Typically known as DirectControl (or adclient), the Centrify agent is Centrify's Active Directory integration service. It leverages AD LDAP, Kerberos and Group Policy; with over 10 years of maturity, the agent has evolved to support diverse platforms and provides super user privilege management for UNIX/Linux and Windows platforms.
- NSS Module: Uses the NSS facility to present AD as a source of identity for users (passwd) and groups.
- PAM Module: The authentication against AD is implemented as a PAM module. Centrify implements authentication, account, session and password modules.
- Kerberos Libraries: MIT Kerberos compiled libraries with support for Microsoft's Kerberos implementation. The location of these tools is /usr/share/centrifydc/kerberos/bin.
- Group Policy Engine: Processes group policies from AD on the Unix/Linux and Mac platforms.
- Centrify-enhanced sudo: A version of sudo that leverages Roles and Rights defined in AD with Centrify.
- Command-line Tools: Centrify has implemented commands for the agent (ad commands), for privilege management (dz commands) and for auditing (da commands). In addition, there are PowerShell modules for the DirectManage components, as well as an SDK.
- LDAP and NIS Proxies: These proxies present AD information to clients that can't have the agent installed (such as filers, appliances, or legacy systems).
- Offline credential cache: Provides high performance (by not requiring a persistent LDAP connection to AD) and high availability (in case AD is not available or there's a network failure).
- External Modules: Provide SSO facilities for the Apache, Tomcat, Websphere and Weblogic Java2EE application servers, SAP (GUI and Netweaver) and DB2.
- Watchdog Process: Provides a backup mechanism for recovery and diagnostics in the case of a daemon failure.
Communicating with Active Directory
To talk to domain controllers, the Centrify agent uses the following communication ports:
Port | Description
TCP/UDP 389 | LDAP
TCP 3268 | Global Catalog search
TCP 88 | Kerberos TGT
TCP 464 | Kerberos password changes (passwd, adpasswd)
UDP 123 | Optional: Network Time Protocol (NTP) (*)
TCP 53 | DNS query for A and SRV records
TCP 445 | Optional: SMB to read Group Policies
Ephemeral ports | Required for communication
Communications between the Centrify client and the domain controllers are mutually authenticated and encrypted, just like when Windows clients communicate with DCs.
For more information, see this Technet article.
(*) By default, the Centrify AD client will make UNIX, Linux or Mac systems sync time with Active Directory Domain Controllers; you can use any NTP service, however you need to make sure that the system clock is within 5 minutes of the DC (which acts as a Kerberos KDC). This is a Kerberos requirement to protect against replay attacks.
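As an added example (not Centrify's own tooling), the following pre-flight check probes a domain controller on the TCP ports from the table above and applies the 5-minute clock skew limit; it assumes the DC name is resolvable from the agent host, and the port data is copied from the table (UDP entries are listed but not probed, because a UDP "connect" proves nothing).

```python
import socket

# (protocol, port, purpose, required) taken from the port table above
DC_PORTS = [
    ("tcp", 389, "LDAP", True),
    ("tcp", 3268, "Global Catalog search", True),
    ("tcp", 88, "Kerberos TGT", True),
    ("tcp", 464, "Kerberos password changes", True),
    ("udp", 123, "NTP (optional)", False),
    ("tcp", 53, "DNS A and SRV queries", True),
    ("tcp", 445, "SMB for Group Policy (optional)", False),
]
MAX_SKEW_SECONDS = 5 * 60  # Kerberos replay-protection limit

def clock_skew_ok(local_epoch: float, dc_epoch: float) -> bool:
    """True if the host clock is within the skew the KDC tolerates."""
    return abs(local_epoch - dc_epoch) <= MAX_SKEW_SECONDS

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe; False on refusal, timeout or name-resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dc_ports(dc_host: str, timeout: float = 2.0) -> dict:
    """Probe every TCP port; UDP entries are recorded as None (not probed)."""
    results = {}
    for proto, port, _purpose, _required in DC_PORTS:
        probe = tcp_reachable(dc_host, port, timeout) if proto == "tcp" else None
        results[f"{proto.upper()}/{port}"] = probe
    return results

def missing_required(results: dict) -> list:
    """Required ports that were probed and found unreachable."""
    return [f"{p.upper()}/{n}" for p, n, _, req in DC_PORTS
            if req and results.get(f"{p.upper()}/{n}") is False]

def loopback_selfcheck() -> bool:
    """Offline check of tcp_reachable: open while listening, refused after close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_ok = tcp_reachable("127.0.0.1", port, 1.0)
    srv.close()
    return open_ok and not tcp_reachable("127.0.0.1", port, 1.0)
```

Run `missing_required(check_dc_ports("dc01.example.com"))` from the agent host (hostname is a placeholder) before installing the agent; an empty list means every required TCP port answered.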