
Authentication Domain


Hi,
I'm looking for some info about PUM.

If I understand the documentation correctly the PUM Agent for linux
relies on the operating system for the authentication. Authentication
Domain can be used for the SSH relay feature only.
That way, I probably need to distribute users cross all systems, for
example using the Fan-Out driver for Unix/Linux of Identity Manager.

The documentation states:
Privileged User Manager supports authentication against both Active
Directory and LDAP identity stores - including eDirectory™ - for
accessing Windows servers.

Is the PUM Agent for Windows able to authenticate users on the
Authentication Domain? Or does the documentation talk about the RDP
relay feature?

Any help will be appreciated. Thanks.

Best regards,

Alessandro


--
afolli
------------------------------------------------------------------------
afolli's Profile: https://forums.netiq.com/member.php?userid=172
View this thread: https://forums.netiq.com/showthread.php?t=46890


Re: Authentication Domain


Answers below:

afolli;225773 Wrote:
> Hi,
> If I understand the documentation correctly the PUM Agent for linux
> relies on the operating system for the authentication.
>


Correct, we don't care if your Linux box is using local /etc/passwd or
some other mechanism for login. You log on as a non-privileged user
(however you do that today), then you can invoke NPUM.

afolli;225773 Wrote:
>
> Authentication Domain can be used for the SSH relay feature only.
>


Yes, Authentication domains are used only for SSH Relay and/or RDP Relay.

With Authentication domain configured for eDirectory, you can ssh relay
into the SSH Relay host with an eDirectory user (no local user or
additional PUM user created on the SSH Relay host or external host). In
the example below I configured it so I could ssh relay as an eDirectory
user 'ediruser' and connect to a remote host (which doesn't have any
NPUM agent running) without providing root's password (it's stored in
our credential vault and injected for me).

For example:

ssh -t -p 2222 ediruser@<SSH Relay Manager>
ediruser@<SSH Relay Manager>'s password:
1) ssh - root@<Remote host, which does NOT have an NPUM agent
installed>
Enter option (1-1): 1


afolli;225773 Wrote:
>
> That way, I probably need to distribute users cross all systems, for
> example using the Fan-Out driver for Unix/Linux of Identity Manager.
>


The idea is that users login with their normal (non-privileged) account
to a host and NPUM allows them to either start a privileged shell
(pcksh) and/or run specific commands as a privileged user without
knowing the privileged account password. For example, I can login as
deni but I can run a command such as '/etc/init.d/apache2 restart' as
root without knowing root's password.


afolli;225773 Wrote:
>
> The documentation states:
> Privileged User Manager supports authentication against both Active
> Directory and LDAP identity stores - including eDirectory™ - for
> accessing Windows servers.
>
> Is the PUM Agent for Windows able to authenticate users on the
> Authentication Domain? Or does the documentation talk about the RDP
> relay feature?
>


With RDP Relay, if you configure an Authentication Domain, you can then
login to the RDP Relay page as Active Directory users (you don't have to
create additional users in NPUM; all management can happen in Active
Directory).

Hopefully this helps.

-deni



Re: Authentication Domain


deni;225818 Wrote:
>
> With RDP Relay, if you configure an Authentication Domain, you can then
> login to the RDP Relay page as Active Directory users (you don't have to
> create additional users in NPUM; all management can happen in Active
> Directory).
>
> Hopefully this helps.
>
> -deni


Hi,
thanks for the detailed answer. Anyway, I still have some doubts about
Windows server.

If I'm not wrong, the Agent can be installed on Windows Servers as well
(2003 and 2008). I do not understand whether standalone servers (not
connected to the Active Directory domain) need to have their own local
accounts, or whether the agent is able to authenticate users centrally.

Basically, I would like to achieve the following goals:
1. Authorize users to execute some administrative tasks without knowing
administrator's credentials
2. Monitor user's activity
3. Manage all users from one single point (including password
synchronization)

SSH relay and RDP relay only provide access to systems without knowing
administrator's credentials; authorization and monitoring are excluded.
That way they are probably useful for servers where the agent cannot be
installed.

I can achieve goal 3 using NetIQ Identity Manager. For Linux system: a
single Fan-Out driver is able to synchronize hundreds of servers.
Accounts on the Active Directory domain can be synchronized as well
using Identity Manager. I'm still trying to understand if I need to
synchronize accounts to standalone windows server.

Thank you again. Best regards,

Alessandro



Re: Authentication Domain


Answers below:

afolli;225832 Wrote:
>
> If I'm not wrong the Agent can be installed on Windows Servers as well
> (2003 and 2008)
>


The Agent is currently supported on both Windows 2008 and Windows 2003
hosts.

afolli;225832 Wrote:
>
> I do not understand whether standalone servers (not connected to the Active
> Directory domain) need to have their own local accounts, or whether the
> agent is able to authenticate users centrally.
>


Privileged User Manager stores Windows credentials in our "Credential
Vault" via our 'Privileged Accounts' option within the Command Control
console. These credentials are securely stored, so they can be injected
into a secure RDP Relay session as configured by SSH Relay rules (so
the user doesn't know the password for the Privileged Account which is
being used).

The stored credential could be an AD user or a Local Account (non-AD),
although you're only storing the privileged users you need to RDP as. In
other words, the only users you are storing are those whose password we
don't want users to know. If my normal ID was 'deni', it wouldn't make
sense for me to store 'deni' in the Privileged Accounts because that is
my non-privileged account that I typically login as.

Logging into the RDP Relay page can come from two sources: local PUM
users (created within PUM) or IDs from a configured Authentication
Domain, which in the RDP Relay case would make sense to be Active
Directory. Configuring it as such, I can login to the RDP Relay page
with my 'deni' account from AD, and then be presented with RDP Sessions
that I can RDP Relay to hosts as Administrator.

afolli;225832 Wrote:
>
> Basically, I would like to achieve the following goals:
> 1. Authorize users to execute some administrative tasks without knowing
> administrator's credentials
> 2. Monitor user's activity
>


Yep, we can do this.

afolli;225832 Wrote:
>
> 3. Manage all users from one single point (including password
> synchronization)
>


With RDP Relay, and Active Directory the thought is that you can use AD
for Authentication and managing all users. So if you are using RDP
Relay and Active Directory, you can manage all users from a single point
(AD) with minimal setup within NPUM.

afolli;225832 Wrote:
>
> SSH relay and RDP relay only provide access to systems without knowing
> administrator's credentials, authorization and monitoring are excluded.
> That way they are probably useful for servers where the agent cannot be
> installed.
>


SSH Relay is an "agentless" feature, meaning you have a remote Linux
host that does NOT have the NPUM agent installed, and you can use SSH
Relay to go through the SSH Relay host and then out to the agentless ssh
host, and it can be audited. However, you lose some features by not
having the agent on the host.

There is no concept of 'agentless' RDP Relay. All Windows hosts MUST
have at a minimum the NPUM Agent installed to connect to them via RDP
Relay.


afolli;225832 Wrote:
>
> I'm still trying to understand if I need to synchronize accounts to
> standalone windows server.
>


With standalone Windows hosts (and you have no AD hosts), I think your
only option is to create a local user in NPUM to authenticate to RDP
Relay.

I hope this helps.

As a side note, it might be easier for you (and the Forum) to try to
keep your questions specific to one issue and in the future start
multiple threads for each separate issue (for example only asking about
RDP Relay in one thread and asking your SSH relay question in another
thread).

- deni



Re: Authentication Domain


Thank you again for your precious support.

Best regards,

Alessandro

