How deregistration process works in the context of UNAB

Article ID: 215513

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

This article gives an overview of the UNAB deregistration process and clarifies what happens when the command uxconsole -deregister is issued in the context of UNAB endpoint management.

Environment

CA Privileged Access Manager Server Control 14.X and CA Privileged Identity Manager, several versions

Resolution

When the -deregister command option is used, uxconsole requests that deregistration be handled by a DC in the site with which the UNAB endpoint was registered, i.e., the one known to be optimal.

It is a one-time-only operation as far as the endpoint is concerned.

The following points are worth noting:

  • Both registration and deregistration query SRV records to find available DCs (that is how AD works).
  • Both registration and deregistration eventually work with a specific DC that performs the actual LDAP operation.
  • During deregistration UNAB makes a site-specific DNS query rather than a generic one (as one should).

One can direct deregistration to a particular site by setting the ad_site token in uxauth.ini as desired. If the site does not exist, UNAB falls back to a domain-wide AD lookup for the process.
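The lookup order described above (site-specific SRV record first, domain-wide SRV record when the configured site has none) can be shown with a small simulation. The following Python is an added example, not part of the article or of the UNAB product: the two SRV names are the standard ones Active Directory registers for LDAP on domain controllers, while the SRV table, the trail messages and the standby host "backup-dc" are constructed here so the code runs offline.

```python
"""Simulate the DC location order a UNAB-style endpoint follows: try the SRV
record for the configured site, then fall back to the domain-wide record.
Added example; the SRV data below is constructed, no real DNS is queried."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# SRV names Active Directory publishes for LDAP on domain controllers.
SITE_SRV = "_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
DOMAIN_SRV = "_ldap._tcp.dc._msdcs.{domain}"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


Resolver = Callable[[str], List[SrvRecord]]


def make_table_resolver(table: Dict[str, List[SrvRecord]]) -> Resolver:
    """Resolver backed by an in-memory SRV table (constructed data, no network).
    DNS names are case-insensitive, so keys and queries are compared lowercased."""
    lowered = {name.lower(): recs for name, recs in table.items()}

    def resolve(name: str) -> List[SrvRecord]:
        return list(lowered.get(name.lower(), []))

    return resolve


def pick_target(records: List[SrvRecord]) -> Tuple[str, int]:
    """RFC 2782 ordering: lowest priority wins, higher weight preferred among equals.
    A real client randomises by weight within a priority; this is deterministic."""
    best = sorted(records, key=lambda r: (r.priority, -r.weight))[0]
    return best.target.rstrip(".").lower(), best.port


def locate_dc(domain: str, site: Optional[str], resolve: Resolver,
              trail: Optional[List[str]] = None) -> Tuple[Tuple[str, int], str]:
    """Find an LDAP-capable DC. Returns ((host, port), scope) where scope is
    'site' if the configured site's record answered and 'domain' after the
    fallback to the domain-wide record. Raises LookupError if neither exists."""
    trail = trail if trail is not None else []
    if site:
        trail.append(f"Locating Resource Records for Active Directory services in site <{site}>")
        records = resolve(SITE_SRV.format(site=site, domain=domain))
        if records:
            return pick_target(records), "site"
        trail.append(f"Cannot find Resource Records for LDAP services in <{site}> site.")
    trail.append(f"Locating Resource Records for Active Directory services in domain <{domain}>")
    records = resolve(DOMAIN_SRV.format(domain=domain))
    if not records:
        raise LookupError(f"no LDAP SRV records for domain {domain}")
    return pick_target(records), "domain"


# Constructed SRV data modelled on the hosts named in the article; not a real zone.
SAMPLE_ZONE = make_table_resolver({
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.unabworks.net": [
        SrvRecord(0, 100, 389, "lvndev002775.unabworks.net."),
    ],
    "_ldap._tcp.dc._msdcs.unabworks.net": [
        SrvRecord(0, 100, 389, "lvndev002775.unabworks.net."),
        SrvRecord(10, 100, 389, "backup-dc.unabworks.net."),  # constructed standby DC
    ],
})


def demo(site: str) -> Tuple[Tuple[str, int], str, List[str]]:
    """Run the lookup for one ad_site value and return target, scope and the trail."""
    trail: List[str] = []
    target, scope = locate_dc("unabworks.net", site, SAMPLE_ZONE, trail)
    return target, scope, trail


if __name__ == "__main__":
    for configured in ("MY_OWN_SITE", "Default-First-Site-Name"):
        target, scope, trail = demo(configured)
        print("\n".join(trail))
        print(f"-> {target[0]}:{target[1]} via {scope} record\n")
```

Running it with ad_site set to the non-existent MY_OWN_SITE reproduces the shape of the trace further down: the site query fails, the domain-wide query succeeds, and the lowest-priority DC is chosen. With the real site name the first query answers and no fallback is needed.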

For instance, the deregistration below was run with ad_site changed to the non-existent site MY_OWN_SITE.

As the output shows, UNAB handled this correctly:

/tmp> uxconsole -deregister   -a Administrator    -v2
CA ControlMinder UNAB uxconsole v12.81.0.3969 - console utility
Copyright (c) 2013 CA. All rights reserved.

Getting Active Directory DNS domain from the ad/ad_domain token. 
Locating Resource Records for Active Directory services in site <MY_OWN_SITE> 
Cannot find Resource Records for LDAP services in <MY_OWN_SITE> site. 
Locating Resource Records for Active Directory services in domain <unabworks.net> 
Domain Controller 'LVNDEV002775.UNABWORKS.NET' replied that this client belongs to site 'Default-First-Site-Name'
As per the 'ad_site' token in 'uxauth.ini', using <MY_OWN_SITE> for the client's site.
Cannot find Resource Records for LDAP services in <MY_OWN_SITE> site. 
Locating Resource Records for Active Directory services in domain <unabworks.net> 
Administrator password: 
Trying LDAP service at lvndev002775.unabworks.net:389 
Binding to Active Directory... 
AD Schema version 87 (Windows Server 2016)
Searching with filter <(&(ObjectClass=Computer)(cn=lvntest001457))> under <DC=UNABWORKS,DC=NET> ... 
Deleting computer object with DN <CN=lvntest001457,CN=Computers,DC=UNABWORKS,DC=NET> 
Updating uxauth.ini 
Successfully deregistered the client. 

There is also the -s switch, which you can use with deregistration to name a specific server to carry out the operation:

tmp> uxconsole -deregister   -a Administrator    -v2 -s lvndev002775.UNABWORKS.NET
CA ControlMinder UNAB uxconsole v12.81.0.3969 - console utility
Copyright (c) 2013 CA. All rights reserved.

Attempting to derive the domain from <lvndev002775.unabworks.net>. 
Locating Resource Records for Active Directory services in site <Default-First-Site-Name> 
Domain Controller 'LVNDEV002775.UNABWORKS.NET' replied that this client belongs to site 'Default-First-Site-Name'
As per the 'ad_site' token in 'uxauth.ini', using <Default-First-Site-Name> for the client's site.
Administrator password: 
Trying LDAP service at lvndev002775.unabworks.net:389 
Binding to Active Directory... 
AD Schema version 87 (Windows Server 2016)
Searching with filter <(&(ObjectClass=Computer)(cn=lvntest001457))> under <DC=UNABWORKS,DC=NET> ... 
Deleting computer object with DN <CN=lvntest001457,CN=Computers,DC=UNABWORKS,DC=NET> 
Updating uxauth.ini 
Successfully deregistered the client.