Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Discuss] AD/LDAP authentication

Your description of how it works isn't really accurate. Centrify
DirectControl (the authentication product) works as a client application
that works via PAM. It is simply a mechanism that authenticates users to
the system via AD and creates objects in AD that store Unix attributes, so
that they are accessible in such a way as to make those attributes
consistent across systems (they have a patent on this functionality). The
Express product only includes the client functionality for authentication
(and SSO); there is no Windows-side application in that case. For the
commercial version of the product you would have the Windows-side
applications which allow you to create "Zones" with different attributes
for each user, so that you can fine-tune access controls on a per-zone
basis. This allows you to do things like allow/disallow access to systems
based upon what Zone those systems are joined to, as well as fine-tune
permissions, apply GPOs, and assign per-zone group memberships (and lots of
other things). It also has DirectAuthorize, which is a product that allows
you to manage group- or user-based privilege elevation on a per-zone basis
(sudo-like functionality). The Windows application is only for management;
it doesn't run as a service and only needs to be installed on a system
joined to the domain (not necessarily a domain controller). It also doesn't
modify the AD schema in any way. There is also an MMC plugin for management
right in ADUC, and a bunch of GPO templates for adding policy for Linux,
Unix and Mac systems.

In short, Centrify DirectControl is simply a client program for
authentication, not unlike winbindd or slapd, except that it behaves more
like a Microsoft product (several of the founders of the company worked at
Microsoft), utilizing the domain itself to ensure redundancy, cross-system
consistency, and to simplify disaster recovery.

Grant M.

On Thu, Dec 21, 2017 at 1:54 PM, Jim Gasek <jim at> wrote:

> I've been at several companies that use Centrify (real name was "Centrify
> DirectAccess"). It is a natural fit for companies that already are, or
> traditionally have been, Windows shops. I.e., have Windows talent.
> It looks like they have released a "free" version (?) called "express".
> From a quick glance at the web page.
> It essentially allows Active Directory to be the authentication method for
> *nix by using a plug-in (not sure if that's the actual term) on the
> AD/server side, and an agent on the *nix side.
> You are essentially outsourcing *nix authentications to AD, and all the
> headaches of AD and Windows Domain Controllers.
> The agent installs have quite a few parameters to get straight, but load
> from a single script, "install", I think.
> You can be functional on the *nix side pretty easily, re-fetch the config
> cleanly (adflush), overcome the sync delay, and see the config (adinfo).
> The config is the AD config.
> I hate it mostly because I hate Windows, and AD, and DC.
> For the server (AD) side install, there is a Windows app that hooks into AD.
> They seem to "delegate" a subset (branch/tree?) of the AD configuration,
> called "linux" or "unix", to the *nix administrators.
> When windows has problems, you just have to reload the OS from scratch or
> revert to an earlier VM image.
> Have heard good things about FoxT if you want a commercial product which
> is more in line with *nix worldview/philosophy.
> Never used it.
> Thanks,
> Jim Gasek
> --- invalid at wrote:
> From: Derek Martin <invalid at>
> To: Richard Pieri <richard.pieri at>
> Cc: blu <discuss at>
> Subject: Re: [Discuss] AD/LDAP authentication
> Date: Thu, 21 Dec 2017 12:04:36 -0600
> On Fri, Dec 15, 2017 at 11:57:21AM -0500, Richard Pieri wrote:
> > The Centrify option has been brought up. It's my resort of choice if I
> > can't get native authentication working.
> I was going to suggest this as a possible solution also--we use it
> where I work.  I haven't done sysadmin work in many years now so
> I can't really comment on how well it would solve your problem.  The
> folks that do sysadmin here, do seem to be satisfied with how it meets
> our particular needs, but that's really all I can say.
> --
> Derek D. Martin   GPG Key ID: 0xDFBEAD02
> -=-=-=-=-
> This message is posted from an invalid address. Replying to it will
> result in undeliverable mail due to spam prevention. Sorry for the
> inconvenience.
> _______________________________________________
> Discuss mailing list
> Discuss at


Grant Mongardi
*Senior Systems Engineer*
*NAPC inc*
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w:  e: gmongardi at

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
