Centrify provides a portfolio of software products one of which, the Centrify Server Suite (CSS), lets you manage UNIX/Linux user accounts using Active Directory (AD). One advantage for IT administrators is centralized management of user identities (e.g., create, delete or disable user accounts or identities) from a single platform (i.e., AD) across their entire infrastructure (e.g., Windows, UNIX/Linux, mobile devices and the Cloud). One benefit to end users is a single identity and password to remember across all environments.
In these posts I will describe a script that I wrote, mkComputerRoles.tcl, that enables the quick deployment of CSS. The script uses ADEdit, a Centrify Tool Command Language (Tcl) application that lets you write scripts that modify data in AD directly from UNIX/Linux.
Where to store UNIX/Linux data in Active Directory (AD)
Centrify stores UNIX/Linux data in AD; consequently, one of the first major tasks in deploying Centrify is to decide where in AD to store this data. Centrify's best practice is to create a single Organizational Unit (OU) at the root of the AD domain in which to store all UNIX/Linux data. Centrify provides a PowerShell script that creates this structure. It also creates a few AD security groups and delegates to them the minimum AD rights needed to manage UNIX data, and only within this OU. These groups can be used to implement separation of administrative duties. In this example, the OU is named Centrify and looks like this:
- Centrify Administration: Contains AD groups with delegated rights to manage UNIX/Linux data in the Centrify OU
  - cfyA_AuthorizationManagers: Can create, delete and modify the membership of AD groups in OU=User Roles and OU=Computer Roles
  - cfyA_ComputerManagers: Can create and delete computer objects in OU=Servers
  - cfyA_UnixDataManagers: Can create, delete and modify the membership of AD groups in OU=UNIX Groups. Can create, delete, reset the password of and manage AD user objects in OU=Service Accounts
  - cfyA_CentrifyAdministrators: Is a member of the previous three AD groups and consequently inherits all the privileges granted to them. In addition, it has rights to create, delete and modify the membership of AD groups in OU=Provisioning Groups. It has several rights on CN=Licenses, OU=Centrify and many rights on CN=Zones
- Computer Roles: Contains AD groups used to define Centrify Computer Roles
- Licenses: Contains the Centrify licenses
- Provisioning Groups: Contains AD groups used by the Centrify Zone Provisioning Agent (ZPA)
- Servers: Contains the AD computer objects of UNIX/Linux computers
- UNIX Groups: Contains AD groups used to define UNIX/Linux (secondary) groups
- UNIX Service Accounts: Contains AD user objects (accounts) for UNIX/Linux service accounts
- User Roles: Contains AD groups used to assign Centrify DirectAuthorize Roles on UNIX/Linux computers
- Zones: Contains AD objects used by Centrify to manage UNIX/Linux data
Note: See the Centrify Deployment and Planning Guide for the complete list of AD privileges that are required to manage UNIX/Linux data in AD.
The Computer Roles Spreadsheet
After the OU structure has been created as described above, we can turn our attention to Centrify Zones. Joining a UNIX/Linux computer to AD using Centrify requires a Centrify Zone. A Centrify Zone is a collection of users and computers that share a set of policies and access controls. Because a computer can be joined to only one Zone, Zones alone may not provide the flexibility needed to manage access controls on a granular basis.
Centrify provides another means of managing access control called a Computer Role. Computer Roles are logical groupings of computers to which users or groups can be assigned specific roles. In terms of granularity, a Computer Role can apply to a single user and a single server, or to a large group of users and computers, and it can span Zone boundaries and hierarchies. A computer can be a member of more than one Computer Role, which provides an extremely flexible way to provision system access. It can be used to implement Role Based Access Control (RBAC).
The mkComputerRoles.tcl script can be used to create Computer Roles, add computers to Computer Roles and assign roles to groups of users on those computers. The script requires a CSV file that defines the Computer Roles and related information. A template for the CSV can be created from the sample Excel spreadsheet that is provided with the script; the spreadsheet has formulas that make completing it easier. The columns of the spreadsheet are:
- host – is the FQDN of each UNIX/Linux computer that will join AD and that will be a member of one or more Computer Roles
- zone – is the Centrify Zone to which the UNIX/Linux computer will be joined
- computer role name – is the name of the Computer Role
- computer role desc – is a description of the Computer Role and is optional
- computer role group – is the AD group that is used to define the Computer Role. It contains the AD computer objects of each UNIX/Linux computer
- user role group – is the AD group that is used to assign a role to the Computer Role. It contains AD user accounts.
- role – is the Centrify role that is assigned to the Computer Role using the user role group. In this example, it is the role “UNIX Login”.
- start date & time – is the date and time from which the role is in effect
- end date & time – is the date and time when the role expires
The first row in the spreadsheet is the header and the second row can be read as follows:
- The UNIX/Linux computer engcen1.centrifyimage.vms will be joined to the Centrify Zone named Global
- In the Global Zone, a Computer Role named Engineering Servers will be created and given the description Engineering Servers computer role
- The AD group cfyC_Engineering Servers will be created and linked to the Computer Role
- The AD computer object for the engcen1.centrifyimage.vms computer will be added to the AD group cfyC_Engineering Servers (i.e., the Engineering Servers Computer Role)
- The AD group cfyUC_UNIX Login_Engineering Servers will be created and it will be used to assign the Centrify Role UNIX Login to the Engineering Servers Computer Role (i.e., the AD group cfyC_Engineering Servers)
The net result is that when AD users (or groups of AD users) are added to the AD group cfyUC_UNIX Login_Engineering Servers, those users have the UNIX Login role on (i.e., can access) all the computers that are in the AD group cfyC_Engineering Servers. The AD users must also have a complete UNIX/Linux profile in the Zone to access the UNIX/Linux computers with their AD credentials.
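To make the relationship between the spreadsheet rows and the resulting AD objects concrete, here is an added Python example. It is not the mkComputerRoles.tcl script and it does not talk to AD: it reads a CSV with the columns listed above, checks the naming convention visible in the sample row (cfyC_<computer role name> and cfyUC_<role>_<computer role name>) and that the end date is after the start date, and then places each object it would create in the OU structure from the previous section. The domain DN DC=centrifyimage,DC=vms (taken from the FQDN suffix), the date format, and the sample rows are assumptions.

```python
import csv
import io
from datetime import datetime

# Assumed domain DN, derived from the FQDN suffix used in the post's sample row.
DOMAIN_DN = "DC=centrifyimage,DC=vms"
ROOT_OU = "OU=Centrify," + DOMAIN_DN          # the single top-level OU described above
DATE_FMT = "%Y-%m-%d %H:%M"                    # assumed format of the date & time columns

# Constructed sample CSV; column names are the spreadsheet columns listed in the post.
HEADER = ("host,zone,computer role name,computer role desc,computer role group,"
          "user role group,role,start date & time,end date & time\n")
SAMPLE_CSV = HEADER + (
    "engcen1.centrifyimage.vms,Global,Engineering Servers,Engineering Servers computer role,"
    "cfyC_Engineering Servers,cfyUC_UNIX Login_Engineering Servers,UNIX Login,"
    "2024-01-01 00:00,2024-12-31 23:59\n"
    "engcen2.centrifyimage.vms,Global,Engineering Servers,Engineering Servers computer role,"
    "cfyC_Engineering Servers,cfyUC_UNIX Login_Engineering Servers,UNIX Login,"
    "2024-01-01 00:00,2024-12-31 23:59\n"
)


def rdn_escape(value: str) -> str:
    """Escape RFC 4514 special characters so a spreadsheet cell cannot smuggle an
    extra RDN (for example a trailing ',OU=...') into the distinguished name."""
    escaped = "".join("\\" + ch if ch in '\\,+"<>;' else ch for ch in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def group_dn(name: str, ou: str) -> str:
    """DN of a group inside one of the child OUs of OU=Centrify."""
    return f"CN={rdn_escape(name)},OU={ou},{ROOT_OU}"


def computer_dn(fqdn: str) -> str:
    """Computer objects live in OU=Servers; the CN is the host's short name."""
    return f"CN={rdn_escape(fqdn.split('.')[0])},OU=Servers,{ROOT_OU}"


def build_plan(csv_text: str) -> dict:
    """Return the AD objects implied by the CSV, plus every row that violates the
    conventions the post describes (group naming, date ordering, one zone per role)."""
    computer_role_groups = {}   # DN -> {"zone", "name", "desc", "members"}
    user_role_groups = {}       # DN -> {"computer_role_group", "role", "start", "end"}
    errors = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items()}
        cr_name, cr_group = row["computer role name"], row["computer role group"]
        role, ur_group = row["role"], row["user role group"]
        if cr_group != f"cfyC_{cr_name}":
            errors.append(f"row {n}: computer role group {cr_group!r} is not cfyC_{cr_name}")
        if ur_group != f"cfyUC_{role}_{cr_name}":
            errors.append(f"row {n}: user role group {ur_group!r} is not cfyUC_{role}_{cr_name}")
        try:
            start = datetime.strptime(row["start date & time"], DATE_FMT)
            end = datetime.strptime(row["end date & time"], DATE_FMT)
        except ValueError as exc:
            errors.append(f"row {n}: unparsable date: {exc}")
            continue
        if end <= start:
            errors.append(f"row {n}: end date & time is not after start date & time")
            continue
        cr_dn = group_dn(cr_group, "Computer Roles")
        entry = computer_role_groups.setdefault(cr_dn, {
            "zone": row["zone"], "name": cr_name, "desc": row["computer role desc"],
            "members": set()})
        if entry["zone"] != row["zone"]:
            errors.append(f"row {n}: Computer Role {cr_name!r} already defined in zone {entry['zone']!r}")
            continue
        entry["members"].add(computer_dn(row["host"]))
        user_role_groups.setdefault(group_dn(ur_group, "User Roles"), {
            "computer_role_group": cr_dn, "role": role, "start": start, "end": end})
    return {"computer_role_groups": computer_role_groups,
            "user_role_groups": user_role_groups, "errors": errors}


if __name__ == "__main__":
    plan = build_plan(SAMPLE_CSV)
    for dn, info in plan["computer_role_groups"].items():
        print(dn, "<-", sorted(info["members"]))
    for dn, info in plan["user_role_groups"].items():
        print(dn, "assigns", info["role"], "to", info["computer_role_group"])
    for err in plan["errors"]:
        print("ERROR:", err)
```

Two rows for the same Computer Role collapse into one cfyC_ group with two computer members and one cfyUC_ group, which is exactly the net result described above. The RDN escaping matters because a group name typed into a spreadsheet ends up inside a DN; reviewing the printed plan before any ADEdit run is a cheap way to catch a misnamed group that would otherwise be created in the wrong container or grant a role to the wrong set of computers.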
In part 2, I will describe how to execute the mkComputerRoles.tcl script, review the AD objects it creates and explain how those objects relate to the UNIX/Linux environment.