11 April,19 at 11:50 AM
Recap
In part one of this blog, I discussed how Centrify can be used to leverage Active Directory (AD) to manage access to UNIX/Linux computers. I described a best practice for where to store UNIX/Linux data in AD and the Centrify construct called Computer Role. I explained that the script mkComputerRoles.tcl can be used to create Computer Roles as specified in a CSV formatted file which defines the Computer Roles and related information. In this blog I will examine the options of the mkComputerRoles.tcl script.
The mkComputerRoles.tcl Command Line Options
The mkComputerRoles.tcl script can be used to create AD objects as defined in a CSV formatted file (e.g., ComputerRoles.csv). The script along with the CSV file must be copied to a UNIX/Linux computer on which the Centrify agent has been installed. It uses the Centrify ADEdit library that is stored in /usr/share/centrifydc/lib/ade_lib/ade_lib.tcl. The computer does not need to be joined to AD.
The mkComputerRoles.tcl script has the following options:
mkComputerRoles.tcl -d {AD domain} -f {CSV file} [-o {servers ou}] [-c {computer role groups ou}] [-r {user role groups ou}] [-j {ad,scp,czone,all}] [-a] [-i {passwdDir|mapFile}|{passwdDir|mapFile}] [-v] [-u {AD account}] [-p {AD password}]
where,
{AD domain} - is the Active Directory domain where the computer roles and related objects will be created
{CSV file} - is the CSV formatted file with the definition of the Computer Roles and related information as described in the previous blog post
{servers ou} - is the OU where the computer objects will be created
{computer role groups ou} - is the OU where the Computer Role groups will be created
{user role groups ou} - is the OU where the User Role groups will be created
-j {ad,scp,czone,all} - the “-j” option will create AD computer objects for the UNIX/Linux computers and must be followed by one or more, comma separated, arguments. The “ad” argument will create the computer object in the specified OU or the default OU as defined by the Centrify best practice OU structure. This operation will fail if the computer object already exists. The “scp” argument will create the Service Connection Point (SCP) object for the computer in the zone specified in the ComputerRoles.csv file. This operation will fail if the computer object does not exist. The “czone” argument will create a computer zone in the zone specified in the ComputerRoles.csv file. The “all” argument will create the computer object, the SCP and the computer zone.
-a - will add the computer objects to the Computer Roles (i.e., Computer Group or Computer Role Groups)
{passwdDir|mapFile}|{passwdDir|mapFile} - will add AD user accounts to the User Groups (or User Role Groups) from either passwd files (passwdDir) or a mapfile (mapFile), respectively.
PasswdDir is a directory containing the UNIX/Linux passwd files of the computers listed in the ComputerRoles.csv file. The passwd files must be named “computer”.passwd, where “computer” is the name of the computer as listed in the ComputerRoles.csv file. The users in the passwd files will be added to the corresponding User Groups (or User Role Groups) for each computer as defined in the ComputerRoles.csv file. Note: The UNIX/Linux login names in the passwd files must define the user’s UPN as in “login@ADdomain”.
MapFile is a CSV formatted file that lists the User Groups (i.e., User Role Groups) and the AD user accounts that should be added to the User Groups (i.e., User Role Groups). The format of the file is:
UserRoleGroup,ADuser[,ADuser,…]
Where UserRoleGroup is an AD group and ADuser is an AD user account that will be added to UserRoleGroup.
-v - is a debug flag that will enable printing of verbose output
{AD account} - specifies an AD account with privilege to create the objects in Active Directory
{AD password} - specifies the AD password for the AD account above
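Before handing a privileged AD account to the script, it is worth checking the input files offline. The following is an added example (not part of the original post or the mkComputerRoles.tcl script) that parses passwd files named "computer".passwd, enforcing the login@ADdomain rule described above, and parses a mapfile in the UserRoleGroup,ADuser[,ADuser,...] format, reporting lines that would not map cleanly to group memberships. The domain, computer name, logins and group names are constructed placeholders.

```python
import re

# Constructed sample input (placeholder domain and logins, not values from the
# post): one passwd file per computer, named "<computer>.passwd", plus a mapfile.
AD_DOMAIN = "example.com"
PASSWD_FILES = {
    "web01.passwd": (
        "jdoe@example.com:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash\n"
        "root:x:0:0:root:/root:/bin/bash\n"  # not login@ADdomain: flagged
        "bsmith@EXAMPLE.COM:x:1002:1002::/home/bsmith:/bin/sh\n"
    ),
}
MAPFILE = (
    "WebAdmins_UserRole,jdoe@example.com,bsmith@example.com,jdoe@example.com\n"
    "DBAdmins_UserRole\n"  # group with no users: flagged
)


def passwd_users(files, domain):
    """Map computer -> UPN logins from <computer>.passwd contents; report the rest."""
    upn = re.compile(r"^[^@:\s]+@" + re.escape(domain) + r"$", re.IGNORECASE)
    users, problems = {}, []
    for name in sorted(n for n in files if n.endswith(".passwd")):
        computer = name[: -len(".passwd")]
        users[computer] = []
        for lineno, line in enumerate(files[name].splitlines(), 1):
            login = line.split(":", 1)[0].strip()
            if not login or login.startswith("#"):
                continue  # blank or comment line
            if upn.match(login):
                users[computer].append(login.lower())
            else:
                problems.append(f"{name}:{lineno}: '{login}' is not login@{domain}")
    return users, problems


def mapfile_groups(text):
    """Parse UserRoleGroup,ADuser[,ADuser,...] lines; dedupe members per group."""
    groups, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split(",") if f.strip()]
        if len(fields) < 2:
            problems.append(f"mapfile:{lineno}: need a group and at least one user")
            continue
        members = groups.setdefault(fields[0], [])
        for user in fields[1:]:
            if user not in members:
                members.append(user)
    return groups, problems
```

Run both parsers over the real passwdDir contents and mapfile and fix every reported problem before invoking the script with -u and -p; local accounts such as root are reported rather than silently skipped so that nothing unexpected ends up in a User Role Group.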
Result of Executing the mkComputerRoles.tcl Script
To demonstrate using the mkComputerRoles.tcl script the sample CSV file, ComputerRoles.csv, that was described in the first blog will be used. The script is executed with the following command line options:
mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -j ad,scp -a -u tetsu
After executing the mkComputerRoles.tcl script the following objects are created in AD:
[Screenshot: the created objects as seen in ADUC]
Summary
Using the mkComputerRoles.tcl script with the ComputerRoles.csv definition file, we created in AD a Centrify Zone and Computer Roles; AD groups we called Computer Groups and User Groups; and AD computer objects for UNIX/Linux computers. In addition, we assigned the Centrify UNIX Login Role to Computer Roles using User Groups and added AD computer objects to Computer Groups.
This gets us close to being ready to manage UNIX/Linux identities by leveraging AD with Centrify. However, we need to add users to User Groups, give users a UNIX/Linux profile in the Global Zone and join UNIX/Linux computers to the Global Zone. In the upcoming blogs, I will discuss these issues and other advanced features of the mkComputerRoles.tcl script.