BLU Discuss list archive
[Discuss] AD/LDAP authentication
- Subject: [Discuss] AD/LDAP authentication
- From: gmongardi at napc.com (Grant Mongardi)
- Date: Fri, 22 Dec 2017 08:34:50 -0500
- In-reply-to: <20171221105424.2D182441@m0117458.ppops.net>
- References: <20171221105424.2D182441@m0117458.ppops.net>
Your description of how it works isn't really accurate. Centrify DirectControl (the authentication product) works as a client application that works via PAM. It is simply a mechanism that authenticates users to the system via AD and creates objects in AD that store unix attributes in AD so that they are accessible in such a way as to make those attributes consistent across systems (they have a patent on this functionality). The Express product only includes the client functionality for authentication (and SSO); there is no Windows-side application in that case. For the commercial version of the product you would have the Windows-side applications which allow you to create "Zones" with different attributes for each user so that you can fine-tune access controls on a per-zone basis. This allows you to do things like allow/disallow access to systems based upon what Zone those systems are joined to, as well as fine-tune permissions, apply GPOs, and assign per-zone group memberships (and lots of other things). It also has DirectAuthorize, which is a product that allows you to manage group- or user-based privilege elevation on a per-zone basis (sudo-like functionality). The Windows application is only for management and doesn't run as a service and only needs to be installed on a system joined to the domain (not necessarily a domain controller). It also doesn't modify the AD schema in any way. There is also an MMC plugin for management right in ADUC, and a bunch of GPO templates for adding policy for Linux, Unix and Mac systems.

In short, Centrify DirectControl is simply a client program for authentication not unlike winbindd or slapd, except that it behaves more like a Microsoft product (several of the founders of the company worked at Microsoft), utilizing the domain itself to ensure redundancy, cross-system consistency, and to simplify disaster recovery.

Grant M.
On Thu, Dec 21, 2017 at 1:54 PM, Jim Gasek <jim at gasek.net> wrote:
> I've been at several companies that use Centrify (real name was "Centrify DirectAccess"). It is a natural fit for companies that already are, or traditionally have been, Windows shops. I.e., have Windows talent.
>
> It looks like they have released a "free" version (?) called "express". From a quick glance at the web page.
>
> It essentially allows Active Directory to be the authentication method for *nix by using a plug-in (not sure if that's the actual term) on the AD/server side, and an agent on the *nix side.
> You are essentially outsourcing *nix authentications to AD, and all the headaches of AD and Windows Domain Controllers.
>
> The agent installs have quite a few parameters to get straight, but load from a single script, "install", I think.
>
> You can be functional on the *nix side pretty easily, re-fetch the config cleanly (adflush), overcome the sync delay, and see the config (adinfo). The config is the AD config.
>
> I hate it mostly because I hate Windows, and AD, and DC.
> The server (AD) side install: there is a Windows app, and hooks into AD.
> They seem to "delegate" a subset (branch/tree?) of the AD configuration, called "linux" or "unix", to the *nix administrators.
> When Windows has problems, you just have to reload the OS from scratch or revert to an earlier VM image.
>
> Have heard good things about FoxT if you want a commercial product which is more in line with the *nix worldview/philosophy.
> Never used it.
>
> Thanks,
> Jim Gasek
>
> --- invalid at pizzashack.org wrote:
>
> From: Derek Martin <invalid at pizzashack.org>
> To: Richard Pieri <richard.pieri at gmail.com>
> Cc: blu <discuss at blu.org>
> Subject: Re: [Discuss] AD/LDAP authentication
> Date: Thu, 21 Dec 2017 12:04:36 -0600
>
> On Fri, Dec 15, 2017 at 11:57:21AM -0500, Richard Pieri wrote:
> > The Centrify option has been brought up. It's my resort of choice if I
> > can't get native authentication working.
>
> I was going to suggest this as a possible solution also--we use it where I work. I haven't done sysadmin work in many years now so I can't really comment on how well it would solve your problem. The folks that do sysadmin here do seem to be satisfied with how it meets our particular needs, but that's really all I can say.
>
> --
> Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
> -=-=-=-=-
> This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss

--
Grant Mongardi
Senior Systems Engineer
NAPC inc
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w: www.napc.com
e: gmongardi at napc.com
<https://facebook.com/napcgroup> <https://twitter.com/NAPCgroup> <https://www.linkedin.com/company/205941/>