UNAB: certain users cannot log in


Article ID: 4868


Updated On:


CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)


UNAB installation can be a slight chore, as it requires a good deal of configuration before the endpoint can communicate with Kerberos and AD/LDAP. This sometimes requires configuring the PAM stack, the hosts/NIS files, or even modifying the SSHD configuration. Often, you may find that some users are able to log in while another group is not. Listed below are several areas to check to help resolve this issue.


Release: ACP1M005900-12.8-Privileged Identity Manager


A few things to check would be:

1. SELinux - turned off, or a policy is in place for it

SELinux can interfere with the authentication process. If you are using it, try turning it off and testing further. If everything works while it is off, you will need to run uxauth_selinux.sh from /UNAB_DIRECTORY/uxauthd/lbin to allow UNAB to run in this environment.


2. PAM configuration - Make sure that the /etc/pam_directory/system-auth file (system-auth, system-auth-ac or system-auth-cm, depending on the system) contains pam_unab.so in each of the auth, account, password and session sections (and pam_seos.so if the PIM endpoint is installed on the system)


3. usePAM = yes - Ensure the PIM seos.ini has PAM set as the authentication method, as the default value is OS authentication (if the PIM endpoint is installed)


5. loginappl - Ensure that in selang you have a loginappl rule for SSH with loginflags(PAMLOGIN), as this tells PIM to use the PAM stack when SSH is being used (if the PIM endpoint is installed)


6. SSHD config - Ensure UsePAM is set to yes and that any other lines that say UsePAM no are commented out. SSHD does not overwrite an earlier value with a later one; it takes the first value it reads.
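
The checks in items 2 and 6 can be scripted. The following is an added example, not vendor or UNAB code: the function names are hypothetical, the sample files are constructed, and the PAM control flags in them are placeholders rather than recommended values. It reports the UsePAM value SSHD will actually use (the first uncommented one) and which of the four PAM types are missing pam_unab.so.

```shell
#!/bin/sh
# Added example (not vendor code): offline checks for items 2 and 6 above.

# Value of the first uncommented UsePAM line, lowercased; "unset" if none.
# Assumption: Include directives are not followed.
effective_usepam() {
    awk '{ line = $0
           sub(/^[ \t]+/, "", line); sub(/[ \t]*=[ \t]*/, " ", line)
           split(line, f, /[ \t]+/)
           if (tolower(f[1]) == "usepam") { print tolower(f[2]); found = 1; exit } }
         END { if (!found) print "unset" }' "$1"
}

# Space-separated PAM types (of auth account password session) whose stack in
# file $1 has no uncommented line loading module $2; empty when all four do.
missing_pam_types() {
    awk -v mod="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        { t = $1; sub(/^-/, "", t)         # leading "-" only suppresses load errors
          for (i = 2; i <= NF; i++)        # control may be a multi-word [..] block
              if ($i == mod || substr($i, length($i) - length(mod)) == "/" mod)
                  seen[t] = 1 }
        END { n = split("auth account password session", want, " ")
              for (i = 1; i <= n; i++)
                  if (!(want[i] in seen)) out = out (out == "" ? "" : " ") want[i]
              print out }' "$1"
}

# Constructed samples (not from a real host), written to a temp directory.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#UsePAM yes' 'UsePAM no' 'PasswordAuthentication yes' \
        'UsePAM yes' > "$d/sshd_config"
    printf '%s\n' 'auth sufficient pam_unab.so' \
        'account [default=bad success=ok] pam_unab.so' \
        '#password sufficient pam_unab.so' \
        'password sufficient pam_unix.so' \
        'session optional pam_unab.so' > "$d/system-auth"
    echo "$d"
}

d=$(make_samples)
echo "effective UsePAM: $(effective_usepam "$d/sshd_config")"
echo "types missing pam_unab.so: $(missing_pam_types "$d/system-auth" pam_unab.so)"
rm -rf "$d"
```

On an endpoint, point the two functions at the real sshd_config and system-auth files instead of the samples.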