Writing a FreeNAS/Centrify Integration Guide - Need Input

Status
Not open for further replies.

newrp01

Cadet
Joined
Nov 28, 2014
Messages
2
Hello all. New poster here.

What I'm trying to accomplish: Write an integration guide for FreeNAS and Centrify, using the Centrify LDAP Proxy. I am a Centrify employee.
Background:
  • Centrify has been around for 10 years and the main focus is AD integration for non-Windows platforms. Over 5,000 customers use Centrify for UNIX/Linux/Mac AD integration, with close to 50% of the Fortune 50.
  • I was recently approached by one of our community posters with a question around FreeNAS integration
    http://community.centrify.com/t5/DirectControl-Express-for-UNIX/UID-and-GID-mapping-issues/m-p/19259
  • I proceeded to explain to the poster that Centrify does not store UNIX identity data with the user/group objects. There are two modes:
    Express/Workstation mode: community version, provides basic authentication. The UNIX identity of users and groups is predetermined (login = AD user, UID/GID = generated uniquely from the AD SID, Gecos = AD Display Name, Shell/Home = default of the OS).
    Zone/Licensed mode: provides the ability to use either SFU or Centrify Standard modes and allows flexibility for the UNIX identity. In standard zone mode Centrify stores the RFC 2307 information not with the object but in a container called Zone. This allows for more flexibility and provides authorization services.
  • Manufacturers like Cisco and Quantum have added direct support to their appliances and know how to access this data directly.
  • Others like NetApp or EMC can be integrated using the Centrify-provided LDAP (OpenLDAP-based) or NIS proxies. These lightweight services abstract Active Directory for older *NIXes or appliances so they can provide the UNIX identity of users.
The problem(s)
  • First I was looking at version 9.2.x and realized that only one Directory Service can be active at a time. I was trying to use the NetApp/EMC approach of joining AD and configuring the LDAP proxy as the source of RFC 2307 UNIX attributes for users; however, the integration seemed to be very tied to Winbind idmap and that simply was not going to work. Also, it seems that using just LDAP, if SAMBA extensions aren't enabled on the OpenLDAP server side, FreeNAS won't enable support for CIFS.

    The Centrify LDAP Proxy exposes all AD fields and POSIX info; it even works great using ldapsearch from the FreeNAS box. See an example here (engcen6 is my LDAP Proxy):
    [root@freenas92] /usr/local/etc# ldapsearch -x -h engcen6.centrifyimage.vms -b "ou=it,ou=staff,dc=centrifyimge,dc=vms" "(&(objectclass=posixaccount)(uid=thomasf))" | more
    # extended LDIF
    #
    # LDAPv3
    # base <ou=it,ou=staff,dc=centrifyimge,dc=vms> with scope subtree
    # filter: (&(objectclass=posixaccount)(uid=thomasf))
    # requesting: ALL
    #

    # Fred Thomas, IT, Staff, centrifyimage.vms
    dn: cn=Fred Thomas,ou=IT,ou=Staff,dc=centrifyimage,dc=vms
    description: fred.thomas@CENTRIFYIMAGE.VMS
    email: fred.thomas@rpdemo.net
    gecos: Fred Thomas
    gidNumber: 10015
    homeDirectory: /home/thomasf
    loginShell: /bin/bash
    uid: thomasf
    uidNumber: 10015
    userPassword:: RnJlZCBUaG9tYXM=
    accountExpires: 9223372036854775807
    cn: Fred Thomas
    displayName: Fred Thomas
    lockoutTime: 0
    logonHours:: ////////////////////////////
    mail: fred.thomas@rpdemo.net
    mobile: 781-880-4510
    name: Fred Thomas
    objectClass: top
    objectClass: posixaccount
    primaryGroupID: 513
    pwdLastSet: 130610537571802760
    sAMAccountName: fred.thomas
    uSNChanged: 467102
    userAccountControl: 512
    userPrincipalName: fred.thomas@rpdemo.net

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1



  • Now I've moved to 9.3.x beta and the capabilities have improved dramatically (congrats to the team), but I'm still running into issues, because when I attempt to use Active Directory with the RFC 2307 idmap and LDAP Stand Alone, the system continues to use the archaic winbind nomenclature (see screenshot attached).
My question is:
What do you recommend? Am I completely off-base here?

I'd be happy to help you set up the agent + LDAP Proxy. Your product is great and we're looking to provide more integration guides to our customers and community users.

Thanks in advance,

Robertson
 

Attachments
  • freenas.png (47.9 KB)
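The post's ldapsearch output shows what a NAS gets back from the LDAP proxy: a posixAccount entry carrying the RFC 2307 attributes (uid, uidNumber, gidNumber, homeDirectory, loginShell, gecos) but no Samba schema attributes, which is exactly the combination the post says trips up FreeNAS's CIFS support. The script below is an added example for this thread, not FreeNAS or Centrify code. It parses LDIF as ldapsearch prints it (comment lines, base64 `::` values, folded continuation lines), reports which RFC 2307 attributes each entry lacks, and flags whether the entry carries Samba schema data. The LDIF it runs on is constructed, modelled on the entry in the post with two extra entries added to exercise the checks; the assumption that "SAMBA extensions" means the sambaSamAccount object class / sambaSID attribute is mine.

```python
"""Audit LDAP entries the way a NAS consuming an RFC 2307 source would.

Added example for this thread, not FreeNAS or Centrify code.  SAMPLE_LDIF
is constructed (modelled on the ldapsearch output in the post) and padded
with two extra entries so the checks have something to find.
"""
import base64

# RFC 2307 posixAccount MUST attributes plus loginShell (a MAY attribute a
# NAS still needs for a usable passwd record).  Lower-case, because LDAP
# attribute names are case-insensitive.
REQUIRED_POSIX = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                  "loginshell")

SAMPLE_LDIF = """\
# constructed sample, modelled on the entry in the post
dn: cn=Fred Thomas,ou=IT,ou=Staff,dc=centrifyimage,dc=vms
description: fred.thomas@CENTRIFYIMAGE.VMS
gecos: Fred Thomas
gidNumber: 10015
homeDirectory: /home/thomasf
loginShell: /bin/bash
uid: thomasf
uidNumber: 10015
userPassword:: RnJlZCBUaG9tYXM=
cn: Fred Thomas
objectClass: top
objectClass: posixaccount
sAMAccountName: fred.thomas

# constructed: entry missing cn and loginShell
dn: cn=No Shell,ou=IT,ou=Staff,dc=centrifyimage,dc=vms
uid: noshell
uidNumber: 10016
gidNumber: 10015
homeDirectory: /home/noshell
objectClass: top
objectClass: posixAccount

# constructed: entry with Samba schema, description folded over two lines
dn: cn=Samba User,ou=IT,ou=Staff,dc=centrifyimage,dc=vms
cn: Samba User
description: samba.user@CENTRIFYIMAGE
 .VMS
uid: sambauser
uidNumber: 10017
gidNumber: 10015
homeDirectory: /home/sambauser
loginShell: /bin/sh
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1000
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attr_lowercase: [values, ...]}.

    '::' marks a base64 value (as ldapsearch prints for userPassword),
    '#' starts a comment line, and a blank line terminates an entry.
    """
    entries, current = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(key.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_posix_attrs(entry):
    """Required attributes the entry lacks, plus non-numeric uid/gid numbers."""
    problems = [a for a in REQUIRED_POSIX if a not in entry]
    for a in ("uidnumber", "gidnumber"):
        if a in entry and not entry[a][0].isdigit():
            problems.append(a + " (non-numeric)")
    return sorted(problems)


def has_samba_schema(entry):
    """True if the entry carries Samba schema data (sambaSamAccount/sambaSID)."""
    classes = {v.lower() for v in entry.get("objectclass", [])}
    return "sambasamaccount" in classes or "sambasid" in entry


def audit(ldif_text):
    """Map each DN to its missing POSIX attributes and Samba-schema flag."""
    return {e["dn"][0]: {"missing": missing_posix_attrs(e),
                         "samba": has_samba_schema(e)}
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, result in audit(SAMPLE_LDIF).items():
        print(f"{dn}\n  missing: {result['missing'] or 'none'}"
              f"\n  samba schema: {result['samba']}")
```

Pipe real `ldapsearch -x -h <proxy> -b <base> "(objectclass=posixaccount)"` output into `parse_ldif` to run the same audit against a live proxy; an entry that comes back with nothing missing but `samba: False` is the shape of data the post describes, usable for NFS identity but not enough on its own for FreeNAS to turn on CIFS.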

jkh

Guest
Hi Robertson,

This definitely sounds like an issue you need to engage directly with our developers on. Can I ask you to file a bug report at bugs.freenas.org with all of the above information (you can also attach that screenshot to the bug) and I'll make sure it gets to our Active Directory / LDAP engineer for follow-up, and hopefully whatever needs to happen to support Centrify will happen in time for 9.3-RELEASE!

Thanks.
 

newrp01

Cadet
Joined
Nov 28, 2014
Messages
2
JKH,

Thanks for the follow-up. I will file a bug.
Whatever your engineers need I can make available (test bits, etc.).

Have a great weekend,

R.P
 