP or Microsoft Active Directory server to authenticate users logging into the UNIX Agent Manager server. This functionality is not available if you have restricted UNIX Agent Manager to Federal Information Processing Standard (FIPS) approved algorithms only.

To configure UNIX Agent Manager server to use LDAP or Active Directory credentials:

  1. Ensure you have the following information:

    • The address of the LDAP or Active Directory server, including the port, such as ldap://houston.itservice.production:389 (if you plan to use SSL, see Section 3.6.2 for the certificate requirements)

    • The location of the user entries in the structure of the LDAP or Active Directory server

    • The attribute that identifies the login name for each user

    • An account, and its password, that UNIX Agent Manager server can use to bind to the LDAP or Active Directory server. Use a dedicated service account with read access to the user entries rather than an administrative account.

  2. Log into a UNIX Agent Manager console as an administrator, and open the Manage Server window.

  3. Click the LDAP or AD tab, then the Add button.

  4. Enter the name of the domain that contains the LDAP or AD server. Users must also enter this domain name when they log into UNIX Agent Manager.

  5. Select the domain and provide the information as requested on the window using the following guidelines:

    • In Server Address, enter the LDAP or Active Directory server computer name and port. For example, ldap://houston.itservice.production:389

    • In User’s Parent DN, enter the distinguished name of the container that holds the user entries you want to use. For example, ou=AMAdmins,dc=netiq,dc=com (the domain component attribute is dc, not dn)

    • In Username Attribute, enter the attribute UNIX Agent Manager uses to identify each user. Its value is the name the user types at login, and it should be unique beneath the parent DN. The default, and the only attribute supported by UNIX Agent Manager 7.2, is uid

    • (Conditional) If the directory requires a simple bind before it will return user entries, in Username enter the distinguished name of the account UNIX Agent Manager binds as. For example, an account located under ou=Operator,dc=netiq,dc=com

  6. Click Save.

  7. Have the users log into UNIX Agent Manager using their LDAP or Active Directory credentials. The user list does not show a directory user until that user logs into UNIX Agent Manager for the first time.
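Before typing the step 1 values into the Manage Server window, it is worth checking them offline. The following Python script is an added example, not part of UNIX Agent Manager or this guide: it validates the server address and the DN syntax (catching the common dn= for dc= slip), warns when the address is ldap:// rather than an SSL address, escapes the login name per RFC 4515 before placing it in a search filter, and prints the ldapsearch command that reproduces the lookup the server performs. The service account DN cn=uamsvc,ou=Operator,dc=netiq,dc=com and the login name jdoe are assumptions, and ldapsearch is left at its default subtree scope, which may differ from the scope UNIX Agent Manager uses.

```python
"""Pre-flight check for LDAP/AD settings before entering them in UNIX Agent Manager.
Added example, not product code. The bind DN and login name below are constructed."""
import shlex
from urllib.parse import urlsplit

# Attribute types that legitimately appear in a directory path. "dn" is not one
# of them: ou=AMAdmins,dc=netiq,dn=com is a typo for dc=com.
KNOWN_RDN_TYPES = {"dc", "ou", "o", "cn", "uid", "c", "l", "st"}
CONTAINER_TYPES = {"dc", "ou", "o"}


def parse_dn(dn):
    """Split a DN into (type, value) pairs; raise ValueError on a malformed RDN.
    Values containing an escaped comma are not handled; keep service DNs simple."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"RDN {part!r} in {dn!r} is missing '='")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if attr not in KNOWN_RDN_TYPES:
            raise ValueError(f"unknown RDN attribute type {attr!r} in {dn!r}")
        if not value:
            raise ValueError(f"empty value for {attr} in {dn!r}")
        rdns.append((attr, value))
    return rdns


def parse_server(url):
    """Return (scheme, host, port) for ldap://host[:port] or ldaps://host[:port]."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"server address must start with ldap:// or ldaps://: {url!r}")
    if not parts.hostname:
        raise ValueError(f"server address has no host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so a login name such
    as 'jdoe)(uid=*' cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def check_settings(server, parent_dn, username_attr, bind_dn):
    """Validate the four Manage Server values; return a list of warnings (empty = clean).
    Raises ValueError for values that cannot work at all."""
    warnings = []
    scheme, _host, _port = parse_server(server)
    if scheme == "ldap":
        warnings.append("ldap:// performs a cleartext simple bind: the service account "
                        "password and every user's password cross the network unprotected")
    parse_dn(parent_dn)
    if username_attr.lower() != "uid":
        warnings.append(f"username attribute {username_attr!r}: the guide lists uid as the "
                        "only supported attribute")
    if bind_dn:
        first_type = parse_dn(bind_dn)[0][0]
        if first_type in CONTAINER_TYPES:
            warnings.append(f"bind DN {bind_dn!r} names a container, not a user entry")
    return warnings


def ldapsearch_command(server, parent_dn, username_attr, bind_dn, login_name):
    """Build the ldapsearch call that reproduces the server's lookup of one login name.
    -W prompts for the bind password instead of exposing it in the process list."""
    filt = f"({username_attr}={escape_filter_value(login_name)})"
    argv = ["ldapsearch", "-x", "-H", server, "-D", bind_dn, "-W",
            "-b", parent_dn, filt, "dn", username_attr]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed values: the service account and login name are assumptions.
    server = "ldap://houston.itservice.production:389"
    parent_dn = "ou=AMAdmins,dc=netiq,dc=com"
    bind_dn = "cn=uamsvc,ou=Operator,dc=netiq,dc=com"
    for w in check_settings(server, parent_dn, "uid", bind_dn):
        print("WARNING:", w)
    print(ldapsearch_command(server, parent_dn, "uid", bind_dn, "jdoe"))
```

Run the printed ldapsearch command from the UNIX Agent Manager server host; if it prompts for the bind password and returns exactly one dn for the login name, the parent DN, attribute and service account are consistent with what the server needs.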

3.6.2 SSL Communication with the LDAP or Active Directory Server

The UNIX Agent Manager server can communicate with the LDAP or Active Directory server using Secure Sockets Layer (SSL). Without SSL, a simple bind sends the service account password and each user’s login password across the network in cleartext, so use SSL wherever the directory server is not on a trusted network. If you choose to have UNIX Agent Manager server communicate with the directory server using SSL, you must obtain and manage the required certificates. UNIX Agent Manager requires certificates that are base-64 (PEM) encoded rather than binary DER.

For example, to export the server certificate from an OpenLDAP server whose slapd is built against Mozilla NSS, run the following command from the /etc/openldap/certs directory (the NSS certificate database) on the computer that is running the slapd daemon. certutil is the NSS certificate database tool, and "OpenLDAP Server" is the nickname of the server certificate in that database; if your certificate has a different nickname, run certutil with -L and -d but without -n to list the nicknames and substitute yours:

certutil -L -a -n "OpenLDAP Server" -d `pwd` > servername.pem

The -a switch selects ASCII (base-64) output, so the command writes a servername.pem file that you can import into UNIX Agent Manager using the Manage Server window where you identify your LDAP server. If your OpenLDAP build uses OpenSSL instead of NSS, the server certificate is already a PEM file on disk, at the path named by TLSCertificateFile in slapd.conf (olcTLSCertificateFile in cn=config), and you can copy that file directly.
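A typical import failure is a certificate that was exported in binary DER form rather than base-64. The following Python function is an added example, not part of UNIX Agent Manager or this guide, and uses only the standard library: it accepts either form, refuses a file that also contains a private key (the server’s private key must never leave the LDAP host), checks that each PEM body is valid base-64 wrapping a DER SEQUENCE, and returns base-64 PEM text ready to import. The five-byte DER sample used to exercise it is a constructed placeholder, not a real certificate.

```python
"""Normalise an exported LDAP server certificate to base-64 PEM for import.
Added example, not product code; standard library only."""
import base64
import binascii
import re
import ssl
import sys

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def certificate_to_pem(data):
    """Return the certificate(s) in data as base-64 PEM text.
    Accepts PEM (one or more CERTIFICATE blocks) or raw DER; raises ValueError
    for anything else, including a file that carries a private key."""
    if b"PRIVATE KEY-----" in data:
        raise ValueError("file contains a private key; export only the certificate")
    bodies = PEM_CERT.findall(data)
    if bodies:
        out = []
        for body in bodies:
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"PEM body is not valid base-64: {exc}") from exc
            if not der.startswith(b"\x30"):
                raise ValueError("PEM body does not decode to a DER SEQUENCE")
            out.append(ssl.DER_cert_to_PEM_cert(der))  # re-wraps at 64 columns
        return "".join(out)
    if data.startswith(b"\x30"):  # ASN.1 SEQUENCE tag: a binary DER export
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")


def count_certificates(pem_text):
    """Number of certificates in a PEM string. The import expects the server
    certificate, so a chain export (more than one) deserves a second look."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Usage: python thisfile.py servername.pem > servername.b64.pem
    with open(sys.argv[1], "rb") as fh:
        pem = certificate_to_pem(fh.read())
    sys.stdout.write(pem)
    print(f"{count_certificates(pem)} certificate(s)", file=sys.stderr)
```

Point it at the exported file before importing; a ValueError names the problem (DER mis-detected as text, a private key bundled in, or a corrupt base-64 body) instead of the import silently rejecting the file.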