WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
If you choose to use Centrify DirectControl as part of an integrated solution for security
and directory services, your conceptual design should address how you want to use
Zones, how you will migrate user identities to Active Directory, and how legacy identity
stores such as /etc/passwd files and NIS servers fit into your solution.
To develop your conceptual design with Centrify DirectControl in mind, you should
consider the following:
- Whether you have multiple UNIX identity stores or a single identity store for all UNIX
- Which UNIX computers users log on to locally or remotely and which UNIX computers are used as application servers that only require infrequent administrative
- The nature of the user community and how and when different users access UNIX
As an example, if you have multiple identity stores, your conceptual design should define
how those identity stores should map to Centrify DirectControl Zones. If you already
group users in NIS domains, you can keep this structure by mapping each NIS domain to
a Zone. If you have a more ad-hoc environment, you should identify the computers that
form a natural administrative set. For example, you may want to use Zones to group
computers based on specific criteria, such as computers managed by the same security
group, located in the same area, or used by the same department. In your conceptual
design, you should also determine how various computers are used. For example, you
should determine which computers users log on to directly and which computers are
used as application servers that only require administrative access for housekeeping
purposes. You should consider how many users log on to different computers and the
tasks different sets of users perform on those computers.
If all of your UNIX user identities (UIDs) and group identities (GIDs) are unique for all of
the computers you want to bring into the Active Directory forest, you can use a single
For simplicity or migrating in phases, you can start with a single Zone and add Zones
over time, but your conceptual design should take into account this migration strategy
and Zone design.
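The single-Zone test above (every UID and GID unique across all computers joining the forest) is easy to get wrong by eye when several identity stores are involved. The following script is an added example, not Centrify code or part of this paper: it parses passwd-format entries collected from several stores (the store names and entries below are constructed sample data) and reports the two kinds of collision that rule out a single Zone: one UID owned by different account names, and one account name carrying different UIDs. The same check applies unchanged to GIDs taken from /etc/group.

```python
"""
Check whether UIDs are consistent across several UNIX identity stores before
deciding between a single DirectControl Zone and one Zone per store.
Added example, not Centrify code; all input below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample: passwd entries as exported from three identity stores
# (two NIS domains and one stand-alone host with a local /etc/passwd).
SAMPLE_PASSWD = {
    "hr-nis": [
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash",
    ],
    "eng-nis": [
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
        "carol:x:1002:1002:Carol:/home/carol:/bin/bash",  # UID 1002 also belongs to bob in hr-nis
        "dave:x:1003:1003:Dave:/home/dave:/bin/bash",
    ],
    "web01": [
        "dave:x:2003:2003:Dave:/home/dave:/bin/sh",       # same name as eng-nis dave, different UID
        "www:x:33:33:www:/var/www:/usr/sbin/nologin",
    ],
}


def parse_passwd(lines):
    """Return {username: uid} from passwd-format lines, skipping blanks, comments and malformed rows."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def find_conflicts(stores):
    """
    stores: {store_name: [passwd lines]}
    Returns (uid_conflicts, name_conflicts):
      uid_conflicts:  {uid: {store: name}} where one UID maps to different names
      name_conflicts: {name: {store: uid}} where one name maps to different UIDs
    An identity that appears in several stores with the same UID is not a conflict.
    """
    uid_to = defaultdict(dict)   # uid  -> {store: name}
    name_to = defaultdict(dict)  # name -> {store: uid}
    for store, lines in stores.items():
        for name, uid in parse_passwd(lines).items():
            uid_to[uid][store] = name
            name_to[name][store] = uid
    uid_conflicts = {u: m for u, m in uid_to.items() if len(set(m.values())) > 1}
    name_conflicts = {n: m for n, m in name_to.items() if len(set(m.values())) > 1}
    return uid_conflicts, name_conflicts


def recommend_zone_layout(stores):
    """'single-zone' when identities agree everywhere, otherwise 'zone-per-store'."""
    uid_conflicts, name_conflicts = find_conflicts(stores)
    if not uid_conflicts and not name_conflicts:
        return "single-zone"
    return "zone-per-store"


if __name__ == "__main__":
    uid_c, name_c = find_conflicts(SAMPLE_PASSWD)
    for uid, owners in sorted(uid_c.items()):
        print(f"UID {uid} is used for different accounts: {owners}")
    for name, uids in sorted(name_c.items()):
        print(f"Account {name} has different UIDs: {uids}")
    print("Recommendation:", recommend_zone_layout(SAMPLE_PASSWD))
```

Run against real data by replacing the constructed dictionary with the output of `ypcat passwd` per NIS domain and the contents of each host's /etc/passwd; a "zone-per-store" result tells you which stores cannot share a Zone without first renumbering the colliding accounts.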
Logical Design of Centrify DirectControl Solution
With Centrify DirectControl, many of the logical design considerations that were required
for a pure Kerberos / LDAP solution are no longer applicable. This is because
DirectControl automatically handles the configuration of many of the supporting services
that are required to reach the End State. For example, when DirectControl is installed,
the time service and time synchronization elements that are required for proper Kerberos
operation are automatically set up correctly without the need for user intervention.
Likewise, UNIX components such as PAM and NSS are automatically configured when
DirectControl is installed.
Another logical design consideration highlighted in other solutions is the strategy for
handling Active Directory schema extensions for storing UNIX user attributes such as a
UID or home directory. DirectControl eliminates the need for any schema extensions:
instead, it stores UNIX user attributes in a well-defined Active Directory storage class
reserved for use by applications. Again, using the DirectControl Zones feature, multiple
sets of UNIX user attributes can be tied to a single Active Directory user. Management of
these attributes can be accomplished by using the Active Directory Users and Computers
MMC or the Centrify Administrator Console. If the organization has already deployed
Microsoft-supported UNIX schema extensions, such as the UNIX extensions included
with Microsoft Windows Services for UNIX, then DirectControl can be easily configured to
use that storage mechanism in addition to or as an alternative to DirectControl Zones.