Adding UNIX Profiles Automatically

Adding UNIX user accounts to Active Directory on a large scale poses several challenges:

  • Provisioning: How do you provision large numbers of UNIX users and map them to unique Active Directory user objects?

  • Assigning roles: Once the UNIX users have profiles stored in Active Directory, how do you give each user just the privileges required?

  • Accommodating legacy UIDs: How do you migrate UNIX users who have different UIDs on different servers and maintain existing file ownership requirements?

One strategy for adding and managing a large number of UNIX profiles is to use the Zone Provisioning Agent and provisioning properties. The Zone Provisioning Agent can automatically provision new users with the full complement of UNIX profile attributes when you add them to an Active Directory group. Configuring the environment to illustrate automated provisioning with the Zone Provisioning Agent, however, requires several steps that are only applicable if you choose that deployment scenario.

The following steps summarize the process, but are not recommended for an evaluation.

To deploy the Zone Provisioning Agent

  1. Create an Active Directory service account with the “Log on as a service” user right.

  2. Open the Centrify Zone Provisioning Agent Configuration Panel and configure the service to use the service account you created for it.

  3. Create or identify the Active Directory groups you will use as source groups for UNIX users.

  4. Set the provisioning properties for the zone or zones where users will be automatically provisioned.

    For example, open Access Manager, select the parent zone, right-click, then select Properties to see the Provisioning properties. You can then set theActive Directory source group and how you want UNIX attributes to be automatically generated.

  5. Migrate all existing users using the appropriate override attributes into zones to preserve their profiles.

  6. Start the Zone Provisioning Agent service.

Keep in mind that the Zone Provisioning Agent takes over all user provisioning if enabled for a zone. After you start the service, you cannot use the Access Manager Add User option to add a user to the zone. This ensures that all UIDs are unique in the domain.

If you configure the Zone Provisioning Agent, you can add and remove users from selected Active Directory groups to automatically add or remove their UNIX profiles in a zone.

To add users after configuring zone provisioning

  1. Open the users.txt file in the /usr/share/centrifydc/samples/adedit directory to add more or change names.

    Use an editor that does not insert a carriage return at the end of each line. Each line must end with a line feed.

  2. Run the AddUnixUsers sample script in the directory to create the Active Directory account for each UNIX user and add each user to the Active Directory UNIX Users group.

    ./AddUnixUsers users.txt.

  3. Follow the prompts displayed to provide the following information for connecting to Active Directory:

    • Domain name.

    • The Active Directory account name that has administrator privileges in the organizational unit you’re using for the IBM Security zones.

    • The password for the Active Directory account.

  4. Type an initial password that meets the Active Directory requirements to be used for all of the accounts added.

  5. Open the IBM Security Zone Provisioning Agent Configuration Panel and click Restart.

  6. Open Access Manager or Active Directory Users and Computers and assign users to the appropriate Active Directory groups to assign rights.