Configuring Servers to Use the Proxy Service

Before you can use the Server Suite OpenLDAP proxy service to look up information stored in Active Directory, the network appliance, storage device, or file server you want to use must be configured to use LDAP to look up user and group information. In most cases, this is an option you configure when setting up a server or device.

If your vendor supports connecting to LDAP servers for authentication and authorization services, configuring the server or device to use the Server Suite OpenLDAP proxy requires the following high-level steps:

  1. Install Access Manager, create at least one zone, and add users to the zone.

  2. Assign the users to at least one role with the "User is visible" system right.

  3. Install the Server Suite Agent on a Linux or UNIX computer and join the computer to an Active Directory domain.

  4. Install the centrifydc-ldapproxy package on the Linux or UNIX computer.

  5. Start the centrify-ldapproxy service and verify proper operation.

  6. Set up the network appliance, storage device, or file server to use the Server Suite OpenLDAP proxy service to look up user and group information.

  7. Test the solution for proper end-to-end operation.

Installing the Server Suite OpenLDAP Proxy Service

On most platforms, the centrifydc-ldapproxy package is available with the Server Suite agent software package but is not installed by default. You can select the package in the installation script or install it using a native package installer.

To run the Server Suite OpenLDAP proxy service, the computer must:

  • Be joined to an Active Directory domain.

  • Have the Server Suite Agent installed and the adclient running.

In the following example, the agent is installed on a Linux computer and the computer is joined to the acme.org Active Directory domain.

To install the Server Suite OpenLDAP proxy service on a Linux computer

  1. Log on or switch to the root user, then navigate to the directory where you extracted Delinea files.

    For example, if you ran the gunzip and tar commands in the /tmp directory, change to the /tmp directory.

  2. Run install.sh or a native package manager to install the files.

    For example, run the following command:

    ./install.sh

    You can type K to keep any existing packages you have installed. When you see the Install the CentrifyDC-ldapproxy package prompt, type Y. Follow the remaining prompts displayed to complete the installation.

    Alternatively, you can use a native package manager. For example on most Linux distributions, you can run a command similar to this:

    rpm -Uvh centrifydc-ldapproxy-release-arch.rpm

    If you are installing on Solaris, unzip and extract the contents of the package, then run a command like this:

    pkgadd -d CentrifyDC-ldapproxy -a admin

    If you are using an installation program, such as SMIT or YAST, see the documentation for that program.

  3. If you want to start the ldapproxy service with parameters, configure the STARTUP_OPTS option.

    Run the appropriate command for your platform.

    • For CentOS, SLES

      echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/sysconfig/centrify-ldapproxy

    • For Debian

      echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/default/centrifyldapproxy

    • For HPUX

      echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/rc.config.d/centrify-ldapproxy

    • For AIX

      chssys -a "-d 0 -h ldaps:///" -s centrify-ldapproxy

    • For Solaris without Service Management Facility (SMF)

      echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/centrifydc/openldap/centrify-ldapproxy.conf

    • For Solaris with Service Management Facility (SMF)

      svccfg -s centrify-ldapproxy setprop 'slapd/STARTUP_OPTS=("-h" "ldaps:///")'

  4. Start the centrify-ldapproxy service.

    For example, on Linux computers:

    /usr/share/centrifydc/bin/centrify-ldapproxy start

  5. Test the service by searching for an object in the Active Directory domain.

    For example, to search for groups in the domain, you might type commands like this:

    cd /usr/share/centrifydc/bin
    ldapsearch -h localhost -p 389 -x -b "dc=pistolas,dc=org" -s sub "objectClass=group" -D "cn=amy.adams,cn=users,dc=pistolas,dc=org" -w password

    The -h and -p options are required to connect to Active Directory using the proxy service and the Delinea Agent. If the LDAP proxy service is not on the local computer, use the -h option to specify the name of the computer where you have installed it.

    You can also connect to Active Directory directly using a valid user name and password. For example:

    ldapsearch -D "cn=amy.adams,cn=users,dc=pistolas,dc=org" -W -h dc2012.pistolas.org -p 389 -x -b "dc=pistolas,dc=org" -s sub "objectClass=group"

  6. (Optional) Review and modify, if necessary, the default centrify-ldapproxy service start-up script in the /etc/init.d/ directory.

    You can use the /usr/share/centrifydc/bin/centrify-ldapproxy script to start, stop, restart or check the status of the Delinea OpenLDAP proxy service.

    Note: By default, the service starts automatically when the computer restarts.

Specifying the LDAP Server

After you have installed and tested the Server Suite OpenLDAP proxy service, the next step is to configure the network appliance, storage device, or file server to use the Server Suite OpenLDAP proxy service to look up user and group information. In most cases, this involves setting configuration options to specify the computer where the Server Suite OpenLDAP proxy service is running as the LDAP server you want to use in a local or system-wide ldap.conf file. You should consult the documentation provided by the vendor you are integrating with for details about how to set up LDAP integration.

Testing the Solution

After you have configured the network appliance, storage device, or file server to use the Server Suite OpenLDAP proxy service on a Server Suite-managed computer, you should verify that files created by a Windows user have the correct UID and GID to access those files from both a UNIX computer and a Windows computer.
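As an added check for the step 5 search and the UID/GID verification above (example code, not part of the Server Suite documentation): a POSIX shell function that reads LDIF as ldapsearch prints it and reports every entry that lacks a uidNumber or gidNumber, which is what a NAS or file server needs to map ownership. The attribute names assume RFC 2307-style output from the proxy, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example (not Server Suite code): verify that LDIF returned by the
# OpenLDAP proxy carries the POSIX identity attributes (uidNumber, gidNumber)
# needed to map a Windows user's files to a UID/GID on the UNIX side.

# check_posix_attrs FILE
# Prints "<dn>: missing <attr>" for each entry lacking uidNumber or gidNumber.
# Returns 0 when every entry is complete, 1 otherwise.
check_posix_attrs() {
    awk '
        BEGIN { bad = 0; dn = ""; has_uid = 0; has_gid = 0 }
        function flush() {
            if (dn != "") {
                if (!has_uid) { print dn ": missing uidNumber"; bad = 1 }
                if (!has_gid) { print dn ": missing gidNumber"; bad = 1 }
            }
            dn = ""; has_uid = 0; has_gid = 0
        }
        /^dn: /        { flush(); dn = substr($0, 5) }   # new entry starts
        /^uidNumber: / { has_uid = 1 }
        /^gidNumber: / { has_gid = 1 }
        /^$/           { flush() }                       # blank line ends entry
        END            { flush(); exit bad }
    ' "$1"
}

# Constructed sample LDIF: one complete user and one user with no gidNumber.
sample_ldif() {
    cat <<'EOF'
dn: cn=amy.adams,cn=users,dc=pistolas,dc=org
objectClass: user
objectClass: posixAccount
uid: amy.adams
uidNumber: 10001
gidNumber: 10001

dn: cn=bob.builder,cn=users,dc=pistolas,dc=org
objectClass: user
uid: bob.builder
uidNumber: 10002

EOF
}
```

In practice, pipe the output of the step 5 ldapsearch into a file and pass it to check_posix_attrs; a non-zero exit means at least one zone user will not map cleanly to a UID/GID.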