Hello all. New poster here.
What I'm trying to accomplish: Write an integration guide for FreeNAS and Centrify, using the Centrify LDAP Proxy. I am a Centrify employee.
Background:
- Centrify has been around for 10 years and the main focus is AD integration for non-Windows platforms. Over 5,000 customers use Centrify for UNIX/Linux/Mac AD integration, with close to 50% of the Fortune 50.
- I was recently approached by one of our community posters with a question around FreeNAS integration
http://community.centrify.com/t5/DirectControl-Express-for-UNIX/UID-and-GID-mapping-issues/m-p/19259
- I proceeded to explain to the poster that Centrify does not store UNIX identity data with the user/group objects. There are two modes:
Express/Workstation mode: community version, provides basic authentication. The UNIX identity of users and groups is predetermined (login = AD user, UID/GID = generated uniquely from the AD SID, GECOS = AD Display Name, Shell/Home = default of the OS).
Zone/Licensed mode: provides the ability to use either SFU or Centrify Standard modes and allows flexibility for the UNIX identity. In standard zone mode Centrify stores the RFC 2307 information not with the object but in a container called a Zone. This allows for more flexibility and provides authorization services.
- Manufacturers like Cisco and Quantum have added direct support to their appliances and know how to access this data directly.
- Others like NetApp or EMC can be integrated using the Centrify-provided LDAP (OpenLDAP-based) or NIS proxies. These lightweight services abstract Active Directory for older *NIXes or appliances so they can provide the UNIX identity of users.
- First I was looking at version 9.2.x and I realized that only one Directory Service can be active at a time. I was trying to use the NetApp/EMC approach of joining AD and configuring the LDAP proxy as the source of RFC 2307 UNIX attributes for users; however, the integration seemed to be very tied to Winbind idmap and that simply was not going to work. Also, it seems that using just LDAP, if Samba extensions aren't enabled on the OpenLDAP server side, FreeNAS won't enable support for CIFS.
The Centrify LDAP Proxy exposes all AD fields and POSIX info. It even works great using ldapsearch from the FreeNAS box. See an example here (engcen6 is my LDAP Proxy):
[root@freenas92] /usr/local/etc# ldapsearch -x -h engcen6.centrifyimage.vms -b "ou=it,ou=staff,dc=centrifyimge,dc=vms" "(&(objectclass=posixaccount)(uid=thomasf))" | more
# extended LDIF
#
# LDAPv3
# base <ou=it,ou=staff,dc=centrifyimge,dc=vms> with scope subtree
# filter: (&(objectclass=posixaccount)(uid=thomasf))
# requesting: ALL
#
# Fred Thomas, IT, Staff, centrifyimage.vms
dn: cn=Fred Thomas,ou=IT,ou=Staff,dc=centrifyimage,dc=vms
description: fred.thomas@CENTRIFYIMAGE.VMS
email: fred.thomas@rpdemo.net
gecos: Fred Thomas
gidNumber: 10015
homeDirectory: /home/thomasf
loginShell: /bin/bash
uid: thomasf
uidNumber: 10015
userPassword:: RnJlZCBUaG9tYXM=
accountExpires: 9223372036854775807
cn: Fred Thomas
displayName: Fred Thomas
lockoutTime: 0
logonHours:: ////////////////////////////
mail: fred.thomas@rpdemo.net
mobile: 781-880-4510
name: Fred Thomas
objectClass: top
objectClass: posixaccount
primaryGroupID: 513
pwdLastSet: 130610537571802760
sAMAccountName: fred.thomas
uSNChanged: 467102
userAccountControl: 512
userPrincipalName: fred.thomas@rpdemo.net
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
- Now I've moved to the 9.3.x beta and the capabilities have improved dramatically (congrats to the team), but I'm still running into issues because when I attempt to use Active Directory with the RFC 2307 idmap and LDAP Stand Alone, the system continues to use the archaic Winbind nomenclature.
(see screenshot attached).
What do you recommend? am I completely off-base here?
I'd be happy to help you set up the agent + LDAP Proxy. Your product is great and we're looking to provide more integration guides to our customers and community users.
Thanks in advance,
Robertson
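An added example, not part of the post above and not Centrify or FreeNAS code: before pointing an appliance at an LDAP proxy as its UNIX identity source, it is worth checking that the entries it returns actually carry the RFC 2307 posixAccount attributes a NAS needs, that the UID/GID values do not collide with the local system range, and that the AD account is not disabled. The script below parses ldapsearch LDIF output (handling comments, RFC 2849 line folding and the `::` base64 value syntax) and runs those checks. The inline sample is the entry from the post, trimmed and embedded so the script runs offline; the 1000 cutoff for the reserved UID/GID range and the function names are this example's own assumptions. It also decodes the `userPassword::` value, which in the posted output is the display name rather than a credential hash.

```python
"""Audit ldapsearch LDIF output for usable RFC 2307 posixAccount entries.

Added example (not the original poster's code). SAMPLE_LDIF is a constructed
inline copy of the entry shown in the post; on a live proxy, feed this script
the output of:
    ldapsearch -x -h <proxy> -b <base> "(&(objectclass=posixaccount)(uid=<user>))"
"""
import base64
import re

SAMPLE_LDIF = """\
# extended LDIF
# filter: (&(objectclass=posixaccount)(uid=thomasf))
#
# Fred Thomas, IT, Staff, centrifyimage.vms
dn: cn=Fred Thomas,ou=IT,ou=Staff,dc=centrifyimage,dc=vms
description: fred.thomas@CENTRIFYIMAGE.VMS
gecos: Fred Thomas
gidNumber: 10015
homeDirectory: /home/thomasf
loginShell: /bin/bash
uid: thomasf
uidNumber: 10015
userPassword:: RnJlZCBUaG9tYXM=
accountExpires: 9223372036854775807
cn: Fred Thomas
objectClass: top
objectClass: posixaccount
sAMAccountName: fred.thomas
userAccountControl: 512

# search result
search: 2
result: 0 Success
"""

# Attributes the posixAccount object class requires (RFC 2307, section 4).
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
# Active Directory userAccountControl bit for a disabled account.
UAC_ACCOUNTDISABLE = 0x0002
# Assumption for this example: IDs below this collide with local system accounts.
RESERVED_ID_MAX = 1000


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attribute name -> [values].
    Comment lines are skipped, folded lines (leading space) are joined, and
    values introduced by '::' are base64-decoded as LDIF requires."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuations
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
                current = None
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            current = {"dn": [value]}
        elif current is not None:  # trailer lines like 'result:' have no entry
            current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_posix_entry(entry):
    """Return a list of problems; an empty list means the entry is usable."""
    problems = []
    if "posixaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("objectClass posixAccount missing")
    for attr in POSIX_REQUIRED:
        if attr.lower() not in entry:
            problems.append(f"required attribute {attr} missing")
    for attr in ("uidnumber", "gidnumber"):
        for v in entry.get(attr, []):
            if not v.isdigit():
                problems.append(f"{attr} is not numeric: {v!r}")
            elif int(v) < RESERVED_ID_MAX:
                problems.append(f"{attr} {v} is inside the reserved system range")
    uac = entry.get("useraccountcontrol", ["0"])[0]
    if uac.isdigit() and int(uac) & UAC_ACCOUNTDISABLE:
        problems.append("account is disabled in AD (userAccountControl)")
    return problems


def decoded_userpassword(entry):
    """Decoded userPassword value (already base64-decoded by the parser), or None."""
    vals = entry.get("userpassword")
    return vals[0] if vals else None


def audit(text):
    """Map each entry's DN to the list of problems found with it."""
    return {e["dn"][0]: check_posix_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against `ldapsearch ... | python3 audit_ldif.py`-style piped output by replacing SAMPLE_LDIF with `sys.stdin.read()`; an entry that passes is one the appliance can map to a UNIX identity without relying on Winbind-generated IDs.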