Enterprise Linux News:
Microsoft shop seeks help with multiplying Linux boxes
By Jack Loftus, News Writer
03 Oct 2007 | SearchEnterpriseLinux.com
The number of Linux boxes that the University of Maryland was adding to its Center for Advanced Study of Language (CASL) department was increasing by leaps and bounds. It was growing so fast, in fact, that the CASL team had recently started to expand physically into new buildings on the Maryland campus.
But for a historically Microsoft-centric shop, this expansion posed a problem.
Physically, the environment was running just fine, said Gerhard Bartsch, an enterprise systems engineer with the CASL department. His staff was performing admirably, and his eclectic mix of Dell 1850s, 2900s, and 6950s running Windows Server 2003 was well supported and humming along without a hitch.
But the new Red Hat Enterprise Linux (versions 3 through 5) boxes the team had deployed to run large parallel-processing applications were new to the CASL staff. "The majority of [our IT staff] are Windows administrators. They are not familiar with Linux, and yet they are using Linux in the same breadth as Windows," Bartsch said.
More Linux meant more cross-platform management. As is often the case in heterogeneous environments, the trouble started when it came time to authenticate users on the Linux machines: out of the box, a Linux host checks credentials against its own local account files, and hooking it into a Windows domain takes additional configuration on every box. That left a tough choice: hire and train another Linux administrator, or find software that could bridge the gap using technology already in place, namely Microsoft's Active Directory (AD).
Active Directory compatibility
Faced with budget constraints, Bartsch chose the latter approach.
Today, system administrators have a bevy of options at their disposal for synchronizing user data from disparate systems, so the real issue is finding the one that fits best.
Most metadirectory deployments, for example, synchronize data into one or more Lightweight Directory Access Protocol (LDAP) directory servers to ensure that an LDAP application such as single sign-on has access to the data. System administrators can also build such directories for Linux and Unix boxes. Sun Microsystems' Network Information Service (NIS) is an option for password management on older systems, but because it hands its password maps to any host on the network with little access control, experts warn that this approach often fails IT compliance regulations such as the Sarbanes-Oxley Act.
In Bartsch's Windows-heavy environment, staff needed familiar admin tools that would work without being a detriment to the Linux boxes.
Unfortunately for CASL, most metadirectory vendors charge top dollar for their products, Bartsch said. IBM Corp., CA and Hewlett-Packard Co. all have products available, but at a price point that often climbs into the hundreds of thousands of dollars. While researching less expensive alternatives to Big Blue and HP, Bartsch said he found only two vendors that met his needs: Mountain View, Calif.-based Centrify Corp., and Bellevue, Wash.-based Centeris Corp.
While both vendors pitched similar price points, Centeris Likewise 3.0, quoted at roughly $30 per desktop client, edged out Centrify's quote for DirectControl. Bartsch wouldn't discuss how much each vendor had asked per agent on the server side but said the quotes were relatively competitive with one another. For reference, the Centeris Web site lists Likewise at $249 per server. With its easy-to-install application and the option to integrate with Active Directory without changing any schemas, Centeris became the leading choice. Centeris also promised future support for Macintosh-based clients, as well as several flavors of Unix (Solaris included).
VMware testing brings peace of mind
Before Bartsch "officially" installed Centeris agents on his Linux boxes, he had the opportunity to test the application on a virtual snapshot of his entire infrastructure using VMware ESX Server.
"With VMware, we could take the current backup we had put into VMware and recover the entire copy of our infrastructure," Bartsch said. "We had that copy available for testing and that meant our developers, engineers, system administrators and coordinators could go into the testing environment, test a project on a replica of our system, and have [Centeris] and Active Directory controls already running."
During these trial installs, any problems became apparent immediately, without any effect on the production systems. Meanwhile, support calls could be made in exactly the same way as they would be in production, Bartsch said. "This way I could find out if it was going to be like pulling teeth, or if they were offering gold-level support, whether or not they'd be working when I called," he said.
Linux management via Active Directory
Once testing wrapped up, the installation began. Centeris' support team and the CASL system administrators installed Likewise clients on every Linux machine and joined each one to Active Directory, so that the Linux account attributes could be held within it. Teams then established new Active Directory groups -- effectively Linux groups -- and assigned UIDs (user IDs) to all 100,000 Linux users on the system, which are now managed centrally by AD.
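Assigning UIDs centrally to accounts that already exist on the Linux hosts is where such a rollout usually bites: a directory-assigned UID that collides with a local account silently gives one user another user's files. The pre-flight check below is an added example for this article, not code from Centeris, Likewise or the CASL team. It parses /etc/passwd and /etc/group style data, compares a planned set of domain accounts against it, and reports collisions, duplicates, out-of-range IDs and missing primary groups before anything is written into the directory. The ID range, user names and file contents are constructed for the example.

```python
"""Pre-flight check for a centrally managed UID/GID mapping (added example).

Verifies that Unix identities planned for directory-managed users do not
collide with accounts already present on the Linux hosts being joined, fall
inside the range reserved for domain users, and reference an existing
primary group. All sample data below is constructed for the example.
"""
from dataclasses import dataclass

# Assumed site policy for directory-assigned IDs; not a figure from the article.
DOMAIN_UID_MIN = 100000
DOMAIN_UID_MAX = 1999999


@dataclass(frozen=True)
class UnixEntry:
    name: str
    uid: int
    gid: int


def parse_passwd(text):
    """Parse /etc/passwd-style lines (name:x:uid:gid:...) into UnixEntry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(UnixEntry(fields[0], int(fields[2]), int(fields[3])))
    return entries


def parse_group(text):
    """Return {gid: groupname} from /etc/group-style lines (name:x:gid:members)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed group line: {line!r}")
        groups[int(fields[2])] = fields[0]
    return groups


def check_mapping(planned, local_passwd, local_groups, planned_groups):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    local_by_uid = {e.uid: e.name for e in local_passwd}
    local_by_name = {e.name: e.uid for e in local_passwd}
    known_gids = dict(local_groups)
    known_gids.update(planned_groups)
    seen_uids = {}
    for e in planned:
        if not DOMAIN_UID_MIN <= e.uid <= DOMAIN_UID_MAX:
            findings.append(("error", f"{e.name}: uid {e.uid} outside domain range"))
        # A different local account already owns this UID: its files would change hands.
        if e.uid in local_by_uid and local_by_uid[e.uid] != e.name:
            findings.append(("error", f"{e.name}: uid {e.uid} already owned locally by {local_by_uid[e.uid]}"))
        # Same name, different UID: the user keeps the name but loses ownership of old files.
        if e.name in local_by_name and local_by_name[e.name] != e.uid:
            findings.append(("warning", f"{e.name}: local account has uid {local_by_name[e.name]}; home files need chown"))
        if e.uid in seen_uids:
            findings.append(("error", f"{e.name}: uid {e.uid} duplicates {seen_uids[e.uid]}"))
        seen_uids.setdefault(e.uid, e.name)
        if e.gid not in known_gids:
            findings.append(("error", f"{e.name}: primary gid {e.gid} has no group"))
    return findings


# Constructed sample: what one existing Linux host looks like before the join.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
sim01:x:100042:100042::/var/sim:/bin/bash
"""
LOCAL_GROUP = """root:x:0:
alice:x:500:
sim01:x:100042:
"""
# Constructed sample: the UIDs/GIDs proposed for the directory-managed accounts.
PLANNED_PASSWD = """alice:x:100500:200001::/home/alice:/bin/bash
bob:x:100042:200001::/home/bob:/bin/bash
carol:x:100042:200001::/home/carol:/bin/bash
dave:x:60000:200009::/home/dave:/bin/bash
"""
PLANNED_GROUPS = {200001: "linux-users"}


def run_example():
    """Run the check over the constructed sample and return its findings."""
    return check_mapping(parse_passwd(PLANNED_PASSWD), parse_passwd(LOCAL_PASSWD),
                         parse_group(LOCAL_GROUP), PLANNED_GROUPS)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"{severity.upper():7} {message}")
```

Run against the real hosts, the local passwd and group data would be collected from each machine (the same check applies to every box that is about to be joined), and any error finding should block the push of those attributes into the directory; warnings mark accounts whose home directories need a chown once the new UID takes effect.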
The installation is ongoing today, Bartsch said, with other capabilities, such as policy objects, planned but not yet activated. He said that Centeris has promised a Mac-focused upgrade soon, with which he will manage a growing base of Mac clients used for graphics and research.
And over the past few months, the install has already paid off. Bartsch estimates that he saved $150,000 a year by not hiring a new Linux system administrator, along with intangibles such as the time he and his Windows-centric staff would have spent administering Linux machines on a server-by-server basis. Now Bartsch has a heterogeneous infrastructure that he manages through Likewise and AD.