Linux authentication troubles? Try Active Directory
By Jack Loftus, News Writer
26 Jul 2007 | SearchEnterpriseLinux.com
Further complicating things, solutions for Linux authentication in heterogeneous data centers are legion. Finding the right fit can be as difficult as managing the problem itself. And as system administrators weigh the options, a central question is, Do any of the alternatives trump Microsoft's Active Directory (AD)?
Most metadirectory deployments synchronize data into at least one Lightweight Directory Access Protocol (LDAP) directory server to ensure that an LDAP application like single sign-on has access to recent data. System administrators can also create special LDAP directories for their Linux and Unix boxes. Big-box applications from IBM Corp., CA and Hewlett-Packard Co. are also available, but at a higher price point. Legacy approaches, such as Sun Microsystems' Network Information Service for password management, also exist, but experts warn that this approach often fails IT compliance regulations like the Sarbanes-Oxley Act (SOX).Is Active Directory the solution?
But many analysts say AD, Microsoft's implementation of LDAP directory services for central authentication and authorization services in Windows environments, is the answer. Instead of establishing a series of LDAP directories, maintaining a single repository in AD is much more manageable, say experts.
Why Active Directory? "Because it's there," said Dr. Ant Allan, research vice president with Stamford, Conn.-based Gartner Inc. "[Active Directory] is pretty much a ubiquitous platform within most organizations."
And even as Linux becomes more central to mission-critical data center operations, Microsoft's technology still makes sense for environments with multiple points of control and multiple user identity repositories, Allan said.
Sally Hudson, an analyst with Framingham, Mass.-based IDC, said it is in the IT manager's best interest to have an AD strategy in place given strict compliance standards like Sarbanes-Oxley.
"[Active Directory] is pervasive. Users need to leverage their existing investments in AD to remove silos of identity and provide fine-grained access control mechanisms within a mixed environment," she said.Making the case for Active Directory
Centrify Corp. CTO Paul Moore, who will present a session on authentication at the LinuxWorld Conference & Expo in San Francisco next week, said he often has to rationalize AD to Unix and Linux administrators.
"A rationale is necessary because we are trying to win over the Unix community within an enterprise; we are trying to persuade the *nix administrators within an organization that it is OK to trust AD as a master security store," he said.
And a raft of AD tools have cropped up to help make the case. Centrify's AD-syncing management and authentication dashboard Centrify DirectControl is used for centralized passwords and user privilege management on *nix machines. Other third-party applications such as Centeris Likewise Identity 3.0 and Quest Software Inc.'s Vintela Authentication Services offer similar functionality. A mainframe offering from Las Vegas-based Vanguard Integrity Professionals Inc. is also available.
Moore said there's been no history of serious security breaches with AD, even in light of the MS07-039 Active Directory update for Windows 2000 Server and Windows Server 2003 systems released earlier this month. The flaw could have allowed attackers to create malicious LDAP requests to take control of an affected system, but only if they were logged into a company's internal network, a Microsoft advisory on MS07-039 explained.
Even so, Moore said the exploit was a first for Active Directory, and the technology still boasts an 80%-85% market penetration."We often encounter two types of *nix administrators: those that have embraced [Active Directory] and those who see it as a necessary evil," Moore said. For the latter, Moore and his team highlight AD's security chops and the fact that it currently fulfills important regulatory requirements. "If you take a look at the Payment Card Industry Data Security Standard [PCI DSS], a large amount of what is described there is already met by AD. Therefore, if you make AD stretch out onto non-Windows systems, you can bring PCI compliance onto non-Windows systems," he said. The Active Directory checklist
During his LinuxWorld session on August 9, Moore will provide a checklist of considerations for determining the readiness of a data center.
As a preview of his session material, Moore laid out some of the more important questions IT managers should consider when evaluating a centralized Active Directory implementation:
- What kinds of machines will you move over to Active Directory?
- Which policies do you plan to enforce on these systems?
- Which servers will have access to which systems in your environment?
- Do you really know who has access to your system today? (Even if a user ID is taken from an existing Linux server and carried over to AD, the server won't know if the ID is relevant or if it should be granted access or not, he said. This creates security and SOX compliance concerns.)
Bottom line, IT managers need to determine who has access and who should have access. They need to establish the true intersection between technology and business needs.
Email Jack Loftus with your comments and suggestions.