WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
Developing the Centrify DirectControl Solution
This section describes the tasks that are required to use the Centrify DirectControl suite
to implement the End State--that is, using Active Directory to authenticate UNIX clients
with Kerberos and to access UNIX authorization and identity information with LDAP.
Although authentication and authorization services are treated separately in many parts
of this guide, the DirectControl solution delivers a user experience for UNIX users that
works seamlessly, much like the user experience on Windows clients. After you install
DirectControl, when a user attempts to log on to a UNIX computer, the user enters a
username and password that is then validated by Active Directory through the underlying
Kerberos authentication system. After the user is authenticated, Active Directory
determines how the user can use the UNIX computer based on authorization properties
associated with that user's account, the computer the user is logging on to, and the
groups to which the user belongs. For example, a setting might be configured in Active
Directory to prevent access to the computer at the time of day when the user attempts to
log on. Even though the user is authenticated, the logon session fails because the user
is not authorized to use the computer at that time.
In addition, other properties associated with the user account are now stored in Active
Directory and can be used to establish the user's session on the UNIX computer or used
by applications on the UNIX computer. For example, the user's UNIX home directory is
stored in Active Directory. After the user is successfully authenticated and authorized,
this attribute is used to establish the user's home directory, which is then used during the
logon session on the UNIX computer.
DirectControl includes capabilities well beyond the scope of the End State solution
described in this guide. For example, DirectControl includes a component for using
Microsoft Group Policy to manage computer and user policies on UNIX and Linux
computers. DirectControl also provides capabilities for seamless file sharing, a NIS
pass-through server, and authentication modules for Web and application platforms. For more
information related to capabilities in DirectControl that go beyond the End State, see
"Evolving the Centrify DirectControl Solution" later in this guide, and see the Centrify Web
Introduction and Goals
The development information provided here focuses only on the aspects of DirectControl
that directly support achieving the End State.
Major Tasks and Deliverables
This section describes the installation and configuration of DirectControl that you need to
perform in order to develop the End State solution. The following list summarizes the
major tasks required to install and configure DirectControl for this solution:
Preparing your environment
  Install a domain controller, configure DNS, create test users and groups, and verify
Choose DirectControl Zones or Active Directory schema extensions
  Decide whether to use DirectControl Zones, Active Directory schema extensions for
  SFU, or both, for storing UNIX user data.
Install Centrify DirectControl on a Windows Server 2003 computer
  Decide whether to use a trial or commercial license, and then run the setup program
  to install DirectControl components on a Windows computer.