Authentication Domain


Hi,
I'm looking for some info about PUM.

If I understand the documentation correctly, the PUM Agent for Linux
relies on the operating system for authentication. Authentication
Domain can be used for the SSH relay feature only.
That way, I probably need to distribute users across all systems, for
example using the Fan-Out driver for Unix/Linux of Identity Manager.

The documentation states:
Privileged User Manager supports authentication against both Active
Directory and LDAP identity stores - including eDirectory™ - for
accessing Windows servers.

Is the PUM Agent for Windows able to authenticate users on the
Authentication Domain? Or does the documentation talk about the RDP
relay feature?

Any help will be appreciated. Thanks.

Best regards,

Alessandro


--
afolli
------------------------------------------------------------------------
afolli's Profile: https://forums.netiq.com/member.php?userid=172
View this thread: https://forums.netiq.com/showthread.php?t=46890


  • Answers below:

    afolli;225773 Wrote:
    > Hi,
    > If I understand the documentation correctly, the PUM Agent for Linux
    > relies on the operating system for authentication.
    >


    Correct, we don't care if your Linux box is using local /etc/passwd or
    some other mechanism for login. You log on as a non-privileged user
    (however you do that today), then you can invoke NPUM.

    afolli;225773 Wrote:
    >
    > Authentication Domain can be used for the SSH relay feature only.
    >


    Yes, Authentication domains are used only for SSH Relay and/or RDP Relay.

    With Authentication domain configured for eDirectory, you can ssh relay
    into the SSH Relay host with an eDirectory user (no local user or
    additional PUM user created on the SSH Relay host or external host). In
    the example below I configured it so I could ssh relay as an eDirectory
    user 'ediruser' and connect to a remote host (which doesn't have any
    NPUM agent running) without providing root's password (it's stored in
    our credential vault and injected for me).

    For example:

    ssh -t -p 2222 ediruser@<SSH Relay Manager>
    ediruser@<SSH Relay Manager>'s password:
    1) ssh - root@<Remote host, which does NOT have an NPUM agent installed>
    Enter option (1-1): 1


    afolli;225773 Wrote:
    >
    > That way, I probably need to distribute users across all systems, for
    > example using the Fan-Out driver for Unix/Linux of Identity Manager.
    >


    The idea is that users log in with their normal (non-privileged) account
    to a host, and NPUM allows them to either start a privileged shell
    (pcksh) and/or run specific commands as a privileged user without
    knowing the privileged account password. For example, I can log in as
    deni but run a command such as '/etc/init.d/apache2 restart' as
    root without knowing root's password.


    afolli;225773 Wrote:
    >
    > The documentation states:
    > Privileged User Manager supports authentication against both Active
    > Directory and LDAP identity stores - including eDirectory™ - for
    > accessing Windows servers.
    >
    > Is the PUM Agent for Windows able to authenticate users on the
    > Authentication Domain? Or does the documentation talk about the RDP
    > relay feature?
    >


    With RDP Relay, if you configure an Authentication Domain, you can then
    log in to the RDP Relay page as Active Directory users (you don't have
    to create additional users in NPUM; all management can happen in Active
    Directory).

    Hopefully this helps.

    -deni




  • deni;225818 Wrote:
    >
    > With RDP Relay, if you configure an Authentication Domain, you can then
    > log in to the RDP Relay page as Active Directory users (you don't have
    > to create additional users in NPUM; all management can happen in Active
    > Directory).
    >
    > Hopefully this helps.
    >
    > -deni


    Hi,
    Thanks for the detailed answer. Anyway, I still have some doubts about
    Windows servers.

    If I'm not wrong, the Agent can be installed on Windows Servers as well
    (2003 and 2008). I do not understand if standalone servers (not connected
    to the Active Directory domain) need to have their own local accounts, or
    whether the agent is able to authenticate users centrally.

    Basically, I would like to achieve the following goals:
    1. Authorize users to execute some administrative tasks without knowing
    administrator's credentials
    2. Monitor user's activity
    3. Manage all users from one single point (including password
    synchronization)

    SSH relay and RDP relay only provide access to systems without knowing
    the administrator's credentials; authorization and monitoring are excluded.
    That way, they are probably useful for servers where the agent cannot be
    installed.

    I can achieve goal 3 using NetIQ Identity Manager. For Linux systems, a
    single Fan-Out driver is able to synchronize hundreds of servers.
    Accounts on the Active Directory domain can be synchronized as well
    using Identity Manager. I'm still trying to understand if I need to
    synchronize accounts to standalone Windows servers.

    Thank you again. Best regards,

    Alessandro




  • Answers below:

    afolli;225832 Wrote:
    >
    > If I'm not wrong the Agent can be installed on Windows Servers as well
    > (2003 and 2008)
    >


    The Agent is currently supported on both Windows 2008 and Windows 2003
    hosts.

    afolli;225832 Wrote:
    >
    > I do not understand if standalone servers (not connected to the Active
    > Directory domain) need to have their own local accounts, or whether the
    > agent is able to authenticate users centrally.
    >


    Privileged User Manager stores Windows credentials in our "Credential
    Vault" via our 'Privileged Accounts' option within the Command Control
    console. These credentials are securely stored, so they can be injected
    into a secure RDP Relay session as configured by SSH Relay rules (so
    the user doesn't know the password for the Privileged Account which is
    being used).

    The stored credential could be an AD user or a Local Account (non-AD),
    although you're only storing the privileged users you need to RDP as. In
    other words, the only users you are storing are those whose password we
    don't want users to know. If my normal ID was 'deni', it wouldn't make
    sense for me to store 'deni' in the Privileged Accounts, because that is
    my non-privileged account that I typically log in as.

    Logging into the RDP Relay page can come from two sources: local PUM
    users (created within PUM) or IDs from a configured Authentication
    Domain, which in the RDP Relay case would make sense to be Active
    Directory. Configured as such, I can log in to the RDP Relay page
    with my 'deni' account from AD, and then be presented with RDP Sessions
    that I can RDP Relay to hosts as Administrator.

    afolli;225832 Wrote:
    >
    > Basically, I would like to achieve the following goals:
    > 1. Authorize users to execute some administrative tasks without knowing
    > administrator's credentials
    > 2. Monitor user's activity
    >


    Yep, we can do this.

    afolli;225832 Wrote:
    >
    > 3. Manage all users from one single point (including password
    > synchronization)
    >


    With RDP Relay, and Active Directory the thought is that you can use AD
    for Authentication and managing all users. So if you are using RDP
    Relay and Active Directory, you can manage all users from a single point
    (AD) with minimal setup within NPUM.

    afolli;225832 Wrote:
    >
    > SSH relay and RDP relay only provide access to systems without knowing
    > the administrator's credentials; authorization and monitoring are excluded.
    > That way, they are probably useful for servers where the agent cannot be
    > installed.
    >


    SSH Relay is an "agentless" feature, meaning you have a remote Linux
    host that does NOT have the NPUM agent installed, and you can use SSH Relay
    to go through the SSH Relay host and then out to the agentless ssh host,
    and it can be audited. However, you lose some features by not having the
    agent on the host.

    There is no concept of 'agentless' RDP Relay. All Windows hosts MUST
    have at a minimum the NPUM Agent installed to connect to them via RDP
    Relay.


    afolli;225832 Wrote:
    >
    > I'm still trying to understand if I need to synchronize accounts to
    > standalone windows server.
    >


    With standalone Windows hosts (and no AD hosts), I think your
    only option is to create a local user in NPUM to authenticate to RDP
    Relay.

    I hope this helps.

    As a side note, it might be easier for you (and the Forum) to try to
    keep your questions specific to one issue and in the future start
    multiple threads for each separate issue (for example only asking about
    RDP Relay in one thread and asking your SSH relay question in another
    thread).

    - deni




  • Thank you again for your precious support.

    Best regards,

    Alessandro

