
mkComputerRoles.tcl: A Script for Enabling Centrify Deployment (part 2)

11 April,19 at 11:50 AM

Recap

In part one of this blog, I discussed how Centrify can be used to leverage Active Directory (AD) to manage access to UNIX/Linux computers. I described a best practice for where to store UNIX/Linux data in AD and the Centrify construct called Computer Role. I explained that the script mkComputerRoles.tcl can be used to create Computer Roles as specified in a CSV formatted file which defines the Computer Roles and related information. In this blog I will examine the options to the mkComputerRoles.tcl script.

 

The mkComputerRoles.tcl Command Line Options

The mkComputerRoles.tcl script can be used to create AD objects as defined in a CSV formatted file (e.g., ComputerRoles.csv). The script along with the CSV file must be copied to a UNIX/Linux computer on which the Centrify agent has been installed. It uses the Centrify ADEdit library that is stored in /usr/share/centrifydc/lib/ade_lib/ade_lib.tcl. The computer does not need to be joined to AD.

 

The mkComputerRoles.tcl script has the following options:

 

mkComputerRoles.tcl -d {AD domain} -f {CSV file} [-o {servers ou}] [-c {computer role groups ou}] [-r {user role groups ou}] [-j {ad,scp,czone,all}] [-a] [-i {passwdDir|mapFile}|{passwdDir|mapFile}] [-v] [-u {AD account}] [-p {AD password}]

 

where,

 

{AD domain} – is the Active Directory domain where the computer roles and related objects will be created

 

{CSV file} – is the CSV formatted file with the definition of the Computer Roles and related information as described in the previous blog post

 

{servers ou} - is the OU where the computer objects will be created

 

{computer role groups ou} - is the OU where the Computer Role groups will be created

 

{user role groups ou} - is the OU where the User Role groups will be created

 

-j {ad,scp,czone,all} - the "-j" option will create AD computer objects for the UNIX/Linux computers and must be followed by one or more comma-separated arguments. The "ad" argument will create the computer object in the specified OU or, if none is given, in the default OU defined by the Centrify best practice OU structure. This operation will fail if the computer object already exists. The "scp" argument will create the Service Connection Point (SCP) object for the computer in the zone specified in the ComputerRoles.csv file. This operation will fail if the computer object does not exist. The "czone" argument will create a computer zone in the zone specified in the ComputerRoles.csv file. The "all" argument will create the computer object, the SCP and the computer zone.

 

-a - will add the computer objects to the Computer Roles (i.e., Computer Group or Computer Role Groups)

 

{passwdDir|mapFile}|{passwdDir|mapFile} - will add AD user accounts to the User Groups (or User Role Groups) from either passwd files or a "mapfile", respectively.

PasswdDir is a directory containing the UNIX/Linux passwd files of the computers listed in the ComputerRoles.csv file. The passwd files must be named "computer".passwd, where "computer" is the name of the computer as listed in the ComputerRoles.csv file. The users in the passwd files will be added to the corresponding User Groups (or User Role Groups) for each computer as defined in the ComputerRoles.csv file. Note: the UNIX/Linux login names in the passwd files must be the user's UPN, in the form "login@ADdomain".

 

MapFile is a CSV formatted file that lists the User Groups (i.e., User Role Groups) and the AD user accounts that should be added to them. The format of the file is:

 

            UserRoleGroup,ADuser[,ADuser,…]

 

Where UserRoleGroup is an AD group and ADuser is an AD user account that will be added to UserRoleGroup.
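Both membership inputs described above (the "computer".passwd files with UPN login names, and the UserRoleGroup,ADuser[,ADuser,...] mapfile) are easy to get subtly wrong, and a malformed row silently changes who ends up in a User Role Group. The following pre-flight checker is an added example, not code from the Centrify script or from this article; it parses constructed sample data of both formats, reports rows that would not map cleanly (non-UPN logins, logins from another domain, empty or duplicate ADuser entries, computers with no passwd file) and returns the membership plan so it can be reviewed before the script is run against AD. The file names, group names, user names and the centrifyimage.vms domain are sample values constructed for the example.

```python
"""Pre-flight checks for the two user-membership inputs that mkComputerRoles.tcl
reads: a directory of <computer>.passwd files and a mapfile of
UserRoleGroup,ADuser[,ADuser,...] lines.  Added example; the data below is constructed."""
import csv
import io
import re
from collections import defaultdict

# login@ADdomain: one "@", then a DNS-style domain.  Assumed shape of a UPN.
UPN_RE = re.compile(r"^[^@\s:]+@[A-Za-z0-9.-]+\.[A-Za-z0-9-]+$")


def parse_mapfile(text):
    """Return ({group: [users]}, errors) from mapfile text.

    Each row must be UserRoleGroup followed by at least one ADuser; blank rows are
    skipped, empty or repeated ADuser cells are reported rather than dropped."""
    members = defaultdict(list)
    errors = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [cell.strip() for cell in row]
        if not row or not any(row):
            continue
        if len(row) < 2 or not row[0]:
            errors.append(f"mapfile line {lineno}: need UserRoleGroup and at least one ADuser")
            continue
        group, users = row[0], row[1:]
        for user in users:
            if not user:
                errors.append(f"mapfile line {lineno}: empty ADuser for group {group!r}")
            elif user in members[group]:
                errors.append(f"mapfile line {lineno}: {user!r} listed twice for {group!r}")
            else:
                members[group].append(user)
    return dict(members), errors


def parse_passwd(text, ad_domain):
    """Return (upns, errors) for one <computer>.passwd file.

    Login names must be UPNs in ad_domain; a plain local login (e.g. "bob") or a
    login from another domain is reported, since the script could not map it."""
    upns, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:passwd:uid:gid:gecos:home:shell
            errors.append(f"passwd line {lineno}: expected 7 colon-separated fields")
            continue
        login = fields[0]
        if not UPN_RE.match(login):
            errors.append(f"passwd line {lineno}: login {login!r} is not a UPN (login@ADdomain)")
        elif login.split("@", 1)[1].lower() != ad_domain.lower():
            errors.append(f"passwd line {lineno}: {login!r} is outside domain {ad_domain}")
        else:
            upns.append(login)
    return upns, errors


def check_passwd_dir(files, computers, ad_domain):
    """files maps file name -> contents (stands in for a directory listing);
    computers is the list of computer names from ComputerRoles.csv.
    Returns ({computer: [upns]}, errors); a missing <computer>.passwd is an error."""
    plan, errors = {}, []
    for computer in computers:
        name = f"{computer}.passwd"
        if name not in files:
            errors.append(f"{name}: no passwd file for computer {computer!r}")
            continue
        upns, errs = parse_passwd(files[name], ad_domain)
        plan[computer] = upns
        errors.extend(f"{name}: {e}" for e in errs)
    return plan, errors


# Constructed sample inputs (not from the article).
SAMPLE_MAPFILE = (
    "cfyUC_UNIX Login_Finance Servers,alice,bob\n"
    "cfyUC_UNIX Login_Engineering Servers,carol\n"
    "cfyUC_UNIX Login_Engineering Servers,\n"        # empty ADuser
    "cfyUC_UNIX Login_Finance Servers,alice\n"       # duplicate ADuser
)
SAMPLE_PASSWD_FILES = {
    "fin01.passwd": (
        "alice@centrifyimage.vms:x:1001:1001::/home/alice:/bin/bash\n"
        "bob:x:1002:1002::/home/bob:/bin/sh\n"       # not a UPN
    ),
    "eng01.passwd": (
        "carol@centrifyimage.vms:x:1003:1003::/home/carol:/bin/bash\n"
        "badline\n"                                  # malformed row
    ),
}

if __name__ == "__main__":
    groups, errs = parse_mapfile(SAMPLE_MAPFILE)
    plan, errs2 = check_passwd_dir(SAMPLE_PASSWD_FILES, ["fin01", "eng01", "hr01"], "centrifyimage.vms")
    for line in errs + errs2:
        print("WARN", line)
    print("mapfile plan:", groups)
    print("passwd plan:", plan)
```

Run it over real inputs by reading the mapfile and the passwd directory into the same structures; the point is that every finding is a row the script would otherwise either reject at run time or, worse, map to an unintended account.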

 

-v – is a debug flag that will enable printing of verbose output

 

{AD account} - specifies an AD account with privilege to create the objects in Active Directory

 

{AD password} - specifies the password for the AD account above

 

Result of Executing the mkComputerRoles.tcl Script

To demonstrate the mkComputerRoles.tcl script, the sample CSV file, ComputerRoles.csv, described in the first blog will be used. The script is executed with the following command line options:

 

mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -j ad,scp -a -u tetsu

 

After executing the mkComputerRoles.tcl script the following objects are created in AD:

 

  • The Zone Global and Computer Roles Engineering Servers and Finance Servers. The Description field is written and an AD group, called a Computer Group (or Computer Role Group) is created for each Computer Role. For example, as seen in Access Manager:

(screenshot omitted)

 

  • The AD groups called Computer Groups (or Computer Role Groups) are created in the Computer Roles OU. Computer Groups will contain the AD computer objects of UNIX/Linux computers. For example, as seen in Active Directory Users and Computers (ADUC):

(screenshot omitted)

 

  • For each Computer Role, an AD group called a User Group (or User Role Group) is created in the User Roles OU. User Groups will contain the AD user objects of users that have UNIX/Linux profiles (or accounts). For example, as seen in ADUC:

(screenshot omitted)

 

  • For each Computer Role, the corresponding User Group (or User Role Group) is used to assign the UNIX Login role to the Computer Role. The result is that any user who is a member of a User Group has the right to log on to all the computers that are members of the corresponding Computer Role (i.e., Computer Group or Computer Role Group). In the example below, as seen in Access Manager, the AD group cfyUC_UNIX Login_Finance Servers was used to assign the UNIX Login role (defined in the Global zone) to the Finance Servers Computer Role:

(screenshot omitted)

 

  • For each computer in the ComputerRoles.csv file, an AD computer object is created in the Servers OU. For example, as seen in ADUC:

(screenshot omitted)

 

  • For each computer in the ComputerRoles.csv file, a Service Connection Point (SCP) object is created. For example, as seen in Access Manager:

(screenshot omitted)

 

and as seen in ADUC:

(screenshot omitted)

 

  • The AD computer object of each computer in the ComputerRoles.csv file is added to the corresponding Computer Role (i.e., Computer Group or Computer Role Group). For example, the Finance Servers Computer Role Members, as seen in Access Manager:

(screenshot omitted)

 

and as seen in ADUC:

(screenshot omitted)

 

 

Summary

Using the mkComputerRoles.tcl script with the ComputerRoles.csv definition file, we created in AD a Centrify Zone and Computer Roles; the AD groups we call Computer Groups and User Groups; and AD computer objects for UNIX/Linux computers. In addition, we assigned the Centrify UNIX Login Role to Computer Roles using User Groups and added the AD computer objects to Computer Groups.

This gets us close to being ready to manage UNIX/Linux identities by leveraging AD with Centrify. However, we need to add users to User Groups, give users a UNIX/Linux profile in the Global Zone and join UNIX/Linux computers to the Global Zone. In the upcoming blogs, I will discuss these issues and other advanced features of the mkComputerRoles.tcl script.
