11.07.2015 Views

Centrify DirectControl Best Practices - Cerberis


CENTRIFY WHITE PAPER
CENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL

• The separation of the Zone data into a separate tree is what allows the delegation of administration to the UNIX administrators for the UNIX data only; the UNIX data for each Zone is separate from the other Zones and from the base Active Directory objects for the users and groups.
• A user and a group can be associated with many Zones.

3.4 Solution: Initial Patch Analysis

Illumi Clinics uses a commercial patch management system for software patch deployment across Windows, UNIX and Linux. The minimum best practice is to review the release notes included with the DirectControl agent for each platform, and then to at least install those required patches before installing DirectControl. For example, the release notes for Red Hat Linux 9.0 specify a minimum glibc patch level. Solaris versions of DirectControl include the ‘pca’ script, which will help determine the required patches.

Illumi Clinics is following their operating environment vendor’s best practices for security and routinely updates their UNIX and Windows computers to the most recent recommended security patches. As a result, their environment is up to date and requires no changes in advance of deploying DirectControl.

3.5 Solution: Software Installation

Illumi Clinics uses a commercial software package management system. This system will be used to deploy DirectControl to all UNIX systems, using the native package installer on each platform (such as rpm on Red Hat and pkgadd on Solaris). The best practice for deploying DirectControl is to install it on all machines that will be Zoned but not necessarily to join those machines to Active Directory at the time of installation because the join process is what changes the configuration files which turn on authentication to AD.

Illumi Clinics will also be deploying Centrify’s build of OpenSSH to all UNIX systems. The best practice for deploying OpenSSH is to remove the existing SSH packages, install the Centrify build of OpenSSH, and then start the Centrify SSH server.

If Illumi Clinics did not use a commercial software package management system then the deployment of DirectControl and OpenSSH could be performed manually by UNIX operators. Alternatively, Illumi Clinics could contact Centrify’s Professional Services to help develop a software distribution script for their environment. The best practice for manual installation is to write an installation and verification checklist to be used by UNIX operators who may be unfamiliar with the operation of DirectControl in order to minimize manual mistakes.

Illumi Clinics purchased four console licenses for DirectControl. The best practice is to install the Centrify DirectControl Console on all UNIX operators and administrators’ machines that need the ability to administer Zones, UNIX profiles for users and groups,

© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 19
