
Page 1: Dell EMC PowerScale OneFS: Centrify OpenLDAP Proxy Integration

H18208

Technical White Paper

Dell EMC PowerScale OneFS: Centrify OpenLDAP Proxy Integration

Abstract This document provides technical design considerations for integrating Dell

EMC™ PowerScale™ storage with the Centrify OpenLDAP proxy service.

June 2020

Revisions

Date Description

March 2020 Initial release

June 2020 PowerScale rebranding

Acknowledgments

Author: Lieven Lin

Support: Fab Viguier

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this

publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any software described in this publication requires an applicable software license.

Copyright © 2020 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell

Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [6/6/2020] [Technical White Paper] [H18208]

Table of contents

Revisions............................................................................................................................................................................. 2

Acknowledgments ............................................................................................................................................................... 2

Table of contents ................................................................................................................................................................ 3

Executive summary ............................................................................................................................................................. 4

Audience ............................................................................................................................................................................. 4

1 Overview ....................................................................................................................................................................... 5

2 Concepts ...................................................................................................................................................................... 6

2.1 Centrify Zones and UNIX profile ......................................................................................................................... 6

2.2 PowerScale and Centrify OpenLDAP proxy ....................................................................................................... 6

3 Deployment and validation ........................................................................................................................................... 8

4 Considerations............................................................................................................................................................ 11

4.1 Centrify Zones and PowerScale access zones ................................................................................................ 11

4.2 Order of resolving UNIX attributes in a Centrify Zone ...................................................................................... 13

4.3 Centrify SFU-compatible Zones ....................................................................................................................... 17

A Technical support and resources ............................................................................................................................... 18

A.1 Related resources............................................................................................................................................. 18

Executive summary

This document provides configuration details and considerations that can help storage architects and

administrators plan and integrate the Centrify® OpenLDAP proxy service with Dell EMC™ PowerScale™

products. This document addresses the following topics:

• PowerScale multiprotocol access challenges in a Centrify managed environment

• Basic Centrify concepts to integrate with PowerScale

• Planning, deployment, and validation to use the Centrify OpenLDAP proxy service

• Key considerations including Centrify Zones and the UNIX® profile

Audience

The guide is intended for experienced system and storage administrators who are familiar with file services

and network storage administration.

The guide assumes that the reader has a working knowledge of the following:

• Network-attached storage (NAS) systems

• PowerScale scale-out storage architecture and the PowerScale OneFS operating system

• PowerScale multi-protocol access and unified permissions model

• Identifiers for Microsoft® Windows® users and UNIX users

• Familiarity with PowerScale documentation on the PowerScale Info Hubs including OneFS release

notes that contain important information about resolved and known issues

For more information about the topics discussed in this paper, review the following publications:

• Dell EMC PowerScale OneFS: A Technical Overview

• Dell EMC PowerScale OneFS: Authentication, Identity Management, and Authorization

• PowerScale OneFS User Mapping

• PowerScale OneFS Web Administration Guide

• PowerScale OneFS CLI Administration Guide

• Current PowerScale Software Releases

1 Overview

Dell EMC PowerScale is a scale-out network-attached storage (NAS) product that supports multiple protocols.

In a multiprotocol environment, UNIX® and Microsoft® Windows® users access the same file through the same

directory structure, but through different protocols. PowerScale OneFS™ has its own unified permission

model to verify identities from different identity stores for authentication and authorization. For example, it can

verify identities of Microsoft Active Directory® (AD) for Windows users and Lightweight Directory Access

Protocol (LDAP) servers for UNIX users.

Organizations usually implement AD as an identity store for their Windows systems. However, they also use

LDAP servers as an identity store for UNIX systems. As the business grows, the numbers of managed

systems and users increase. Maintaining two separate identity stores (AD for Windows and LDAP for UNIX) is

costly and inefficient. Therefore, more organizations are integrating their UNIX systems with AD through other

commercial products. Also, they are enabling AD as the back-end unified identity store for both Windows and

UNIX.

Centrify Authentication and Privilege Elevation Services are commercial products that simplify cross-platform

identity management. They include rich functions such as role-based authorization for administrative tasks.

Centrify adds AD users, groups them into Centrify Zones, and applies one or more profiles to generate UNIX

attributes. These attributes can include the details such as the login name, UID, GID, and home directory

which are then used by UNIX systems. After authorization rules are configured through Centrify Access

Manager and a Centrify Agent is installed on UNIX systems, these UNIX systems can join Centrify Zones and

the AD domain. Ultimately, AD users can log in to the UNIX system with generated UNIX attributes.

If PowerScale storage is used for multiprotocol access in a Centrify environment, OneFS can only look up

user information from AD. It cannot recognize the user UNIX attributes generated by Centrify. This is a

challenge when AD users want to access files with different protocols from different operating systems. To

ensure that users are granted proper access to files, PowerScale storage must be able to recognize user

attributes in AD and UNIX attributes in Centrify. This white paper explains how to achieve this goal. It also

provides design considerations for understanding and configuring the PowerScale integration with the Centrify

Authentication and Privilege Elevation Services.

2 Concepts

This section introduces concepts that are related to Centrify integration with PowerScale storage.

2.1 Centrify Zones and UNIX profile

A Centrify Zone is a logical object that manages computers, users, groups, and other information about

organizations. Centrify Zones can be based on organizational principles and structured using classic zones,

hierarchical zones, or a combination of both. Classic zones provide a simple structure for delineating users

and groups with manually specified UID and GID. By contrast, hierarchical zones support inheritance,

enabling the creation of parent and child zones that share information as needed. Also, hierarchical standard zones

and hierarchical RFC-2307-compatible zones provide the following capabilities to generate the UID or GID of

users:

• Centrify method: Generates identical UIDs and GIDs across different Centrify Zones based on the

object security identifier (SID) in AD

• Apple method: Generates identical UIDs and GIDs across different Centrify Zones that are based on

the objectGuid in AD

• RFC 2307 attributes: Generates UIDs and GIDs based on the RFC 2307 attributes that are stored in

AD user and group objects, if applicable

• Manually specified UIDs and GIDs

See the Centrify page about Supported zone types for more information.

Centrify allows applying a UNIX profile to domain user accounts defined in an AD forest by adding the users

to Centrify Zones. Alternately, they can be added to a specific computer in a Centrify Zone. Multiple UNIX

profiles can be applied to an AD user account for different purposes. Associating a user profile with an AD

user account determines how the AD user UNIX attributes are identified by UNIX systems. This includes the

following UNIX attributes:

• User name (UNIX login name)

• Unique numeric user identifier (UID)

• User’s primary group profile numeric identifier (GID)

• General information about the user account (GECOS)

• The default home directory for the user

• The default login shell for the user

Like the other storage products, PowerScale storage cannot consume the above UNIX attributes directly to

resolve users. The Centrify OpenLDAP proxy service allows AD users to access file storage with UNIX

attributes. More detail is explained in section 2.2.

2.2 PowerScale and Centrify OpenLDAP proxy

The Centrify OpenLDAP proxy is an OpenLDAP server process that runs on a Centrify managed computer. It

enables LDAP clients to resolve the UID, GID, and group membership efficiently for AD users who have a

Centrify UNIX profile applied. It is commonly used in storage servers which provide multiprotocol access.

Figure 1 shows the integration for the PowerScale and Centrify OpenLDAP proxy service. For more

information about the Centrify OpenLDAP proxy, see the Centrify article Using Centrify OpenLDAP proxy

service.

AD is the back-end data storage for Centrify Zones, and Centrify user and group UNIX attributes are stored in

AD objects. As Figure 1 shows, the Centrify OpenLDAP proxy server collects user and group UNIX attributes

from AD through the Centrify Agent. The PowerScale system then requests these attributes from the proxy

through the LDAP protocol. Meanwhile, the PowerScale system retrieves the user and group SID directly from AD.

In this way, PowerScale storage provides consistent, multiprotocol access to different operating systems in a

Centrify environment.

Figure 1: Integrating PowerScale storage with Centrify OpenLDAP proxy service. Components shown: Centrify OpenLDAP proxy (with Centrify agent), Active Directory domain controller, and PowerScale storage. PowerScale retrieves SIDs through AD and retrieves UIDs/GIDs through LDAP from the proxy.

3 Deployment and validation

This section introduces the process to deploy PowerScale storage using the Centrify OpenLDAP proxy

service.

Before planning a Centrify OpenLDAP proxy service for PowerScale, become familiar with key concepts for

the Centrify Authentication and Privilege Elevation Services. Also, gather information about the existing

environment as follows:

• Collect a list of AD users who require access to PowerScale data with Centrify UNIX attributes.

• Collect Centrify Zone information which contains the AD users. The Centrify OpenLDAP proxy server

is a Centrify-managed computer under a Centrify Zone. If multiple Centrify Zones are involved,

multiple OpenLDAP proxy servers are required.

• Collect Centrify OpenLDAP proxy information if it already exists in each Centrify Zone. PowerScale

storage can reuse the existing Centrify OpenLDAP proxy server instead of requiring a new one to be

installed.

The following steps summarize the procedures to integrate PowerScale OneFS with the Centrify OpenLDAP

proxy server.

1. The Centrify administrator prepares the Centrify OpenLDAP proxy server by installing a new one or

using the existing server. PowerScale storage requires the following information about the proxy

server:

• Centrify Agent 19.9 and above is required on the OpenLDAP proxy server

• FQDN or IP address of the proxy server

• Base DN where the AD users are located

• Bind DN and password to retrieve users

Note: Prior to Centrify Agent version 19.9, the OpenLDAP proxy service omits the LDAP

pagedResultControl flag in its response to the client for the last page of results. PowerScale storage cannot retrieve a

full list of users or groups through the OpenLDAP proxy when using an older version of Centrify Agent. This

limitation may result in a failed user lookup. The error LW_ERROR_LDAP_CONTROL_NOT_FOUND is

observed on PowerScale storage when using an older version of Centrify Agent.

2. OneFS retrieves the AD user Centrify UNIX attributes by adding the Centrify OpenLDAP proxy server

as its LDAP authentication provider. Use either the OneFS CLI or WebUI to perform this task.

The following example adds the proxy server as the OneFS LDAP authentication provider by using

the OneFS CLI:

# isi auth ldap create --name=centrify-proxy --server-uris=ldap://centrifyproxy.vlab.local --base-dn=cn=users,dc=vlab,dc=local --bind-dn=cn=administrator,cn=users,dc=vlab,dc=local --bind-password=password

3. Add the LDAP authentication provider to the OneFS access zone as needed.

# isi zone modify --zone=System --add-auth-providers=ldap:centrify-proxy

4. Validate the AD user access token that contains the UNIX attributes from Centrify, including the UID

and GID information. Figure 2 shows the Centrify UNIX attributes of AD user centrifyuser10 in the

Centrify Access Manager Console. As highlighted, the user has a UID that is generated by Centrify

along with other attributes.

Figure 2: Centrify UNIX attributes for AD users

By default, the UNIX login name in Centrify is identical to the AD username sAMAccountName, and

OneFS applies the default user mapping to join the two users together. The following example output shows

the access token of the AD user after the Centrify OpenLDAP proxy server is added to OneFS. As

highlighted, the Centrify-generated UID/GID is contained in the AD user access token, which ensures

consistent data access across multiple protocols.

# isi auth mapping token vlab\\centrifyuser10

User

Name: VLAB\centrifyuser10

UID: 1879598772 (UID from Centrify UNIX attributes)

SID: S-1-5-21-2305304489-2399219675-2279148276-1146

On Disk: 1879598772

ZID: 1

Zone: System

Privileges: -

Primary Group

Name: VLAB\vlabgp01

GID: 1992295527 (GID from Centrify UNIX attributes)

SID: S-1-5-21-2305304489-2399219675-2279148276-1127

On Disk: 1992295527

Supplemental Identities

Name: VLAB\vlabgp02

GID: 1992295528 (GID from Centrify UNIX attributes)

SID: S-1-5-21-2305304489-2399219675-2279148276-1128

Name: Authenticated Users

SID: S-1-5-11

Name: centrifyuser10

GID: 1879598772

SID: S-1-22-2-1879598772

Note: Adding AD users into Centrify Zones with a different login name requires applying a OneFS user-mapping rule to ensure the AD-user access token contains a Centrify-generated UID/GID.
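The lookups that steps 1 through 4 describe, as an added example that is not part of the white paper and is not Dell EMC or Centrify code: a simulated Centrify OpenLDAP proxy that pages its results (and can reproduce the pre-19.9 behavior of omitting the paged-results control on the last page), a client that walks every page the way a paged LDAP search does, and the join of the AD SID with the Centrify UID/GID into an access token by login name, including the case from the note above where the Centrify login name differs from sAMAccountName. All entries, SIDs and UID/GID values are constructed; only the control OID is the real RFC 2696 value.

```python
"""Simulation of the two lookups OneFS performs for an AD user in this
integration: a paged LDAP search of the Centrify OpenLDAP proxy for UNIX
attributes, and an AD lookup for the SID, joined by login name into one token.

Added example, not Dell EMC or Centrify code. The proxy is simulated in-process
and every entry, SID and UID/GID value below is constructed.
"""

# Real OID of the LDAP Simple Paged Results control (RFC 2696).
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed: posixAccount-style entries as the proxy would expose them.
PROXY_ENTRIES = [
    {"uid": "centrifyuser10", "uidNumber": 1879598772, "gidNumber": 1992295527},
    {"uid": "centrifyuser11", "uidNumber": 1879598773, "gidNumber": 1992295527},
    {"uid": "jsmith-unix",    "uidNumber": 1879598774, "gidNumber": 1992295528},
]

# Constructed: sAMAccountName -> SID as returned by AD (placeholder SIDs).
AD_USERS = {
    "centrifyuser10": "S-1-5-21-1-2-3-1146",
    "centrifyuser11": "S-1-5-21-1-2-3-1147",
    "jsmith":         "S-1-5-21-1-2-3-1148",
}


class LdapControlNotFound(Exception):
    """Stand-in for the LW_ERROR_LDAP_CONTROL_NOT_FOUND condition on OneFS."""


class SimulatedProxy:
    """Returns search results one page at a time.

    With control_on_last_page=False it reproduces the pre-19.9 agent defect
    described in the text: the final page comes back without the paged
    results control, so the client cannot tell that the search is complete.
    """

    def __init__(self, entries, page_size, control_on_last_page=True):
        self.entries = entries
        self.page_size = page_size
        self.control_on_last_page = control_on_last_page

    def search(self, cookie=None):
        start = int(cookie) if cookie else 0
        page = self.entries[start:start + self.page_size]
        next_start = start + self.page_size
        last_page = next_start >= len(self.entries)
        controls = {}
        if not last_page or self.control_on_last_page:
            # An empty cookie on the control signals "no more pages".
            controls[PAGED_RESULTS_OID] = "" if last_page else str(next_start)
        return page, controls


def fetch_all_users(proxy):
    """Walk every page of the proxy's result set, as a paged LDAP client does."""
    results, cookie = [], None
    while True:
        page, controls = proxy.search(cookie)
        results.extend(page)
        if PAGED_RESULTS_OID not in controls:
            raise LdapControlNotFound("response carries no paged results control")
        cookie = controls[PAGED_RESULTS_OID]
        if cookie == "":
            return results


def can_enumerate(proxy):
    """True when a full user list can be retrieved through this proxy."""
    try:
        fetch_all_users(proxy)
        return True
    except LdapControlNotFound:
        return False


def build_access_token(sam_account_name, unix_entries, mapping_rules=None):
    """Join the AD identity with the UNIX attributes from the proxy.

    The default mapping joins on sAMAccountName == UNIX login name. For an AD
    user whose Centrify login name differs (the note in the text), an explicit
    rule (modelled here as a dict of AD name -> UNIX login name) is needed, or
    the token carries no Centrify UID/GID.
    """
    rules = mapping_rules or {}
    unix_login = rules.get(sam_account_name, sam_account_name)
    by_login = {e["uid"]: e for e in unix_entries}
    entry = by_login.get(unix_login)
    return {
        "name": f"VLAB\\{sam_account_name}",
        "sid": AD_USERS[sam_account_name],
        "uid": entry["uidNumber"] if entry else None,
        "gid": entry["gidNumber"] if entry else None,
    }


if __name__ == "__main__":
    users = fetch_all_users(SimulatedProxy(PROXY_ENTRIES, page_size=2))
    print(build_access_token("centrifyuser10", users))
    print(build_access_token("jsmith", users))
    print(build_access_token("jsmith", users, {"jsmith": "jsmith-unix"}))
    print("old agent can enumerate:",
          can_enumerate(SimulatedProxy(PROXY_ENTRIES, 2, control_on_last_page=False)))
```

A token whose uid is None is the symptom to look for after adding the provider: the AD lookup succeeded but no Centrify profile was joined, either because the login names differ or because the proxy could not be enumerated completely.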

4 Considerations

This section introduces considerations for integrating PowerScale storage with the Centrify OpenLDAP proxy

service.

4.1 Centrify Zones and PowerScale access zones

The Centrify OpenLDAP proxy is zone-based as mentioned previously. Multiple Centrify Zones may be

involved when integrating multiple Centrify OpenLDAP proxy servers with PowerScale storage. The basic

configuration model shown in Figure 3 adds them into the same PowerScale access zone as an identity store.

Figure 3: Adding multiple OpenLDAP proxy servers into a single PowerScale access zone. The OpenLDAP proxy for Centrify Zone zone01 and the OpenLDAP proxy for Centrify Zone zone02 are both added to OneFS access zone AZ01, as LDAP providers proxy01 and proxy02.

However, when different mechanisms are used to generate user UIDs/GIDs, an AD user may have different UID

information across different Centrify Zones. When a user has multiple UIDs from different Centrify

OpenLDAP proxies within a single PowerScale access zone, PowerScale storage uses the first UID that it

retrieves from Centrify. This behavior results in inaccurate file ownership and file permissions. It is recommended to

add each Centrify OpenLDAP proxy server to a dedicated PowerScale access zone. This prevents a user

from having multiple UIDs from Centrify within a single PowerScale access zone. Figure 4 shows

this configuration model.

Figure 4: Adding an OpenLDAP proxy server into a dedicated PowerScale access zone. The OpenLDAP proxy for Centrify Zone zone01 is LDAP provider proxy01 in OneFS access zone AZ01; the OpenLDAP proxy for Centrify Zone zone02 is LDAP provider proxy02 in OneFS access zone AZ02.

To validate whether a user has different UIDs across different Centrify Zones, perform the following: Log in to

the Centrify Access Manager console, locate the user, right-click AD Properties, and click Centrify Profile in

the prompt window. Figure 5 shows an example of the AD user centrifyuser10 added into three Centrify

Zones. The UID in testzone is generated using the Apple method that is based on the objectGuid in AD. The

UID in zone01 and zone02 is generated using the Centrify method that is based on the SID in AD.

Figure 5: User UIDs in different Centrify Zones
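The first-UID-wins behavior and the per-zone UID comparison described in this section, as an added example that is not part of the white paper and is not Dell EMC or Centrify code. It models one OneFS access zone as an ordered list of LDAP providers, reports AD users whose UID differs between proxies (the check Figure 5 shows done by hand in Access Manager), and shows why a file written under one UID is no longer owned by the same user once a different proxy answers first. Zone names, user names and UID values are constructed; the Centrify and Apple generation methods are represented only by their resulting numbers.

```python
"""Model of UID resolution when several Centrify OpenLDAP proxies (one per
Centrify Zone) are configured as LDAP providers on OneFS.

Added example, not Dell EMC or Centrify code; all names and UIDs are constructed.
"""

# Constructed: UID each proxy would return per login name. zone01 and zone02 use
# the Centrify (SID-based) method and agree; testzone uses the Apple method.
PROXY_UIDS = {
    "proxy-zone01":   {"centrifyuser10": 1879598772, "centrifyuser20": 1879598782},
    "proxy-zone02":   {"centrifyuser10": 1879598772, "centrifyuser20": 1879598782},
    "proxy-testzone": {"centrifyuser10": 1300000010, "centrifyuser20": 1300000020},
}


def resolve_uid(access_zone_providers, login_name):
    """Lookup within one OneFS access zone: providers are consulted in order and
    the first UID found is used, which is the behavior the text describes."""
    for provider in access_zone_providers:
        uid = PROXY_UIDS.get(provider, {}).get(login_name)
        if uid is not None:
            return provider, uid
    return None, None


def find_uid_conflicts(providers):
    """Users that would receive different UIDs depending on which proxy answers.
    Returns {login: {provider: uid}} for conflicting users only."""
    seen = {}
    for provider in providers:
        for login, uid in PROXY_UIDS[provider].items():
            seen.setdefault(login, {})[provider] = uid
    return {login: by_provider for login, by_provider in seen.items()
            if len(set(by_provider.values())) > 1}


def file_owner_matches(login_name, on_disk_uid, access_zone_providers):
    """Does the user, as resolved in this access zone, still own a file whose
    on-disk UID was recorded when another proxy answered first?"""
    _, uid = resolve_uid(access_zone_providers, login_name)
    return uid == on_disk_uid


def plan_access_zones(providers):
    """Dedicated OneFS access zone per proxy, as the text recommends, so each
    zone sees a single UID per user."""
    return {f"AZ{idx:02d}": [provider] for idx, provider in enumerate(providers, start=1)}


if __name__ == "__main__":
    shared = ["proxy-zone01", "proxy-zone02", "proxy-testzone"]
    print("conflicts in one access zone:", find_uid_conflicts(shared))
    print("resolved:", resolve_uid(shared, "centrifyuser10"))
    print("resolved with testzone first:", resolve_uid(list(reversed(shared)), "centrifyuser10"))
    for zone, providers in plan_access_zones(shared).items():
        print(zone, providers, "conflicts:", find_uid_conflicts(providers))
```

Running find_uid_conflicts over every proxy you intend to place in the same access zone before adding them is the cheap pre-check; an empty result means the first-wins rule is harmless for that set, a non-empty one means those proxies belong in separate access zones.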

4.2 Order of resolving UNIX attributes in a Centrify Zone

AD users can be added to a Centrify Zone or a specific zone-managed computer. Multiple UNIX profiles may

apply to an AD user in different levels, including the parent zone, child zone, and Centrify managed computer.

The profile information in the zone hierarchy is resolved from top to bottom for each user.

Figure 6 shows an example in which user joe has a UID of 90000 defined in the parent zone, and those

profile settings are inherited by the child zone without changes. In the Centrify OpenLDAP proxy computer,

under the child zone, the UID for joe is set to 80000 to override the inherited UID.

Figure 6: Resolving UNIX attributes in Centrify. The figure shows the profile of user joe at three levels:

Parent zone (Users): Login name: joe; UID: 90000; Primary GID: 90000; GECOS: %{u:displayName}; Home directory: %{home}/%{user}; Shell: %{shell}

Child zone (Users): Login name: joe; UID: Inherited; Primary GID: Inherited; GECOS: Inherited; Home directory: Inherited; Shell: Inherited

Centrify OpenLDAP proxy computer in the child zone (Users): Login name: joe; UID: 80000; Primary GID: Inherited; GECOS: Inherited; Home directory: Inherited; Shell: Inherited

When using the Centrify OpenLDAP proxy server to look up user UNIX attributes, the UNIX attributes are

resolved from the top of the Centrify Zone structure down to the Centrify managed computer that is the OpenLDAP

proxy server itself. Only the attributes nearest to the Centrify OpenLDAP proxy computer are returned to

PowerScale storage. Users defined under Centrify managed computers other than the OpenLDAP proxy computer

are not visible to or retrievable by PowerScale storage.
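The resolution order just described, as an added example that is not part of the white paper and is not Dell EMC or Centrify code: a walk from the parent zone through the child zone to the managed computer that runs the OpenLDAP proxy, where a value set at a lower level overrides the value inherited from above, plus the visibility rule that a user defined only on some other managed computer is never returned by the proxy. Zone and computer names, and the attribute values, are constructed; the joe/90000/80000 case mirrors Figure 6.

```python
"""Effective UNIX attribute resolution through a Centrify Zone hierarchy as seen
from the OpenLDAP proxy computer.

Added example, not Dell EMC or Centrify code; all profiles are constructed.
"""

INHERITED = None  # marker for a profile field shown as "Inherited" in Access Manager

ATTRIBUTES = ("uid", "gid", "gecos", "home", "shell")

# Constructed profiles: {login: {attribute: value or INHERITED}} per level.
PARENT_ZONE = {
    "joe": {"uid": 90000, "gid": 90000, "gecos": "%{u:displayName}",
            "home": "%{home}/%{user}", "shell": "%{shell}"},
}
CHILD_ZONE = {
    "joe": {"uid": INHERITED, "gid": INHERITED, "gecos": INHERITED,
            "home": INHERITED, "shell": INHERITED},
}
# Profiles applied to individual Centrify managed computers in the child zone.
# "ldapproxy" is the computer running the OpenLDAP proxy; "appserver01" is
# another managed computer with a user (ann) defined only there.
COMPUTERS = {
    "ldapproxy": {"joe": {"uid": 80000, "gid": INHERITED, "gecos": INHERITED,
                          "home": INHERITED, "shell": INHERITED}},
    "appserver01": {"ann": {"uid": 70001, "gid": 70001, "gecos": "Ann",
                            "home": "/home/ann", "shell": "/bin/sh"}},
}


def effective_profile(login, computer):
    """Walk parent zone -> child zone -> computer. A non-inherited value at a
    lower level overrides the value above it; the result is what the proxy on
    that computer would return. None if the user has no profile on that path."""
    levels = [PARENT_ZONE, CHILD_ZONE, COMPUTERS.get(computer, {})]
    result, found = {}, False
    for level in levels:
        profile = level.get(login)
        if profile is None:
            continue
        found = True
        for attr in ATTRIBUTES:
            value = profile.get(attr, INHERITED)
            if value is not INHERITED:
                result[attr] = value
    return result if found else None


def users_visible_to_proxy(proxy_computer):
    """Logins the OpenLDAP proxy on proxy_computer can return to PowerScale:
    zone-level users plus users added to that computer, never users that exist
    only on other managed computers."""
    names = set(PARENT_ZONE) | set(CHILD_ZONE) | set(COMPUTERS.get(proxy_computer, {}))
    return sorted(names)


if __name__ == "__main__":
    print("joe via ldapproxy:", effective_profile("joe", "ldapproxy"))
    print("joe via appserver01:", effective_profile("joe", "appserver01"))
    print("ann via ldapproxy:", effective_profile("ann", "ldapproxy"))
    print("visible from ldapproxy:", users_visible_to_proxy("ldapproxy"))
```

This is the same comparison the Effective UNIX User Rights view performs for the proxy computer; when a user is missing from that view, the profile usually sits on a different managed computer rather than in the zone.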

To check all available AD users through an OpenLDAP proxy server, perform the following steps: Locate the

OpenLDAP proxy computer in the Centrify Access Manager console, right-click the computer, click Effective

UNIX User Rights, and ensure that the Show AD users option is selected. Then, view all available AD users

and their final effective UNIX attributes for PowerScale storage (see Figure 7).

Figure 7: Check all available AD users through the OpenLDAP proxy server

You can also view UIDs for a specific user in different zones and computers directly. Figure 8 shows the

centrifyuser20 UIDs in Centrify. When PowerScale storage looks up centrifyuser20, the final UID under

ldapproxy computer overrides the inherited UID from the Centrify Zone testzone and is returned to

PowerScale storage.

Figure 8: UID generated at a different level

Check for the UID by using the OneFS CLI as highlighted in the following example. PowerScale storage

retrieves the UID 1992295556 under the ldapproxy computer with the OpenLDAP proxy service.

# isi auth mapping token vlab\\centrifyuser20

User

Name: VLAB\centrifyuser20

UID: 1992295556

SID: S-1-5-21-2305304489-2399219675-2279148276-1156

On Disk: 1992295556

ZID: 1

Zone: System

Privileges: -

Primary Group

Name: VLAB\vlabgp01

GID: 1992295527

SID: S-1-5-21-2305304489-2399219675-2279148276-1127

On Disk: 1992295527

Supplemental Identities

Name: VLAB\vlabgp02

GID: 1992295528

SID: S-1-5-21-2305304489-2399219675-2279148276-1128

Name: Authenticated Users

SID: S-1-5-11

4.3 Centrify SFU-compatible Zones

When the Microsoft Services for UNIX (SFU) schema extension is enabled in AD, Centrify uses only SFU-compatible zones. The AD user and group UNIX attributes are stored in the AD user and AD group objects.

PowerScale storage does not have to look up these users through the OpenLDAP proxy service. You can

enable the SFU support for AD providers when joining PowerScale storage into the domain. In this way,

PowerScale storage can directly retrieve the AD user UNIX attributes generated by the SFU schema

extension that is stored in AD.

Run the following to enable PowerScale SFU support for the AD provider using the OneFS CLI:

# isi auth ads create --name=<domain_name> --user=<ad_user> --password=<password> --sfu-support=true

To enable PowerScale SFU support for AD provider using the OneFS WebUI, click Access > Authentication

providers > Active Directory > Join a domain. Specify the Services for UNIX option with rfc2307, as

Figure 9 shows.

Figure 9: Enable SFU for OneFS AD provider

A Technical support and resources

Dell.com/support is focused on meeting customer needs with proven services and support.

Storage technical documents and videos provide expertise that helps to ensure customer success on Dell

EMC Storage platforms.

A.1 Related resources

The following documentation provides additional and relevant information. Accessing these documents may

require a login.

• PowerScale Info Hubs

• Dell EMC PowerScale OneFS: Authentication, Identity Management, and Authorization

• PowerScale OneFS User Mapping

• PowerScale OneFS Web Administration Guide

• PowerScale OneFS CLI Administration Guide

• Centrify Authentication and Privilege Elevation Services