Place the above title words into a Google search, and you will receive a million results. You will find a decade's worth of articles, white papers, blogs, and vendor solutions which tackle various aspects of Linux and Active Directory integration. The subject remains as fresh today as ever. And although File and Print and various standards-based wire protocols have matured into seamless commodities out of the box, managing Access and Identity across disparate systems remains more of a journey than a destination. You're often left to tackle the Identity Integration problem either on your own or through a consulting engagement. This costs time, money and often yields less than satisfactory solutions.
> How We Got Here
The technology marketplace tends to reward differentiation, and sometimes punishes interoperability. This both rewards and punishes customers by encouraging innovation, but often at a cost: a lack of integration with legacy and/or competing systems.
Add to this the challenges of running your business today with limited resources. Needs and technologies change rapidly, but legacy systems take years to transition. In all probability, the network, hardware, application and OS flavors found in your environment are extremely mixed. You have a heterogeneous state: a growing supply of Linux, a growing supply of Windows, a user base that wants to access both worlds, and a decreasing supply of aspirin to deal with the headaches.
> Where Do You Want To Go Today?
When it comes to user provisioning and managing Access and Identity across competing directories, the typical approaches are:
- Separate Islands: This effectively requires a duplication of work to manage different directories whenever users require access to multiple platforms. This requires strong technical skill sets across all technologies. Due to the manual nature, this often results in a highly inconsistent Identity state.
- Synchronization: A directory synchronization solution tracks changes across multiple directory platforms and applies the changes to each platform appropriately. A single password and single sign-on are only partially achieved, by maintaining an entry for each user in every system.
- Meta Directory: A directory that is layered on top of other directory services. Administrative operations interact with the meta directory which in turn ensures that changes to the meta directory objects are propagated to the actual physical directory services.
- Consolidation: Move toward a single vendor's directory. Integrate all Windows, Linux and Unix machines under a common Identity model, and ensure the appropriate client configurations are performed to honor the model for true single sign-on.
The recent trend, which factors in infrastructure disruptions, feature maturity, and overall total costs in time and personnel, is to favor consolidation. But just selecting a single directory model alone, such as Active Directory, still leaves unanswered issues in managing cross platform user access, application access, preserving legacy rights, effecting machine security policies, and providing for a coherent management interface.
> But Linux Isn't Windows
Fortunately, Linux is very modular and flexible in its design, and with the proper domain join sequencing and configuration file updates, Linux can readily participate at a server or workstation level within Active Directory. Some things to consider include:
- Across-the-Wire Domain Join: Ensures that your Linux or UNIX system is joined to Active Directory to both honor AD credentials and to be validated itself by AD. Additionally, time is synchronized with the domain so that Kerberos ticket grants and expirations are honored.
- Kerberos Authentication and Credential Caching: Ensures that Linux has been properly configured for Kerberos. As domain controllers may be intermittent in their availability, credentials are locally cached on the Linux system to honor user and application requests.
- ID Mapping: Ensures the appropriate User ID (UID) and Group ID (GID) are presented to each target Linux system. A user, DDallas, would have a forest-wide SID for Active Directory access, but may also have unique UIDs on the dozens of Linux resources they may access. Properly mapping each system + user + UID becomes both a technical and logistical challenge.
- Account and Machine Policies: More than 100 account policies exist for Active Directory and these would ideally be honored by Linux systems. Additionally, new policies could be defined which control features unique to Linux, such as the sudoers list and crontab.
- Home Directories and Shell choices: Flexibility to define local user home directory and shell choices depending on the Linux or UNIX flavor being accessed.
- Management and Reporting: Ensures that consolidation yields additional returns on the investment in continued flexibility, embracing a common and familiar means to manage your directory, and providing for richer reporting and monitoring.
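The ID Mapping item above is the one that most often bites in practice: if each Linux host hands DDallas a different UID, file ownership and audit trails stop lining up across the fleet. The following Python script is an added example, not part of the original article and not Likewise Identity's code. It shows the same idea that Samba's idmap_rid backend uses: derive the POSIX UID deterministically from the account's RID (the last component of its SID) plus a fixed per-domain base, so every joined host computes the same UID without a central allocation step, and then checks a host's local /etc/passwd for pre-existing accounts that would collide. The domain SID, the UID range, the AD accounts and the passwd lines are all constructed sample values.

```python
"""Deterministic SID -> UID mapping plus a per-host collision check.

Added example (not the article's or Likewise Identity's code). Mirrors the
idmap_rid approach: UID = range_low + RID. Domain SID, range and sample
accounts below are constructed, not real values.
"""
import re

# Shape of a Windows SID: S-1-<authority>-<subauthorities...>-<RID>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample domain and the UID range reserved for it on every host.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_LOW = 100000
RANGE_HIGH = 199999

# Constructed sample AD accounts: sAMAccountName -> objectSid.
SAMPLE_AD_USERS = {
    "DDallas": DOMAIN_SID + "-1105",
    "svc_backup": DOMAIN_SID + "-1200",
    "visitor": "S-1-5-21-9-9-9-500",  # account from an untrusted domain
}

# Constructed sample /etc/passwd from one legacy host; "oldapp" was created
# by hand years ago and happens to sit inside the reserved range.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "oldapp:x:101105:101105::/srv/app:/bin/sh",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
]


def split_sid(sid):
    """Return (domain_sid, rid) for a well-formed SID; raise ValueError otherwise."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_uid(sid, domain_sid=DOMAIN_SID, low=RANGE_LOW, high=RANGE_HIGH):
    """Map a SID from `domain_sid` into [low, high].

    Returns None for SIDs of other domains and for RIDs that would fall past
    the top of the range: refusing to map is safer than silently wrapping
    onto a UID already owned by another account.
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    uid = low + rid
    if uid > high:
        return None
    return uid


def find_collisions(local_passwd, ad_users, **mapping_kw):
    """Report AD accounts whose computed UID is already held by a local account.

    local_passwd: iterable of /etc/passwd lines from the host being joined.
    ad_users: dict of sAMAccountName -> SID.
    Returns a list of (ad_user, uid, local_user) tuples.
    """
    local_by_uid = {}
    for line in local_passwd:
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        local_by_uid[int(fields[2])] = fields[0]

    hits = []
    for name, sid in ad_users.items():
        uid = sid_to_uid(sid, **mapping_kw)
        if uid is None:
            continue
        owner = local_by_uid.get(uid)
        if owner is not None and owner != name:
            hits.append((name, uid, owner))
    return hits


if __name__ == "__main__":
    for name, sid in SAMPLE_AD_USERS.items():
        print(f"{name:12s} {sid:45s} -> {sid_to_uid(sid)}")
    for ad_user, uid, local_user in find_collisions(SAMPLE_PASSWD, SAMPLE_AD_USERS):
        print(f"COLLISION: {ad_user} would get UID {uid}, already used by local '{local_user}'")
```

Running the script on the sample data maps DDallas to 101105 and svc_backup to 101200, leaves the foreign-domain SID unmapped, and flags that 101105 is already owned by the local "oldapp" account. In a real rollout the collision list from each host is what you resolve (renumber or retire the local account) before the join, because the deterministic scheme only delivers "same UID everywhere" if no host has a legacy account squatting in the reserved range.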
> Making It Simple
To consolidate directories and perform all of the above tasks manually would take far more time and energy than would be saved. That's not job security, it's job futility. It is imperative that an automated and integrated solution be used. One with a proven track record, a streamlined deployment, clean and scalable architecture, common UI, with support for the key Linux and UNIX distributions, and focused on solving the key pain points found in your heterogeneous environment.
Centeris Likewise Identity 3.0 seamlessly integrates UNIX, Linux and other systems/applications with Microsoft Active Directory and allows them to use Active Directory for authentication needs. It also provides cross-platform single sign-on for applications and extends Active Directory group policy to Linux and UNIX systems.
We've made it easy to evaluate and deploy Likewise Identity in your environment today. To review an online demo or download trial product, visit centeris.com.