search cancel

How deregistration process works in the context of UNAB

book

Article ID: 215513

calendar_today

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

This issue provides an overview of the UNAB deregistration process and it helps clarify the process whenever command uxconsole -deregister is issued in the context of  UNAB endpoint management.

Environment

CA Privileged Access Manager Server Control 14.X and CA Privileged Identity Manager, several versions

Resolution

When the -deregister command optio is used, uxconsole requests deregistration to be handled by a DC in the site with which UNAB endpoint was registered, i.e., the one known to be optimal.  

It is a one-time-only operation as far as endpoint is concerned.

The following points are worth noting:

  • Both registration and deregistration query SRV records to find available DCs (that is how AD works)
  • Both registration and deregistartion work eventually with a specific DC that performs the actual LDAP operation.
  • During deregistartion UNAB makes not a generic but a site-specificDNS query (as one should).  

One can use a particular site for deregistration by setting ad_site token in uxauth.ini as desired.  If the site does not exist, UNAB will revert to AD for the process

For instance, the below deregistration process was done with ad_site changed to a non-existent MY_OWN_SITE.

As observed UNAB handled this correctly

/tmp> uxconsole -deregister   -a Administrator    -v2
CA ControlMinder UNAB uxconsole v12.81.0.3969 - console utility
Copyright (c) 2013 CA. All rights reserved.

Getting Active Directory DNS domain from the ad/ad_domain token. 
Locating Resource Records for Active Directory services in site <MY_OWN_SITE> 
Cannot find Resource Records for LDAP services in <MY_OWN_SITE> site. 
Locating Resource Records for Active Directory services in domain <unabworks.net> 
Domain Controller 'LVNDEV002775.UNABWORKS.NET' replied that this client belongs to site 'Default-First-Site-Name'
As per the 'ad_site' token in 'uxauth.ini', using <MY_OWN_SITE> for the client's site.
Cannot find Resource Records for LDAP services in <MY_OWN_SITE> site. 
Locating Resource Records for Active Directory services in domain <unabworks.net> 
Administrator password: 
Trying LDAP service at lvndev002775.unabworks.net:389 
Binding to Active Directory... 
AD Schema version 87 (Windows Server 2016)
Searching with filter <(&(ObjectClass=Computer)(cn=lvntest001457))> under <DC=UNABWORKS,DC=NET> ... 
Deleting computer object with DN <CN=lvntest001457,CN=Computers,DC=UNABWORKS,DC=NET> 
Updating uxauth.ini 
Successfully deregistered the client. 

There is also the -s switch which you can use with deregistration.  That will use a specific server to carry out the operation:

tmp> uxconsole -deregister   -a Administrator    -v2 -s lvndev002775.UNABWORKS.NET
CA ControlMinder UNAB uxconsole v12.81.0.3969 - console utility
Copyright (c) 2013 CA. All rights reserved.

Attempting to derive the domain from <lvndev002775.unabworks.net>. 
Locating Resource Records for Active Directory services in site <Default-First-Site-Name> 
Domain Controller 'LVNDEV002775.UNABWORKS.NET' replied that this client belongs to site 'Default-First-Site-Name'
As per the 'ad_site' token in 'uxauth.ini', using <Default-First-Site-Name> for the client's site.
Administrator password: 
Trying LDAP service at lvndev002775.unabworks.net:389 
Binding to Active Directory... 
AD Schema version 87 (Windows Server 2016)
Searching with filter <(&(ObjectClass=Computer)(cn=lvntest001457))> under <DC=UNABWORKS,DC=NET> ... 
Deleting computer object with DN <CN=lvntest001457,CN=Computers,DC=UNABWORKS,DC=NET> 
Updating uxauth.ini 
Successfully deregistered the client.