
Centrify DirectControl Best Practices - Cerberis


WHITE PAPER
CENTRIFY CORP.

Centrify DirectControl Best Practices
NOVEMBER 2007

Centrify DirectControl offers a high degree of flexibility in integrating with an organization's Active Directory and UNIX systems. Applying best practices to the design and deployment of DirectControl can accelerate an organization's adoption rate of DirectControl, allowing an organization to quickly meet compliance and auditing standards. Centrify's patent-pending Zone technology simplifies management of UNIX, Linux and Mac computers while at the same time strengthening access controls through centralized management.

ABSTRACT

This white paper provides detailed examples of how to integrate Centrify™ DirectControl™ with an organization's Active Directory and UNIX systems. It demonstrates how to apply best practices to tasks such as designing Zones, storing UNIX data in Active Directory, delegating permissions to Active Directory, installing DirectControl in the UNIX and Windows environments, creating Zones, joining UNIX computers to Active Directory, managing the root password, consolidating an organization's UID and GID space, and integrating DirectControl with monitoring and provisioning solutions.


CENTRIFY WHITE PAPER
CENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004-2006 Centrify Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

[WP-001-2006-03-30]

© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE II


Contents

1 Centrify DirectControl Best Practices ..... 1
1.1 Introduction ..... 1
1.2 About Centrify DirectControl ..... 1
1.3 Scenario ..... 2
1.3.1 Organization ..... 3
1.3.2 Current IT Architecture ..... 4
1.3.3 Current Active Directory Environment ..... 5
1.3.4 Current Active Directory Provisioning ..... 6
1.3.5 Current UNIX Environment ..... 7
1.3.6 Current UNIX Provisioning ..... 8
2 Project Phases ..... 9
2.1 Phase one: ..... 9
2.2 Phase two: ..... 9
2.3 Phase three: ..... 9
3 Phase One Solution Architecture ..... 10
3.1 Solution: IT Architecture ..... 10
3.2 Solution: Initial Zone Design ..... 10
3.2.1 Initial data set ..... 11
3.2.2 Zoning ..... 12
3.2.3 Final Zone Design ..... 13
3.2.4 Importing data ..... 13
3.2.5 Zone Design Example
3.3 Solution: Changes to Active Directory ..... 16
3.4 Solution: Initial Patch Analysis ..... 19
3.5 Solution: Software Installation ..... 19
3.6 Solution: DirectControl Configuration ..... 20
3.7 Solution: Zone Creation ..... 21
3.7.1 Secondary Group membership ..... 23
3.8 Solution: Joining UNIX computers to Active Directory ..... 24
3.8.1 Solution: firewall ports ..... 26
3.8.2 Solution: changing file permissions ..... 27
3.8.3 Solution: removing duplicate users and groups ..... 29
3.9 Solution: Managing the root password ..... 30
3.10 Solution: Daily Operations ..... 31


3.10.1 Solution: Updated UNIX Provisioning ..... 33
4 Solution: Phase Two Solution Architecture ..... 34
4.1 Zone Consolidation ..... 34
5 Solution: Phase Three Solution Architecture ..... 37
5.1 Lights-out administration ..... 37
6 Identifying Initial Tasks ..... 39
6.1 DirectControl Prerequisites ..... 39
6.2 Active Directory Setup ..... 39
6.3 Zone Design ..... 39
6.4 UNIX Deployment ..... 40
6.5 Conclusion ..... 40
7 Related Publications ..... 40
7.1 Product Documentation ..... 40
7.2 White Papers ..... 40
7.3 Video Chalktalks ..... 41
8 How to Contact Centrify ..... 41


1 Centrify DirectControl Best Practices

1.1 Introduction

Before deploying an enterprise software solution, IT organizations should ask software vendors for best practices that will speed the adoption rate of the new software. Centrify™ DirectControl™ offers a high degree of flexibility in the design and deployment of the product, and offers a comprehensive Administrator's Guide. For many organizations, this has meant there are a large number of unanswered questions on how to best approach design and deployment. This white paper provides specific examples of how to apply best practices to common tasks with Centrify DirectControl.

This document assumes a general knowledge of Active Directory and UNIX, and a technical understanding of Centrify DirectControl.

1.2 About Centrify DirectControl

Centrify DirectControl's core feature is its ability to enable UNIX, Linux and Mac servers and workstations to participate in an Active Directory domain. The Centrify DirectControl Agent effectively turns the host system into an Active Directory client, enabling organizations to secure that system using the same authentication, access control and Group Policy services currently deployed for their Windows systems. Additional seamlessly integrated modules snap into the DirectControl Agent to provide services such as web single sign-on, strong authentication to database and ERP systems, and Samba integration. The DirectControl Management Tools include extensions to standard Microsoft management tools, an administration console, out-of-the-box reporting, and an account migration wizard.

With the Centrify DirectControl suite, organizations with diverse IT environments can leverage their investment in Active Directory to:

• Move to a central directory with a single point of administration for user accounts and security policy. By centralizing user account management and security policy in Active Directory, organizations can improve IT efficiency and move toward a more secure, connected infrastructure for their heterogeneous environment. Using DirectControl they can eliminate redundant identity stores, provide administrators and end-users with a single sign-on account, standardize on a single set of tools and processes, and enforce enterprise-wide security and configuration policies for their heterogeneous environment.

• Use DirectControl Zones to provide secure, granular access control and delegated administration. Only DirectControl, with its patent-pending Zone technology, delivers the granular access control that real-world enterprises need to securely manage their heterogeneous environments. Any logical collection of mixed UNIX, Linux or Mac systems can be segregated within Active Directory as a DirectControl Zone. Each Zone can have a unique set of users, a unique set of administrators, and a unique set of security policies.

• Extend single sign-on to web applications, databases and ERP systems. Centrify delivers Active Directory-based web single sign-on for both intranet and extranet applications running on Apache and popular J2EE servers at a fraction of the cost of older point solutions. For intranets, DirectControl enables Active Directory-based web SSO via Kerberos and LDAP. For extranets, DirectControl leverages Microsoft Active Directory Federation Services (ADFS) to provide federated identity management for both business-to-business and business-to-customer web applications.

• Simplify compliance with regulatory requirements. DirectControl greatly simplifies the administrative, reporting and auditing tasks brought on by Sarbanes-Oxley, PCI, HIPAA and other government and industry regulations by providing IT managers with a single point of administration from which to reliably manage user accounts, set access controls and enforce security policies. DirectControl Zones enable "need to know" access controls, and out-of-the-box reports verify who has access to what.

• Deploy quickly without intrusive changes to existing infrastructure. DirectControl's support for open standards and its unified architecture make it far easier to deploy than any other Active Directory-based solution. Certified for Windows 2003 Server, DirectControl does not require proprietary schema changes in order to store UNIX identity data or to enable advanced features.

1.3 Scenario

This white paper describes a fictional corporation named Illumi Clinics, which recently completed an evaluation of Active Directory-centric authentication and authorization solutions. Centrify DirectControl was selected for production deployment to 200 existing UNIX computers. The root domain of this organization is stored as "illumiclinics.com" in Active Directory. Per corporate policy, all employees at Illumi Clinics log in with their User Principal Name, such as "Cedar.Pirl@illumiclinics.com".

Over the course of this white paper, Illumi Clinics will leverage Centrify's best practices to rapidly deploy DirectControl. Illumi Clinics will use a three-phased project to:

• Quickly take control of their UNIX environment;
• Consolidate their Zones and their UID/GID space; and
• Reduce administrative overhead.

A generic software patch management solution was selected for this white paper because DirectControl is fully interoperable with all software patch management solutions that are capable of either calling an installation script or using native package management tools.


1.3.1 Organization

Illumi Clinics has its headquarters in Pittsburgh, Pennsylvania. It operates non-urgent care medical clinics within surrounding states. As a publicly traded company, it is subject to Sarbanes-Oxley regulations. Because it handles patient records, it is subject to HIPAA. It also accepts credit card payments at clinics, making it subject to the PCI standards promoted by the payment card industry.

Illumi Clinics' regional sales personnel carry laptops. Local clinics have desktop systems, from which personnel connect to web-based applications managed through the corporate data center. Illumi Clinics has a flat organizational structure consisting of the following departments:

• Engineering
• Finance
• Human Resources
• Marketing
• Sales

Cedar Pirl is the manager of the engineering department. He has fourteen direct reports: four UNIX personnel and ten Windows personnel. Diana Wirth is the Active Directory architect. Both Cedar and Diana report to Linda Spinney, the VP of Information Technology at Illumi Clinics. Despite this relatively flat organizational structure, the Windows and UNIX personnel are logically two separate teams and do not share job functions.


1.3.2 Current IT Architecture

Figure 1-1

This figure illustrates the logical architecture in use at Illumi Clinics. Specifically, this illustrates the state before deploying Centrify DirectControl.

• The Active Directory server is a fully redundant cluster running on Windows Server 2003 Enterprise Edition R2.
• The UNIX servers / workstations include HP-UX 11.23, Sun Solaris 9 and 10 and Red Hat Enterprise Linux 3 and 4 computers.
• There is a local ntpd running on each UNIX computer.
• Active Directory and all UNIX computers use the same primary timeserver.
• All UNIX and Windows computers are registered with the Windows 2003 DNS service.
• A commercial software management package is used for deploying patches and new software to Windows and UNIX clients.
• The UNIX syslog is monitored with a commercial log-monitoring package.
• Starting with Windows NT 3.1 for the DEC Alpha, Illumi Clinics' standard has been that the Windows user name and UNIX user name must match. Every user's "Pre-Windows 2000 username" attribute value in Active Directory is equivalent to their 8-character UNIX username.
• The UNIX operations team shares the root password.


1.3.3 Current Active Directory Environment

Figure 1-2

This figure illustrates the current Organizational Units in Illumi Clinics' Active Directory. Standard containers, such as "cn=users" and "cn=computers", have been omitted for brevity. Illumi Clinics has a flat Active Directory structure based primarily on their flat organizational structure. Depending on the role of the computer, computer objects are stored in "ou=workstations" or "ou=servers". Illumi Clinics recently deployed Windows 2003 R2 and has a 2003 forest and domain functional level.


1.3.4 Current Active Directory Provisioning

The following steps are manually performed as part of provisioning a new Active Directory user at Illumi Clinics:

1. An HR staff person adds a new employee record to the HR System; and,
2. The HR System validates the data and adds the new employee record.
3. The HR staff person sends an email to the Windows team to add a new user to Active Directory.
4. A Windows team member adds a new User object to Active Directory; and,
5. Active Directory saves the new User object.
6. The Windows team member adds the new User object to the correct Active Directory group or groups; and,
7. Active Directory saves the group membership.
8. The Windows team member then replies to the email from HR.


1.3.5 Current UNIX Environment

These statements describe Illumi Clinics' UNIX environment before the deployment of DirectControl:

• There are 200 UNIX computers in scope of the initial deployment of DirectControl.
• /etc/passwd, /etc/group and /etc/shadow have been locally managed.
• Over the years, Illumi Clinics has implemented several sets of standards for the assignment of UNIX UIDs and GIDs. Due to the age of some computers, several sets of standards may be in use on any one computer. For example, a mandate in 1996 required a UID space of 1000-3000 to be used, while a new mandate in 2000 required all UNIX users to have a UID between 5000 and 9000. Historical user accounts were not migrated on each machine. As a result, each user may have numerous UIDs assigned across multiple computers.
• As previously mentioned in 1.3.2, the UNIX username for each user must match the Active Directory "Pre-Windows 2000 username" attribute value.
• The Solaris computers are using /export as a local mount point, not an NFS mount point.
• Illumi Clinics has not previously deployed NIS or LDAP solutions.


1.3.6 Current UNIX Provisioning

Figure 1-3

The following steps are manually performed as part of provisioning a new UNIX user at Illumi Clinics:

1. An HR staff member sends an email to the UNIX team authorizing UNIX access.
2. A UNIX staff member uses the native platform utility (such as 'useradd') to create a new user object on the UNIX computer. A new password and UID are assigned to the user; and,
3. The updated /etc/passwd and /etc/shadow files are saved.
4. The UNIX staff member then manually modifies /etc/group to set secondary group membership for the new UNIX user; and,
5. The /etc/group file is saved.
6. The UNIX staff member replies to the email from the HR staff member.


3 Phase One Solution Architecture

This section describes the deployed solution at Illumi Clinics after DirectControl has been initially deployed. Specific focus is given to the changes to Active Directory and the UNIX environment.

3.1 Solution: IT Architecture

Figure 3-1

This figure illustrates the IT architecture in use at Illumi Clinics following deployment of Centrify DirectControl.

• Both Windows and UNIX computers will receive time updates from Active Directory.
• The local ntpd processes on the UNIX computers will be disabled in the startup scripts.
• Both Windows and UNIX computers will use Active Directory as an authentication and authorization source.

3.2 Solution: Initial Zone Design

To meet their objectives, Illumi Clinics must create their initial Zone design and deploy DirectControl to 200 UNIX computers within 60 days.

The most common practice for deploying DirectControl to a large number of systems in a very small amount of time is to directly import each computer's /etc/passwd and /etc/group files, excluding local service accounts and groups. This design results in one Zone per computer. This design meets security requirements for removing local user accounts if those local accounts are removed following the data import. However, from an administrative perspective, this is less than optimal as it does not reduce the total number of distinct user populations being managed; rather, DirectControl becomes analogous to a visual editor for /etc/passwd and /etc/group.

Cedar knows that there are many UNIX computers with common user populations. Cedar asks Justino Aranda, a UNIX operator, to collect all 200 /etc/passwd and /etc/group files. He is then to find groups of computers where 80% of the users have the same username and home directory values. Cedar knows that there are some UID/GID collisions in the UNIX environment and that it would be easier to reconcile those collisions using adfixid from Centrify than to continue with the splintered UID/GID space. Consolidating or moving home directories is less desirable during the first project phase.

Using the simple rules set by his manager, Justino determines there will be 80 initial Zones. The largest Zone will contain 24 computers and there are many Zones that contain a single computer.

3.2.1 Initial data set

The following example illustrates the UNIX user populations from three servers: dbserv, finserv, and rhel. All servers run identical versions of UNIX. For brevity, users with a UID less than 99 are not shown because they are not in scope.

/etc/passwd from dbserv:

    alyssia:x:10020:10:ALYSSIA OSTEEN:/home_dir/alyssia:/bin/bash
    justino:x:10021:31:JUSTINO ARANDA:/home/justino:/bin/bash
    tetsu:x:10022:10:TETSU ISHII:/home/tetsu:/bin/bash
    clyde:x:10023:10017:CLYDE BAUM:/home/clyde:/bin/ksh
    cedar:x:10024:10012:CEDAR PIRL:/home/cedar:/bin/ksh
    sdebruin:x:10025:10012:SALLEY DEBRUIN:/home/sdebruin:/bin/sh
    tdeshay:x:10026:10:TENISHA DESHAY:/home/tdeshay:/bin/ksh
    sramnari:x:10028:90:SHAWN RAMNARINE:/home/sramnari:/bin/bash
    fniewier:x:10029:10013:FUMIKO NIEWIEROSKI:/home/fniewier:/bin/sh
    kminors:x:10030:10:KATHRINE MINORS:/home/kminors:/bin/bash
    enerio:x:10031:10:ELLYN NERIO:/home/enerio:/bin/ksh
    dbaltaza:x:10032:10:DANAE BALTAZAR:/home/dbaltaza:/bin/sh
    acolliga:x:10033:10018:ALFRED COLLIGAN:/home/acolliga:/bin/bash
    hgarry:x:10034:10:HOPE GARRY:/home/hgarry:/bin/ksh
    rcranfil:x:10035:10012:RASHEEDA CRANFILL:/home/rcranfil:/bin/sh
    ktacadin:x:10036:10018:KATHI TACADINA:/home/ktacadin:/bin/bash
    fsamsel:x:10037:10014:FREDDA SAMSEL:/home/fsamsel:/bin/sh
    bkozlovs:x:10038:10014:BAILEY KOZLOVSKY:/home/bkozlovs:/bin/bash
    pengelke:x:10039:10015:PETER ENGELKES:/home/pengelke:/bin/sh

/etc/passwd from finserv:

    alyssia:x:10020:10:ALYSSIA OSTEEN:/home/alyssia:/bin/bash
    justino:x:10021:10:JUSTINO ARANDA:/home/justino:/bin/bash
    tetsu:x:10022:10:TETSU ISHII:/home/tetsu:/bin/bash
    clyde:x:10023:10017:CLYDE BAUM:/home/clyde:/bin/ksh
    cedar:x:10024:10012:CEDAR PIRL:/home/cedar:/bin/ksh
    sdebruin:x:10025:10012:SALLEY DEBRUIN:/home/sdebruin:/bin/sh
    tdeshay:x:10026:10:TENISHA DESHAY:/home/tdeshay:/bin/ksh
    sramnari:x:10028:10:SHAWN RAMNARINE:/home/sramnari:/bin/bash
    fniewier:x:10029:10013:FUMIKO NIEWIEROSKI:/home/fniewier:/bin/sh
    kminors:x:10030:10:KATHRINE MINORS:/home/kminors:/bin/bash
    enerio:x:10031:10:ELLYN NERIO:/home/enerio:/bin/ksh
    dbaltaza:x:10032:10:DANAE BALTAZAR:/home/dbaltaza:/bin/sh
    acolliga:x:10033:10018:ALFRED COLLIGAN:/home/acolliga:/bin/bash
    hgarry:x:10034:10:HOPE GARRY:/home/hgarry:/bin/ksh
    rcranfil:x:10035:10012:RASHEEDA CRANFILL:/home/rcranfil:/bin/sh
    ktacadin:x:10036:10018:KATHI TACADINA:/home/ktacadin:/bin/bash
    fsamsel:x:10037:10014:FREDDA SAMSEL:/home/fsamsel:/bin/sh
    bkozlovs:x:10038:10014:BAILEY KOZLOVSKY:/home/bkozlovs:/bin/bash
    pengelke:x:10039:10015:PETER ENGELKES:/home/pengelke:/bin/sh
    plama:x:10017:10009:PALMA LAMA:/home/plama:/bin/sh
    abalmer:x:10018:10004:ADRIENNE BALMER:/home/abalmer:/bin/ksh

/etc/passwd from rhel:

    alyssia:x:10020:10:ALYSSIA OSTEEN:/home/alyssia:/bin/bash
    justino:x:10021:10:JUSTINO ARANDA:/home/justino:/bin/bash
    tetsu:x:10022:10:TETSU ISHII:/home/tetsu:/bin/bash
    clyde:x:10023:10017:CLYDE BAUM:/home/clyde:/bin/ksh
    cedar:x:10024:10012:CEDAR PIRL:/home/cedar:/bin/ksh
    sdebruin:x:10025:10012:SALLEY DEBRUIN:/home/sdebruin:/bin/sh
    tdeshay:x:10026:10:TENISHA DESHAY:/home/tdeshay:/bin/ksh
    sramnari:x:10028:10:SHAWN RAMNARINE:/home/sramnari:/bin/bash
    fniewier:x:10029:10013:FUMIKO NIEWIEROSKI:/home/fniewier:/bin/sh
    kminors:x:10030:10:KATHRINE MINORS:/home/kminors:/bin/bash
    enerio:x:10031:10:ELLYN NERIO:/home/enerio:/bin/ksh
    dbaltaza:x:10032:10:DANAE BALTAZAR:/home/dbaltaza:/bin/sh
    acolliga:x:10033:10018:ALFRED COLLIGAN:/home/acolliga:/bin/bash
    hgarry:x:10034:10:HOPE GARRY:/home/hgarry:/bin/ksh
    rcranfil:x:10035:10012:RASHEEDA CRANFILL:/home/rcranfil:/bin/sh
    ktacadin:x:10036:10018:KATHI TACADINA:/home/ktacadin:/bin/bash
    fsamsel:x:10037:10014:FREDDA SAMSEL:/home/fsamsel:/bin/sh
    bkozlovs:x:10038:10014:BAILEY KOZLOVSKY:/home/bkozlovs:/bin/bash
    pengelke:x:10039:10015:PETER ENGELKES:/home/pengelke:/bin/sh

3.2.2 Zoning

The majority of users' UNIX profiles are the same on all three UNIX hosts. However, the following users' UNIX profiles differ between dbserv and the other two UNIX hosts. These are the affected profiles from dbserv:

    alyssia:x:10020:10:ALYSSIA OSTEEN:/home_dir/alyssia:/bin/bash
    justino:x:10021:31:JUSTINO ARANDA:/home/justino:/bin/bash
    sramnari:x:10028:90:SHAWN RAMNARINE:/home/sramnari:/bin/bash


CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLThese are the affected users UNIX profiles from rhel and finserv:alyssia x 10020 10 ALYSSIA OSTEEN /home/alyssia /bin/bashjustino x 10021 10 JUSTINO ARANDA /home/justino /bin/bashsramnari x 10028 10 SHAWN RAMNARINE /home/sramnari /bin/bashAdditionally, the following users exist on finserv but not on rhel or dbserv:plama x 10017 10009 PALMA LAMA /home/plama /bin/shabalmer x 10018 10004 ADRIENNE BALMER /home/abalmer /bin/kshBecause changing a user’s primary GID has security implications, Tetsu decides thatdbserv will not be put in the same Zone as finserv and rhel. This could be done at a laterdate to reduce the number of Zones. This would also require updating the ownership ofJustino & Shawn’s files on dbserv; <strong>Centrify</strong> provides ‘adfixid’ which can be used for this.Alyssia’s home directory could be moved if the user was notified.Because at least 80% of the users on finserv exist on rhel, finserv and rhel are a logicalcandidate for Zoning. This implies that Palma and Adrienne will be granted access to rhel(as all users in a Zone have access to all resources in that Zone, by default). There is nobusiness reason that Palma and Adrienne could not have access to rhel. Therefore, finservand rhel can be put in the same Zone.3.2.3 Final Zone DesignDbserv will be added to a single-computer Zone. If the GID changes can be reconciled, itcould be added to another Zone at a later date.Finserv and rhel will be added to a different Zone.3.2.4 Importing dataThe best practice for populating new Zones is to create /etc/passwd and /etc/group fileswhere either the UNIX username matches the “Pre-Windows 2000 username” or theGECOS field matches the Active Directory name of individual users. 
This is because the Centrify DirectControl Import Wizard first searches the GECOS field of each user against the CN attribute of Active Directory user objects. If that search fails, the Import Wizard searches the UNIX username against the sAMAccountName attribute of Active Directory user objects. If both of these searches (exact string, not case-sensitive) fail, the operator must manually reconcile the UNIX profile. It is preferable to edit the /etc/passwd file(s) being imported before starting the Import Wizard, as the Import Wizard has no functionality to edit the /etc/passwd file.

For example, the Import Wizard would match the GECOS field "Justino Aranda" against an Active Directory user object named "Justino Aranda". It would not match "Aranda, Justino" or "Justino D Aranda". In that case, it would fall back to searching the UNIX username "justino" against the sAMAccountName in Active Directory: "justino" would match "justino", but not "justino.aranda" or "jaranda".

Illumi Clinics' standard is that the UNIX username matches the "Pre-Windows 2000 username". These passwd and group files will later be imported using the DirectControl Console.

Justino must also check that no user is a member of more than 16 groups in a single Zone. Exceeding 16 groups is atypical in traditional UNIX environments because 16 is a historical UNIX limit on supplementary group membership. Additionally, no single group should have more than 120 users in any single Zone. Once again, this is a historical UNIX limitation, not a limit of DirectControl.

Figure 3-2

This illustrates how a user's group membership is determined within a given Zone:

• Tetsu's user account is stored in Active Directory.
• His primary GID for the current Zone is 10, which is not defined in the Zone. GID 10 is defined in /etc/group as 'staff'.
• Tetsu is a member of four Active Directory groups: Domain Users, Helpdesk, UNIX Operations, and Project X. Only two of these groups, UNIX Operations and Project X, have a UNIX profile defined in the illustrated Zone.

Finally, Justino must confirm that no group to be loaded into Active Directory contains local users. This is a logical limitation of Active Directory: an Active Directory group cannot contain a member that exists only in a local /etc/passwd file.
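The matching order and the two group-size limits above can be checked mechanically before the files reach the wizard. The following Python script is an added example, not a Centrify tool and not part of the original paper: it applies the wizard's rules as the text describes them (GECOS against CN, then username against sAMAccountName, exact string, case-insensitive) to a passwd file, counts group memberships per user and members per group, and flags groups that still list an account that is not in the passwd file being imported. The Active Directory entries and the passwd/group contents in it are constructed for illustration; the wizard itself queries Active Directory over LDAP, which this script does not.

```python
"""Pre-import checks for the passwd and group files that feed the
DirectControl Import Wizard.

Added example, not Centrify code. It mirrors the matching order the text
gives for the wizard (GECOS against the user object's CN first, then the UNIX
username against sAMAccountName; exact string, case-insensitive) and the
limits an operator otherwise checks by hand: no user in more than 16 groups,
no group with more than 120 members, and no group that still lists a local
account that is not being migrated. AD entries and file contents below are
constructed sample data.
"""

MAX_GROUPS_PER_USER = 16     # historical UNIX NGROUPS limit, not a DirectControl limit
MAX_MEMBERS_PER_GROUP = 120  # practical limit on a single group line


def parse_passwd(text):
    """Map username -> fields for each non-comment line of a passwd file."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, gecos, home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                           "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> {'gid', 'members'} for each line of a group file."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = {"gid": int(gid),
                            "members": [m for m in members.split(",") if m]}
    return groups


def match_ad_user(username, gecos, ad_users):
    """Same order as the wizard: GECOS vs CN, then username vs sAMAccountName.
    Returns ('gecos'|'username', entry), or (None, None) when the operator
    must reconcile the profile by hand (or fix the passwd line first)."""
    for entry in ad_users:
        if entry["cn"].casefold() == gecos.casefold():
            return "gecos", entry
    for entry in ad_users:
        if entry["sAMAccountName"].casefold() == username.casefold():
            return "username", entry
    return None, None


def check_import(passwd_text, group_text, ad_users):
    """Run every check and return a report the operator can act on."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    report = {"matched": {}, "unmatched": [], "too_many_groups": [],
              "oversized_groups": [], "local_members": {}}
    for name, info in users.items():
        how, entry = match_ad_user(name, info["gecos"], ad_users)
        if entry is None:
            report["unmatched"].append(name)
        else:
            report["matched"][name] = (how, entry["sAMAccountName"])
        memberships = [g for g, ginfo in groups.items() if name in ginfo["members"]]
        if len(memberships) > MAX_GROUPS_PER_USER:
            report["too_many_groups"].append(name)
    for gname, ginfo in groups.items():
        if len(ginfo["members"]) > MAX_MEMBERS_PER_GROUP:
            report["oversized_groups"].append(gname)
        local = [m for m in ginfo["members"] if m not in users]
        if local:  # e.g. a service account such as 'mysql' that stays local
            report["local_members"][gname] = local
    return report


# Constructed sample data: what the wizard would see in AD and in the files.
AD_USERS = [
    {"cn": "Justino Aranda", "sAMAccountName": "justino"},
    {"cn": "Osteen, Alyssia", "sAMAccountName": "alyssia"},
    {"cn": "Shawn Ramnarine", "sAMAccountName": "shawn.ramnarine"},
]
PASSWD = (
    "alyssia:x:10020:10:ALYSSIA OSTEEN:/home/alyssia:/bin/bash\n"
    "justino:x:10021:10:Justino Aranda:/home/justino:/bin/bash\n"
    "sramnari:x:10028:10:SHAWN RAMNARINE:/home/sramnari:/bin/bash\n"
    "plama:x:10017:10009:PALMA LAMA:/home/plama:/bin/sh\n")
GROUP = (
    "staff:x:10:\n"
    "dba:x:10001:justino,sramnari,mysql\n"
    "newcore:x:10009:plama,alyssia\n")

if __name__ == "__main__":
    for key, value in check_import(PASSWD, GROUP, AD_USERS).items():
        print(f"{key}: {value}")
```

Run with no arguments to see the report for the sample data: justino matches on GECOS, sramnari matches on GECOS despite the differing case, alyssia falls through to the username match because her CN is written surname-first, plama is unmatched and must be reconciled by hand, and the dba group is flagged because 'mysql' is not in the passwd file being imported. To use it on real files, read them into passwd_text and group_text and build ad_users from an LDAP search that returns cn and sAMAccountName.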


Figure 3-3

This illustrates how a local group, 'opsteam', can contain members from both Active Directory and the local /etc/passwd file:

• opsteam is defined in /etc/group with a GID of 140.
• Users root, postgres, and adm are local users defined in /etc/passwd.
• Users justino, alyssia, tetsu and clyde have UNIX profiles in the current Zone.

Note: this design does not apply to AIX. Please refer to the release notes for the AIX platform to understand how AIX handles local groups and Active Directory groups. Note that this limitation only applies to DirectControl 3.x and earlier.


3.3 Solution: Changes to Active Directory

Figure 3-4

The best practice for storing UNIX data in Active Directory is to create a new high-level Organizational Unit named "OU=UNIX" (or "OU=LINUX" or "OU=OSX" if that is the dominant platform in use). If your Active Directory structure is regional in nature, this could be created as "OU=UNIX,OU=Pittsburgh"; if it follows a functional design, as "OU=UNIX,OU=Engineering". The main point is to add the UNIX data at as high a level OU as possible.

Diana Wirth, the Active Directory architect for Illumi Clinics, creates the UNIX Organizational Unit as well as two new Active Directory groups:

Zone Administrators: contains Cedar Pirl, Alyssia Osteen, and Justino Aranda.

UNIX Operators: contains Cedar Pirl, Alyssia Osteen, Justino Aranda, Tetsu Ishii, and Clyde Baum.

Diana also creates four additional organizational units below OU=UNIX:

OU=Computers: The best practice is to store UNIX computer objects under this organizational unit. Computer group policies that affect all UNIX computers should be linked at this level. Group policies can be logically linked to a given Zone by creating Organizational Units below OU=Computers and then moving UNIX computers into those OUs. For example, if there is a Zone named Zone14 (under cn=Zone14,ou=Zones,ou=Unix), then the computer object could be stored in ou=Zone14,ou=Computers,ou=Unix.

Diana grants the UNIX Operators Active Directory group the following permissions on "OU=Computers,OU=UNIX" using the "Delegate Control" wizard in Active Directory Users and Computers:

• Create Computer Objects
• Delete Computer Objects

OU=Groups: The best practice for storing UNIX-specific groups that do not correlate to existing Active Directory groups is to store them in "OU=Groups,OU=UNIX". Traditionally, all UNIX users have been members of a common group (e.g. 'staff') and have had additional groups based on their responsibilities or current projects. For example, the 'newcore' UNIX group defined in Zone #1 in the Zone design section above does not correspond to any existing Active Directory group at Illumi Clinics. Creating it under "OU=Groups,OU=UNIX" allows the UNIX team to manage that group's membership.

Diana grants the UNIX Operators Active Directory group the following permissions on "OU=Groups,OU=UNIX" using the "Delegate Control" wizard:

• Create, delete, and manage groups
• Modify the membership of a group

OU=Users: The best practice for storing UNIX-specific accounts that do not correlate to existing Active Directory accounts is to store them in "OU=Users,OU=UNIX". These would be machine service accounts, such as Oracle or MySQL. This keeps the service accounts clearly separate from interactive Active Directory user objects.
User objects for service accounts are typically not subject to the Default Domain Policy for password expiry, for example, as password expiry could render critical business services (such as a database) unusable. Migrating these accounts to Active Directory would allow centralized password management and auditing.

Illumi Clinics' account creation policy requires that all accounts have a corresponding employee or contractor record in the Human Resources database. Additionally, only Human Resources personnel can create individual exceptions to this policy. None of the machine service accounts on UNIX are used for interactive logon. Diana and Cedar agree to keep this Organizational Unit for future expansion. In the future, Diana could grant the ability to create and delete user objects to appropriate personnel.

OU=Zones: The best practice for storing Zones is to store them in "OU=Zones,OU=UNIX". These Zones store application-specific information for the operation of Centrify DirectControl and do not store additional Active Directory user, computer, or group objects. Additional containers are created below this Organizational Unit, one per Zone. The top-level container is an Active Directory container with the same name as the Zone; the Zone attributes are stored as attributes of this container. Below this there are several sub-containers:

• Users: contains the UNIX profiles of users of the Zone
• Groups: contains the UNIX profiles of groups in the Zone
• Computers: contains the UNIX profiles of computers in the Zone

Figure 3-5

In each case, the objects in the sub-containers are serviceConnectionPoint (SCP) objects. They contain the DirectControl-extended data for each type of object (user, group, and computer). There are links from the SCP object back to the parent objects (shown as dotted lines). These are maintained in the ParentLink pseudo-attribute (stored in the keywords attribute), which holds the objectSID attribute value of the parent Active Directory object.

• The Zone tree does not need to be in the same domain as the users or the computers.


• The separation of the Zone data into a separate tree is what allows delegation of administration to the UNIX administrators for the UNIX data only; the UNIX data for each Zone is separate from the other Zones and from the base Active Directory objects for the users and groups.
• A user and a group can be associated with many Zones.

3.4 Solution: Initial Patch Analysis

Illumi Clinics uses a commercial patch management system for software patch deployment across Windows, UNIX and Linux. The minimum best practice is to review the release notes included with the DirectControl agent for each platform, and then to install at least the required patches before installing DirectControl. For example, the release notes for Red Hat Linux 9.0 specify a minimum glibc patch level. Solaris versions of DirectControl include the 'pca' script, which helps determine the required patches.

Illumi Clinics follows their operating environment vendors' best practices for security and routinely updates their UNIX and Windows computers to the most recent recommended security patches. As a result, their environment is up to date and requires no changes in advance of deploying DirectControl.

3.5 Solution: Software Installation

Illumi Clinics uses a commercial software package management system. This system will be used to deploy DirectControl to all UNIX systems, using the native package installer on each platform (such as rpm on Red Hat and pkgadd on Solaris).
The best practice for deploying DirectControl is to install it on all machines that will be Zoned, but not necessarily to join those machines to Active Directory at the time of installation, because the join process is what changes the configuration files that turn on authentication to Active Directory.

Illumi Clinics will also be deploying Centrify's build of OpenSSH to all UNIX systems. The best practice for deploying OpenSSH is to remove the existing SSH packages, install the Centrify build of OpenSSH, and then start the Centrify SSH server.

If Illumi Clinics did not use a commercial software package management system, the deployment of DirectControl and OpenSSH could be performed manually by UNIX operators. Alternatively, Illumi Clinics could contact Centrify's Professional Services to help develop a software distribution script for their environment. The best practice for manual installation is to write an installation and verification checklist to be used by UNIX operators who may be unfamiliar with the operation of DirectControl, in order to minimize manual mistakes.

Illumi Clinics purchased four console licenses for DirectControl. The best practice is to install the Centrify DirectControl Console on the machines of all UNIX operators and administrators who need the ability to administer Zones and UNIX profiles for users and groups, and to run reports. Alyssia Osteen, Justino Aranda, Tetsu Ishii and Clyde Baum will directly install these consoles on their Windows XP and Vista laptops. Cedar Pirl, the Engineering manager, does not require a console.

Centrify's build of PuTTY will be manually installed during phase one of the project. In a later phase, it will be deployed using Illumi Clinics' commercial software package management system.

3.6 Solution: DirectControl Configuration

Diana Wirth, the Active Directory architect, and Alyssia Osteen, a UNIX operator, will initially configure Active Directory for DirectControl at Illumi Clinics. Diana's account will be used as she has Domain Administrator privileges. The best practice for configuring DirectControl is to involve the Active Directory architect so they can understand what minimal changes are being made to Active Directory. A side benefit is that their administrative account can be used to perform this one-time configuration without the additional delegated permissions described in the DirectControl Administrator's Guide.

The Default Zone container, chosen while running the Setup Wizard, is "OU=Zones,OU=UNIX,DC=Illumiclinics,DC=Com". Choosing this location in Active Directory does not modify the Zones Organizational Unit.
Rather, it adds the following new object:

dn: CN=$CentrifyZoneContainer,OU=Zones,OU=UNIX,DC=illumiclinics,DC=com
cn: $CentrifyZoneContainer
displayName: $CimsZoneContainerVersion2
distinguishedName: CN=$CentrifyZoneContainer,OU=Zones,OU=UNIX,DC=illumiclinics,DC=com
instanceType: 4
name: $CentrifyZoneContainer
objectCategory: CN=Class-Store,CN=Schema,CN=Configuration,DC=illumiclinics,DC=com
objectClass: top
objectClass: classStore
showInAdvancedViewOnly: TRUE

A Default Zone is not created using the Setup Wizard. The best practice for production environments is to create the Default Zone Container, which configures the console to create new Zones under that container or OU, but not to create the Default Zone. Computer security best practice is to avoid using defaults, though there are currently no known attacks on Centrify DirectControl. Additionally, the DirectControl agent will attempt to join the Default Zone if no Zone is specified, and this can create configuration errors.

Diana finally grants the Zone Administrators Active Directory group the following permissions on "OU=Zones,OU=UNIX" using the Advanced Security button in ADSI Edit (these are not visible using Active Directory Users and Computers on Windows 2003 R2):

• Read All Properties (this object only)
• Create Container Objects (this object and all child objects)
• Delete Container Objects (this object and all child objects)
• Write displayName (this object and all child objects)

At this point, the Zone Administrators Active Directory group can manage the DirectControl environment without further assistance from the Active Directory team. This includes delegating permissions to Zones.

3.7 Solution: Zone Creation

The best practice for creating and managing Zones is to use the DirectControl Console. The "Zone Administrators" Active Directory group has delegated permissions to create new Zones and to delegate permissions to those Zones.

Zone Administrators use the Centrify DirectControl Console's Zone Delegation Wizard to set permissions on newly created Zones. The best practice for Zone delegation is to delegate permissions to Active Directory groups and not to individual Active Directory users. Because Illumi Clinics' UNIX operations team will continue to be responsible for managing UNIX profiles for users and groups, the following permissions are delegated to the "UNIX Operators" Active Directory group:

• Add or remove users
• Add or remove groups
• Join computers
• Remove computers
• Modify users
• Modify groups

The best practice for importing existing UNIX user and group profiles from /etc/passwd and /etc/group files is to use the Centrify DirectControl Console's Import Wizard. The best practice is to import groups first and then users. All members of the "UNIX Operators" team have delegated permissions to use this wizard and have the DirectControl Console, so Cedar can easily balance his staff's workload.

For example, Clyde Baum has been assigned the task of importing users and groups for Zone #1, described in the Zone design section above.
Clyde must first copy the finished /etc/passwd and /etc/group files to his Windows XP laptop. He then uses the DirectControl Console Import Wizard to select Zone #1, and then picks the appropriate passwd and group file for that Zone. Finally, the users and groups are imported into "Pending Import" containers.


Clyde then selects all of the groups in the "Pending Import" container for groups and selects "Create New AD Groups". Clyde selects the "OU=Groups,OU=UNIX" organizational unit as the "Location of the Container" required by the "Create New AD Group" wizard, because these are UNIX-specific groups that do not correspond to existing Active Directory groups.

The wizard produces output as follows:

The following Active Directory accounts are created:
AD Group: jotpad
To be imported to AD Group at: illumiclinics.com/UNIX/Groups/jotpad
Account name: jotpad
Group scope: Domain Local
AD Group: nemesis
To be imported to AD Group at: illumiclinics.com/UNIX/Groups/nemesis
Account name: nemesis
Group scope: Domain Local

Clyde can then check "Enable AD Groups to use DirectControl" to automatically create UNIX profiles for the 19 imported groups in Zone #1.

After groups have been imported, Clyde can import UNIX profiles for users. As Illumi Clinics' UNIX usernames match the "Pre-Windows 2000 username", this is easily done by selecting all users in "Pending Import", right-clicking those users, and selecting "Accept".

Seven (7) of the 23 users to be imported into Zone #1 have a primary GID of 10. GID 10 is defined on Solaris computers as the 'staff' group. The best practice for importing groups into Active Directory is to exclude locally defined groups such as staff and other basic groups that are included with the operating environment. This is because in mixed operating environment Zones (such as Red Hat and Solaris), the GID space below 99 can have different meanings (10 on Linux is 'wheel', a privileged group). Groups below 99 also normally contain local service accounts, which are not typically part of a migration.

There is, however, an exception. The Import Wizard will not allow Clyde to import UNIX user profiles for the seven users whose primary GID is 10. This is because the 3.0.x Import Wizard requires the user's primary group to be defined in the Zone. This restriction does not apply to version 4.0 of Centrify DirectControl.

Where multiple users' primary GID is a locally defined group (such as a group below 99), use the following steps to import their user profiles:

1. Create a new Active Directory group under the "OU=Groups,OU=UNIX" organizational unit. For example, "Staff".
2. Using the DirectControl Console, create a UNIX profile for the newly created group in the Zone with the appropriate GID, for example 10. Disregard the warning message about reserved GIDs.
3. In the "Users – Pending Import" container in the DirectControl Console, select those users with the status message "No group with the corresponding GID found in Active Directory". Right-click and select "Check Status".
4. Import those users by right-clicking and selecting "Accept".
5. Delete the UNIX profile for the newly created group. Disregard the error message.

Additionally, two users have group 10001 as their primary GID. Because group 10001 must remain a local group (it contains the 'mysql' user, a service account), a temporary group (as described above) must be added and then removed for group 10001.

3.7.1 Secondary Group membership

Illumi Clinics extensively uses secondary group membership to manage file permissions, which is an administrative best practice for UNIX. The Centrify DirectControl Console Import Wizard only imports users and groups; in version 3.0.x it does not import secondary group membership. As shown in Figure 3-2, secondary group membership is based on Active Directory group membership.

Centrify's Professional Services have developed a script, "addUsersToGroups.vbs", which automates this process. From the usage statement:

PURPOSE:
This script will associate AD Users with AD Groups within one Zone
This script makes the following assumptions:
1. That the GID for each group matches the GID of the Active Directory Group
2. That the UNIX username for each user matches the UNIX username for each user defined in the Zone
USAGE:
This script requires two input values:
1. The zone which contains users and groups
2. The path to the /etc/group file
EXAMPLE:
cscript addUsersToGroups finance "c:\import\zone1.group"

Justino can execute the addUsersToGroups.vbs script using the zone1.group file he created earlier.
This would produce the following output, truncated for brevity:

INFO: 'cn=Billy Bongers' added to group 10000.
INFO: 'cn=Doretha Gingel' added to group 10000.
INFO: 'cn=Alfred Colligan' added to group 10000.
…
INFO: 'cn=Peter Engelkes' added to group 10019.
INFO: Finished
INFO: Groups skipped: 0
INFO: Users skipped: 0
INFO: Users added: 97

addUsersToGroups.vbs is available through Centrify Professional Services, and requires Windows and Centrify DirectControl. Note that this utility is not required for DirectControl 4.x.


The alternative to using this script would be to manually add each Active Directory user to each Active Directory group under "OU=Groups,OU=UNIX". For example, consider the Edge group (GID 10015). The following Active Directory users would need to be manually added to the "cn=Edge,OU=Groups,OU=UNIX" Active Directory group:

• Alyssia Osteen
• Clyde Baum
• Peter Engelkes
• Rasheeda Cranfill
• Salley Debruin
• Tenisha Deshay

Zone #1 for Illumi Clinics has 19 groups that contain 79 users, and Zone #1 is a typical Zone. Illumi Clinics has 80 Zones and several hundred distinct UNIX groups. Adding Active Directory users to Active Directory groups solely for the purposes of UNIX file permissions is tedious. It is recommended to use the addUsersToGroups.vbs script to automate this one-time import process.

3.8 Solution: Joining UNIX computers to Active Directory

The best practice for joining UNIX computers to Active Directory is to produce a brief document with clearly written instructions. This document can be used by personnel unfamiliar with the operation of DirectControl and also ensures a consistent deployment. The best practice is to include at least the following steps in the instructions:

• Disable user logins
• Open firewall ports if required
• Disable the local ntpd process so that DirectControl manages time on the UNIX computer
• Disable local telnetd, ftpd, and tftpd processes (though not required for DirectControl, disabling insecure protocols is a security best practice)
• Join the computer to Active Directory
• Restart all PAM-dependent services such as ftpd and sshd
• Enable user logins
• If necessary, execute 'adfixid' to fix file ownership
• If feasible, use 'adrmlocal' to remove duplicated users from /etc/passwd, /etc/shadow, and /etc/group


Here is a sample excerpt from the checklist prepared for use by Illumi Clinics' UNIX operations team.

Task / Instruction:
Log on or switch (su) to the root user on the computer. If possible, use the console head server or the local console.
Expected result:
The root prompt "#" will be displayed.

Task / Instruction:
Disable user logins:
# touch /etc/nologin

Task / Instruction:
Disable the NTP service.
For Solaris 10 systems only:
# svcadm disable network/ntp
For Solaris 2.6 – 9 systems only:
# /etc/rc2.d/S74xntpd stop
# mv /etc/rc2.d/S74xntpd /etc/rc2.d/K74xntpd
For Red Hat systems only:
# /sbin/chkconfig ntpd off
# /sbin/service ntpd stop

Task / Instruction:
Type the following command to join the domain:
# adjoin -u username -c "container or OU DN" -z zone illumiclinics.com
The correct values for username, container, and zone can be found in section 3.1 of this document.
Note: only use the partial DN for the OU path. Do not include the domain name. Example: "cn=zone34,ou=computers,ou=unix".
Expected result (sample output):
Centrify DirectControl started.
You have successfully joined the Active Directory domain: illumiclinics.com
In the Centrify DirectControl zone: CN=ZONENAME,CN=Zones,OU=UNIX,DC=Illumiclinics,DC=COM
You may need to restart other services that rely upon PAM and NSS or simply reboot the computer for proper operation. Failure to do so may result in login problems for AD users.

Task / Instruction:
Enable user logins by removing the file created earlier:
# rm /etc/nologin

Task / Instruction:
Restart the SSH service:
For Solaris 10 only:
# svcadm restart centrify-sshd
For Solaris 2.6 – 9 systems only:
# /etc/init.d/centrify-sshd restart
For Red Hat systems only:
# /etc/init.d/centrify-sshd restart
Expected result:
Stopping centrify-sshd [ok]
Starting centrify-sshd [ok]

Task / Instruction:
Attempt an SSH connection (not using Kerberos) using PuTTY on your Windows XP laptop.
login as: clyde.baum@illumiclinics.com
password:
Expected result:
Last login: Wed Mar 21 16:47:38 2007 from cfl173.illumiclinics.com

Task / Instruction:
Exit out of the new SSH connection from PuTTY.
$ exit
Expected result:
The PuTTY window will close.

Task / Instruction:
Attempt an SSH connection using Kerberos (under Connection – SSH – Kerberos) using PuTTY on your Windows XP laptop.
Expected result:
Using Kerberos authentication
Login as clyde.baum@illumiclinics.com
Got ticket for service host/finserv.illumiclinics.com
Successful Kerberos connection
Last login: Wed Mar 21 16:52:12 2007 from cfl173.illumiclinics.com

Task / Instruction:
Exit out of the new SSH connection from PuTTY.
$ exit
Expected result:
The PuTTY window will close.

Task / Instruction:
Execute the following command to leave the root account:
# exit
Expected result:
The root account will be logged out.

3.8.1 Solution: firewall ports

Some high-security servers at Illumi Clinics have restrictive firewalls. The best practice for joining firewalled UNIX computers to Active Directory is to open at a minimum the following ports from the UNIX computers to the appropriate Domain Controllers:

• LDAP 389/TCP/UDP
• LDAP GC 3268/TCP
• Kerberos Auth 88/UDP (Kerberos also falls back to 88/TCP when a reply does not fit in a UDP datagram, so allowing both avoids failures with large tickets)
• Kerberos Change Password 464/TCP/UDP
• DNS 53/TCP/UDP
• SMB 445/TCP/UDP

Other ports possibly required:

• RPC 135/TCP: this is ONLY needed if you want to enable joining by non-administrative users. This traffic is initiated by the UNIX server to contact the Active Directory server.
• SNTP (Simple Network Time Protocol) 123/UDP: DirectControl must maintain time sync with the domain controller. You can close this port provided your external servers can get accurate time updates.

Illumi Clinics has chosen to allow members of the "UNIX Operators" Active Directory group to join computers to Active Directory, and to use Active Directory as the source of NTP updates. Therefore, Illumi Clinics must open all of the aforementioned ports between the UNIX computers and the Active Directory Domain Controllers.

3.8.2 Solution: changing file permissions

Some Zone designs will inherently result in changing a user's primary UID or GID, or the GID associated with a group. Illumi Clinics, for example, decided to reconcile UID collisions within a potential Zone by assigning the user or group the most common UID or GID, and, if that did not reconcile the collision, to assign a new UID or GID starting at 50000. Each user and group must have a distinct UID and GID within a given Zone.

Centrify provides a utility, 'adfixid', to reconcile file ownership for users and groups on individual UNIX computers. It is a best practice to use adfixid to correct file ownership before users log on to computers where their UID or GID has changed.

adfixid must be installed and executed as root. As of version 3.0.2, the installation files are included in the DirectControl installation packages for each platform.

Installation:

# gunzip -c centrifydc-adfixid--.tgz | ( cd / && tar xf - )

By default, adfixid previews the duplicated users and groups between the individual UNIX computer and the currently joined Zone. For example, Tetsu Ishii runs adfixid on finserv, which is joined to Zone1:


CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL[root@finserv root]# adfixid6 user-id conflicts were found.Local UID Zone UID User--------- -------- --------10021 50000 justino10023 10016 clyde10026 10013 tdeshay10027 10019 alyssia10031 10008 enerio10033 10006 acolliga1 group-id conflict was found.Local GID Zone GID User--------- -------- --------10009 50000 controlIt is a best practice with adfixid to limit the scope of adfixid to only mount points anddirectories that contain files and directories that belong to users and groups you havemigrated to Active Directory. These typically include:• /var/tmp• /tmp/• /home• /exportadfixid examines the permissions of every file and directory. Starting at / may seemcomprehensive but it will take substantially longer amounts of time, particularly onUNIX computers with remote mounted file systems, RAID disk arrays, external storage,etc.For example, Tetsu Ishii runs adfixid as root against /var/tmp/ on finserv, which is joinedto Zone 1:# adfixid --commit --verbose /tmpchecking /tmp/krb5cc_10016checking /tmp/krb5cc_50000checking /tmp/10577changed ownership of /tmp/10577checking /tmp/7408changed ownership of /tmp/7408checking /tmp/11639changed ownership of /tmp/11639checking /tmp/12676changed ownership of /tmp/12676checking /tmp/krb5cc_100194 file(s) changedRunning adfixid against the /home mount point produces the following results:# adfixid --commit /home10879 files changedadfixid can potentially affect tens or hundreds of thousands of files on each UNIXcomputer where it is executed. The primary performance limitation of adfixid is the speed© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 28


CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLof the underlying disks, and, in the case of remote storage (NAS, NFS, etc) the speed ofthe connection. It is a best practice to estimate the time required for adfixid verypessimistically, particularly for purposes of scheduling outage or change windows.Once all users have been migrated to Active Directory and adfixid has been executed,there is no additional benefit to running adfixid again. It is a best practice to keep amaster list of all machines where adfixid has been executed and to require all personnelto update that list once adfixid has been executed.Finally, adfixid has a rollback option that will undo all changes since the beginning of thelog file. By default, the log file is /etc/centrifydc/adfixid.log. It is a best practice to gzipthis log file (thereby manually check-pointing the log) upon the successful completion ofeach UNIX computer. For example, if Clyde Baum runs adfixid against the /var, /tmp,and /home directories on medcalc.illumiclinics.com, he should gzip/etc/centrifydc/adfixid.log once all three mount points have been processed.3.8.3 Solution: removing duplicate users and groupsMultiple auditing and compliance standards require the removal of local users once thoseusers have been migrated to Active Directory. There are three possible methods ofremoving local users and groups from UNIX computers:1. Use the included ‘adrmlocal’ utility that is included with <strong>Centrify</strong> <strong>DirectControl</strong>; or,2. Use the native platform tools for that version of UNIX; or,3. Use a text editor to manually edit the appropriate files.The method of removing local users and groups largely depends upon the migrationstatus of groups to Active Directory.If there no Active Directory Users are defined in local UNIX groups, then use‘adrmlocal’. 
The adrmlocal utility leverages the platform-native utilities to remove the local users and groups. If the native platform tools make backups of the files being modified, then adrmlocal inherently makes backups of those files; it does not, however, take additional backups of its own.

If there are Active Directory users defined in local UNIX groups (such as the 'opsteam' group in Figure 3-3), then manually edit the files. This is because all native platform tools are greedy when they remove user accounts: they remove both the local user account and that username from all local groups. In cases where a local group has not been migrated to Active Directory, the local files must be manually edited.

For example, group 'dba' has a GID of 10001 and is defined as a local group on dbserver (see section [reference missing] for details).

dba::10001:rcranfil,hgarry,acolliga,enerio,sramnari,tetsu,mysql

This group must remain a local group because the 'mysql' account has not been migrated to Active Directory. Using adrmlocal (or the platform-specific user removal utility) would erroneously remove rcranfil, hgarry, acolliga, enerio, sramnari, and tetsu from the dba group. The best practice in these situations is:

1. Use adfixid to modify file permissions as necessary.
2. Manually back up /etc/shadow, /etc/passwd, /etc/group, and /etc/gshadow (if it exists; this is limited to Linux computers).
3. Use 'vi' to remove the user accounts that have been migrated to Active Directory from /etc/passwd. This can be accomplished by deleting those lines.
4. Use 'vi' to remove the passwords for user accounts that have been migrated to Active Directory from /etc/shadow. This can be accomplished by deleting those lines.
5. Use 'vi' to remove those groups that have been migrated to Active Directory. DO NOT remove groups that contain both local and Active Directory users. DO NOT remove locally defined groups that came with the operating environment or are part of any installed software (such as the 'oinstall' group from Oracle).

Generally speaking, customers migrate user accounts to Active Directory first in order to comply with standards and auditing requirements. Migrating UNIX groups to Active Directory is given a lesser priority in these situations. As such, the best practice described above for handling Active Directory users defined in local UNIX groups is common practice in the field today.

Note: on AIX, only remove a group if all members of the group have been migrated to AD.

3.9 Solution: Managing the root password

A common audit compliance complaint against UNIX system operators is typically worded, 'there shall be no shared accounts or passwords'. This refers to accounts, particularly the root account, which can perform privileged operations on UNIX systems.
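The manual edit that section 3.8.3 prescribes for the 'dba' case, as an added example in Python (this is not Centrify's adrmlocal): migrated users lose their /etc/passwd and /etc/shadow lines, while a group is dropped only when it has been migrated, every member has been migrated, it is not an operating-environment or software group, and no remaining local user still has it as a primary group. The sample file contents, the migrated-user list and the protected-group list are constructed for the example; the caller is expected to take the backups from step 2 and write the returned contents itself.

```python
"""Prune migrated accounts from local files as section 3.8.3 describes (added example; not adrmlocal)."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample files; the 'dba' line is the one quoted above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:10002:10002:MySQL server:/var/lib/mysql:/sbin/nologin
rcranfil:x:10010:10001:R. Cranfill:/home/rcranfil:/bin/ksh
hgarry:x:10011:10001:H. Garry:/home/hgarry:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:17000:0:99999:7:::
mysql:*:17000:0:99999:7:::
rcranfil:$6$constructed$hash:17000:0:99999:7:::
hgarry:$6$constructed$hash:17000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
mysql:x:10002:
dba::10001:rcranfil,hgarry,acolliga,enerio,sramnari,tetsu,mysql
opsteam:x:10005:rcranfil,hgarry
oinstall:x:10020:hgarry
"""
MIGRATED_USERS = {"rcranfil", "hgarry", "acolliga", "enerio", "sramnari", "tetsu"}
MIGRATED_GROUPS = {"dba", "opsteam", "oinstall"}
PROTECTED_GROUPS = {"oinstall"}  # assumed: groups owned by the OS or installed software


def _records(text: str) -> List[List[str]]:
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def _join(records: Iterable[List[str]]) -> str:
    return "".join(":".join(r) + "\n" for r in records)


def prune_users(text: str, names: Set[str]) -> str:
    """Drop the lines whose first field is in names (works for passwd, shadow and gshadow)."""
    return _join(r for r in _records(text) if r[0] not in names)


def prune_groups(group_text: str, passwd_after: str, migrated_users: Set[str],
                 migrated_groups: Set[str], protected: Set[str]) -> Tuple[str, List[str], Dict[str, str]]:
    """Return (new /etc/group text, dropped group names, reason each remaining group was kept)."""
    primary_gids = {r[3] for r in _records(passwd_after)}  # GIDs still used by local users
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    out: List[List[str]] = []
    for r in _records(group_text):
        name, gid = r[0], r[2]
        local_members = [m for m in r[3].split(",") if m and m not in migrated_users]
        if name not in migrated_groups:
            kept[name] = "not migrated to Active Directory"
        elif name in protected:
            kept[name] = "operating environment or installed software group"
        elif local_members:  # the 'dba' case: the line stays exactly as it is
            kept[name] = "still has local members: " + ",".join(local_members)
        elif gid in primary_gids:
            kept[name] = "primary group of a remaining local user"
        else:
            dropped.append(name)
            continue
        out.append(r)
    return _join(out), dropped, kept


def cleanup(passwd: str, shadow: str, group: str, migrated_users: Set[str], migrated_groups: Set[str],
            protected: Set[str], gshadow: str = "") -> Dict[str, object]:
    """Run the whole 3.8.3 edit on file contents and return the new contents plus a report."""
    new_passwd = prune_users(passwd, migrated_users)
    new_group, dropped, kept = prune_groups(group, new_passwd, migrated_users, migrated_groups, protected)
    return {
        "passwd": new_passwd,
        "shadow": prune_users(shadow, migrated_users),
        "group": new_group,
        "gshadow": prune_users(gshadow, set(dropped)),  # Linux only; mirrors the group file
        "dropped": dropped,
        "kept": kept,
    }
```

The "kept" report is worth saving with the backups: it records why each group survived, which is the evidence an auditor asks for when a local group such as dba is still present after the migration.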
Modern UNIX systems have attempted to limit or delegate the functions of the root account; however, this does not help legacy UNIX systems. Typically, UNIX operators who must perform a privileged operation (such as shutting the system down, or mounting a file system) must switch user (su) to root, which requires the root password to be known by the UNIX operators.

It is a computer security best practice to use 'sudo' instead of sharing the root password. Centrify DirectControl provides a Group Policy for deploying commands to the /etc/sudoers file on UNIX computers. This group policy is defined in the 'centrifydc.adm' Administrative Template for Group Policies. When added to a Group Policy Object, it can be found under Computer Configuration – Administrative Templates – Centrify Common UNIX Settings – SuDo Permissions. The sudo Group Policy does not remove or modify existing statements locally defined in the /etc/sudoers file; rather, it appends the commands defined in the Group Policy to the /etc/sudoers file.

It is a best practice to fully and thoroughly test the sudo Group Policy before changing the root password to a secret value unknown to the UNIX system operators. Additionally, do not disable or delete the root account unless the operating environment vendor has specifically certified and will support that configuration.

For example, Illumi Clinics must stop sharing the root password to be compliant with Sarbanes-Oxley and PCI requirements. Their course of action is as follows:

1. The UNIX operators deploy the following simple sudo group policy:

   root    ALL=(ALL) ALL
   %admin  ALL=(ALL) ALL

2. This group policy is linked to the "OU=Computers,OU=UNIX,DC=Illumiclinics,DC=COM" Organizational Unit in Active Directory.
3. All users who require root access are added to the 'admin' group. This group could be defined either in Active Directory or in /etc/group.
4. The UNIX operators test the sudoers Group Policy over the course of one month. Any system operators who were not initially added to the 'admin' group are added.
5. At the end of the month-long trial, if no significant operational failures have been observed and the sudoers Group Policy permits the UNIX operations team to perform their jobs, the root password will be set to a secret value.

Setting the root password to a secret value is a challenging process. The root password should never be set to an unknown value, as it is invaluable for system restore purposes when all other avenues have failed. Illumi Clinics will change the root password to a secret value that is written down and put in a dial safe to which only two personnel have access.

Under normal operational circumstances the UNIX operations team will not require the root password. Use of the root password will now require contacting either the system operators' manager or the system operators' VP. This security design discourages use of the root account. If exceptional circumstances arise and the root password must be used, Illumi Clinics' standard policy will be that the root password must be changed after usage.

3.10 Solution: Daily Operations

These best practices apply once all users have been migrated to Active Directory.

A UNIX operator should use the DirectControl console bi-monthly to analyze the data stored in Active Directory. Typically, there will be no defects reported by the Analyze Wizard. The most common defect that may be reported is "Orphan UNIX Data Objects", which is caused by deleting Active Directory User objects but not their UNIX profiles. This defect can be prevented by registering the administrative notification handler for Active Directory Users and Computers (through the DirectControl setup wizard).

Finally, UNIX users should be notified that the IT Helpdesk (or similar job function) will assist with password resets, in place of the UNIX operations team.

3.10.1 Solution: Updated UNIX Provisioning

Figure 3-6

The other obvious operational change is that UNIX operators will no longer edit local system files to manage users and groups on UNIX computers. The following steps are performed manually as part of provisioning a new UNIX user at Illumi Clinics:

1. An HR staff member sends an email to the UNIX team authorizing UNIX access.
2. A UNIX staff member uses the DirectControl Console to create a new UNIX user profile in one or more Zones; and,
3. Active Directory saves the changes to the Zones.
4. The UNIX staff member replies to the email from the HR staff member.


4 Solution: Phase Two Solution Architecture

The initial deployment of DirectControl at Illumi Clinics resulted in eighty Zones. There is no known limit to the number of Zones that can be stored in Active Directory; however, there is a subjective limit on how many Zones a small UNIX operations team can efficiently manage. Phase two projects with DirectControl typically focus on reducing the number of Zones to be administered and consolidating the UID and GID space in use by the user community.

4.1 Zone Consolidation

The best practice for zone consolidation is to begin by defining a consolidated UNIX profile space, and then to consolidate Zones. Migrating to a consolidated UID/GID space has many benefits, including consistency of file permissions across mount points and backup media. Historical approaches to this problem have required an all-or-nothing approach that carried unacceptable risk.

The best possible approach is to migrate slowly to a consolidated UID/GID space as time and resources permit. Begin by creating a new Zone that contains UNIX profiles for all users and groups in the organization. In most organizations, this is named the "Universal" Zone. This Zone will ultimately serve as the basis for all users' UNIX profiles.

Next, copy the UID, GID, home directory and shell attributes for users from the Universal Zone to the Zone being consolidated. These steps can be performed manually using the Centrify DirectControl console. Alternatively, Centrify's Professional Services have developed a script, "userUnixCopier.vbs", which automates this process. From the usage statement:

NAME
    userUnixCopier.vbs - the UNIX profile copier

SYNOPSIS
    cscript userUnixCopier.vbs /input:Universal /output:Finance /uid

DESCRIPTION
    The UNIX profile copier allows for copying of individual attribute values
    from a UNIX user profile defined in one Zone to another Zone. This is meant
    to be used with the Universal Zone design, where a single consolidated
    UID/GID space has been defined for all users. The UNIX profile copier is
    used during a zone consolidation project to copy all of the UID values
    (for example) in the Universal zone into another Zone.

OPTIONS
    /help
        Prints the usage statement.
    /?
        Prints the usage statement.
    /verbose
        Verbose mode: prints successful operations as well as failures. By
        default only failures are printed.
    /v
        Verbose mode: prints successful operations as well as failures. By
        default only failures are printed.
    /input:{zone name}
        Specifies the Zone from which values will be copied. This will
        normally be the Universal Zone. Values from this Zone will be used to
        overwite values in the Output zone.
    /output:{zone name}
        Specifies the Zone where attribute values will be overwritten. Only
        UNIX profiles that are defined in both the Input and Output zones will
        be modified.
    /uid
        Overwrite the UID attribute value for existing UNIX user profiles in
        the Output Zone with the UID attribute values from existing UNIX user
        profiles in the Input Zone.
    /gid
        Overwrite the GID attribute value for existing UNIX user profiles in
        the Output Zone with the GID attribute values from existing UNIX user
        profiles in the Input Zone.
    /home
        Overwrite the home directory attribute value for existing UNIX user
        profiles in the Output Zone with the home directory attribute values
        from existing UNIX user profiles in the Input Zone.
    /shell
        Overwrite the shell attribute value for existing UNIX user profiles
        in the Output Zone with the shell attribute values from existing UNIX
        user profiles in the Input Zone.

EXAMPLES
    cscript userUnixCopier.vbs /input:Universal /output:Engineering /uid
        This command would update the existing UNIX user profiles in the
        Engineering Zone with the UID attribute values from the Universal Zone.

    cscript userUnixCopier.vbs /input:Universal /output:Marketing /shell /home
        This command would update the existing UNIX user profiles in the
        Marketing Zone with the shell and home directory values from the
        Universal Zone.

AUTHOR
    userUnixCopier.vbs is written by Kayne McGladrey for use with
    Centrify DirectControl

If users' UID or GID values have changed, it will be necessary to use 'adfixid' to adjust the file permissions accordingly. See section 3.8.2 for further details on the operation of adfixid. If a user's home directory has changed, it will be necessary to move or symlink the old home directory to the new home directory. Shell changes typically do not require anything more than confirming that the new shell is installed on all UNIX computers in the Zone (this can be an issue for certain shells, particularly ksh).

It is possible to begin Zone consolidation once all UNIX profile values for users and groups in a given Zone match those defined in the Universal Zone. The best practice for consolidating two Zones is as follows:

1. Consolidate all UNIX profiles for users and groups in a chosen Zone so that those profiles match the profiles defined in the Universal Zone. This Zone will be referred to as the "source" Zone.
2. Select another Zone, where 80% of the user and group profiles defined are in common with profiles defined in the source Zone. This Zone will be referred to as the "target" Zone. Use either the userUnixCopier.vbs script or the DirectControl console to ensure that its UNIX profile values match those defined in the Universal Zone.
3. Once all user and group UNIX profiles match in both the source and target Zones:
   a. Disable user logins on each computer in the target Zone.
   b. Unjoin each UNIX computer from the target Zone using the 'adleave' command.
   c. Join each UNIX computer (from the target Zone) to the source Zone using the 'adjoin' command.
   d. Enable user logins on the UNIX computer.
   e. Test user logins and other common functions. Be particularly aware of file permissions issues. If the user and group UNIX profiles from both the source Zone and the target Zone matched the profiles in the Universal Zone, such issues are highly unlikely.
4. Once all computers have left the target Zone and joined the source Zone, the target Zone may be deleted from Active Directory.
5. Each UNIX administrator with a DirectControl console will need to remove the target Zone from his or her console.

It is a best practice, once one Zone matches the UNIX profiles defined in the Universal Zone, to begin using ZoneGen to automatically provision UNIX profiles for Users and Groups into Zones.
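A check that the preconditions of steps 1 to 3 hold before any computer is unjoined, as an added example in Python (this is not Centrify's userUnixCopier.vbs, which operates on Active Directory; the example models the same copy rule, only users defined in both Zones and only the selected attributes, on in-memory Zone data). It reports what still differs from the Universal Zone, applies the 80% overlap rule from step 2, and also includes the UID collision survey with which zone design (section 6.3) begins. The Zone contents and identity stores are constructed for the example.

```python
"""Zone consolidation checks (added example; not Centrify's userUnixCopier.vbs)."""
import copy
from typing import Dict, List, Set, Tuple

Profile = Dict[str, object]   # keys: uid, gid, home, shell
Zone = Dict[str, Profile]     # user name -> UNIX profile
ATTRIBUTES = ("uid", "gid", "home", "shell")

# Constructed Zones. FINANCE already matches Universal (the "source" Zone);
# ENGINEERING still carries local UIDs and a home on /export (the "target" Zone).
UNIVERSAL: Zone = {
    "clyde":   {"uid": 10016, "gid": 10016, "home": "/home/clyde",   "shell": "/bin/bash"},
    "justino": {"uid": 50000, "gid": 50000, "home": "/home/justino", "shell": "/bin/ksh"},
    "enerio":  {"uid": 10008, "gid": 10001, "home": "/home/enerio",  "shell": "/bin/bash"},
    "alyssia": {"uid": 10019, "gid": 10019, "home": "/home/alyssia", "shell": "/bin/bash"},
}
FINANCE: Zone = copy.deepcopy(UNIVERSAL)
ENGINEERING: Zone = {
    "clyde":   {"uid": 10023, "gid": 10016, "home": "/home/clyde",     "shell": "/bin/bash"},
    "justino": {"uid": 10021, "gid": 50000, "home": "/export/justino", "shell": "/bin/ksh"},
    "enerio":  {"uid": 10008, "gid": 10001, "home": "/home/enerio",    "shell": "/bin/bash"},
    "alyssia": {"uid": 10027, "gid": 10019, "home": "/home/alyssia",   "shell": "/bin/bash"},
    "mysql":   {"uid": 10002, "gid": 10002, "home": "/var/lib/mysql",  "shell": "/sbin/nologin"},
}


def copy_attributes(input_zone: Zone, output_zone: Zone, attrs=ATTRIBUTES) -> Tuple[Zone, List[str]]:
    """Return a copy of output_zone with attrs overwritten from input_zone, plus the users changed.

    As with /input and /output above, only users defined in both Zones are
    touched; a user present in one Zone only is left exactly as it was.
    """
    result = copy.deepcopy(output_zone)
    changed: List[str] = []
    for user, src in input_zone.items():
        dst = result.get(user)
        if dst is None:
            continue
        if any(dst.get(a) != src.get(a) for a in attrs):
            changed.append(user)
            for a in attrs:
                dst[a] = src[a]
    return result, changed


def mismatches(zone: Zone, universal: Zone) -> List[Tuple[str, str, object, object]]:
    """(user, attribute, zone value, Universal value) for every difference; a user with no
    Universal profile is reported once with attribute '*'."""
    out = []
    for user, prof in zone.items():
        ref = universal.get(user)
        if ref is None:
            out.append((user, "*", None, None))
            continue
        out.extend((user, a, prof.get(a), ref.get(a)) for a in ATTRIBUTES if prof.get(a) != ref.get(a))
    return out


def overlap(source: Zone, target: Zone) -> float:
    """Share of target users that also have a profile in source (the 80% rule of step 2)."""
    return len(set(source) & set(target)) / len(target) if target else 1.0


def ready_to_consolidate(universal: Zone, source: Zone, target: Zone,
                         threshold: float = 0.8) -> Tuple[bool, List[str]]:
    """Step 3 precondition: both Zones match Universal and the overlap is high enough."""
    problems: List[str] = []
    share = overlap(source, target)
    if share < threshold:
        problems.append(f"only {share:.0%} of target users are defined in source")
    for name, zone in (("source", source), ("target", target)):
        for user, attr, have, want in mismatches(zone, universal):
            problems.append(f"{name}: {user} {attr} is {have!r}, Universal has {want!r}")
    return not problems, problems


def find_collisions(stores: Dict[str, Dict[str, int]]) -> Dict[str, Dict]:
    """Survey identity stores ({store: {user: uid}}) for both collision kinds:
    one UID shared by different user names, and one user name with different UIDs."""
    by_uid: Dict[int, Set[str]] = {}
    by_user: Dict[str, Set[int]] = {}
    for users in stores.values():
        for user, uid in users.items():
            by_uid.setdefault(uid, set()).add(user)
            by_user.setdefault(user, set()).add(uid)
    return {"uid": {u: names for u, names in by_uid.items() if len(names) > 1},
            "user": {n: uids for n, uids in by_user.items() if len(uids) > 1}}
```

The deliberate wrinkle in the sample is the local 'mysql' profile: after the attribute copy it is the only remaining mismatch, and the check stays red until it is removed from the target Zone, which is exactly the kind of account that step 3e's file permission testing would otherwise surface.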


• ZoneGen requires the use of additional Active Directory Groups for filtering Users and Groups into Zones; create a Zone_{Name}_Users Active Directory Group that contains both AD Users and Groups of Users for a given Zone.
• Similarly, create a Zone_{Name}_Groups Active Directory Group that contains the Active Directory Groups to be provisioned into a given Zone.
• Schedule ZoneGen on a single Windows computer that manages all Zones, or across multiple Windows computers that each manage a distinct set of Zones.

Additional documentation for ZoneGen is available in the Centrify DirectControl Zone Generator application note.

5 Solution: Phase Three Solution Architecture

Phase three projects with Centrify DirectControl typically focus on integration with external systems, such as monitoring and provisioning systems.

5.1 Lights-out administration

Two best practices apply to configuring Centrify DirectControl for lights-out administration.

1. Integration with external monitoring systems.

   Any monitoring system that can read the output of syslog on UNIX computers is suitable for monitoring Centrify DirectControl. This does not require changes to the standard INFO log level used by DirectControl. For example, Illumi Clinics can configure a regular expression in their commercial monitoring solution:

   "adclient.* Running in disconnected mode"

   This simple regular expression will detect when DirectControl is no longer connected to Active Directory. Illumi Clinics can configure their monitoring solution to take remedial steps and/or alert the on-call UNIX operations personnel to troubleshoot the condition manually.

2. Integration with provisioning systems.

   It is a best practice to automate as much user and group UNIX profile provisioning as possible. Illumi Clinics will invest heavily in a commercial Identity Management solution as part of a future project. This is covered in another white paper, "Integrating Centrify DirectControl with Identity Management Systems":

   This white paper provides detailed examples of how to integrate Centrify DirectControl with commercial off-the-shelf Identity Management Systems. It demonstrates how to handle common Identity Management events and discusses how DirectControl can simplify provisioning tasks and strengthen security when used in an environment that includes LDAP-based systems, databases, and portal servers.
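The syslog check from item 1 of section 5.1, as an added example in Python (this is not Centrify's code). It runs the regular expression quoted there over syslog lines and shows a refinement worth carrying into a monitoring tool: the expression matches anywhere in a line, so it also fires on an unrelated daemon whose message merely mentions adclient; restricting the match to lines whose syslog program field is adclient removes that false positive. The log lines, their layout and the wording of the adclient message are constructed for the example and should be checked against your own logs.

```python
"""Disconnected-mode detection over syslog (added example; not Centrify's code)."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# The expression from the page, as Illumi Clinics would enter it.
DISCONNECTED = re.compile(r"adclient.* Running in disconnected mode")
# Assumed syslog layout: "<Mon> <day> <time> <host> <program>[pid]: <message>".
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\s\[:]+)[^:]*: (?P<msg>.*)$"
)

# Constructed sample; the last line mentions adclient but comes from another program.
SAMPLE_LOG = """\
Nov  5 08:12:01 finserv adclient[2231]: INFO base.adagent Running in disconnected mode
Nov  5 08:12:05 finserv sshd[4410]: Accepted publickey for clyde from 10.0.0.12 port 51022 ssh2
Nov  5 08:13:01 medcalc cron[911]: (root) CMD (run-parts /etc/cron.hourly)
Nov  5 08:14:10 medcalc adclient[1877]: INFO base.adagent Running in disconnected mode
Nov  5 08:19:10 medcalc adclient[1877]: INFO base.adagent Running in disconnected mode
Nov  5 08:20:00 finserv backup[77]: adclient check skipped, host not Running in disconnected mode
"""


class Hit(NamedTuple):
    ts: str
    host: str
    prog: str
    msg: str


def parse(line: str) -> Optional[Hit]:
    """Split one syslog line into its fields, or return None if it does not fit the layout."""
    m = SYSLOG.match(line)
    return Hit(m["ts"], m["host"], m["prog"], m["msg"]) if m else None


def scan(lines: Iterable[str], strict: bool = True) -> List[Hit]:
    """Return the lines that report disconnected mode.

    strict=True additionally requires the syslog program field to be adclient,
    so a daemon that only mentions adclient in its message does not page anyone.
    """
    hits: List[Hit] = []
    for line in lines:
        if not DISCONNECTED.search(line):
            continue
        hit = parse(line)
        if hit is None or (strict and hit.prog != "adclient"):
            continue
        hits.append(hit)
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, int]:
    """Hosts to alert on, with the number of disconnected-mode reports from each."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.host] = counts.get(h.host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in sorted(summarize(scan(SAMPLE_LOG.splitlines())).items()):
        print(f"{host}: {n} disconnected-mode report(s)")
```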


6 Identifying Initial Tasks

This chapter identifies and discusses some of the initial tasks to start applying best practices for Centrify DirectControl in your organization.

6.1 DirectControl Prerequisites

Before deploying Centrify DirectControl, the following network elements should exist in your environment:

• Active Directory, such as Windows 2000, Windows 2003, and Windows 2003 R2
• UNIX, Linux, or Mac computers, such as Mac OS X, Debian Linux, HP-UX, AIX, SUSE Linux Enterprise, Red Hat Enterprise Linux, Red Hat Fedora Core, SGI IRIX, Sun Solaris, and VMware ESX Server.
• Web applications or web servers, such as Apache, Apache Tomcat, BEA WebLogic, IBM WebSphere, and JBoss.
• Databases and ERP applications, such as IBM DB2, Oracle, SAP Enterprise and SAP NetWeaver
• The full list of supported versions is available online at http://www.centrify.com/platforms.

6.2 Active Directory Setup

The first task is to install Centrify DirectControl in the Windows environment. This requires permissions to add UNIX-specific data to Active Directory, typically stored in cn=Centrify,cn=Program Data,dc=your,dc=domain,dc=here. This is not a schema extension; rather, it is a set of LDAP containers and class store objects that are used as part of the DirectControl Zone technology. See section 3.3 for best practices applicable to Active Directory.

6.3 Zone Design

At least one Zone must be created in Active Directory before UNIX computers can be joined to Active Directory. Zone design is a complex and challenging subject covered in depth in this white paper, the Centrify DirectControl documentation and Centrify DirectControl training. Generally speaking, Zone design requires the following steps:

• Identifying existing UNIX identity stores (such as /etc/passwd files, NIS domains, legacy LDAP servers, etc.).
• Surveying the users and groups defined across those identity stores to find UID/GID collisions.
• Grouping the UNIX computers by function, by geography, or by one of many other criteria into Zones, while minimizing UID/GID collisions.

6.4 UNIX Deployment

While many deployment strategies exist, the best practice is to install the DirectControl Agent on all UNIX computers. Each computer will join a Zone in the Active Directory domain. However, locally defined user accounts will continue to work until they are migrated to Active Directory. If DirectControl for Databases or DirectControl for Web Applications is being deployed, it should also be deployed at this time.

6.5 Conclusion

These initial high-level tasks must be performed or verified in order to begin applying best practices to your deployment of Centrify DirectControl. Once this solution is deployed, the administrative tasks will primarily involve adding new services or servers as required, as well as routine maintenance on existing services and servers.

7 Related Publications

The publications listed in this section are recommended for a more in-depth discussion of the subjects covered in this white paper. All publications are available from Centrify.

7.1 Product Documentation

These publications are available at http://www.centrify.com/resources/documentation.asp

• Centrify DirectControl Quick Start
• Administrator's Guide
• Centrify DirectControl Authentication Guide for Apache

7.2 White Papers

These publications are available at http://www.centrify.com/directcontrol/whitepapers.asp

• Centralized Identity and Policy Management for Windows, Linux, UNIX, Mac and Java with Active Directory and DirectControl
• Active Directory and DirectControl
• Centrify's Solution for Migrating UNIX Directories to Active Directory
• Integrating Centrify DirectControl with Identity Management Solutions

7.3 Video Chalktalks

These require an active Internet connection and a web browser with a Flash plugin, and are available at http://www.centrify.com/resources/video_chalktalk_library.asp

• DirectControl's Architecture
• Single Sign-On for Web Applications
• Migrating UNIX Identities to Active Directory

8 How to Contact Centrify

North America (and all locations outside EMEA)
Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
United States
Sales: +1 (650) 961-1100

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Asmec Centre
Merlin House
Brunel Road
Theale, Berkshire, RG7 4AB
United Kingdom
Sales: +44 118 902 6580

Enquiries: info@centrify.com
Web site: www.centrify.com
