Applies to: All versions of Centrify DirectControl with Netezza
How does one integrate Centrify DirectControl with Netezza (http://en.wikipedia.org/wiki/Netezza)?
As of August 2013, Centrify has been placed on the IBM Netezza/PureData Certified Products list. This means that Centrify can be installed on the IBM Netezza/PureData analytics systems, without violating the support agreement, for the management, control and auditing of OS administrators and users. This does not include the actual database users, as that mechanism is built into the appliance.
IBM validated that we can provide admin access, elevated privilege management, as well as DirectAudit on the following:
Twinfin (IBM N1001 Series) running Redhat ES5
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
nzrev: Release 7.0.3 [Build 29626]
Striper (IBM N2001 Series) running Redhat ES6
Red Hat Enterprise Linux Server release 6.2 (Santiago)
nzrev: Release 7.0.3 [Build 29626]
Note: If a customer wants to manage Netezza admin accounts, they can follow Method A. If they want to manage user accounts, they can follow Method B.
Netezza is a Linux server running on an appliance. From a Centrify perspective, customers can install the DirectControl agent using Centrify's Deployment Manager and join it to AD. Since it's an appliance, no GPOs need to be assigned. A Netezza zone can be created to which the systems are joined, along with the AD groups of admins that need access.
From IBM's site, Netezza supports authentication by LDAP, but it does this through PAM. Netezza then looks for the authenticated user name in its system catalog and uses its own information to determine what the user is authorized for.
The key is to set Netezza for LDAP authentication, since that was the only way to get it to use PAM. Then take out the LDAP lines from its pam.d file and add the Centrify lines for auth, account, and password (no session).
This is a tentative how-to for getting Netezza to authenticate its database users against AD accounts through Centrify.
It allows users to log into the database with Centrify IDs, but does not allow users to log into the host (e.g., via ssh).
1. Set Netezza to use LDAP authentication. The LDAP settings don't matter. This step is just to get Netezza using PAM for authentication.
In nzsql, type:
SET AUTHENTICATION ldap base 'dc=r1-core,dc=r1,dc=yourcompany,dc=net'
    server 'r1-core.r1.yourcompany.net' port '636' version '3'
    binddn 'cn=dummy,ou=users,dc=dummy,dc=com' bindpw 'XXXXXXX'
    scope 'base' ssl 'on' attrname 'sAMAccountName' namecase 'lowercase';
Note: After running the SET AUTHENTICATION command in nzsql, you should \q out and restart the server: nzstop; nzstart
The configuration steps only need to be done on the active node of the HA pair, EXCEPT:
On the failover node, you also need to create /etc/pam.d/netezza_nps, and chown it nz:nz.
2. Step 1 will have created /etc/pam.d/netezza_nps. Replace the contents of that file with:
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
account sufficient pam_centrifydc.so
account requisite pam_centrifydc.so deny
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
3. Create the following in AD/Centrify:
a. A user team for the database IDs (For example: uxtm_chdba_netezza)
b. A Unix profile for each database ID
c. A server team for the Netezza Red Hat instance (For example: uxrl_chdba_netezza)
d. A login right allowing PAM authentication via netezza_nps (For example: netezza_nps)
e. A role definition containing just the netezza_nps right (For example: netezza)
f. A role assignment (for example: uxtm_chdba_netezza gets netezza role in uxrl_chdba_netezza)
g. Optionally, the 'Listed' role assigned to uxtm_chdba_netezza in uxrl_chdba_netezza, to allow use of OS tools to verify the account (id, getent, dzinfo, etc.)
At that point, you should be able to create IDs in Netezza and have them authenticate against the corresponding AD account.
For example, the Netezza user 'joeuser' would authenticate against the AD account email@example.com
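Because the PAM stack in step 2 must be correct on both nodes of the HA pair (and any leftover pam_ldap line would route authentication past Centrify), the following POSIX shell check, added here and not part of the original article, verifies a netezza_nps file against that stack. It assumes GNU stat for the ownership check and only warns if stat is unavailable.

```shell
#!/bin/sh
# Added verification helper (not from the Centrify article or IBM).
# Confirms a Netezza PAM file has the Centrify auth/account/password lines
# from step 2, no leftover pam_ldap lines, and no session lines.
# Usage: check_netezza_pam /etc/pam.d/netezza_nps   (run on both HA nodes)

check_netezza_pam() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: missing $f"; return 1; }
    rc=0
    # Any pam_ldap line left from the LDAP template would bypass Centrify.
    if grep -Eq '^[[:space:]]*[a-z]+[[:space:]]+[a-z_]+[[:space:]]+pam_ldap' "$f"; then
        echo "FAIL: pam_ldap still referenced in $f"; rc=1
    fi
    # Each of auth/account/password needs a 'sufficient' Centrify line and a
    # 'requisite ... deny' line so non-AD logins are refused rather than falling through.
    for type in auth account password; do
        grep -Eq "^[[:space:]]*$type[[:space:]]+sufficient[[:space:]]+pam_centrifydc\.so" "$f" \
            || { echo "FAIL: no '$type sufficient pam_centrifydc.so' line"; rc=1; }
        grep -Eq "^[[:space:]]*$type[[:space:]]+requisite[[:space:]]+pam_centrifydc\.so[[:space:]]+deny" "$f" \
            || { echo "FAIL: no '$type requisite pam_centrifydc.so deny' line"; rc=1; }
    done
    # The how-to specifies no session lines for the database stack.
    if grep -Eq '^[[:space:]]*session[[:space:]]' "$f"; then
        echo "FAIL: unexpected session line in $f"; rc=1
    fi
    # Netezza expects nz:nz ownership (assumption: GNU stat; skipped if unavailable).
    owner=$(stat -c '%U:%G' "$f" 2>/dev/null || true)
    if [ -n "$owner" ] && [ "$owner" != "nz:nz" ]; then
        echo "WARN: $f owned by $owner, expected nz:nz"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}
```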
For service accounts (non-person accounts), you will need to have the accounts created as Unix service accounts through Centrify first.
IMPORTANT: For users whose AD accounts are not in r1-core, other steps will be necessary.
This might include setting the account to authenticate against the qualified account name (either user@domain or domain\user), or using the Unix logon as the Netezza account (creating u1082509 in Netezza instead of joeuser, for example).