Centrify DirectControl Best Practices - Cerberis

More documents

Recommendations

Info

CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL3 Phase One Solution ArchitectureThis section describes the deployed solution at Illumi Clinics after DirectControl hasbeen initially deployed. Specific focus is given to the changes to Active Directory and theUNIX environment.3.1 Solution: IT ArchitectureFigure 3-1This figure illustrates the IT architecture in use at Illumi Clinics following deployment ofCentrify DirectControl.• Both Windows and UNIX computers will receive time updates from ActiveDirectory.• The local ntpd processes on the UNIX computers will be disabled in the startupscripts.• Both Windows and UNIX computers will use Active Directory as an authenticationand authorization source.3.2 Solution: Initial Zone DesignTo meet their objectives, Illumi Clinics must create their initial Zone design and deployDirectControl to 200 UNIX computers within 60 days.The most common practice for deploying DirectControl to a large number of systems in avery small amount of time is to directly import each computers /etc/passwd and/etc/group files, excluding local service accounts and groups. This design results in oneZone per computer. This design meets security requirements for removing local useraccounts if those local accounts are removed following the data import. However, froman administrative perspective, this is less than optimal as it does not reduce the total© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 10
CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLnumber of distinct user populations being managed; rather, DirectControl becomesanalogous to a visual editor for /etc/passwd and /etc/group.Cedar knows that there are many UNIX computers with common user populations. Cedarasks Justino Aranda, a UNIX operator, to collect all 200 /etc/passwd and /etc/group files.He is then to find groups of computers where 80% of the users have the same usernameand home directory values. Cedar knows that there are some UID/GID collisions in theUNIX environment and that it would be easier to reconcile those collisions using adfixidfrom Centrify than to continue with the splintered UID/GID space. Consolidating ormoving home directories is less desirable during the first project phase.Using the simple rules set by his manager, Justino determines there will be 80 initialZones. The largest Zone will contain 24 computers and there are many Zones that containa single computer.3.2.1 Initial data setThe following example illustrates the UNIX user populations from three servers: dbserv,finserv, and rhel. All servers run identical versions of UNIX.For brevity, users with a UID less than 99 are not shown because they are not in scope./etc/passwd from dbservalyssia x 10020 10 ALYSSIA OSTEEN /home_dir/alyssia /bin/bashjustino x 10021 31 JUSTINO ARANDA /home/justino /bin/bashtetsu x 10022 10 TETSU ISHII /home/tetsu /bin/bashclyde x 10023 10017 CLYDE BAUM /home/clyde /bin/kshcedar x 10024 10012 CEDAR PIRL /home/cedar /bin/kshsdebruin x 10025 10012 SALLEY DEBRUIN /home/sdebruin /bin/shtdeshay x 10026 10 TENISHA DESHAY /home/tdeshay /bin/kshsramnari x 10028 90 SHAWN RAMNARINE /home/sramnari /bin/bashfniewier x 10029 10013 FUMIKO NIEWIEROSKI /home/fniewier /bin/shkminors x 10030 10 KATHRINE MINORS /home/kminors /bin/bashenerio x 10031 10 ELLYN NERIO /home/enerio /bin/kshdbaltaza x 10032 10 DANAE BALTAZAR /home/dbaltaza /bin/shacolliga x 10033 10018 ALFRED COLLIGAN /home/acolliga /bin/bashhgarry x 10034 10 HOPE GARRY /home/hgarry /bin/kshrcranfil x 10035 10012 RASHEEDA CRANFILL /home/rcranfil /bin/shktacadin x 10036 10018 KATHI TACADINA /home/ktacadin /bin/bashfsamsel x 10037 10014 FREDDA SAMSEL /home/fsamsel /bin/shbkozlovs x 10038 10014 BAILEY KOZLOVSKY /home/bkozlovs /bin/bashpengelke x 10039 10015 PETER ENGELKES /home/pengelke /bin/sh/etc/passwd from finservalyssia x 10020 10 ALYSSIA OSTEEN /home/alyssia /bin/bashjustino x 10021 10 JUSTINO ARANDA /home/justino /bin/bashtetsu x 10022 10 TETSU ISHII /home/tetsu /bin/bashclyde x 10023 10017 CLYDE BAUM /home/clyde /bin/ksh© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 11
Page 1 and 2: WHITE PAPERCENTRIFY CORP.Centrify D
Page 3 and 4: CENTRIFY WHITE PAPERCENTRALIZED MAN

Centrify DirectControl Best Practices - Cerberis

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?