Zone containers and nodes

Many ADEdit commands require you to specify the zone container. This container is the root container used by Centrify to store the zone information for the users, groups, computers and child zones. This container can have any name and can be anywhere in Active Directory. This container can also be an organizational unit.

Before you proceed, you need to know the location of the zone containers in Active Directory and the distinguished names you use to specify the zone container and its objects.

This section illustrates some sample cases with different locations for the zone container and the distinguished name for commonly used variables in the scripts.

In this example, the installer defined a base organizational unit called Centrify. This architecture is often used because it puts all the UNIX-related information in a single branch. The container with the zone information is called Zones.

In addition to the Zones container location, the installation script requires the installer to specify a location for a container to store the Centrify software licenses. In this figure, the node—Licenses—is in the base organizational unit. However, it does not need to be there.

In this figure, the installer also created another organizational unit called UNIX Groups for the Active Directory groups used for the UNIX users. Keeping all of the groups created for the UNIX users in a single node simplifies managing them and the privileges assigned to each user. (With few exceptions, the UNIX users get their rights from the role assigned to the group in which they are a member.) Often, more organizational units are created for managing different classes of UNIX users and UNIX services.

There are two zones in this figure: the parent zone HQ and a child zone named Alpha. Each zone contains nodes labeled Computers, Groups, Users, and Authorization. When you specify a zone, computer, user, or group in an ADEdit command you must use the distinguished name. The following table illustrates the distinguished names.

Object type | Example | Example distinguished name
Domain | demo.test | dc=demo,dc=test
Base organizational unit | Centrify | ou=Centrify,dc=demo,dc=test
Zone container | Zones | cn=Zones,ou=Centrify,dc=demo,dc=test
Parent zone | HQ | cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test
Child zone | Alpha | cn=Alpha,cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test
Organizational unit | UNIX Groups | "ou=UNIX Groups,ou=Centrify,dc=demo,dc=test"
UNIX group | ApacheAdmins | "cn=ApacheAdmin,ou=UNIX Groups,ou=Centrify,dc=demo,dc=test"
Computer in Alpha zone | RHEL | cn=RHEL,cn=Computers,cn=Alpha,cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test

You should note that distinguished names can contain spaces, as illustrated by the UNIX Groups organizational unit. To prevent Tcl from interpreting a space as a new element in a list, enclose the distinguished name in double quotes ("") or in braces ({}). When specifying distinguished names, you should also be sure to use ou and cn correctly: an organizational unit is addressed with ou, a container with cn. Commands will fail if you refer to an organizational unit using cn.
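The following Tcl script is an added example, not part of the Centrify documentation. It builds the distinguished names from the table above from the sample domain demo.test and base organizational unit Centrify, and shows why an unquoted name containing a space breaks a command; the procedures zone_dn, zone_object_dn, check_ou_rdn and count_args are hypothetical helpers, and no ADEdit command is called.

```tcl
# Constructed sample values taken from the table on this page.
set domain_dn  "dc=demo,dc=test"
set base_ou_dn "ou=Centrify,$domain_dn"
set zones_dn   "cn=Zones,$base_ou_dn"

# A zone nests by prepending cn=<zone name> to its parent's DN
# (the parent of a top-level zone is the zone container).
proc zone_dn {name parent_dn} {
    return "cn=$name,$parent_dn"
}

# Objects in a zone live under its Computers, Groups or Users node.
proc zone_object_dn {name node zone_dn} {
    return "cn=$name,cn=$node,$zone_dn"
}

set hq_dn    [zone_dn HQ $zones_dn]
set alpha_dn [zone_dn Alpha $hq_dn]
set rhel_dn  [zone_object_dn RHEL Computers $alpha_dn]

# Organizational units must be addressed with ou=, containers with cn=.
# Given the DN of something known to be an OU, flag a leading cn=.
proc check_ou_rdn {dn} {
    set first [lindex [split $dn ,] 0]
    if {[string match -nocase "cn=*" $first]} {
        return "wrong: an organizational unit must use ou=, not cn="
    }
    return "ok"
}

# Stand-in for any command that expects one DN argument; it reports
# how many arguments Tcl actually passed to it.
proc count_args {args} {
    return [llength $args]
}

# Unquoted, the space in "UNIX Groups" splits the DN into two words,
# so the command receives two arguments instead of one.
puts [count_args ou=UNIX Groups,ou=Centrify,dc=demo,dc=test]
# Double quotes or braces keep the whole DN as a single argument.
puts [count_args "ou=UNIX Groups,ou=Centrify,dc=demo,dc=test"]
puts [count_args {ou=UNIX Groups,ou=Centrify,dc=demo,dc=test}]

puts $rhel_dn
puts [check_ou_rdn "cn=UNIX Groups,$base_ou_dn"]
puts [check_ou_rdn "ou=UNIX Groups,$base_ou_dn"]
```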