Reconciliation Account

A reconciliation account can be used to reset the password of the User account if it becomes out of sync with the host.

A reconciliation account differs from the use of a Shadow Account in that it could be a unique account for each host.

The reconciliation account will be used automatically to reset the User account password on this host when a Check Status job fails.

A Check Status failure indicates that the User account in the record is no longer valid, possibly due to a password change that occurred outside of PAM or during a remote session.

Reconciliation account passwords can also be periodically reset using the Password Reset Reconcile script with the desired policy event.

To create a record with a reconciliation account, select the record type Unix Host with Reconcile Account.

Please note that this record type is hidden by default, so you may need to unhide it before it becomes available.

In the record, you will see two additional fields: Reconcile Account User and Reconcile Account Password.

In these fields, enter your reconciliation user and password. Both fields are hidden, so you will only see them when you create or edit the record.

This reconciliation account will be automatically used when the Check Status job fails on this record.

No additional configuration is required, but you may configure the Check Status task by navigating to Manage > Tasks and updating it as needed.

Additionally, if you wish to reset the Reconcile Account Password, you can configure the Password Reset Reconcile SSH task policy on this record as needed.

For Switch User records, you can extend this same functionality by creating two new fields in the record type: ReconcileUserSU and ReconcilePasswordSU. Enter the reconcile credentials in these fields; they will be used to reset the password of the SU User account if its Check Status job fails.

If you want to add this Reconciliation Account function to an existing record, you can create the fields Reconcile Account User and Reconcile Account Password manually in your record type.

Afterwards, you can also add the Password Reset Reconcile task to the record to support resetting the Reconciliation Account Password.