Linux and Active Directory -- the plot thickens
By Jack Loftus, News Writer
31 Jan 2007 | SearchEnterpriseLinux.com
Centeris Corp., a Bellevue, Wash.-based startup, is the latest vendor to make news in the Linux ID management space, with the announcement of Likewise Identity 3.0 last week, but it certainly won't be the last. Integrating Linux servers into a mixed Microsoft Active Directory environment remains a challenge for companies large and small. Add legacy Unix systems to the mix and the problem just gets bigger.
Two of Centeris' more vocal competitors include Centrify Corp. in Mountain View, Calif., and Quest Software Inc., in Aliso Viejo, Calif., with its Vintela Authentication Services (VAS). And while the products all share similarities, IT managers interested in leveraging Active Directory (AD) for their Linux servers would be wise to research each offering to confirm it does not under- or over-serve their heterogeneous environment.
Centrify -- better than nothing
Centrify's DirectControl shares many of the same features as Centeris Likewise Identity 3.0, including centralized password management and user privileges for Linux servers. DirectControl, like Identity, also features a familiar Windows-based GUI and tool set for Windows administrators managing Linux servers.
"Linux systems administrators will still have root user control to go in and boot systems, but mundane tasks can now be handled by existing AD tools and technologies," said Tom Kemp, CEO of Centrify. DirectControl is designed for enterprise environments of hundreds of servers or more, Kemp said.
For an example of a Centrify user, look to Carlos O'Ryan, chief technology officer of Automated Trading Desk (ATD), a trading services provider for domestic equity markets based in Mount Pleasant, S.C. O'Ryan oversees a data center composed of 700 Linux and Windows-based IBM BladeCenter LS20s and LS21s.
Like many Linux administrators, O'Ryan had the tedious task of going server to server with password updates. With 700 servers needing individual attention every time an employee left the company, oftentimes ATD's "best practice" was to do nothing at all. "That was basically our big headache; we did not have any way to centrally control access," O'Ryan said.
With Centrify's DirectControl, O'Ryan estimated ATD saved approximately three-quarters of a person per year in personnel costs. "It's been great to have the ability to change configuration parameters from one central point. It was relatively hard to do before," he said. Password and permissions management, which O'Ryan described as "daunting," also became centrally managed.
Stories like these are typical of administrators overseeing large heterogeneous deployments. For all of the flexibility and cost savings associated with Linux, ID management and Group Policy efforts can be a burden because administrators must address each server locally. Many experts agree that before these interoperability players arrived on the scene there was no real way to sync Linux with Active Directory, leaving administrators in the unenviable position of doing nothing, like ATD's O'Ryan, or exploring AD alternatives like the open source Samba 4.0 project.
Questing for Unix/Linux AD tools
Quest's Vintela Authentication Services (VAS) also shares a familiar Windows tool set for managing Linux servers in a Windows environment, but goes a step further and includes several features aimed at Unix administrators working in heterogeneous Windows-Linux-Unix environments. In addition to Linux, Vintela supports IBM AIX, HP-UX, Sun Solaris and Java.
Indeed, the Unix distinction was emphasized by Darin Pendergraft, Quest's director of product management. "What has happened in the past with a lot of Unix customers is that they have used Sun's NIS as a central password management system," he said. "The thing is, NIS is failing Sarbanes-Oxley audits right now."
Sun Microsystems' NIS, or Network Information Service, is the company's client-server directory service protocol for distributing system configuration data such as user and host names between computers on a network. Using it as a password server is a "big no-no," Pendergraft said, especially when Active Directory does such a good job with Group Policies. "Linux and Unix guys don't always get AD at first, so they use NIS to handle Group Policies," he said. By providing AD policies for both Unix and Linux boxes, Quest and Pendergraft believe they have a leg up on the competition.
Group Policy qualms
Linux administrators wary of relinquishing some of their control to a Microsoft service like Active Directory should rest easy, Quest's Pendergraft said. While the interface of these products is distinctively AD, many of the familiar Unix and Linux security protocols remain available to the user.
"The fear is always that Microsoft is a virus target, and administrators say they don't feel good about AD having control over their box," Pendergraft said. "But then we show them AD's Group Policy, and how it will still allow full local control over a box if a customer wants a local account."
It's a cultural divide that Linux administrators will have to "just get used to" in this day of Sarbanes-Oxley compliance and security risks, he said.