
Importing existing users and groups

In document Centrify Server Suite 2014 (Page 87-100)


This chapter describes how to import users and groups from an existing identity store and map those users and groups to Active Directory users and groups with the Access Manager console. If you are not importing existing users and groups from local configuration files, such as /etc/passwd and /etc/group, or existing NIS domains, you can skip this chapter.

The following topics are covered:

• Determining the source for existing user information
• Preparing to import users and groups
• Using the Import from UNIX wizard
• Checking for conflicts and matching candidates
• Mapping UNIX profiles to Active Directory accounts
• Resolving conflicts for pending users and groups
• Resolving other issues for pending users and groups
• Making imported information available to NIS clients

Determining the source for existing user information

In many cases, you may already have UNIX account information defined in local configuration files (such as /etc/passwd and /etc/group) or in a networked identity store, such as NIS, NIS+, or LDAP, or in both. If you do, you can import that information and map it to Active Directory users and groups. To prepare for migration, you first need to determine where each computer gets its user information. You also need to analyze the existing information to determine if there are any conflicts and how the existing user population should be mapped into zones.

Once you have collected the appropriate information and determined your zone requirements, you can import the existing information into Active Directory and the appropriate zones using the Access Manager console and the Import from Unix wizard.

Note The next sections describe the steps for importing users and groups from an existing identity store into a zone. For more detailed information about planning the migration of an existing user population, including how to analyze and consolidate existing information before importing, see the Planning and Deployment Guide.

Preparing to import users and groups

With the Import from UNIX wizard, you can import directly from NIS servers and domains or from properly-formatted text files, such as local /etc/passwd and /etc/group files or files generated using the getent passwd and getent group commands. Each identity store may require its own zone, at least during initial deployment, and, therefore, is imported separately.

To prepare for an import:

• Identify each source of user information and analyze the information to determine your zone requirements.

• Run getent passwd, getent group, or niscat commands to export user information and save it in properly-formatted text files. These commands enable you to import user information from multiple identity stores, for example, both local files and NIS domains, or from a source that cannot be imported directly, such as NIS+ servers and domains.

• Verify that you can access NIS servers and domains from the Windows network if you want to import information directly from NIS maps rather than export the information to a text file.

• Verify that you can access individual /etc/group and /etc/passwd files from the Windows network if you want to import information directly from individual /etc/group and /etc/passwd files.

• Copy any text files from which you want to import information to a file share on the Windows network.

• Review the /etc/passwd, /etc/group, or text files you generated to remove account entries that don’t need to be mapped to Active Directory accounts. You can automatically exclude system accounts with UID or GID values from 0 to 99 during the import process, but may want to remove other accounts prior to the import. You may also want to review the remaining entries to determine whether the entries map to existing Active Directory accounts or require new Active Directory objects.
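The review step above can be done before the files ever reach the Windows file share. The following script is an added example, not Centrify's code: it parses passwd and group text in the format getent produces, applies the same 0 to 99 system-account cut-off and 8-character name limit that the wizard offers, and additionally reports duplicate names and IDs, which would otherwise surface later as import conflicts. The sample entries are constructed.

```python
# Added example (not Centrify's code): pre-import review of passwd/group text
# exported with "getent passwd" / "getent group". It mirrors two wizard
# options described above (dropping UID/GID 0-99 system accounts, flagging
# names longer than 8 characters) and also reports duplicate names and IDs.
from collections import Counter

# Constructed sample data, not taken from a real host.
PASSWD_TEXT = """root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
alongusername:x:1002:1001:Alexandra Longname:/home/alongusername:/bin/bash
dupuid:x:1001:1001:Duplicate UID:/home/dupuid:/bin/sh
"""
GROUP_TEXT = """root:x:0:
finance:x:1001:jsmith,alongusername
finance:x:1005:dupuid
"""


def parse_passwd(text):
    """Return one dict per well-formed 7-field passwd line."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guessing
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    """Return one dict per well-formed 4-field group line."""
    groups = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups.append({"name": name, "gid": int(gid),
                       "members": [m for m in members.split(",") if m]})
    return groups


def review(entries, id_key, include_system=False, max_name_len=8):
    """Filter and flag entries the way the wizard's import options do."""
    kept = [e for e in entries if include_system or e[id_key] > 99]
    name_counts = Counter(e["name"] for e in kept)
    id_counts = Counter(e[id_key] for e in kept)
    return {
        "kept": [e["name"] for e in kept],
        "excluded_system": [e["name"] for e in entries if e not in kept],
        "too_long": [e["name"] for e in kept if len(e["name"]) > max_name_len],
        "duplicate_names": sorted(n for n, c in name_counts.items() if c > 1),
        "duplicate_ids": sorted(i for i, c in id_counts.items() if c > 1),
    }
```

Run review() over both files and clear every reported duplicate before the import; the wizard can only filter the 0 to 99 range for you.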

Using the Import from UNIX wizard

You can import user and group information from local /etc/group and /etc/passwd files or from data exported from another identity store to a properly-formatted text file; see the previous section for information about identifying and preparing identity stores for import.

To import user and group information:

1 Open Access Manager console, expand Zones and if necessary Child Zones, and expand the zone into which you want to import users and groups. Select UNIX Data, right-click, then click Import from Unix.

2 Select the import source to use:

• Select Deployment Manager, then click Browse to import information from Deployment Manager.

If you use Deployment Manager to find computers in your environment, it stores information, including local users and groups, in a database file named datastore.sdf. Depending on your operating system, this file is located by default in one of these locations:

C:\Users\userName\AppData\Roaming\Centrify\DeploymentManager

or

C:\Documents and Settings\User\Application Data\Centrify\DeploymentManager

Click Next and go to Step 2.

• Select Network Information Service (NIS) to import information from an NIS server. If you select this option, you must also type the name of the NIS or NIS+ domain and the host name of the NIS or NIS+ server from which you want to import information into Active Directory. The NIS domain and server must be accessible from the Windows network for information to be imported successfully.

Click Next and go to Step 4.

• Select UNIX configuration files to import information from text files, such as /etc/passwd and /etc/group.

Click Browse to locate each file. The text files can be named with any file names you choose, but must be in the proper format for /etc/group and /etc/passwd files for fields to be imported correctly. Although the files can be imported independently, Centrify recommends you import both files at the same time.

Click Next and go to Step 4.

3 If you selected Deployment Manager in Step 2, select the computers from which to import UNIX information.

If you selected Network Information Service or UNIX configuration files in Step 2, go to Step 4.

The available options vary depending on whether you are importing from UNIX files or from Deployment Manager or NIS. For example:

Select this option: Include types (Users, Groups)
To do this: Specify whether to import users, groups, or both.
Note: These options are available for NIS and Deployment Manager import only. When importing from UNIX files, you select whether to import only users, only groups, or both, on the previous page. The current page shows the choice you made.

Select this option: Include system accounts
To do this: Import all accounts from the data source, including accounts with UID or GID values from 0 to 99. This option is available only when importing from UNIX files.
By default, the import wizard ignores accounts with UID or GID values from 0 to 99 during the import process. On most systems, UIDs and GIDs in this range are reserved for system or application accounts, such as root, tty, and ftp, which typically do not need to be imported and managed through Active Directory. If you select the Include system accounts option, these accounts will be included in the list of “Pending Import” Groups and “Pending Import” Users. You can then choose to map the accounts to Active Directory or remove them.
Note: There can be other system accounts with UID or GID values greater than 100. By default, the import manager can only automatically filter the accounts with UID or GID values less than 100. Even if you choose to allow automatic filtering, you may need to remove additional system accounts from the “Pending Import” list.

Select this option: Automatically shorten the Unix name to 8 characters
To do this: Limit UNIX user and group names to a maximum of 8 characters. By default, the import wizard imports user and group names as they are defined in the data source. In some operating environments, however, user and group names cannot be longer than 8 characters. If you have an environment that does not support user and group names longer than 8 characters, you can select Automatically shorten the Unix name to 8 characters to automatically remove any extra characters in the name during the import process.

5 Select a location for storing pending import data, then click Next.

For example, to store pending data for the current zone in an XML file, select Store in XML file and specify the location for the file. If the file does not already exist in the default location, you are prompted to create it. To select another location for the XML file, click Browse.

6 Review the summary of information to be imported, and check the Check data conflicts while importing option if you want to check for conflicts and potential matching candidates during the import process, then click Finish.

Note If you select the Check data conflicts while importing option in the Import from Unix wizard, the import process may take some time to complete if you have a large number of users or groups. If you don’t check this option, you must check the status of users or groups before you can map them to users and groups in Active Directory.

Checking for conflicts and matching candidates

When you click Finish to close the Import from Unix wizard, all of the user and group information to be imported is placed in Active Directory or in an XML file as Pending Import. You can then decide how each user and group should be mapped to accounts in Active Directory.


The process of moving information from Pending Import to UNIX profiles in Active Directory is a manual one. It requires you to review each group and user object and determine how it should be handled.

To move a user or group from Pending Import to a UNIX profile attached to an Active Directory user or group account, you must first check for potential conflicts and for potential matching user or group candidates in Active Directory. After this initial check, you need to resolve any conflicts and determine the Active Directory group or user each pending group or user should be mapped to.

To check the status of pending information:

1 In the Access Manager console, open UNIX Data > Users or UNIX Data > Groups under the zone where you imported user and group information.

For example, if you imported information for the “Finance” zone, open that zone, then expand the UNIX Data and Groups or Users node.

2 Select Pending Import to display the list of users or groups to be imported.

If you did not select the Check data conflicts while importing option in the Import from UNIX wizard, the Pending Import list will not display any status. For example:

If the Pending Import list displays other icons and the result of the initial check for the Status column, you can skip to “Mapping UNIX profiles to Active Directory accounts” on page 92.

If the current status is not displayed for the groups and users to be imported, you must check the status before continuing.

3 Select a user or group in the Pending Import list, right-click, then click Check status.

• If you select a Pending Import group, Access Manager checks for an Active Directory group with a common name (CN) or samAccountName that is the same as the UNIX group name.


• If you select a Pending Import user, Access Manager checks for an Active Directory user with a common name (CN) that is the same as the pending user’s GECOS field, or samAccountName that is the same as the UNIX user name.

If there is a match, Access Manager displays that group or user as the default Active Directory candidate. For example:

Note You can check the status of multiple users or groups at a time, but it is best to work with subsets of users and groups to reduce the impact on performance and improve the manageability of the import process.

If a potential matching candidate is found in Active Directory, the status for the UNIX profile is Ready to import. If Access Manager can’t identify a potential candidate in Active Directory or there are other issues, the status for the pending group or user displays a warning, such as No import candidate found. If a pending group or user cannot be imported because of a conflict, the status for the pending group or user describes the type of error encountered.
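The candidate check just described, as an added example that is not Centrify's code: it runs the two matching rules (group name against an AD group's CN or samAccountName; a user's GECOS field against an AD user's CN, or the UNIX user name against samAccountName) over a constructed in-memory stand-in for Active Directory and produces the Ready to import / No import candidate found status. Case-insensitive comparison is an assumption, since the guide does not say how the wizard compares names.

```python
# Added example (not Centrify's code): the Check status matching rule from
# the text, run against a constructed stand-in for Active Directory.
# Assumption: names are compared case-insensitively (the guide does not say).

# Constructed AD objects, not from a real directory.
AD_GROUPS = [
    {"cn": "finance", "sAMAccountName": "finance"},
    {"cn": "Web Developers", "sAMAccountName": "webdev"},
]
AD_USERS = [
    {"cn": "John Smith", "sAMAccountName": "jsmith"},
    {"cn": "Alexandra Longname", "sAMAccountName": "alongname"},
]


def _same(a, b):
    return a.strip().lower() == b.strip().lower()


def group_candidate(unix_group, ad_groups=AD_GROUPS):
    """AD group whose CN or samAccountName equals the UNIX group name."""
    for g in ad_groups:
        if _same(g["cn"], unix_group) or _same(g["sAMAccountName"], unix_group):
            return g["sAMAccountName"]
    return None


def user_candidate(unix_user, gecos, ad_users=AD_USERS):
    """AD user whose CN equals the GECOS field or whose samAccountName
    equals the UNIX user name."""
    for u in ad_users:
        if _same(u["cn"], gecos) or _same(u["sAMAccountName"], unix_user):
            return u["sAMAccountName"]
    return None


def pending_status(candidate):
    """Status text as shown in the Pending Import list."""
    return "Ready to import" if candidate else "No import candidate found"


def check_status(pending_users, pending_groups):
    """Return {"group:<name>"|"user:<name>": (candidate, status)}.
    pending_users is a list of (unix_name, gecos); pending_groups is a
    list of group names. Groups are listed first because the text says to
    map groups before users."""
    result = {}
    for name in pending_groups:
        c = group_candidate(name)
        result["group:" + name] = (c, pending_status(c))
    for name, gecos in pending_users:
        c = user_candidate(name, gecos)
        result["user:" + name] = (c, pending_status(c))
    return result
```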

Mapping UNIX profiles to Active Directory accounts

After you check the status of a pending group or user, you can choose the appropriate action to take to map the pending group or user to an Active Directory group or user. The actions you can take depend on the object you select and its current state. For example, if you select a pending group, you can choose to:

• Accept the default Active Directory candidate for the selected group if a candidate is identified.

• Create a new Active Directory group and attach the selected UNIX group profile to it.

• Extend an existing Active Directory group to include the selected UNIX group profile.

• Merge the members of the selected UNIX group with an existing UNIX group in Active Directory.

• Delete the selected UNIX group.

• View and modify the properties of the selected UNIX group.

Note You should map pending group profiles to Active Directory groups before mapping pending user profiles to Active Directory users to ensure the necessary groups are available for Pending Import users.

Accepting the Active Directory candidate

If Access Manager finds a potential match for the group or user in Active Directory, it displays the matching candidate in the details pane. If the matching candidate is the appropriate group or user to map the pending group or user to, you can accept the suggested candidate.

To accept the Active Directory group or user candidate suggested by Access Manager:

1 In the Access Manager console, open UNIX Data > Users or Groups under the zone where you imported user and group information.

2 Click Pending Import to display the list of users or groups to be imported.

3 Select the group or user in the Pending Import list.

4 Right-click, then click Accept.

After you accept the Active Directory candidate for a pending group or user, the group or user is removed from the Pending Import list.

Accepting pending group members

If you accept the default Active Directory candidate for a pending import group, all of the pending members that have an Active Directory candidate associated with them are also imported, and added as members of the Active Directory group. If any of the group’s members fail to be imported, the status of the pending import group is changed to Imported, but the group remains in the Pending Import list until the remaining members can be successfully imported.

Modifying pending group members

You can modify the members of a group while it is in a Pending Import or Imported state by selecting the group and viewing its properties. From the Properties dialog box, you can click the Members tab to add or remove members of the group or find and assign the Active Directory user each member of the group should be associated with.

Creating a new Active Directory account

If Access Manager did not find a potential match for the group or user in Active Directory, you may need to add a new Active Directory account for the pending group or user.

To create a new Active Directory group or user object for the group or user you are importing:

1 In the Access Manager console, open UNIX Data > Users or Groups under the zone where you imported user and group information.

2 Click Pending Import to display the list of users or groups to be imported.

4 Right-click, then click Create new AD group or Create new AD user.

When you select this action, you are prompted to provide the additional information needed to create the group or user account. For example, if you are creating a new group account you are prompted to specify:

• Location of the container for the group, typically Users.
• Active Directory name for the group.
• Pre-Windows group name.
• Scope of the group.

Similarly, if you are creating a new Active Directory user account you are prompted to specify:

• Location of the container for the user, typically Users.
• Display name for the user.
• Initial password for the user.
• Windows logon name for the user.

5 Review your settings, then click Next.

6 Verify that the option to Enable the Active Directory group or user is selected, then click Finish to make the group or user profile available to the zone and complete the import process.

Note Enabling the Active Directory group or user for the zone moves the UNIX profile out of the Pending Import list. If you skip this step, the UNIX profile remains in the Pending Import list until you accept the Active Directory candidate at a later time.

Adding a profile to an existing Active Directory account

If Access Manager did not find a potential match for the group or user in Active Directory but an appropriate Active Directory account exists, you need to select the Active Directory group or user account that should be extended to include the UNIX profile.


To extend an existing Active Directory group or user object to include the UNIX profile you are importing:

1 In the Access Manager console, open UNIX Data > Users or Groups under the zone where you imported user and group information.

2 Click Pending Import to display the list of users or groups to be imported.

3 Select the group or user in the Pending Import list.

4 Right-click, then click Extend existing AD group or Extend existing AD users to
