Tuesday, December 10, 2013

Basic Concepts: The Centrify Agent

Centrify's Active Directory Client
Typically known as DirectControl (or adclient), this is Centrify's Active Directory integration service.  It leverages AD LDAP, Kerberos and Group Policy; with over 10 years of maturity, the agent has evolved to support diverse platforms and provides super user privilege management for UNIX/Linux and Windows platforms.


The architecture of the client in UNIX is as follows:
  • NSS Module:  Uses the NSS facility to present AD as a source of identity for users (passwd) and groups.
  • PAM Module:  The authentication against AD is implemented as a PAM module.  Centrify implements authentication, account, session and password modules.
  • Kerberos Libraries:  MIT Kerberos compiled libraries with support for Microsoft's Kerberos implementation.  The location of these tools is /usr/share/centrifydc/kerberos/bin.
  • Group Policy Engine:  Processes group policies from AD on the Unix/Linux and Mac platforms.
  • Centrify-enhanced sudo:  A version of sudo that leverages Roles and Rights defined in AD with Centrify.
  • Command-line Tools:  Centrify has implemented commands for the agent (ad commands), for privilege management (dz commands) and for auditing (da commands). In addition, there are modules for PowerShell for the DirectManage components, as well as an SDK.
  • LDAP and NIS Proxies:  These proxies present AD information to clients that can't have the agent installed (like filers, appliances, or legacy systems).
  • Offline credential cache:  Provides high performance (by not requiring a persistent LDAP connection to AD) and high availability (in case AD is not available or there's a network failure).
  • External Modules:  Provide SSO facilities for Apache, Tomcat, WebSphere, WebLogic Java2EE application servers, SAP (GUI and NetWeaver) and DB2.
  • Watchdog Process:  Provides a backup mechanism for recovery and diagnostics in the case of a daemon failure.

Communicating with Active Directory

To talk to domain controllers, the Centrify agent uses the following communication ports:

  • TCP 3268:  Global Catalog Search
  • TCP 88:  Kerberos TGT
  • TCP 464:  Kerberos password changes (passwd, adpasswd)
  • Optional:  Network Time Protocol (NTP)(*)
  • TCP 53:  DNS query for A and SRV records
  • TCP 445:  Optional:  SMB to read Group Policies
  • Ephemeral Ports:  Required for communication

Communications between the Centrify client and domain controllers are mutually authenticated and encrypted, just like when Windows clients communicate with DCs.

For more information, see this Technet article.

(*) By default, the Centrify AD client will make UNIX, Linux or Mac systems sync time with Active Directory Domain Controllers.  You can use any NTP service; however, you need to make sure that the system clock stays within 5 minutes of the DC (which acts as a Kerberos KDC).  This is a Kerberos requirement to protect against replay attacks.
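
A preflight check for the TCP ports in the list above, useful for confirming firewall rules between a UNIX host and a DC before joining it. This is an added example, not code from the original post or from Centrify; the function names and the required/optional flags (inferred from which entries the list marks "Optional") are assumptions.

```python
"""Preflight: can this host reach a domain controller on the TCP ports listed in the post?"""
import socket
import sys

# (port, purpose, required) taken from the port list in this post. "required" is an
# assumption: entries the post marks "Optional" are False, the rest True.
# Ephemeral ports are not probed, and the NTP entry carries no port on the page.
AD_TCP_PORTS = [
    (3268, "Global Catalog search", True),
    (88, "Kerberos TGT", True),
    (464, "Kerberos password changes", True),
    (53, "DNS A and SRV queries", True),
    (445, "SMB to read Group Policies", False),
]

def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, or name not resolved
        return False

def check_dc(host, ports=AD_TCP_PORTS, timeout=3.0, probe=tcp_open):
    """Probe each port; return (rows, ok). ok is False if any required port fails."""
    rows = [(p, why, req, probe(host, p, timeout)) for p, why, req in ports]
    ok = all(reachable for _, _, req, reachable in rows if req)
    return rows, ok

def format_report(host, rows):
    """Render one line per port so blocked required ports stand out."""
    lines = []
    for port, purpose, required, reachable in rows:
        state = "open" if reachable else ("BLOCKED" if required else "blocked (optional)")
        lines.append(f"{host} tcp/{port:<5} {state:<18} {purpose}")
    return "\n".join(lines)

def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <domain-controller-fqdn>")
        return 0
    rows, ok = check_dc(argv[1])
    print(format_report(argv[1], rows))
    return 0 if ok else 1  # non-zero exit lets a provisioning script stop early

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A completed handshake only shows that the path is open; it does not validate the Kerberos or LDAP service behind the port.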
