Mapping settings to a virtual registry

In the Windows environment, most of the configuration settings defined in a Group Policy Object are implemented through entries in the local Windows registry. For Linux, UNIX, and Mac OS X computers and users, however, local configuration details are typically defined using a set of configuration files stored in the /etc directory. In addition, the Windows and Linux, UNIX, and Mac OS X environments have different configuration requirements, and consequently require different settings to be available through group policy.

To address these differences, Centrify provides its own group policies that allow administrators to use Group Policy Objects to configure settings for Centrify-managed computers and users. To enable you to use Group Policy Objects to configure settings for Linux-, UNIX-, and Mac OS X-based computers and users, Centrify:

  • Provides its own administrative templates (.xml and .admx files) that define Linux-, UNIX-, and Mac OS X-specific configuration settings.
  • Uses the adclient daemon to collect configuration details from Active Directory based on the Group Policy Objects applied for the current computer or user and create a virtual registry of those configuration settings on the local Linux, UNIX, or Mac OS X computer.
  • Runs local programs that map the configuration details in the virtual registry to the appropriate configuration file changes on the local Linux, UNIX, or Mac OS X computer.

The virtual registry is a collection of files that contain all of the group policy configuration settings from the group policies applied to the computer through the group policy hierarchy, including settings that apply only to Windows computers. Because the files that make up this virtual registry are not native to the Linux, UNIX, or Mac OS X environment, the Centrify software then uses a set of mapping programs to read the files, determine the settings that are applicable to Linux, UNIX, or Mac OS X computers and users, and make the appropriate changes in the corresponding Linux, UNIX, or Mac OS X configuration files to implement the configuration specified. The mapping programs ignore any Windows-specific settings that have been applied and only map the settings that are appropriate for the Linux, UNIX, or Mac OS X environment.

Note: The virtual registry only supports the group policies that are implemented through registry settings. Group policies that are implemented in other ways, for example, by running an executable script on each computer, aren’t supported.

The authentication service daemon, adclient, retrieves policy settings from the Active Directory domain controller and starts the program runmappers (/usr/share/centrifydc/mappers/runmappers). The runmappers program runs the individual mapping programs that are stored in the /usr/share/centrifydc/mappers/machine and /usr/share/centrifydc/mappers/user directories. Those individual mapping programs read settings from the virtual registry and write them as the appropriate settings in application-specific configuration files.

The individual mapping programs also keep track of local changes that conflict with group policy settings, so those changes can be restored if the computer is removed from the domain, or if the configuration setting is removed from a Group Policy Object.
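Because adclient starts runmappers and the mapping programs rewrite local configuration files, the ownership and write permissions of the mapper tree are worth auditing. The script below is an added example, not Centrify tooling or code from the original page; the helper name audit_mappers is hypothetical, and the expectation that the tree is owned by root is an assumption you can change through the second argument.

```shell
#!/bin/sh
# Added example (not Centrify tooling): permission audit of the mapper tree.
# Default path is the one given in the text; override with MAPPER_ROOT.
MAPPER_ROOT="${MAPPER_ROOT:-/usr/share/centrifydc/mappers}"

# audit_mappers ROOT OWNER   (hypothetical helper name)
# Prints "reason<TAB>path" per finding.
# Returns 0 = clean, 1 = findings, 2 = ROOT is not a directory.
audit_mappers() {
    root=$1
    owner=$2    # assumption: mappers should belong to root; name or UID
    if [ ! -d "$root" ]; then
        printf 'missing\t%s\n' "$root"
        return 2
    fi
    findings=$(
        {
            # Anything not owned by the expected account (runmappers,
            # machine/, user/ and every mapper beneath them).
            find "$root" ! -type l ! -user "$owner" \
                -exec printf 'owner\t%s\n' {} \;
            # Group- or world-writable files and directories.
            find "$root" ! -type l \( -perm -0020 -o -perm -0002 \) \
                -exec printf 'writable\t%s\n' {} \;
            # Symlinks are not followed; list them so targets can be reviewed.
            find "$root" -type l -exec printf 'symlink\t%s\n' {} \;
        } | sort -u
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Audit the installed tree when it is present on this host.
if [ -d "$MAPPER_ROOT" ]; then
    audit_mappers "$MAPPER_ROOT" root || echo "review the findings above" >&2
fi
```

The audit covers only the mapper tree itself; the parent directories leading to it need the same ownership and permission properties for the result to mean anything.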