Your description of how it works isn't really accurate. Centrify DirectControl (the authentication product) works as a client application that works via PAM. It is simply a mechanism that authenticates users to the system via AD and creates objects in AD that store unix attributes in AD so that they are accessible in such a way as to make those attributes consistent across systems (they have a patent on this functionality). The Express product only includes the client functionality for authentication (and SSO); there is no Windows-side application in that case.

For the commercial version of the product you would have the Windows-side applications which allow you to create "Zones" with different attributes for each user so that you can fine-tune access controls on a per-zone basis. This allows you to do things like allow/disallow access to systems based upon what Zone those systems are joined to, as well as fine-tune permissions, apply GPOs, and assign per-zone group memberships (and lots of other things). It also has DirectAuthorize, which is a product that allows you to manage group- or user-based privilege elevation on a per-zone basis (sudo-like functionality).

The Windows application is only for management and doesn't run as a service, and only needs to be installed on a system joined to the domain (not necessarily a domain controller). It also doesn't modify the AD schema in any way. There is also an MMC plugin for management right in ADUC, and a bunch of GPO templates for adding policy for Linux, Unix and Mac systems.
In short, Centrify DirectControl is simply a client program for authentication not unlike Winbindd or slapd, except that it behaves more like a Microsoft product (several of the founders of the company worked at Microsoft), utilizing the domain itself to ensure redundancy, cross-system consistency, and to simplify disaster recovery.

Grant M.

On Thu, Dec 21, 2017 at 1:54 PM, Jim Gasek <[email protected]> wrote:
> I've been at several companies that use Centrify (real name was "Centrify DirectAccess"). It is a natural fit for companies that already are, or traditionally have been, Windows shops. I.e., have Windows talent.
>
> It looks like they have released a "free" version (?) called "express". From a quick glance at the web page.
>
> It essentially allows Active Directory to be the authentication method for *nix by using a plug-in (not sure if that's the actual term) on the AD/server side, and an agent on the *nix side.
> You are essentially outsourcing *nix authentications to AD, and all the headaches of AD and Windows Domain Controllers.
>
> The agent installs have quite a few parameters to get straight, but load from a single script, "install", I think.
>
> You can be functional on the *nix side pretty easily, re-fetch the config cleanly (adflush), overcome the sync delay, and see the config (adinfo). The config is the AD config.
>
> I hate it mostly because I hate Windows, and AD, and DC.
> The server (AD) side install, there is a Windows app, and hooks into AD.
> They seem to "delegate" a subset (branch/tree?) of the AD configuration, called "linux" or "unix", to the *nix administrators.
> When Windows has problems, you just have to reload the OS from scratch or revert to an earlier VM image.
>
> Have heard good things about FoxT if you want a commercial product which is more in line with *nix worldview/philosophy.
> Never used it.
>
> Thanks,
> Jim Gasek
>
> --- [email protected] wrote:
>
> From: Derek Martin <[email protected]>
> To: Richard Pieri <[email protected]>
> Cc: blu <[email protected]>
> Subject: Re: [Discuss] AD/LDAP authentication
> Date: Thu, 21 Dec 2017 12:04:36 -0600
>
> On Fri, Dec 15, 2017 at 11:57:21AM -0500, Richard Pieri wrote:
> > The Centrify option has been brought up. It's my resort of choice if I
> > can't get native authentication working.
>
> I was going to suggest this as a possible solution also--we use it where I work. I haven't done sysadmin work in many years now so I can't really comment on how well it would solve your problem. The folks that do sysadmin here do seem to be satisfied with how it meets our particular needs, but that's really all I can say.
>
> --
> Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
> -=-=-=-=-
> This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> http://lists.blu.org/mailman/listinfo/discuss

--
Grant Mongardi
Senior Systems Engineer
NAPC inc
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, MA 02452
w: www.napc.com
e: [email protected]
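The thread describes DirectControl as a PAM client that authenticates against AD, with the agent's settings living in AD rather than on each host. A practical consequence is that a host is only correctly integrated when both its PAM auth stack and its NSS configuration point at the directory; one without the other gives users who can authenticate but not resolve to a uid, or the reverse. The following Python audit is an added example, not code from the thread or from Centrify. It parses a PAM service file and nsswitch.conf and reports how directory-backed authentication is wired in. The module name pam_centrifydc.so and the NSS source name centrifydc are assumptions about what the agent installs (the sets also cover winbind, sssd and pam_ldap stacks), and both sample configuration files are constructed for the example.

```python
import re

# Constructed sample of a PAM "auth" stack as left by an AD-integration agent.
# pam_centrifydc.so is assumed to be the module Centrify's agent installs;
# AD_MODULES below also covers winbind, sssd and pam_ldap stacks.
SAMPLE_PAM_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    sufficient  pam_centrifydc.so
auth    requisite   pam_centrifydc.so deny
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""

# Constructed sample /etc/nsswitch.conf. AD users must resolve here too,
# otherwise they can authenticate but get no uid/gid/home directory.
SAMPLE_NSSWITCH = """\
passwd:   files centrifydc
group:    files centrifydc
shadow:   files
hosts:    files dns
"""

AD_MODULES = {"pam_centrifydc.so", "pam_winbind.so", "pam_sss.so", "pam_ldap.so"}
AD_NSS_SOURCES = {"centrifydc", "winbind", "sss", "ldap"}
# type, control (plain word or bracketed form), module path, optional args
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples for each directive line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            ptype, control, module, args = m.groups()
            entries.append((ptype, control, module, args.split()))
    return entries


def parse_nsswitch(text):
    """Return {database: [source, ...]}, ignoring comments and blank lines."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def audit(pam_text, nss_text):
    """Report how directory-backed auth is wired into PAM and NSS."""
    auth = [e for e in parse_pam(pam_text) if e[0] == "auth"]
    nss = parse_nsswitch(nss_text)
    ad_entries = [e for e in auth if e[2] in AD_MODULES]
    result = {
        "ad_in_auth": bool(ad_entries),
        # A "sufficient" AD module ahead of pam_unix returns success as soon as
        # AD accepts the credentials; pam_unix staying in the stack keeps local
        # (break-glass) accounts working when the domain is unreachable.
        "ad_first": bool(auth) and auth[0][2] in AD_MODULES,
        "local_fallback": any(e[2] == "pam_unix.so" for e in auth),
        "nss_resolves_ad": all(
            any(s in AD_NSS_SOURCES for s in nss.get(db, []))
            for db in ("passwd", "group")
        ),
        "warnings": [],
    }
    if result["ad_in_auth"] and not result["nss_resolves_ad"]:
        result["warnings"].append(
            "AD module in auth stack but passwd/group list no directory source"
        )
    if result["ad_in_auth"] and not result["ad_first"]:
        result["warnings"].append(
            "AD module is not first in the auth stack: check that earlier "
            "modules do not short-circuit it"
        )
    if not result["local_fallback"]:
        result["warnings"].append(
            "no pam_unix.so in auth stack: local/emergency accounts cannot log in"
        )
    return result


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PAM_AUTH, SAMPLE_NSSWITCH).items():
        print(f"{key}: {value}")
```

On a real host, read /etc/pam.d/common-auth (or system-auth on Red Hat derivatives) and /etc/nsswitch.conf into the two arguments; the function returns a dict rather than printing, so it drops into a configuration-compliance check without change.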
