WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
PAGE 15
Figure 1.5. An example of the internal Active Directory storage hierarchy for a DirectControl Zone
Since DirectControl Zones open up numerous possibilities for improved role-based access control and for easy migration from existing UNIX directories, the organization should evaluate and create a logical design and plan for how Zones are used. This of course only applies if DirectControl is selected as the method for reaching the End State. Some of the considerations for how to apply Zones in the logical design include:
· Using Zones to address multiple legacy UIDs and enable rapid migration to Active Directory

For existing UNIX systems that have LDAP, NIS or /etc/passwd based directories, the user information in these directories can be directly imported into multiple DirectControl Zones. Typically the design would call for one Zone for each substantially distinct legacy directory store. Usernames in each Zone are then mapped to existing Active Directory user accounts. This allows the UNIX identity system to be immediately moved to Active Directory without forcing a change of UIDs on the legacy UNIX system. Having the option to retain legacy usernames and UIDs is a major design consideration, since the alternative of manually changing UID ownerships and name-associated files on the UNIX system, for every user, could be an enormous task and an obstacle to a successful migration.
· Using Zones and Services for UNIX to address other UNIX services tied to Active Directory

For organizations that have deployed Services for UNIX and are using the SFU NIS Server or NFS services, it is likely that they have extended the Active Directory schema using SFU. If this is the case, the logical design should include reserving a Zone for the SFU-enabled user accounts, since the UNIX attributes stored with each account will continue to be used once this new project is completed. DirectControl fully supports mapping the SFU user attributes into a DirectControl Zone.
· Using Zones, Group Policy and other methods for enabling true role-based access control

One of the most powerful capabilities enabled with Zones is the ability to manage access to systems by using a logical design of Zones mapped to roles and organizations. The organization of Zones could be designed around geographic divisions (e.g. a Zone for Europe, a Zone for Asia), around functional groups (e.g. a Zone for Engineering, a Zone for HR) or any other user-defined taxonomy. Since users only have access to systems in a Zone if they are explicitly added as members of that Zone, organizations have better control over access to system resources and data. Additionally, administration of each Zone can be delegated to non-Administrator individuals on a Zone-by-Zone basis, resulting in better control over the administration of all systems. Finally, by adding controls using group memberships and Centrify's Group Policy for UNIX capabilities, access control is further refined. For example, it is possible to lock the configuration of privileged command execution by controlling the sudoers file via Group Policy. All of these access control capabilities are at the
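The first consideration above (one Zone per distinct legacy directory store, legacy UIDs retained, usernames linked to Active Directory accounts) implies a pre-migration analysis step. The following is an added worked example, not code from the Centrify document: it parses constructed /etc/passwd fragments from two hypothetical legacy stores, shows the UID and username collisions that make a single shared Zone unsafe, and drafts a per-store Zone plan; the store names, users and the AD_ACCOUNTS map are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample /etc/passwd fragments from two legacy UNIX directory stores.
LEGACY_STORES = {
    "eng-nis": "alice:x:1001:1001:Alice Ng:/home/alice:/bin/bash\n"
               "bob:x:1002:1002:Bob Li:/home/bob:/bin/ksh\n"
               "svc_build:x:2000:2000:Build Service:/opt/build:/bin/false\n",
    "hr-ldap": "alice:x:5001:5001:Alice Ng:/home/alice:/bin/sh\n"
               "carol:x:1001:1001:Carol Ott:/home/carol:/bin/bash\n",
}
# Constructed map from legacy username to the AD account it will be linked to.
AD_ACCOUNTS = {"alice": "CORP\\ang", "bob": "CORP\\bli", "carol": "CORP\\cott"}


def parse_passwd(text):
    """Return {username: uid} from /etc/passwd-format text; reject malformed lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != 7:
                raise ValueError(f"malformed passwd line: {line!r}")
            users[fields[0]] = int(fields[2])
    return users


def find_collisions(stores):
    """UIDs owned by different names, and names with different UIDs, across stores.
    Either clash is why the design gives each distinct legacy store its own Zone."""
    uid_owners, name_uids = defaultdict(set), defaultdict(set)
    for text in stores.values():
        for name, uid in parse_passwd(text).items():
            uid_owners[uid].add(name)
            name_uids[name].add(uid)
    return ({u: sorted(n) for u, n in uid_owners.items() if len(n) > 1},
            {n: sorted(u) for n, u in name_uids.items() if len(u) > 1})


def plan_zones(stores, ad_accounts):
    """One Zone per store; each entry keeps its UID and is linked to an AD account.
    Entries with no AD account are reported for follow-up, never guessed."""
    plan, unmapped = {}, []
    for store, text in stores.items():
        zone = f"zone-{store}"
        plan[zone] = {}
        for name, uid in parse_passwd(text).items():
            if name in ad_accounts:
                plan[zone][name] = {"uid": uid, "ad_account": ad_accounts[name]}
            else:
                unmapped.append((zone, name, uid))
    return plan, unmapped
```

In the sample data UID 1001 belongs to different people in the two stores and "alice" carries two different UIDs, so the same person can be linked to one AD account in both Zones while each system keeps the file ownerships it already has.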