Centrify DirectControl Best Practices - Cerberis

More documents

Recommendations

Info

CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLClyde will then select all of the groups in the “Pending Import” container for Groups andselect “Create New AD Groups”. Clyde will then select the “OU=Groups,OU=UNIX”organizational unit as the “Location of the Container” required by the “Create New ADGroup” wizard. This is because these are UNIX-specific groups and do not correspond toexisting Active Directory groups.The wizard will produce output as follows:The following Active Directory accounts are created:AD Group: jotpadTo be imported to AD Group at: illumiclinics.com/UNIX/Groups/jotpadAccount name: jotpadGroup scope: Domain LocalAD Group: nemesisTo be imported to AD Group at: illumiclinics.com/UNIX/Groups/nemesisAccount name: nemesisGroup scope: Domain LocalClyde can then check “Enable AD Groups to use DirectControl” to automatically createUNIX profiles for the 19 imported groups in Zone #1.After groups have been imported, Clyde can import UNIX profiles for users. As IllumiClinics UNIX usernames match the “Pre-Windows 2000 username” this is easily done byselecting all users in “Pending Import”, right-clicking those users, and selecting“Accept”.Seven (7) of the 23 users to be imported into Zone #1 have a primary GID of 10. GID 10is defined on Solaris computers as the ‘Staff’ group. The best practice for importinggroups into Active Directory is to exclude locally defined groups such as Staff and otherbasic groups that are included with the operating environment. This is because in mixedoperating environment zones (such as Red Hat and Solaris), the GID space below 99 canhave different meanings (10 on Linux is ‘wheel’, a privileged group). Groups below 99also normally contain local service accounts which are not typically part of amigration.There is, however, an exception.The Import Wizard will not allow Clyde to import UNIX user profiles for the seven userswhose primary GID is 10. This is because the 3.0.x Import Wizard requires the user’sprimary group to be defined in the Zone. This exception does not apply to version 4.0 ofCentrify DirectControl.Under the circumstances where multiple users primary GID is a locally-defined group(such as a group below 99), use the following steps to import user profiles:1. Create a new Active Directory group under the “OU=Groups,OU=UNIX”organizational unit. For example, “Staff”.2. Using the DirectControl Console, create a UNIX profile for the newly created groupin the Zone with an appropriate GID. For example, 10. Disregard the warningmessage about reserved GIDs.© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 22
CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL3. In the “Users – Pending Import” container in the DirectControl Console, select thoseusers with the status message of “No group with the corresponding GID found inActive Directory”. Right-click and select “Check Status”.4. Import those users by right-clicking and selecting “Accept”.5. Delete the UNIX profile for the newly created group. Disregard the error message.Additionally, two users have group 10001 as their primary GID. Because group 10001must be defined as a local group – it contains the ‘mysql’ user, a service account – atemporary group (as described above) must be added and then removed for group 10001.3.7.1 Secondary Group membershipIllumi Clinics extensively uses secondary group membership to manage file permissions,which is an administrative best practice for UNIX. The Centrify DirectControl ConsoleImport Wizard only imports users and groups, and in version 3.0.x, it does not importsecondary group membership. As shown in Figure 3-3, secondary group membership isbased on Active Directory Group membership.Centrify’s Professional Services have developed a script, “addUsersToGroups.vbs”which automates this process. From the usage statement:PURPOSE:This script will associate AD Users with AD Groups within one ZoneThis script makes the following assumptions:1. That the GID for each group matches the GID of the Active DirectoryGroup2. That the UNIX username for each user matches the UNIX username foreach user defined in the ZoneUSAGE:This script requires two input values:1. The zone which contains users and groups2. The path to the /etc/group fileEXAMPLE:cscript addUsersToGroups finance "c:\import\zone1.group"Justino can execute the addUsersToGroups.vbs script using the zone1.group file hecreated earlier. This would produce the following output, truncated for brevity:INFO: ‘cn=Billy Bongers’ added to group 10000.INFO: ‘cn=Doretha Gingel’ added to group 10000.INFO: ‘cn=Alfred Colligan’ added to group 10000.…INFO: ‘cn=Peter Engelkes’ added to group 10019.INFO: FinishedINFO: Groups skipped: 0INFO: Users skipped: 0INFO: Users added: 97AddUsersToGroups.vbs is available through Centrify Professional Services, and requiresWindows and Centrify DirectControl. Note that this utility is not required forDirectControl 4.x.© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 23
Page 1 and 2: WHITE PAPERCENTRIFY CORP.Centrify D
Page 3 and 4: CENTRIFY WHITE PAPERCENTRALIZED MAN

Centrify DirectControl Best Practices - Cerberis

Create successful ePaper yourself

Delete template?

Save as template?