Enterprise Linux News:

Linux and Active Directory -- the plot thickens

By Jack Loftus, News Writer

31 Jan 2007 | SearchEnterpriseLinux.com

Centeris Corp., a Bellevue, Wash.-based startup, is the latest vendor to make news in the Linux ID management space, with the announcement of Likewise Identity 3.0 last week, but it certainly won't be the last. Integrating Linux servers into a mixed Microsoft Active Directory environment remains a challenge for companies large and small. Add legacy Unix systems to the mix and the problem just gets bigger.

Linux/Active Directory ID services summary:
Centeris, Centrify and Quest offer similar AD tools for Linux and Unix administrators, with the promise of better network security and SOX compliance. Here are some of the specifics of each product at a glance:

Centeris Likewise Identity 3.0 – A relative newcomer launched in January 2007. Identity 3.0 is priced at $249 per server in the standalone version and $349 per bundle when packaged with Likewise Administrator.

Centrify DirectControl – On the market since 2004. Many of the tools and AD GUIs found in Identity 3.0 have similar iterations here, but Centrify is pitching the product to enterprise-class customers with deployments in the hundreds of servers. Pricing is $300 per server and $50 per workstation.

Quest Vintela Authentication Services (VAS) – Re-launched in February 2006 after Quest Software acquired Vintela in 2005. Executives stress product focus is split between Linux and Unix systems administrators because of Unix-specific tool sets. $325 per server and $45 per user.

Two of Centeris' more vocal competitors include Centrify Corp. in Mountain View, Calif., and Quest Software Inc., in Aliso Viejo, Calif., with its Vintela Authentication Services (VAS). And while the products all share similarities, IT managers interested in leveraging Active Directory (AD) for their Linux servers would be wise to research each offering to confirm it does not under- or over-serve their heterogeneous environment.

Centrify -- better than nothing

Centrify's DirectControl shares many of the same features as Centeris Likewise Identity 3.0, including centralized password management and user privileges for Linux servers. DirectControl, like Identity, also features a familiar Windows-based GUI and tool set for Windows administrators managing Linux servers.

"Linux systems administrators will still have root user control to go in and boot systems, but mundane tasks can now be handled by existing AD tools and technologies," said Tom Kemp, CEO of Centrify. DirectControl is designed for enterprise environments of hundreds of servers or more, Kemp said.

For an example of a Centrify user, look to Carlos O'Ryan, chief technology officer of Automated Trading Desk (ATD), a trading services provider for domestic equity markets based in Mount Pleasant, S.C. O'Ryan oversees a data center comprised of 700 Linux and Windows-based IBM BladeCenter LS20s and LS21s.

Like many Linux administrators, O'Ryan had the tedious task of going server to server with password updates. With 700 servers needing individual attention every time an employee left the company, oftentimes ATD's "best practice" was to do nothing at all. "That was basically our big headache; we did not have any way to centrally control access," O'Ryan said.

With Centrify's DirectControl, O'Ryan estimated ATD saved approximately three-quarters of a person per year in personnel costs. "It's been great to have the ability to change configuration parameters from one central point. It was relatively hard to do before," he said. Password and permissions management, which O'Ryan described as "daunting," also became centrally managed.

Stories like these are typical of administrators overseeing large heterogeneous deployments. For all of the flexibility and cost savings associated with Linux, ID management and Group Policy efforts can be a burden as administrators must address each server locally. Before these interoperability players arrived on the scene, many experts agree there was no real way to sync Linux with Active Directory, leaving administrators with the unenviable position of doing nothing, like ATD's O'Ryan, or exploring AD alternatives like the open source Samba 4.0 project.

Questing for Unix/Linux AD tools

Quest's Vintela Authentication Services (VAS) also shares a familiar Windows tool set for managing Linux servers in a Windows environment, but goes a step further and includes several features aimed at Unix administrators working in heterogeneous Windows-Linux-Unix environments. In addition to Linux, Vintela supports IBM AIX, HP-UX, Sun Solaris and Java.

Indeed, the Unix distinction was emphasized by Darin Pendergraft, Quest's director of product management. "What has happened in the past with a lot of Unix customers is that they have used Sun's NIS as a central password management system," he said. "The thing is, NIS is failing Sarbanes-Oxley audits right now."

Sun Microsystems' NIS, or Network Information Service, is the company's client-server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Using it as a password server is a "big no-no," Pendergraft said, especially when Active Directory does such a good job with Group Policies. "Linux and Unix guys don't always get AD at first, so they use NIS to handle Group Policies," he said. By providing AD policies for both Unix and Linux boxes, Quest and Pendergraft believe they have a leg up on the competition.

Group Policy qualms

Linux administrators wary of relinquishing some of their control to a Microsoft service like Active Directory should rest easy, Quest's Pendergraft said. While the interface of these products is distinctively AD, many of the familiar Unix and Linux security protocols remain available to the user.

"The fear is always that Microsoft is a virus target, and administrators say they don't feel good about AD having control over their box," Pendergraft said. "But then we show them AD's Group Policy, and how it will still allow full local control over a box if a customer wants a local account."

It's a cultural divide that Linux administrators will have to "just get used to" in this day of Sarbanes-Oxley compliance and security risks, he said.
