Solution Guide: Windows Security and Directory Services for ...
Document source: http://www.centrify.com/downloads/public/centrify_dc_solution_guide.pdf

WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
PAGE 13
Centrify DirectControl introduces a new concept that needs to be understood and taken
into consideration when planning this solution: the DirectControl Zones feature.
DirectControl Zones is a facility that allows groups of UNIX machines, groups and users
to be treated as a distinct identity cluster, for the purpose of partitioning off systems
that have common identity attributes. Users can be members of more than one Zone and
can have different user attributes (e.g. a different username) in each Zone. For example,
all machines in the finance department could be grouped into a single Zone called
"finance", and the members of that Zone could be restricted to finance employees and all
senior managers. This gives the organization better control over access to systems based
on well-defined roles. Additionally, DirectControl Zones can be used to restrict access to
certain types of applications running on the UNIX systems.

Zones also become important when dealing with multiple existing UNIX identity systems
that are being migrated to Active Directory. For example, most organizations have
multiple identity stores in use on their current UNIX platforms, including LDAP
directories, NIS/NIS+ and local account stores using /etc/passwd. Often a single user is a
member of more than one identity store and may even have a different username, UID or
group memberships in each. DirectControl Zones would allow the organization to import
the information from its legacy UNIX identity stores into separate Zones without forcing
the organization to consolidate the multiple identities that each user might have. The
result might be a structure with three Zones in Active Directory: one with the
pre-existing UNIX LDAP directory information, one with the imported information from an
existing NIS directory, and one with the imported contents of an /etc/passwd file from a
single UNIX system. If a user has an account in all three systems, these can now be
mapped back to a single Active Directory identity, even if the user's identity attributes
were different in each of the legacy directories. This means that the user can now access
all of these systems using either their Active Directory credentials or their old
credentials from the previous system. Regardless of which credentials they use, the user
has only one password across all systems: their existing Active Directory password. More
information on DirectControl Zones can be found at http://www.centrify.com.
[Figure 1.4: a Windows Domain (Windows Domain Controller, Administrator, Active
Directory) containing three Zones: HR, Engineering and Finance. The single Active
Directory account for Fred Thomas (Userid: fred.thomas, Homedir:
\\server1\users\fred.thomas, used from a Windows XP Laptop) is mapped to a different
UNIX identity in each Zone. The hosts shown are a Solaris Host, an HR App Server and a
Linux Workstation.]

  Zone: Engineering (Fred's Linux Account)   Userid: fred     UID: 94582  Shell: /bin/bash  Homedir: /home/fred
  Zone: Finance     (Fred's Solaris Account) Userid: fthomas  UID: 2387   Shell: /bin/csh   Homedir: /nfshome/fthomas
  Zone: HR          (Fred's HR App Account)  Userid: fredt    UID: 5381

Figure 1.4. Example of using Zones to map multiple identities to a single Active
Directory user account.
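The mapping in Figure 1.4, as an added example that is not Centrify's code: one Active Directory account resolves to a different UNIX identity in each Zone, lookups are scoped to a Zone (no cross-Zone fallback), and a check flags a username or UID reused by two different accounts inside one Zone, which is the case that would make two AD accounts indistinguishable to the UNIX host. The profile structure, the conflict check and the default shell/home for the HR profile (not shown in the figure) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ZoneProfile:
    zone: str        # Zone the profile belongs to
    ad_user: str     # Active Directory account the profile maps back to
    userid: str      # UNIX login name inside this Zone
    uid: int         # numeric UID inside this Zone
    shell: str = "/bin/sh"   # assumed default; figure shows none for the HR profile
    homedir: str = ""        # assumed default; figure shows none for the HR profile

# Fred Thomas's three legacy identities, one per Zone (values taken from Figure 1.4).
PROFILES = [
    ZoneProfile("Engineering", "fred.thomas", "fred", 94582, "/bin/bash", "/home/fred"),
    ZoneProfile("Finance", "fred.thomas", "fthomas", 2387, "/bin/csh", "/nfshome/fthomas"),
    ZoneProfile("HR", "fred.thomas", "fredt", 5381),
]

def resolve(profiles, zone, userid=None, uid=None):
    """Zone-scoped lookup, like getpwnam/getpwuid but confined to one Zone.
    Returns the matching profile or None; there is deliberately no cross-Zone fallback."""
    if userid is None and uid is None:
        raise ValueError("need a userid or a uid to resolve")
    for p in profiles:
        if p.zone != zone:
            continue
        if (userid is None or p.userid == userid) and (uid is None or p.uid == uid):
            return p
    return None

def ad_identity(profiles, zone, uid):
    """Map a UID observed in a Zone (file or process owner) back to the AD account."""
    p = resolve(profiles, zone, uid=uid)
    return p.ad_user if p else None

def zone_conflicts(profiles):
    """Return (zone, kind, value) for every username or UID that two different AD
    accounts share within a single Zone. Reuse across Zones is allowed by design
    (the same UID can belong to different people in different Zones); reuse inside
    one Zone is an access-control defect to catch at import time."""
    seen, conflicts = {}, []
    for p in profiles:
        for kind, value in (("userid", p.userid), ("uid", p.uid)):
            key = (p.zone, kind, value)
            if key in seen and seen[key] != p.ad_user:
                conflicts.append(key)
            seen.setdefault(key, p.ad_user)
    return conflicts
```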