
Centrify DirectControl Administrator's Guide, Version 3.0

Centrify Corporation

Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2006 Centrify Corporation. All rights reserved.

Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners.

Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide ........ 9
    Intended audience ........ 9
    Getting a preview of what's in this release ........ 10
    Using this guide ........ 10
    Conventions used in this guide ........ 13
    Using online help ........ 14
    Where to go for more information ........ 14
    Contacting Centrify ........ 16

Chapter 1  Introduction ........ 17
    Understanding identity and access management ........ 17
    Why integrate with Active Directory? ........ 18
    What is the Centrify DirectControl solution? ........ 19
    What can you do after you deploy DirectControl? ........ 24

Chapter 2  About the Centrify DirectControl architecture and operation ........ 27
    Understanding the integration of Windows and Unix ........ 27
    Understanding DirectControl Management Tools ........ 29
    Understanding Centrify DirectControl Zones ........ 33
    Understanding Centrify DirectControl Agents ........ 34
    Understanding the log-on process ........ 43
    Summary of how DirectControl works ........ 47

Chapter 3  Planning the deployment of Centrify DirectControl ........ 49
    Planning Active Directory permissions ........ 49
    Planning changes to the Active Directory structure ........ 83
    Planning to work with multiple forests ........ 84
    Planning how you will use zones ........ 84
    Planning user account migration ........ 94
    Planning group membership ........ 94
    Planning NIS map migration ........ 98

Chapter 4  Installing Centrify DirectControl on Windows ........ 99
    Preparing for installation on Windows ........ 99
    Installing Centrify DirectControl Management Tools ........ 103
    Starting Centrify DirectControl for the first time ........ 105
    Updating from a previous release ........ 113
    Removing Centrify DirectControl ........ 114

Chapter 5  Installing the Centrify DirectControl Agent on Unix ........ 115
    Preparing for installation on Unix computers ........ 115
    Installing the Centrify DirectControl Agent ........ 116
    Verifying the DNS configuration on Unix ........ 119
    Joining an Active Directory domain ........ 120
    Updating from a previous release ........ 125
    Removing Centrify DirectControl ........ 126

Chapter 6  Managing zones ........ 129
    Using the Centrify DirectControl Setup Wizard ........ 129
    Creating a new zone ........ 130
    Opening and closing zones ........ 134
    Delegating control of administrative tasks ........ 135
    Changing zone properties ........ 137
    Adding a computer to a zone ........ 140
    Running reports for zones ........ 141

Chapter 7  Managing computers ........ 143
    Using zones for Linux, Unix, and Mac OS computers ........ 143
    Understanding how a computer joins a domain ........ 145
    Deciding who can join computers to the domain ........ 147
    Preparing computer accounts before joining ........ 149
    Joining a domain interactively or using a script ........ 150
    Changing computer properties ........ 152
    Allowing password resets for computer accounts ........ 154
    Changing the domain for a computer ........ 156
    Leaving a domain ........ 157
    Running reports for computers ........ 158
    Customizing configuration settings for a computer ........ 159
    Using computer-based group policies ........ 160

Chapter 8  Managing users and groups ........ 161
    Understanding user access ........ 161
    Using private groups for Unix users ........ 162
    Adding standard Active Directory groups to zones ........ 163
    Adding Active Directory users to zones ........ 165
    Modifying the Unix profile for users or groups ........ 168
    Applying password policies and changing passwords ........ 169
    Working in disconnected mode ........ 171
    Mapping local Unix accounts to Active Directory ........ 172
    Setting a local override account ........ 176
    Importing user and group information ........ 177
    Running reports for users and groups ........ 177
    Customizing configuration settings for users and groups ........ 179
    Using user-based group policies ........ 180

Chapter 9  Managing group policies for Unix users and computers ........ 181
    Understanding Group Policy Objects ........ 182
    Understanding group policy for Unix ........ 189
    Adding Unix policies to a Group Policy Object ........ 193
    Creating a Centrify DirectControl Group Policy Object ........ 195
    Setting policies for Unix computers and users ........ 196
    Linking a Group Policy Object to a container ........ 203
    Reporting group policy settings ........ 204
    Editing the Centrify DirectControl configuration file ........ 205
    Defining custom group policies ........ 205

Chapter 10  Managing licenses ........ 213
    Understanding how licensing works ........ 213
    Adding license containers ........ 216
    Viewing the license summary ........ 217
    Adding license keys ........ 218
    Deleting a license key ........ 220
    Running reports for licenses ........ 221

Chapter 11  Importing information from NIS maps or Unix files ........ 223
    Understanding the information source ........ 223
    Importing from NIS ........ 224
    Importing from a file ........ 225
    Moving pending information into Active Directory ........ 226
    Making imported information available to NIS clients ........ 231

Chapter 12  Using the DirectControl Information Service for NIS requests ........ 233
    Understanding the DirectControl Information Service ........ 233
    Understanding how to deploy the adnisd daemon ........ 236
    Understanding NIS maps in Active Directory ........ 237
    Configuring the DirectControl Information Service ........ 239
    Configuring NIS clients to use Centrify DirectControl ........ 243
    Configuring client authentication through adnisd ........ 246
    Maintaining NIS maps in the Administrator's Console ........ 250
    Discontinuing use of legacy NIS servers ........ 256

Chapter 13  Running reports ........ 257
    Understanding the importance of reports ........ 257
    Understanding the information each report provides ........ 258
    Generating and viewing reports ........ 260
    Filtering report information ........ 261
    Displaying the group navigation pane ........ 263
    Exporting and saving report information ........ 264
    Printing reports ........ 264

Chapter 14  Troubleshooting authentication and authorization ........ 267
    Understanding diagnostic tools and log files ........ 267
    Analyzing zone information in Active Directory ........ 268
    Configuring logging for Centrify DirectControl ........ 270
    Collecting diagnostic information ........ 273
    Working with DNS, Active Directory, and DirectControl ........ 275
    Filtering the objects displayed ........ 281

Appendix A  Using Centrify DirectControl Unix commands ........ 283
    Understanding when to use command line programs ........ 284
    Displaying usage information and man pages ........ 285
    Using adjoin ........ 285
    Using adleave ........ 294
    Using adpasswd ........ 297
    Using adgpupdate ........ 301
    Using adinfo ........ 303
    Using addebug ........ 311
    Using adrmlocal ........ 312
    Using adfinddomain ........ 314
    Using adsmb ........ 315
    Using adclient ........ 317
    Using runmappers ........ 319
    Using OpenLDAP commands ........ 321

Appendix B  Customizing Centrify DirectControl configuration options ........ 323
    Understanding how the configuration file is used ........ 323
    Understanding the syntax in the configuration file ........ 324
    Customizing daemon parameters ........ 326
    Customizing Kerberos parameters ........ 350
    Customizing PAM parameters ........ 358
    Customizing NSS parameters ........ 376
    Customizing NIS parameters ........ 384
    Customizing group policy parameters ........ 388

Appendix C  Installing an agent software package manually ........ 399
    Installing DirectControl on Red Hat, SuSE, or VMware ........ 400
    Installing DirectControl on Debian ........ 400
    Installing DirectControl on Solaris ........ 401
    Installing DirectControl on HP-UX ........ 401
    Installing DirectControl on AIX ........ 402
    Installing DirectControl on Mac OS X ........ 403

Appendix D  Setting the ports for Centrify DirectControl ........ 405

Index ........ 407

About this guide

Centrify™ DirectControl™ delivers secure access control and centralized identity management by seamlessly integrating UNIX, Linux, and Mac OS X computers, and J2EE and web platforms with Microsoft Active Directory. With DirectControl, organizations can improve IT efficiency, better comply with regulatory requirements, and move toward a more secure, connected infrastructure for their heterogeneous computing environment.

Intended audience

This Administrator's Guide provides complete information for installing, using, and customizing Centrify DirectControl. This guide is intended for system and network administrators who are responsible for managing user access to servers, workstations, enterprise applications, and network resources. Because Centrify DirectControl requires components to be installed in both the Windows environment and the Linux, UNIX, or Mac OS X environment, this guide assumes you have a working knowledge of performing administrative tasks across these different environments. If you are unfamiliar with any of the operating environments you need to support with Centrify DirectControl, you may need to consult additional, operating system-specific documentation to perform certain tasks or understand certain concepts. This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using scripts or other tools.

Getting a preview of what's in this release

This release of Centrify DirectControl includes updates for all of the core DirectControl components. These updates include support for new platforms, group policy support, extended NIS support, and other enhancements. For a summary of what's in this release, the system requirements for installation, and any other late-breaking information, see the Centrify DirectControl Release Notes on the Centrify DirectControl CD or in the distribution package. When the CD is inserted into the drive on a Windows computer, an autorun program displays the default Centrify DirectControl page. From this page, click Release Notes for an overview of what's in this release package and to review other topics.

Using this guide

Depending on your environment and role as a Centrify DirectControl administrator or user, you may want to read portions of this guide selectively. The guide provides the following information:

Chapter 1, Introduction, provides an overview of identity management and how Centrify DirectControl works, including a summary of key features and benefits.

Chapter 2, About the Centrify DirectControl architecture and operation, describes the key components that make up the Centrify DirectControl architecture and how these components provide authentication services.

Chapter 3, Planning the deployment of Centrify DirectControl, provides information to assist Active Directory administrators in planning a deployment of Centrify DirectControl and migration to Active Directory, including information about the permissions required to perform key Centrify DirectControl tasks and suggestions for planning how to use zones to suit your organization.

Chapter 4, Installing Centrify DirectControl on Windows, provides step-by-step instructions for installing Centrify DirectControl Management Tools on a Windows computer and how to update Active Directory to get started using DirectControl.

Chapter 5, Installing the Centrify DirectControl Agent on Unix, provides step-by-step instructions for installing the Centrify DirectControl Agent and the steps to take after installation to get started.

Chapter 6, Managing zones, describes the strategies for organizing your computers into zones, how to create new zones, and how to manage zone properties.

Chapter 7, Managing computers, describes how to add Unix computers to an Active Directory domain, how to modify computer account properties for Unix computers, and how to change the domain for a Unix computer.

Chapter 8, Managing users and groups, describes how to define Unix-based profiles for Active Directory users and groups and how to manage access for those accounts.

Chapter 9, Managing group policies for Unix users and computers, provides an overview of group policy and describes how to apply Centrify DirectControl group policies for Unix users and computers.

Chapter 10, Managing licenses, describes how to view and update Centrify DirectControl license keys.

Chapter 11, Importing information from NIS maps or Unix files, describes how to import existing users and groups from an NIS domain or Unix configuration files into Active Directory.

Chapter 12, Using the DirectControl Information Service for NIS requests, describes the Centrify DirectControl Network Information Service, how to configure computers and devices to send NIS client requests to the DirectControl Network Information Service, and how to manage NIS maps in the Centrify DirectControl Administrator Console.

Chapter 13, Running reports, describes how to generate, filter, and export information about Unix users, groups, computers, and applications using Centrify DirectControl reports.

Chapter 14, Troubleshooting authentication and authorization, describes how to use diagnostic tools and log files to retrieve information about the operation of Centrify DirectControl.

Appendix A, Using Centrify DirectControl Unix commands, provides reference information for the Centrify DirectControl command line programs.

Appendix B, Customizing Centrify DirectControl configuration options, describes the Centrify DirectControl configuration file and how to customize its parameters.

Appendix C, Installing an agent software package manually, provides platform-specific installation instructions for installing the Centrify DirectControl Agent directly on a computer without using the Centrify DirectControl installation script.

Appendix D, Setting the ports for Centrify DirectControl, provides a summary of the port requirements for Centrify DirectControl.

In addition to these chapters, an index is provided for your reference.

Conventions used in this guide

The following conventions are used in this guide:

Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.

Italics are used for book titles and to emphasize specific words or terms.

For simplicity, Unix is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.

The variable release is used in place of the specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 3.0.0, the full file name is centrifydc-3.0.0-sol8-sparc-local.tgz.


Using online help

Centrify DirectControl provides task-based, reference, and context-sensitive online help. To access task-based help or search for help topics, click Help on the right-click menu in the Centrify DirectControl Administrator Console. To view context-sensitive help within dialog boxes, press F1. In addition, Centrify DirectControl documentation is available in searchable Adobe Portable Document Format (PDF).

Where to go for more information

The Centrify DirectControl documentation set includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:

Centrify DirectControl Release Notes provides the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other Centrify DirectControl documentation.

Centrify DirectControl Quick Start provides a brief summary of the steps for installing Centrify DirectControl and getting started so you can begin working with the product right away. All of the topics and steps covered in the Quick Start are covered in greater detail in this Administrator's Guide.

Evaluation Guide provides information to help you set up an evaluation environment and use Centrify DirectControl to test typical authentication and authorization scenarios, such as resetting user passwords for Unix computers, preventing a user from accessing unauthorized Unix computers, or enforcing specific lockout policies when users attempt to log on to Unix computers using Centrify DirectControl.

Administrator's Guide provides installation, administrative, and reference information to help you install, deploy, customize, and use Centrify DirectControl to manage Unix computers, users, and groups through Active Directory.

Centrify DirectControl Authentication Guide for Apache describes how to use Centrify DirectControl with Apache Web servers and applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Apache, you should refer to this supplemental documentation for details about how to configure your Apache server to use Centrify DirectControl and Active Directory.

Centrify DirectControl Authentication Guide for Java Applications describes how to use Centrify DirectControl with J2EE applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify DirectControl and Active Directory.

Individual Unix man pages provide command reference information for Centrify DirectControl Unix command line programs.

In addition to the Centrify DirectControl documentation, you may want to consult the documentation for your Windows, Linux, Unix, or Mac OS X operating system, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.

Contacting Centrify

If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify products, support, services, and upcoming events. For information about purchasing or evaluating Centrify products, send email to [email protected].

Chapter 1  Introduction

This chapter provides an introduction to identity, access, and configuration management and to the Centrify DirectControl suite. It includes an overview of Centrify DirectControl features and benefits. The following topics are covered:

Understanding identity and access management
Why integrate with Active Directory?
What is the Centrify DirectControl solution?
What can you do after you deploy DirectControl?

Understanding identity and access management

For most organizations, it is critical to control access to computer and application resources to prevent disruption of service, data tampering, or security breaches. Managing who has access efficiently and securely is especially difficult in heterogeneous environments that may include a combination of Windows, Linux, UNIX, and Mac OS X servers and workstations. In cross-platform environments, securing access to computers and applications typically involves managing multiple identity stores with multiple authentication mechanisms. As the following figure suggests, there are many authentication mechanisms available for Unix and Linux systems, but they are typically isolated from each other and managed separately.

[Figure: isolated authentication mechanisms in a mixed environment. Unix and Linux computers: local accounts stored in local files on individual Unix servers and workstations; NIS and NIS+ servers and account maps provide a central repository for Unix accounts; Kerberos realms and Key Distribution Center provide authentication for some users and services; LDAP authentication for LDAP transactions. Windows computers: Active Directory forests with Kerberos authentication and LDAP directory service.]

Users who have access to more than one application or computer platform often have multiple login accounts with conflicting user name or password policy requirements. In addition, individual applications and services may use any of these standard mechanisms or have their own specialized authentication method. Because managing user accounts and access using all of these different mechanisms across an enterprise is impractical, Centrify DirectControl provides a way to centralize and simplify the management of user accounts and access to computers and applications through Active Directory.

Why integrate with Active Directory?

Many organizations already have a significant investment in their Windows infrastructure, with Windows workstations often used as desktop systems and Windows servers handling critical business services such as messaging or database transactions. For Windows 2000, Windows XP, and Windows Server 2003, Active Directory is the core technology for managing users, computers, and other resources, and, therefore, is a requirement for any organization that manages Windows resources. In addition to being a key component of the organization's infrastructure, Active Directory provides a complete set of tools for authentication, authorization, and directory service, making it an ideal candidate for managing user accounts and access to computer resources. By extending Active Directory to manage Linux and Unix computers, Centrify DirectControl provides administrators with a comprehensive identity and access management solution while reducing administrative complexity and overhead.

What is the Centrify DirectControl solution?

As the previous section suggests, Centrify DirectControl delivers secure access control and centralized identity management by integrating UNIX, Linux, and Mac OS X servers and workstations, and J2EE and Web platforms, with Microsoft Active Directory. Through the Centrify DirectControl Agent, UNIX, Linux, and Mac OS X servers and workstations can become part of an Active Directory domain and act as Active Directory clients. Once part of a domain, you can secure those systems using the same authentication, access control, and group policy services you deploy for Windows computers. Additional modules work with the Centrify DirectControl Agent to provide services such as single sign-on for Web applications and Samba integration. The Centrify DirectControl Management Tools provide an Administrator Console, extensions for Active Directory Users and Computers, out-of-the-box reporting, and account migration tools.


With the Centrify DirectControl suite, organizations with diverse IT environments can leverage their investment in Active Directory to:
- Move to a central directory with a single point of administration for user accounts and security policy.
- Use Centrify DirectControl Zones to provide secure, granular access control and delegated administration.
- Extend Web single sign-on to internal end-users and external business partners and customers.
- Simplify compliance with regulatory requirements.
- Deploy quickly without intrusive changes to the existing infrastructure.

Moving to a central directory

By consolidating user accounts in Active Directory, organizations can improve IT efficiency and move toward a more secure, connected infrastructure for their heterogeneous environment. Using DirectControl enables them to:
- Strengthen security by consolidating user accounts into Active Directory, making it easy for IT managers to disable the accounts of departing employees, and locate and eliminate security risks posed by orphan accounts.
- Reduce infrastructure costs by eliminating redundant identity stores, including legacy directories, un-secured NIS servers, dedicated application databases and locally managed /etc/passwd files.
- Streamline operations by standardizing on a single set of Active Directory-based tools, administrative training, and in-house processes for account provisioning, maintenance, and other tasks.
- Establish consistent password policies across a heterogeneous environment by enforcing Active Directory's rules for password complexity and expiration for all users regardless of where they log in.
- Enforce consistent security and configuration policies across UNIX, Linux, and Mac OS X servers and workstations by adding Centrify DirectControl group policy templates for computer- and user-based configuration settings to Windows Group Policy Objects.
- Improve productivity and satisfaction for end-users, who now have only one password to remember, and fewer Help Desk calls to reset passwords or update user accounts.

Using Centrify DirectControl Zones for granular control

With its patent-pending zone technology, Centrify DirectControl delivers the granular access control that real-world enterprises need to securely manage heterogeneous environments. With DirectControl, IT managers can:
- Segregate logical collections of UNIX, Linux, or Mac OS X computers into Centrify DirectControl Zones within Active Directory. Computers can be organized by department, geography, function, system type, or in any other grouping that makes sense for a particular organization.
- Use Active Directory's role-based access model to allow users and groups to log on only to the systems in the zones for which they are authorized.
- Grant system administrators the administrative privileges they need only on the zones where there are computers they need to manage, without elevating their privileges for other computers or zones.
- Enforce consistent security and configuration policies that are specific to the computers within a zone.


Extending single sign-on for web applications

Centrify DirectControl provides Active Directory-based single sign-on for intranet and extranet Web applications running on Apache and popular J2EE servers. Centrify DirectControl and the Apache or J2EE add-on module provide:
- Active Directory-based single sign-on (SSO) through Kerberos and LDAP for end-users accessing intranet applications.
- Federated identity authentication through Microsoft Active Directory Federation Services (ADFS) for business-to-business and business-to-customer extranet web applications.
- Support for popular Web application servers running on UNIX, Linux, or Windows.
- Mapping between Active Directory users and groups and Web application roles to leverage the existing Active Directory infrastructure.

Simplify compliance with regulatory requirements

Centrify DirectControl simplifies the administrative, reporting, and auditing tasks brought on by Sarbanes-Oxley, PCI, HIPAA and other government and industry regulations. The combination of Active Directory and Centrify DirectControl provides the following benefits:
- IT managers can reliably manage user accounts, set access controls, and enforce security policies across the enterprise from a single point of administration.
- Zone-based access controls enable IT managers to limit administrative rights and end-user access to sensitive systems, and the Centrify DirectControl Administrator Console makes it easy for IT managers to view and change zone-based access controls.
- Out-of-the-box reports can be used to satisfy auditing requirements and can identify the computers any specific user can access, and which users can access any specific computer or application.
- By extending Active Directory's password requirements and Group Policy features to UNIX, Linux, and Mac OS X servers and workstations, Centrify DirectControl enables IT managers to enforce consistent, enterprise-wide security policies in a manner that can be verified by auditors.
- Centrify DirectControl ensures activity on UNIX, Linux, and Mac OS servers and workstations is written to the proper Active Directory logs, providing an audit trail for verifying system access.

Deploying without changes to existing infrastructure

Centrify DirectControl's support for open standards and its unified architecture make it easy to deploy without making changes to your existing Active Directory or network infrastructure. Centrify DirectControl offers IT managers the following benefits:
- Centrify DirectControl does not install any software on domain controllers, and it does not require any changes to the Active Directory schema to store UNIX identity data.
- Centrify DirectControl supports the native Active Directory schema, the Microsoft Services for UNIX (SFU) schema extension, and the RFC 2307 Active Directory schema introduced with Windows Server 2003 R2.
- Centrify DirectControl can map multiple UNIX identities to a given Active Directory account, and IT managers can access this UNIX data in Active Directory using ADSI or LDAP commands.
- Centrify DirectControl's unified architecture delivers identity management, access control, and policy enforcement through a core Centrify DirectControl Agent. Additional modules snap in to this base agent to provide services such as SSO for Web applications or Samba integration.
- Centrify accelerates an organization's productivity by offering free downloads of Open Source tools such as OpenSSH and PuTTY, which have been optimized to work seamlessly with Active Directory through Centrify DirectControl.

What can you do after you deploy DirectControl?

Once the Centrify DirectControl Agent is deployed on a server or workstation, that computer is considered a Centrify DirectControl managed system. When a computer is managed by Centrify DirectControl, an administrator with the proper permissions can perform the following common tasks:
- Specify which Active Directory users and groups can log on to a specific Unix computer or group of computers.
- Control user access to Unix computers across one or more Active Directory forests, regardless of the organizational structure you use and where users are defined in that structure.
- Map local Unix accounts, such as the root user, to Active Directory accounts for centralized control over the passwords, or set specific local Unix accounts to be authenticated locally rather than through Active Directory.
- Define zones and zone properties and delegate the rights necessary to manage Unix computer, user, and group accounts in any zones to other users, as needed.
- Configure and apply group policies for Unix computers and users.


When a computer is managed by Centrify DirectControl, authorized users can perform the following common tasks:
- Log on to the Unix shell or desktop program and use Unix programs and services such as telnet, ssh, and ftp.
- Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
- Manage their Active Directory passwords directly from the Unix command line, provided they can connect to Active Directory.


Chapter 2

About the Centrify DirectControl architecture and operation

This chapter provides an overview of the Centrify DirectControl architecture and discusses the operations associated with each of the Centrify DirectControl components. The following topics are covered:
- Understanding the integration of Windows and Unix
- Understanding DirectControl Management Tools
- Understanding Centrify DirectControl Zones
- Understanding Centrify DirectControl Agents
- Understanding the log-on process
- Summary of how DirectControl works

Understanding the integration of Windows and Unix

Because the Centrify DirectControl suite provides an integration layer between Windows and other operating environments, it consists of the following primary components:
- In the Windows environment, you need to install the Centrify DirectControl Management Tools on a computer from which you can access Active Directory. The Centrify DirectControl Management Tools include required and optional components for working with Unix-specific properties in Active Directory, including the Centrify DirectControl Administrator Console and Centrify DirectControl properties, called the Centrify Profile, for Active Directory Users and Computers.
- On each server or workstation to be integrated into Active Directory, you need to install the Centrify DirectControl Agent. With the Centrify DirectControl Agent, when a Unix computer joins the Active Directory domain, that computer essentially becomes an Active Directory client for authentication, authorization, policy management, and directory services. Operationally, the interaction between the Centrify DirectControl Agent and Active Directory is similar to the interaction between a Windows XP client and its Active Directory domain controller.

The following figure provides a simplified view of the integration between Windows and Unix through Centrify DirectControl.

Figure: Windows servers and workstations running the Centrify DirectControl Management Tools (Active Directory Users and Computers with the Centrify Profile, and the Centrify DirectControl Administrator Console) and UNIX and Linux servers and workstations running the Centrify DirectControl Agent package both communicate with Active Directory; an example Active Directory user account, chris, is shown logging on through the agent.

Before you can centrally manage access across different platforms using Microsoft Active Directory, you need to:
- Prepare the Active Directory environment by installing the Centrify DirectControl Management Tools on at least one Windows computer.
- Ensure each Unix, Linux, or Mac OS computer can communicate with an Active Directory domain controller to present valid credentials for authentication. To handle this communication, you need to install the Centrify DirectControl Agent and join an Active Directory domain.
- Use Active Directory and the Centrify DirectControl Management Tools to enable and manage access and authorization for users and groups who need to log on to or use Unix, Linux, and Mac OS X computers.

The next sections provide a more detailed discussion of the Centrify DirectControl Management Tools and Centrify DirectControl Agent, including an overview of how Centrify DirectControl zones are used, and a summary of what happens when a user logs on to a Unix computer that has joined the Active Directory domain.

Understanding DirectControl Management Tools

As discussed in Understanding the integration of Windows and Unix on page 27, the components you install on Windows are collectively referred to as the Centrify DirectControl Management Tools. The Centrify DirectControl Management Tools include both required and optional components as follows:
- The Centrify DirectControl Administrator Console is required to be installed on at least one computer that can access domains in Active Directory. The Centrify DirectControl Administrator Console provides a central location for managing Unix users, groups, and computers and performing administrative tasks, such as importing accounts, running reports, and analyzing account information.
- The Centrify DirectControl property extensions for Active Directory can be installed on any domain computer in the forest. The first time you start the Centrify DirectControl Administrator Console, a Setup Wizard guides you through the steps for configuring Active Directory to store Unix-specific attributes without modifying the Active Directory schema of the forest.
- The documentation, release notes, and online help for the Centrify DirectControl Administrator Console are optional and can be installed on any computer.
- The Centrify DirectControl Extension for NIS Maps is optional and can be installed on at least one computer if you want to import and manage NIS maps, such as netgroup and auto.master, in Active Directory.
- The Centrify DirectControl Administrative Templates for Group Policy is optional and can be installed on at least one computer where the Group Policy Object Editor is available.

The following figure provides a simplified view of the architecture.

Figure: In the Windows environment, the DirectControl Administrator Console and the DirectControl Property Extensions; in the Unix environment, Centrify DirectControl Agents, each running adclient; all of them communicating with the Active Directory Domain Controller.

About the Centrify DirectControl Administrator Console

The primary way you create and manage Unix users, groups, computers, Centrify DirectControl zones and Centrify DirectControl zone properties is through the Centrify DirectControl Administrator Console. The Centrify DirectControl Administrator Console is a Microsoft Management Console (MMC) snap-in that allows you to centrally manage all of the Centrify DirectControl information in the enterprise.

You can use the Centrify DirectControl Administrator Console to:
- Manage access to all of your Unix, Linux, and Mac OS X computers.
- Set and modify user and group properties for all of your Unix, Linux, and Mac OS X users and groups.
- Create and manage Centrify DirectControl zones and zone properties to simplify the process of giving users access to specific computers and migrating Unix user accounts to Active Directory.
- Add Active Directory users and groups to Centrify DirectControl zones.
- Import user and group information from local password and groups files or from NIS and NIS+ servers.
- Import and maintain network information from NIS maps such as netgroup, auto.master, and automount or create custom NIS maps.
- Generate and view reports describing Unix users, groups, computers, and applications you have enabled for access through Centrify DirectControl.
- View and manage Centrify DirectControl licenses for computers and applications.

For example, with the Centrify DirectControl Administrator Console you can view the users with permission to access Unix computers in different zones much as you would view Windows users in a domain:

About the Centrify Profile

Once you have updated the Active Directory forest, Unix-specific properties are displayed on the Centrify Profile tab when you view the properties for a user, group, or computer in the Centrify DirectControl Administrator Console or through Active Directory Users and Computers, making the user experience consistent whether you manage Windows systems, Unix systems, or both.


Understanding Centrify DirectControl Zones

One of the most important aspects of managing Unix, Linux, and Mac OS X systems through the Centrify DirectControl Administrator Console is the ability to organize computers and users' access to those computers using zones. A Centrify DirectControl zone is similar to an Active Directory domain or an NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify system management and the migration of account information from existing local files, NIS databases, LDAP servers, and other sources to Active Directory. How you use zones will depend primarily on the needs of your organization. In some organizations, a single default zone is sufficient. In other organizations, using multiple zones may be a necessity. In general, you use zones in one of two ways:
- To group computers with similar properties and requirements. For example, you may want to create one zone for all of your Red Hat Linux workstations and another zone for all of your Sun Solaris Unix servers because the users of the Linux workstations prefer a different login shell, belong to a different functional group in the organization, or have different administrative needs than the users of the Solaris Unix servers.
- To separate computers with conflicting properties and requirements. For example, you may want to create separate zones when a single user has multiple conflicting identities on multiple computers.

In large organizations, Centrify DirectControl zones are especially useful for migrating users and computers from NIS, NIS+, local files, or LDAP to Active Directory. Using zones, administrators can migrate existing user accounts to Active Directory users without having to ensure that all Unix UIDs are unique throughout the entire enterprise. Because there's no need to rationalize the UIDs, zones enable you to migrate the existing users quickly and easily with minimal advance planning or impact to your existing infrastructure. You can also use zones to organize computers along departmental, geographical, or functional lines to better manage access control and delegate administrative tasks. With Centrify DirectControl zones, you can roll out Centrify DirectControl to the user community using whatever strategy works best for your organization.

Although zones can provide flexibility for managing user accounts and computer access, Centrify DirectControl does not require you to set up and use multiple zones. Instead, when you start the Centrify DirectControl Administrator Console for the first time, a Setup Wizard guides you through the configuration of a default zone. You can use this single default zone as you add computers to the domain for as long as it is practical to do so. You only need to be concerned with planning and populating additional zones if you determine multiple zones would be useful for your organization. You can then create the additional Centrify DirectControl zones when and if you need them. For more information about planning and using Centrify DirectControl zones, see Using the Centrify DirectControl Setup Wizard on page 129.

Understanding Centrify DirectControl Agents

The Centrify DirectControl Agent makes a Unix, Linux, or Mac OS X computer look and behave like a Windows computer to Active Directory. From a high-level view, the Centrify DirectControl Agent performs the following key tasks:
- Joins Unix or Linux computers to an Active Directory domain.
- Communicates with Active Directory to authenticate users logging on to the Unix or Linux computer, and caches credentials for offline access.
- Enforces Active Directory authentication and password policies.
- Extends Active Directory group policies to manage the configuration of Unix users and computers.
- Provides a Kerberos environment so that existing Kerberos applications automatically work transparently with Active Directory.

Although the individual agents you install are platform-specific, the Centrify DirectControl Agent is a tightly integrated suite of services that work together to ensure seamless operation between existing Unix services and applications and Active Directory authentication and authorization. The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:

Figure: Unix infrastructure (login, ftp, ssh...), Apache server and applications, Java/J2EE applications, and Kerberized applications reach the agent through the Centrify CLI, Centrify NSS, Centrify PAM, Apache Module, Centrify SDK, Centrify JAAS, and Centrify SPNEGO interfaces; beneath these sit the Centrify DirectControl Service Library and the Centrify DirectControl daemon, which together maintain the Kerberos cache, keytab and configuration file, and the offline credentials and search results.

As this figure suggests, the Centrify DirectControl Agent includes the following core components:
- The Centrify DirectControl daemon (adclient). The adclient daemon handles all of the authentication, authorization, and policy management interaction with Active Directory and passes valid credentials along to the Unix shell programs or Web applications that need this information.
- The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.
- The Centrify DirectControl NSS module updates the nsswitch.conf to use the Centrify DirectControl daemon to access information that's stored in Active Directory through LDAP. This module enables standard operating system look-up services to look up and validate information using Active Directory.
- The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as join and leave the domain, change user passwords, and collect diagnostic information from the Unix command prompt. These command line programs can be used interactively or within scripts to automate tasks.
- The Centrify DirectControl Kerberos environment provides a Kerberos configuration file and krb5.keytab file to enable your Kerberized applications to authenticate through Active Directory.
- The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.

In addition to these core components, the Centrify DirectControl Agent can also include the following add-on modules:
- The Centrify DirectControl libraries for Apache, Tomcat, JBoss, and WebLogic plug in to the native authentication mechanisms for each Web server to enable you to configure Web applications to use Active Directory for authentication.
- The Centrify DirectControl Network Information Service (adnisd). The Centrify DirectControl Network Information Service is a separate service that works in conjunction with the Centrify DirectControl daemon to enable you to store NIS maps in Active Directory and publish that information to NIS clients through Centrify DirectControl.
- Optional utilities and programs, such as updated Kerberos or the OpenLDAP commands, that have been optimized to work with Active Directory.

Understanding the activities of the daemon (adclient)

The most important element in the Centrify DirectControl Agent is the Centrify DirectControl daemon, adclient, and its service library that exposes the daemon's functionality to all of the other modules. The Centrify DirectControl daemon runs as a single trusted service and is automatically started when the system is first booted. It handles all of the direct communication with Active Directory and manages all of the operations provided through the other services. The adclient daemon performs several key tasks of the Centrify DirectControl Agent, including the following:
- Locates the appropriate domain controllers for the local Unix, Linux, or Mac OS X computer based on the Active Directory forest and site topology published through the Windows DNS server. If a domain controller becomes unavailable, the adclient daemon automatically locates the next available domain controller to ensure uninterrupted service.
- Provides Active Directory with account credentials that verify the computer is a valid member of the domain.
- Delivers and stores user credentials so that users can be authenticated by Active Directory and, once authenticated, can sign on even if the computer is disconnected from the network for mobile access or if Active Directory is unavailable.
- Caches query responses and other information, including positive and negative search results, to reduce network traffic and the number of connections to Active Directory and to ensure users can work uninterrupted and start new application sessions using their login credentials. The cache and all communication with Active Directory is encrypted to ensure security. No communication is in clear text.
- Creates and maintains the Kerberos configuration and service ticket files to allow existing Kerberos-enabled applications to work with Active Directory without any manual configuration.
- Synchronizes the local computer's time with the clock maintained by Active Directory to ensure the timestamp on Kerberos tickets issued by the KDC are within a valid range.
- Resets the password for the local computer account in Active Directory at a regular interval to maintain security for the account's credentials.
- Provides all the authentication, authorization, and directory look-up services retrieved from Active Directory to the other Centrify DirectControl Agent services, for example, to the PAM or Apache modules.

To perform these tasks, the Centrify DirectControl daemon and all of the other Centrify DirectControl Agent services rely on an internal service library of functions that enable the communication with Active Directory and perform Active Directory operations. This service library is not exposed directly for external use but is accessed internally through programming interfaces.

Understanding Centrify DirectControl for PAM services

Pluggable Authentication Modules (PAM) are a common mechanism for configuring authentication and authorization used by many Unix programs and applications. If a program or application uses PAM for authentication and authorization, the rules for authenticating the user are configured in either the PAM configuration file, /etc/pam.conf, or, more commonly, in application-specific files in the /etc/pam.d directory. Centrify DirectControl includes a customized Pluggable Authentication Module (pam_centrifydc) that enables any application that uses PAM, such as ftpd, telnetd, login, and Apache, to authenticate users through Active Directory. When you join a domain, the pam_centrifydc module is automatically placed first in the PAM stack in system-auth, so that it takes precedence over other authentication modules. The pam_centrifydc module is configured to work with adclient to provide a number of services, such as checking for password expiration, filtering for users and groups, and creating the local home directory and default user profile files for new users. The services provided through the pam_centrifydc module can be customized locally on a computer, modified through Active Directory group policy, or configured through a combination of local and Active Directory settings. Working in conjunction with the Centrify DirectControl daemon, the pam_centrifydc module provides the following services for PAM-enabled programs and applications:
- Verifies the current user name and password for a session are a valid user name and password in Active Directory.
- Requests the PAM-enabled application to prompt for a password when appropriate and verifies whether the application-provided user name and password are valid in Active Directory.
- Checks whether the user's password has expired in Active Directory. If the password has expired, the pam_centrifydc module prompts the user to change the password, and forwards the new password to the Centrify DirectControl daemon, which communicates the change to Active Directory.
- Checks policy settings in the /etc/centrifydc/centrifydc.conf file to determine whether any access control policies are applied. For example, the pam_centrifydc module uses the information in the centrifydc.conf file to determine whether a local user attempting to log on is mapped to an Active Directory account, whether specific users or groups have been granted or denied permission to log on to the local computer, or whether Active Directory authentication should be ignored for a specific user or group.
- Creates the local home directory and default user profile files for new users. The pam_centrifydc module uses skeleton files to set up the user environment when new Active Directory users log on to a Unix computer for the first time.

Most of these tasks are performed during a user login session as a series of requests and replies from the pam_centrifydc module to Active Directory through the adclient daemon for those programs and applications that are configured to use PAM. Because PAM is the most common authentication service used by Unix programs and applications, the pam_centrifydc module is the most commonly used for a typical log-on session. For a more detailed description of a typical log-on process, see Understanding the log-on process on page 43.

Understanding Centrify DirectControl for NSS

The Name Service Switch (NSS) provides a mechanism for identifying sources of network information a computer should use, such as local password and group files, NIS maps, NIS+ tables, LDAP, and DNS, and the order in which these sources should be consulted when looking up users, groups, host names, and other information. When you join a domain, the NSS configuration file, nsswitch.conf, is automatically updated to use the Centrify DirectControl NSS module first. Using the Centrify DirectControl daemon and the service library, the Centrify DirectControl NSS module accesses network information that's stored in Active Directory through LDAP. When a Unix program or application needs to look up information, it checks the nsswitch.conf file and is directed to use the nss_centrifydc module. The nss_centrifydc module directs the request to Active Directory through the adclient daemon. The adclient daemon provides the information retrieved from Active Directory, then caches responses locally to ensure faster performance, reduce network traffic, and allow for disconnected operation. The cache is encrypted to ensure the security of the responses.

Understanding the Kerberos configuration

Kerberos is a network authentication protocol for client/server applications that uses encrypted tickets passed through a central Key Distribution Center to verify the identity of a user or service requesting access. Because Kerberos is an industry standard and a secure network authentication mechanism, you may already have Unix programs and services that are configured to use it. To allow those existing Kerberized applications to work with Active Directory without manual configuration, the adclient daemon automatically creates and maintains the Kerberos configuration file, krb5.conf, and the krb5.keytab service ticket file to point Kerberos-enabled services and applications to the Key Distribution Center (KDC) in Active Directory. The configuration file is initially created using information collected by probing DNS and Active Directory, with the default domain set to the domain that the computer has joined. Whenever a logon or ticket validation is performed with a domain that is not in the configuration file, the configuration file is updated so that it includes the new domain. Although the adclient daemon can automatically update the file as needed, it does not destroy existing configuration entries that you may have added by hand. Because of this, Centrify DirectControl works seamlessly with your existing Kerberos-enabled applications.


Understanding authentication for Web applications

In most cases, deployed Web applications provide some type of native authentication and authorization module for Web developers to implement. With Centrify DirectControl, you can extend these native interfaces to seamlessly connect to Active Directory for authentication and authorization, and, depending on the configuration of the Web applications and the Web browsers that access those applications, to provide transparent Single Sign-On capability. Much in the same way it supports authentication for basic Unix services, such as login and telnet, the Centrify DirectControl Agent provides authentication and authorization services to Web servers and applications through server-specific plug-in modules. These modules work in conjunction with the adclient daemon and service library to provide silent and prompted authentication and authorization when users access Web applications created in Apache, Tomcat, JBoss, or WebLogic environments. Because each Web application platform has its own development environment and native authentication mechanisms, the specific authentication mechanisms and methods supported can vary by server platform. For example, Java Authentication and Authorization Service (JAAS) is a standard Java package that provides interfaces to allow applications to perform silent or prompted authentication of user credentials. Centrify DirectControl provides a customized JAAS realm for Tomcat and JBoss applications to use Active Directory for authentication when an application is configured to use the BASIC or FORM authentication method. For more information about configuring authentication services for Apache, see the Centrify DirectControl Authentication Guide for Apache. For more information about configuring authentication services for Tomcat, JBoss, WebLogic, and other Java-based applications, see the Centrify DirectControl Authentication Guide for Java Applications.


Understanding the log-on process

The Centrify DirectControl Agent components work together to identify and authenticate the user any time a user logs on to a computer using any Unix command that requires the user to enter credentials. The following steps summarize the interaction to help you understand the process for a typical log on request. The process is similar, though not identical, for Unix commands that need to get information about the current user or group.

Note: The following steps focus on the operation of the Centrify DirectControl Agent rather than the interaction between the Centrify DirectControl Agent and Active Directory. In addition, these steps are intended to provide a general understanding of the operations performed through the Centrify DirectControl Agent and do not provide a detailed analysis of a typical log on session.

When a user starts the Unix computer and is prompted to log in, the following takes place:

1 The user enters a local Unix user name or an Active Directory user name.

2 The Unix login process reads the PAM configuration file, /etc/pam.conf, and determines that it should use the Centrify DirectControl PAM service, pam_centrifydc, for identification.

3 The Unix login process passes the login request and the user name to the Centrify DirectControl PAM service for processing.

4 The pam_centrifydc service checks the pam.allow.override parameter in the Centrify DirectControl configuration file to see if the user name entered is an account that should be authenticated locally. If the user should be authenticated locally, the pam_centrifydc service passes the login request to the next PAM module specified in the PAM configuration file, for example, to the local configuration file /etc/passwd. If the user is not an override account, the pam_centrifydc service continues with the login request and checks to see if the adclient daemon is running, then passes the login request and user name to the adclient daemon.

5 The adclient daemon connects to Active Directory and queries the Active Directory domain controller to determine whether the user name included in the request is a Centrify DirectControl user who has access to computers in the current computer's zone. If the adclient daemon is unable to connect to Active Directory, it queries the local cache to determine whether the user name has been successfully authenticated before. If the user account does not have access to computers in the current zone or can't be found in Active Directory or the local cache, the adclient daemon checks the Centrify DirectControl configuration file to see if the user name specified is mapped to a different Active Directory user account with the adclient.mapuser.username parameter. If the user name specified is mapped to another Active Directory account in the configuration file, the adclient daemon queries the Active Directory domain controller or local cache to determine whether the mapped user name has access to computers in the current computer's zone.

6 If the user has a Unix profile for the current zone, the adclient daemon receives the zone-specific information for the user, such as the user's UID, the user's local Unix name, the user's global Active Directory user name, the groups of which the user is a member, the user's home directory, and the user's default shell.

7 The adclient daemon queries through the nss_centrifydc service to determine whether there's another user currently logged in with the same UID. If there is a potential conflict between a local user account and the Unix profile for an Active Directory account, the adclient daemon notifies the pam_centrifydc service of the potential conflict. The pam_centrifydc service checks the Centrify DirectControl configuration file to determine whether to issue a warning, ignore the conflict, or prevent the user from logging on. If the login continues, the pam_centrifydc service asks the Unix login process for a password.

8 The Unix login process prompts the user to provide a password and returns the password the user enters to the pam_centrifydc service.

9 The pam_centrifydc service checks the pam.allow.users and pam.deny.users parameters in the Centrify DirectControl configuration file to see if any user filtering has been specified to allow or deny access to specific user accounts. If any user filtering has been specified, the current user is either allowed to continue with the login process or denied access.

10 The pam_centrifydc service checks the pam.allow.groups and pam.deny.groups parameters in the Centrify DirectControl configuration file to see if any group filtering has been specified to allow or deny access to members of specific groups. If any group filtering has been specified, the current user is either allowed to continue with the login process or denied access based on group membership.

11 If the current user account is not prevented from logging on by user or group filtering, the pam_centrifydc service queries the adclient daemon to see if the user is authorized to log on.

12 The adclient daemon queries the Active Directory domain controller through Kerberos to determine whether the user is authorized to log on to the current computer at the current time.

13 The adclient daemon receives the results of its authorization request from Active Directory and passes the reply to the pam_centrifydc service.

14 The pam_centrifydc service does one of the following depending on the content of the authorization reply:

  - If the user is not authorized to use the current computer or to log in at the current time, the pam_centrifydc service denies the user's request to log on through the Unix login process.
  - If the user's password has expired, the pam_centrifydc service sends a request through the Unix login process asking the user to change the password. After the user supplies the password, log-in succeeds.
  - If the user's password is about to expire, the pam_centrifydc service notifies the user of the impending expiration through the Unix login process.
  - If the user is authorized to log on and has a current password, the login process completes successfully. If this is the first time the user has logged on to the computer through Centrify DirectControl, the pam_centrifydc service creates a new home directory on the computer in the location specified in the Centrify DirectControl configuration file by the parameter pam.homeskel.dir.


The following figure provides a simplified view of a typical log-on process when using Centrify DirectControl.

[Figure: simplified log-on process. A user starts a Unix log on process using a command such as login, telnet, or ssh; PAM-enabled services check /etc/pam.conf and call pam_centrifydc; Unix look-up requests check /etc/nsswitch.conf and call nss_centrifydc; both modules pass requests to adclient in the Centrify DirectControl Agent, which checks /etc/centrifydc.conf settings for override, allow, deny, and password expiration, maintains the Kerberos keytab and configuration file used by Kerberos applications, holds cached credentials and search results, and communicates with the Active Directory Domain Controller.]

Summary of how DirectControl works

As discussed in the previous sections in this chapter, the Centrify DirectControl suite is comprised of two main architectural components that enable Unix users, groups, computers, and applications to be integrated into the Active Directory infrastructure:

- The Centrify DirectControl Management Tools that enable you to manage Unix users, groups, and computers from the Windows environment.
- The Centrify DirectControl Agent that enables the authentication of Active Directory users to standard Unix programs and services, including those configured to use PAM, NSS, and Kerberos, and the authentication of Active Directory users to Web server applications. The Centrify DirectControl Agent also provides command line programs, so that Unix users can update their Active Directory password or perform other tasks using a command line interface that feels native and appropriate for the Unix environment.

Through the Centrify DirectControl daemon and service library, the Centrify DirectControl Agent components work together transparently on the Unix system and connect transparently to Active Directory for authentication of user and service credentials. With the Centrify DirectControl Agent, the Centrify DirectControl Management Tools, and Active Directory, you have an integrated solution to identity and access management that provides native operation for both Windows and Unix users and for administrators in the cross-platform enterprise. Now that you are familiar with both the Windows and Unix components, you are ready to install these components on your Windows and Unix computers and begin adding Unix, Linux, and Mac OS computers to the Active Directory domain.


Chapter 3

Planning the deployment of Centrify DirectControl

This chapter provides step-by-step instructions for installing Centrify DirectControl and joining a computer to the domain. The following topics are covered:

- Planning Active Directory permissions
- Planning changes to the Active Directory structure
- Planning to work with multiple forests
- Planning how you will use zones
- Planning user account migration
- Planning NIS map migration

Planning Active Directory permissions

Centrify DirectControl requires some specific rights for administrators to work with objects such as Unix users, groups, and computers within Active Directory. As part of your deployment planning process, you should review the rights required to set up and manage Centrify DirectControl objects and understand how to manually assign rights for managing Centrify DirectControl objects, if needed.

Note: At a minimum, all Centrify DirectControl actions require the user to have generic Read permission. This permission is typically granted to all Authenticated Users by default.

Understanding permission requirements for the Setup Wizard

In most cases, you run the Centrify DirectControl Setup Wizard to guide you through the configuration of Active Directory for Centrify DirectControl. The Setup Wizard updates Active Directory with Centrify DirectControl objects and properties, including some DirectControl-specific containers that are required for proper operation. To successfully perform these tasks, the user account that runs the Setup Wizard must have specific rights. Because some of these rights may be reserved for administrative accounts, other users may not be able to perform all of the steps in the Setup Wizard. To allow other user accounts to run the Setup Wizard, you can manually create the appropriate container objects, then assign to those objects only the specific permissions needed to correctly complete the configuration of Centrify DirectControl. Users can then use the Setup Wizard to select the appropriate container objects and perform all of the necessary steps without being members of an administrative group. The following table describes the minimum rights that must be applied to the Centrify DirectControl container objects or other users to successfully complete the configuration of Centrify DirectControl.

| This target object | Requires these permissions | Applied to |
|---|---|---|
| Licenses container | Read All Properties; Create classStore Objects; Modify permissions; Write Description property; Write displayName property | This object only; This object and all child objects |
| Zones container (or any container used as a destination for a new zone) | Read All Properties; Create classStore Objects; Create container objects; Write displayName property | This object only; This object and all child objects |
| Private Groups container | Read All Properties; Create classStore Objects; Modify permissions; Write displayName property | This object only; This object and all child objects |

Licenses container: Centrify DirectControl requires you to create or select at least one parent container for license keys. By default, this container object is domain/Program Data/Centrify/Licenses. You can create additional License containers, if needed, through the Manage Licenses dialog box. By default, all Authenticated Users have read and list contents permission for the Licenses container and all of its child objects. You can change these permissions if you want to restrict access to the Centrify DirectControl Administrator Console.

Zones container: Centrify DirectControl requires you to create or select a parent container object for creating new zones. By default, this container object is domain/Program Data/Centrify/Zones. You can use other containers for zones, if needed.

Private Groups container: Centrify DirectControl requires you to create or select a parent container object for private groups if you are using private groups in any zones. By default, this container object is domain/Program Data/Centrify/Private Groups. By default, all Authenticated Users have permission to create group objects in the Private Groups container.

Creating Display Specifiers for Centrify DirectControl

To set up the Centrify Profile properties page in the Active Directory Users and Computers console, you must be an enterprise administrator or a domain administrator for the forest root domain because adding the Centrify Profile to Active Directory Users and Computers requires you to add Display Specifiers to Active Directory. If you want to provide access to the Centrify Profile in the Active Directory Users and Computers console, an enterprise administrator can manually define the display specifiers (under domain/Configuration/DisplaySpecifiers/LanguageID/) for computer, group, and user properties by modifying the adminPropertyPages attribute with the appropriate GUID. Adding the display specifiers for Centrify DirectControl properties is an optional step you can perform manually using ADSI Edit or by running the displayspecifier.vbs script.

Note: If you manage all Centrify DirectControl objects through the Centrify DirectControl Administrator Console, you do not need to perform this task.


To use the displayspecifier.vbs script to set up the display specifiers for Centrify DirectControl:

1 Log on using an enterprise administrator account or a domain administrator for the forest root domain.

2 Open a Command Prompt window and change to the Centrify DirectControl directory. For example:

  cd C:\Program Files\Centrify\Centrify DirectControl

3 Run the displayspecifier.vbs script.

To manually set up the property pages in Active Directory Users and Computers, you need to create the following entries using ADSI Edit, where n is the next number in the index of values for the attribute:

| For this target object | Set this attribute | To |
|---|---|---|
| computer-Display (displaySpecifier) | adminPropertyPages | n,{DB5E4BE1-A0F0-4e6c-AD8A-B46475D727CB} |
| group-Display (displaySpecifier) | adminPropertyPages | n,{0CDC9AD0-E870-483f-8D16-17EAB3B7F881} |
| user-Display (displaySpecifier) | adminPropertyPages | n,{543DBFE3-317D-4493-8D00-84591E4EDCDE} |
| inetOrgPerson-Display (displaySpecifier) | adminPropertyPages | n,{543DBFE3-317D-4493-8D00-84591E4EDCDE} |

In most cases, you only need to set up the display specifiers once for the Active Directory forest. If you support multiple languages, you can manually add the display specifiers to each language you support. For example, if your organization supports US-English (CN=409), Standard French (CN=40C), and Japanese (CN=411), you would add the display specifiers to these three containers. Once you have updated Active Directory by running the displayspecifier.vbs script or by manually adding the display specifiers, you can access the Centrify Profile properties using Active Directory Users and Computers.
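As an added example (not from the guide or from Centrify's displayspecifier.vbs), the following PowerShell script performs the manual ADSI step for one display specifier: it reads the existing adminPropertyPages values, does nothing if the property-page GUID is already listed, computes n as the next index, and appends the new "n,{GUID}" entry. The forest root DC=example,DC=com and the US-English CN=409 container are assumed placeholders; the GUID and object names are the ones from the table above.

```powershell
# Added example: append a Centrify property-page entry to adminPropertyPages
# on one display specifier, computing "n" as the next free index.
# Assumptions (placeholders): forest root example.com, language container CN=409.
param(
    [string]$Specifier = "computer-Display",
    [string]$Guid      = "{DB5E4BE1-A0F0-4e6c-AD8A-B46475D727CB}",  # value from the guide's table
    [string]$ConfigNc  = "CN=Configuration,DC=example,DC=com",       # placeholder forest root
    [string]$Lang      = "409"                                       # US-English display specifiers
)

# ADSI IADs::PutEx control code that adds values without replacing the existing ones.
$ADS_PROPERTY_APPEND = 3

$path = "LDAP://CN=$Specifier,CN=$Lang,CN=DisplaySpecifiers,$ConfigNc"
$ds = [ADSI]$path
$existing = @($ds.adminPropertyPages)   # multi-valued; entries look like "n,{GUID}"

# Idempotence check: refuse to add the same property page twice.
$alreadyThere = $existing | Where-Object { $_ -match [regex]::Escape($Guid) }
if ($alreadyThere) {
    Write-Host "$Specifier already references $Guid as '$alreadyThere'; nothing to do."
    return
}

# "n" is the next number in the index of values: one past the highest index present.
$maxIndex = 0
foreach ($entry in $existing) {
    if ($entry -match '^\s*(\d+),') {
        $maxIndex = [Math]::Max($maxIndex, [int]$Matches[1])
    }
}
$newValue = "{0},{1}" -f ($maxIndex + 1), $Guid

Write-Host "Appending '$newValue' to adminPropertyPages on $path"
$ds.PutEx($ADS_PROPERTY_APPEND, "adminPropertyPages", @($newValue))
$ds.SetInfo()   # commits the change to the domain controller
```

Run it once per target object in the table (changing -Specifier and -Guid), under the enterprise administrator account the procedure above calls for.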


Registering the administrative notification handler

The administrative notification handler supports the replication services in Active Directory to ensure data integrity in the Active Directory forest. You can register the notification handler automatically through the Centrify DirectControl Setup Wizard the first time you start the Centrify DirectControl Administrator Console, but this requires an account with Enterprise Administrator or Domain Administrator rights in the forest root domain. Although this step is optional, registering the administrative notification handler helps to ensure Unix profile properties are properly deleted if a user, group, or computer is deleted using Active Directory Users and Computers. If you don't want to perform this step in the Setup Wizard, you can manually configure the administrative notification handler using ADSI Edit, or you can choose not to register the administrative notification handler for Centrify DirectControl. If you choose not to register the administrative notification handler, however, you should periodically run the Centrify DirectControl Analyze command to check and maintain data integrity in the Active Directory forest. To manually set up the administrative notification handler for Centrify DirectControl, add the following entry using ADSI Edit under domain/Configuration/DisplaySpecifiers/LanguageID/, where n is the next number in the index of values for the attribute:

| For this target object | Set this attribute | To |
|---|---|---|
| DS-UI-Default-Settings | dSUIAdminNotification | n,{D0D2C2AE-C143-4C81-A61C-BE95C3C5EEDF} |

Creating containers manually for Centrify DirectControl

Some organizations prefer to create and manage Active Directory objects manually to ensure tight control over the objects and their related attributes. For example, you may want to manually create your own Zone or License containers so that you can manually set specific permissions and related properties on those containers and refine who has access to them. You can create the container objects anywhere in the forest's directory structure, but you must have at least one Zone container object and at least one License container object. If you plan to use private groups for any zone, you also need to have at least one Private Groups container object. Normally, you can create these objects when you run the Setup Wizard, create a new zone, or manage licenses, but you can manually create them prior to deployment, if desired.

Understanding permissions for the Zone Delegation Wizard

If you use the Zone Delegation Wizard to delegate administrative tasks to specific users and groups, you are providing those users and groups specific permissions for working with objects in Active Directory. The following table summarizes the permissions that can be assigned through your selections in the Zone Delegation Wizard.

| Selecting this task | Grants these rights |
|---|---|
| All | Permissions to perform all of the actions listed in the Zone Delegation Wizard and described below. When a user creates a new zone, that user is granted this permission for the zone he created. |
| Change zone properties | List Contents on the ZoneName object container. Read All Properties on the ZoneName object container. Write Description property on the ZoneName object container. |
| Add or remove users | List Contents on the ZoneName/Users object container. Read All Properties on the ZoneName/Users object container. Create serviceConnectionPoint objects on the ZoneName/Users object container. Delete serviceConnectionPoint objects on the ZoneName/Users object container. |
| Add or remove groups | List Contents on the ZoneName/Groups object container. Read All Properties on the ZoneName/Groups object container. Create serviceConnectionPoint objects on the ZoneName/Groups object container. Delete serviceConnectionPoint objects on the ZoneName/Groups object container. |

L