Centrify DirectControl Best Practices - Cerberis

More documents

Recommendations

Info

CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLuserUnixCopier.vbs is written by Kayne McGladrey for use withCentrify DirectControlIf user’s UID or GID values have changed, it will be necessary to use ‘adfixid’ to adjustthe file permissions accordingly. See section 3.8.2 for further details on the operation ofadfixid. If a user’s home directory has changed, it will be necessary to move or symlinkthe old home directory to the new home directory. Shell changes typically do not requireanything more than confirming that the new shell is installed on all UNIX computers inthe Zone (this can be an issue for certain shells, particularly ksh).It is possible to begin Zone consolidation once all UNIX profile values for users andgroups in a given Zone match those defined in the Universal Zone. The best practice forconsolidating two Zones is as follows:1. Consolidate all UNIX profiles for users and groups in a target Zone so that thoseprofiles match the profiles defined in the Universal Zone. This Zone will be referredto as the “source” Zone.2. Select another Zone, where 80% of the user and group profiles defined are incommon with profiles defined in the source Zone. This Zone will be referred to asthe “target” Zone. Use either the userUnixCopier.vbs script or the DirectControlconsole to ensure that UNIX profile values match those defined in the UniversalZone.3. Once all user and group UNIX profiles match in both the source and target Zones:a. Disable user logins on each computer in the target Zone.b. Unjoin each UNIX computer from the target Zone using the ‘adleave’command.c. Join each UNIX computer (from the target Zone) to the source Zone usingthe ‘adjoin’ commandd. Enable user logins on the UNIX computer.e. Test user logins and other common functions. Be particularly aware of filepermissions issues. If the user and group UNIX profiles from both thesource Zone and the target Zone matched the profiles in the Universal Zone,this is highly unlikely.4. Once all computers have left the target Zone and joined the source Zone, the targetZone may be deleted from Active Directory.5. Each UNIX administrator with a DirectControl console will need to remove thetarget Zone from his or her console.It is a best practice that once one Zone matches the UNIX profiles defined in theUniversal Zone, begin to use ZoneGen to automatically provision UNIX profiles forUsers and Groups into Zones.© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 36
CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL• ZoneGen requires the use of additional Active Directory Groups for filtering Usersand Groups into Zones; create a Zone_{Name}_Users Active Directory Group thatcontains both AD Users and Groups of Users for a given Zone.• Similarly, create a Zone_{Name}_Groups Active Directory Group that containsActive Directory Groups to be provisioned into a given Zone.• Schedule ZoneGen on a single Windows computer that manages all Zones or acrossmultiple Windows computers that each manages a distinct set of Zones.Additional documentation for ZoneGen is available in the Centrify DirectControl ZoneGenerator application note.5 Solution: Phase Three Solution ArchitecturePhase three projects with Centrify DirectControl typically focus on integration withexternal systems, such as monitoring and provisioning systems.5.1 Lights-out administrationTwo best practices apply to configuring Centrify DirectControl for lights-outadministration.1. Integration with external monitoring systems.Any monitoring system that can read the output of syslog on UNIX computers issuitable for monitoring Centrify DirectControl. This does not require changes to thestandard INFO log level used by DirectControl. For example, Illumi Clinics canconfigure a regular expression in their commercial monitoring solution:“adclient.* Running in disconnected mode”This simple regular expression will determine when DirectControl is no longerconnected to Active Directory. Illumi Clinics can configure their monitoring solutionto take remedial steps and/or alert the on-call UNIX operations personnel tomanually troubleshoot the condition.2. Integration with provisioning systems.It is a best practice to automate as much user and group UNIX profile provisioningas possible. Illumi Clinics will invest heavily in a commercial Identity Managementsolution as part of a future project. This is covered in another whitepaper,“Integrating Centrify DirectControl with Identity Management Systems”:This white paper provides detailed examples of how to integrate CentrifyDirectControl with commercial off-the-shelf Identity Management Systems. Itdemonstrates how to handle common Identity Management events and discusses© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 37
Page 1 and 2: WHITE PAPERCENTRIFY CORP.Centrify D
Page 3 and 4: CENTRIFY WHITE PAPERCENTRALIZED MAN

Centrify DirectControl Best Practices - Cerberis

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?