Migrating User Profiles to Centrify from other AD Bridging Solutions or LDAP

I have worked with a couple of customers recently who are migrating from other AD Bridging technologies or LDAP to Centrify Server Suite for UNIX/Linux to address the increased threat on privileged identities and take advantage of the following capabilities:

• Enforcement of Least Access and Least Privilege via a Roles Based Access Control Framework.
• Centralized management of AD Users and Groups as well as Local User and Groups.
• Robust support for complex AD Environments with 1 way and 2 way trusts, and Read Only Domain Controllers.
• Known performance advantages: caching of AD information, efficient group enumeration, automated management of krb5.conf, etc.
• Centralized reporting of “who” has access to the system(s), “what” privileges each user has, and “how” the users can access the systems.  

Bear in mind that when migrating from other AD Bridging Solutions or LDAP, the UNIX name space is most always rationalized. In other words there is one unique UID for each user and one unique GID for the each group. These identifiers do not vary by host. And if you are using AD Bridging already these attributes are stored on the AD User Object and Group Object.

Migration Steps assuming the User and Group Profiles are consistent as described above:

After the Centrify Console Access Manager is installed, the first step will be to create a Centrify Zone. At a high level, Centrify Zones are used for UNIX Name space management, delegated administration and access control, however in this post we are focusing on UNIX Name Space Management. Centrify Zones offer different ways of storing the UNIX profile attributes in AD based on whether the customer needs to accommodate a UNIX name space where UIDs and GIDs have variance between machines or does not. So in this scenario where we do not have to compensate for variances in profiles for a user/group, so we will choose the Centrify Zone Type of SFU. For this zone type, the UNIX attributes are stored on the user or group Active Directory object.

Creating the SFU Zone:

In Centrify DirectManage Access Manager, right click on zones and choose to Create New Zone. Make sure to deselect “Use default zone type” as shown in the screen shot below. Then click the Next button.

Select Hierarchical zone, the click the Next button.

Then specify the SFU zone storage model as shown below and click the Next button.

Importing Existing User profiles

To obtain the list of existing profiles, you may run the getent command on a UNIX/Linux server that has visibility to all the UNIX users/groups in your environment and redirect the output to a file.

“getent passwd > existingunixusers.txt”

and “getent group > existingunixgroups.txt”

Then you may use the import wizard in Centrify to import profiles as shown below:

As you import you can choose to ignore system accounts that should stay local. Also the import process will attempt to map the correct UNIX Account to the correct AD Account and you will have the opportunity to accept and/or reject the mapping. More detailed information on creating of the zone and the UNIX Data import wizard is available in the UNIX Administrators Guide for Centrify Server Suite.

Once the Global SFU zone is created AND after all the profiles are imported from the existing environment, then it is a good idea to go ahead and specify user defaults and group defaults on the GlobalSFU Zone properties.   Centrify can automatically create unique numbers for UIDs and GIDs if desired ensuring that they do not conflict with other users, by selecting the auto-generate option shown in the pull down menu in the screen shot. If you already have a method for populating the uidNumber and gidNumber fields, you may continue to use that as well – just select RFC2307 attribute in the pull down menus per the example for UID below.   Just remember to select the desired defaults in both user defaults tab and the group defaults tab.

In Summary, if you are migrating from a competing solution or from LDAP, these are the steps to migrating the user and group profiles with minimal impact to your environment.

• Create a Centrify zone with the Zone Type SFU.
• Import the users into Centrify from an /etc/password or /etc/group formatted file.
• Set the defaults on the Zone properties for new users and groups so as to avoid UID/GID collision.

Another tip: How to see the UNIX Attributes on the AD Object

Attribute name map between Centrify Access Manager and ADUC RF2307 view:

These may be found in Active Directory Users and Computers by looking at the properties on the user and selecting the Attribute Editor tab.

* Note - In order to see the Attribute Editor tab, in ADUC from the View pull down menu you need to select “Advanced Features”.   Also on the attribute editor tab, I recommend clicking the “Filter” button and choosing to “Show only attributes that have values”.