Heterogeneous authentication software solves many companies' basic need for single sign-on (SSO) functionality in all their IT systems. If your company is subject to regulations that require SSO—some companies, for example, have interpreted the Sarbanes-Oxley (SOX) Act as a requirement for this functionality—you'll want to learn the ins and outs of this software.
The three applications that we chose to evaluate in this comparative review are Quest Software Vintela Authentication Services (VAS), Centeris Likewise Identity, and Centrify DirectControl. Each of these programs lets a UNIX or Linux system (in this article, we use the term "UNIX" to mean any UNIX or Linux system) authenticate to Active Directory (AD). However, the applications have both subtle and major differences that you need to understand. Knowing about these differences will help you choose the right solution for your organization.
How Heterogeneous Authentication Software Works
You might be wondering how a UNIX platform can authenticate to Windows, or where the UNIX account information would be stored in such a scenario. For two of the three products, the answer is Active Directory schema extensions (the third, as you'll see, manages without them). If you've worked with Microsoft Exchange Server, you're familiar with the concept: the Exchange team added attributes such as msExchHomeServerName to AD so that the directory can record where each user's mailbox lives. AD can likewise be extended to store UNIX account attributes such as the numeric user and group IDs, home directory, and login shell. However, extending the schema isn't allowed in some environments and is done cautiously in others, because schema changes are forest-wide and permanent: an attribute or class you add can later be deactivated, but never deleted. If extending AD concerns you, pay attention to how each vendor does it, because each adds UNIX support in a slightly different way.
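Before anyone runs a schema wizard, it pays to know what the forest already contains: whether the RFC 2307 attributes that Windows Server 2003 R2 defines (uidNumber, gidNumber, gecos, unixHomeDirectory, loginShell) are already present, and whether an earlier extension has taken one of their names or OIDs. The following Python script is an added example, not code from the article or from any of the three vendors. It parses an LDIF export of the schema naming context (the assumed way to produce one is ldifde against CN=Schema,CN=Configuration) and reports, per attribute, present, missing, wrong OID, or OID collision. The LDIF sample is constructed for the example, and the attribute vendorUnixHome in it is hypothetical.

```python
"""Pre-flight check of an exported AD schema before running a UNIX schema wizard.

Added example, not from the article or any vendor.  Input is an LDIF export of
the schema naming context (assumed source: ldifde -f schema.ldf
-d "CN=Schema,CN=Configuration,DC=example,DC=com" -r "(objectClass=attributeSchema)").
The sample below is constructed; no real forest was exported.
"""
import base64

# RFC 2307 attributes Windows Server 2003 R2 adds to the default schema, with
# their RFC 2307 OIDs.  AD names RFC 2307's homeDirectory "unixHomeDirectory"
# because homeDirectory already exists in AD under OID 1.2.840.113556.1.4.44.
RFC2307_ATTRIBUTES = {
    "uidNumber": "1.3.6.1.1.1.1.0",
    "gidNumber": "1.3.6.1.1.1.1.1",
    "gecos": "1.3.6.1.1.1.1.2",
    "unixHomeDirectory": "1.3.6.1.1.1.1.3",
    "loginShell": "1.3.6.1.1.1.1.4",
}

# Constructed export: two R2 attributes are present, gidNumber and gecos are
# absent, and "vendorUnixHome" (hypothetical leftover of an earlier third-party
# extension) squats on the OID that unixHomeDirectory needs.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: uidNumber
attributeID: 1.3.6.1.1.1.1.0

dn: CN=loginShell,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: loginShell
attributeID: 1.3.6.1.1.1.1.4

dn: CN=vendorUnixHome,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: vendorUnixHome
attributeID: 1.3.6.1.1.1.1.3
"""


def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}], unfolding continuation lines
    (leading space) and decoding "attr:: base64" values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: append to previous
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line == "":                    # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
        elif line.startswith(("#", "version:")):
            continue
        else:
            name, _sep, value = line.partition(":")
            if value.startswith(":"):     # "::" marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_rfc2307_schema(ldif_text):
    """Return (verdict, findings).  findings[name] is "present", "missing",
    "oid-mismatch: <oid>" (same name, other OID) or "collision: <name>" (OID
    already owned by another attribute); verdict is "extended", "conflict"
    (reconcile before touching the schema) or "extension-required"."""
    by_name, by_oid = {}, {}
    for entry in parse_ldif(ldif_text):
        if "attributeSchema" not in entry.get("objectClass", []):
            continue
        if "lDAPDisplayName" in entry and "attributeID" in entry:
            name, oid = entry["lDAPDisplayName"][0], entry["attributeID"][0]
            by_name[name], by_oid[oid] = oid, name
    findings = {}
    for name, oid in RFC2307_ATTRIBUTES.items():
        if name in by_name:
            findings[name] = "present" if by_name[name] == oid else f"oid-mismatch: {by_name[name]}"
        elif oid in by_oid:
            findings[name] = f"collision: {by_oid[oid]}"
        else:
            findings[name] = "missing"
    states = findings.values()
    if any(s.startswith(("oid-mismatch", "collision")) for s in states):
        return "conflict", findings
    if all(s == "present" for s in states):
        return "extended", findings
    return "extension-required", findings


if __name__ == "__main__":
    verdict, findings = check_rfc2307_schema(SAMPLE_SCHEMA_LDIF)
    for name, state in findings.items():
        print(f"{name:18s} {state}")
    print("verdict:", verdict)
```

On the constructed sample the verdict is "conflict": a wizard that tries to add unixHomeDirectory with its RFC 2307 OID would fail or, worse, leave a half-applied extension, so the squatting attribute has to be reconciled first. Only an "extension-required" verdict is a green light for the planned, backed-up extension the paragraph describes.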
After extending AD to store UNIX user account information, the vendor must provide the means for the client to "understand" the new functionality. To that end, all three vendors offer a client piece that you install on each UNIX machine. The ease of client installation and the client's effect on the machine might be important to consider. For example, who will deploy the client onto the UNIX machine? If an administrator is installing it, then ease of installation isn't as important as it would be if users were installing it. Be aware of your internal requirements so that you won't be surprised later. Additionally, if you have an existing UNIX server infrastructure with multiple user IDs, be sure to take a close look at how each vendor supports it. Beyond the products' basic authentication pieces, other features set each vendor apart—for example, the ability to apply Group Policy Objects (GPOs) to your Linux and UNIX systems.
UNIX Personality Management
When you're choosing a heterogeneous authentication solution, consider how the product manages multiple UNIX personalities. A UNIX personality is the set of POSIX identity attributes a user has on a given system: chiefly the numeric user ID (UID) and primary group ID (GID), plus the home directory and login shell. The UID plays the role that the SID plays in Windows; it's what the kernel stamps on processes and file ownership. In Windows, we seldom look at a user's SID or GUID unless we're performing a migration or consolidation. In UNIX, however, this information sits in plain text files (/etc/passwd and /etc/group) that are easy to read and easy to let drift out of sync between machines. You need to understand how UNIX user IDs work, and you need a method for managing different UNIX personalities.
When you create a new user on a UNIX system, the system assigns a numeric user ID that is unique on that system only. Different UNIX vendors start allocating regular user IDs at different numbers: some start at 100, others at 500. The same person's user ID could therefore be 107 on one system and 517 on another. This scenario is what the vendors call "multiple UNIX personalities."
To make things a bit muddier, group IDs also differ among vendors. A user might belong to a group named DEV with a group ID of 37 on one system and a group ID of 104 on another system.
Imagine how complicated it would be to map one AD user account to these different user IDs and group IDs by hand. UNIX personality management, a key feature of all three products in this review, takes this problem into account and lets one AD account carry several personalities, each valid for a defined set of UNIX systems.
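What a personality-management feature has to compute, and what you should compute yourself before you populate it, is shown by the following Python script. It is an added example, not code from the article or from any of the three vendors. It takes passwd and group files collected from several hosts, groups the hosts into the sets of machines that will share one ID space (what the products variously call personality containers, cells, or zones), derives one personality per user per zone, and reports the conflicts that block a clean mapping: one name with several UIDs, one UID under several names, or one group with several GIDs inside a zone. The host names, zone names, accounts and IDs are constructed, and the SYSTEM_UID_MAX threshold is an assumption.

```python
"""Build per-zone UNIX personalities from several hosts' passwd and group files.

Added example, not code from the article or from any of the three vendors.
Host names, zone names, accounts and IDs are constructed; in practice you feed
in /etc/passwd and /etc/group collected from each server, grouped into the
sets of machines that will share one ID space (the products' personality
containers, cells or zones).
"""
from collections import defaultdict

SYSTEM_UID_MAX = 100   # assumption: UIDs below this stay local, never mapped to AD

# Constructed inventory.  jsmith is 517 on the Red Hat servers and 107 on
# Solaris, group dev is 104 versus 37, and UID 520 is reused for two different
# accounts inside the redhat zone (a real blocker that must be fixed first).
HOSTS = {
    "rh-web01": {"zone": "redhat",
                 "passwd": "root:x:0:0:root:/root:/bin/bash\n"
                           "jsmith:x:517:104:Jane Smith:/home/jsmith:/bin/bash\n"
                           "build:x:520:104:Build account:/home/build:/bin/bash\n",
                 "group": "dev:x:104:jsmith,build\n"},
    "rh-web02": {"zone": "redhat",
                 "passwd": "jsmith:x:517:104:Jane Smith:/home/jsmith:/bin/bash\n"
                           "deploy:x:520:104:Deploy account:/home/deploy:/bin/bash\n",
                 "group": "dev:x:104:jsmith,deploy\n"},
    "sol-db01": {"zone": "solaris",
                 "passwd": "jsmith:x:107:37:Jane Smith:/export/home/jsmith:/bin/ksh\n"
                           "oracle:x:520:37:Oracle:/export/home/oracle:/bin/ksh\n",
                 "group": "dev:x:37:jsmith,oracle\n"},
}


def parse_passwd(text):
    """passwd(5) lines -> {name: {"uid", "gid", "gecos", "home", "shell"}}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                           "home": home, "shell": shell}
    return users


def parse_group(text):
    """group(5) lines -> {name: gid}; membership isn't needed for ID mapping."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":", 3)
            groups[name] = int(gid)
    return groups


def build_personalities(hosts):
    """Return (personalities, group_ids, conflicts).

    personalities[user][zone] -> {"uid", "gid", "home", "shell", "hosts"}
    group_ids[group][zone]    -> gid
    conflicts -> problems that block mapping a zone onto AD accounts: one name
    with several UIDs, one UID under several names, or one group name with
    several GIDs, all judged within a zone (different zones may reuse IDs).
    """
    zone_users = defaultdict(lambda: defaultdict(list))   # zone -> name -> [(host, rec)]
    zone_groups = defaultdict(lambda: defaultdict(set))   # zone -> group -> {gid}
    for host, data in hosts.items():
        for name, rec in parse_passwd(data["passwd"]).items():
            if rec["uid"] >= SYSTEM_UID_MAX:
                zone_users[data["zone"]][name].append((host, rec))
        for gname, gid in parse_group(data["group"]).items():
            zone_groups[data["zone"]][gname].add(gid)

    personalities, group_ids, conflicts = defaultdict(dict), defaultdict(dict), []
    for zone in sorted(set(zone_users) | set(zone_groups)):
        owners = defaultdict(set)                          # uid -> {names using it}
        for name, recs in zone_users[zone].items():
            for _host, rec in recs:
                owners[rec["uid"]].add(name)
        for uid, names in sorted(owners.items()):
            if len(names) > 1:
                conflicts.append(f"{zone}: UID {uid} is used by {sorted(names)}")
        for name, recs in sorted(zone_users[zone].items()):
            uids = {rec["uid"] for _host, rec in recs}
            if len(uids) > 1:
                conflicts.append(f"{zone}: {name} has UIDs {sorted(uids)} across hosts")
            elif len(owners[next(iter(uids))]) == 1:       # skip UIDs in collision
                rec = recs[0][1]
                personalities[name][zone] = {
                    "uid": rec["uid"], "gid": rec["gid"], "home": rec["home"],
                    "shell": rec["shell"], "hosts": sorted(h for h, _r in recs)}
        for gname, gids in sorted(zone_groups[zone].items()):
            if len(gids) > 1:
                conflicts.append(f"{zone}: group {gname} has GIDs {sorted(gids)}")
            else:
                group_ids[gname][zone] = next(iter(gids))
    return dict(personalities), dict(group_ids), conflicts


if __name__ == "__main__":
    users, groups, problems = build_personalities(HOSTS)
    for name, zones in sorted(users.items()):
        for zone, p in sorted(zones.items()):
            print(f"{name:8s} {zone:8s} uid={p['uid']} gid={p['gid']} "
                  f"shell={p['shell']} hosts={','.join(p['hosts'])}")
    print("groups:", groups)
    for problem in problems:
        print("CONFLICT:", problem)
```

For the constructed inventory, jsmith ends up with two personalities (UID 517 in the redhat zone, UID 107 in the solaris zone), dev maps to GID 104 and 37 respectively, and the reuse of UID 520 by build and deploy inside the redhat zone is reported instead of being mapped. That last case is the one to clear up (reassign one UID and chown its files) before you create the corresponding container, cell, or zone in AD; the same UID reused by oracle in the solaris zone is not a conflict, because zones are separate ID spaces.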
Testing the Products
Our test lab consisted of a simple network with one Windows Server 2003 SP1 AD domain controller (DC) and a Linux PC. Each system ran in a VMware virtual machine (VM) for easy duplication and rollback. Because Windows 2003 R2 added the RFC 2307 UNIX account attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, and so on) to the default schema, we specifically chose not to use this newer version of Windows 2003: we don't believe most shops have upgraded their DCs to R2. Instead, we wanted to see how each vendor dealt with the more common pre-R2 scenario. If you do decide to upgrade the schema, whether to R2 or to one of the vendors' proprietary extensions, be sure you have a detailed plan in place first. In the Web-exclusive article "Plan Your Dive, Dive Your Plan" (InstantDoc ID 94735), you'll find a tried-and-true method for ensuring that your major upgrades don't go sideways.
Without exception, all three applications performed well. Each let us quickly add the necessary functionality to the DC, set up a small client on the Linux PC, then log on to the Windows domain from the Linux PC within a few minutes. At that point, however, the similarities ended.
Quest Software Vintela Authentication Services
The VAS UNIX client ships as an RPM (Red Hat Package Manager) package, and its installation script runs through a basic text-based wizard that takes only a few minutes. In our tests, the installation was quick and simple. After the installation was complete, we performed a short configuration.
For the Windows installation, you get a nice GUI that helps you find the setup wizards, manuals, and other information. The Windows installation is smooth and straightforward. If you're not running a Windows 2003 R2 schema, you'll need to run the Schema Wizard to extend AD to support UNIX account attributes. Don't take this important advice lightly. Although we're sure that Quest did its due diligence when writing the scripts to extend AD, you shouldn't attempt AD extension without proper planning and a good recovery plan. It would be better to upgrade to R2 and extend the schema that way, if only because the R2 extensions were written by Microsoft. Given a choice, we would rather support a "standard" AD than one created by a third party.
In addition to the UNIX account attribute extensions, Quest also extends the schema to support the Personality Management Schema Extension. Again, it's probably perfectly safe to use Quest's extensions, but if your organization doesn't allow these kinds of core changes to AD, you might want to look at solutions that don't require the schema to be extended. On a positive note, the changes that are necessary appear to be pretty small. You can find further information about these extensions in a PDF file in the evaluation software.
Adding UNIX personalities isn't an intuitive process. When we tried to create a UNIX personality, we kept getting the error "There are no personality containers defined. Create a personality container, then retry the operation." We had trouble determining how to create a personality container. Eventually, we solved the problem: you can't create a UNIX personality container inside a plain AD container such as the default Users container (CN=Users); you must create it in an organizational unit (OU). Figure 1 shows the dialog box you use.
VAS also supports extending AD's Group Policy to push policies down to UNIX clients. The settings you can manage out of the box are scripts, cron, files, login prompt, message of the day, sudo, symbolic links, and syslog, a pretty good start. If you need to push a policy to your UNIX clients that isn't included by default, you can write your own; a detailed section of the documentation explains how to write and apply custom policies.
VAS supports many UNIX clients, including Red Hat Linux, SuSE Linux, Tru64, and VMware ESX Server. The full list of supported clients can be found at http://www.quest.com/vintela-authentication-services.
Centeris Likewise Identity
The GUI-driven Likewise Identity UNIX installation worked flawlessly in our tests. After the installation was complete, the software prompted us to choose either GUI-based or command-line-based client setup. We chose the GUI option and were surprised at how closely the process and interface resembled those of a Windows machine.
The installation of Likewise Identity on the Windows side took a bit longer because the installation routine had to download the Microsoft .NET Framework 2.0 and Microsoft Management Console (MMC) 3.0. We don't consider this delay a major concern, but you should be aware of it, especially if the machine you're installing on doesn't have an Internet connection; in that case, install the prerequisites manually first. After the prerequisites were in place, the installation went very smoothly.
As we discussed at the beginning of this article, AD schema changes shouldn't be taken lightly. Unlike VAS, Likewise Identity permitted an installation without extending the schema. The lack of a requirement to extend the schema sets this Centeris product apart from its competitors. Whereas the other two applications can use the default R2 UNIX account schema extensions instead of adding their own, Likewise Identity adds this functionality without requiring any R2 or third-party schema updates. It does this by storing the UNIX attributes in existing, otherwise unused attributes of objects it creates in the directory. The downside to not updating the AD schema is that, as you add UNIX-enabled users to AD, performance could take a hit: the R2 attributes are indexed, whereas values tucked into general-purpose attributes have to be found by scanning. We were unable to test large numbers of UNIX computers and users in our test lab to compare performance between extended and non-extended environments, so we can't tell you where this performance cut-off is. If you have many UNIX-enabled users, you should consider adding the default R2 schema extensions to take advantage of the indexing they offer. Either way, this product gives you a lot of flexibility in implementation.
The Likewise Identity Console has a decent set of features, including a report tool and a UNIX Identity Migration Tool. This migration tool helps you migrate existing UNIX accounts, password files, and group files into AD. It can also create a script to reset the ownership of files on the UNIX system if they're affected by the migration. Figure 2 shows the dialog box for joining the AD domain.
To enable support for multiple user and group IDs, we had to create a separate OU and enable what Centeris calls cells on the OU. This process wasn't at all intuitive, so we had to dig out the Likewise-Identity-Administrators-Guide.pdf in the documentation. In the end, the functionality is similar to the way that the other vendors support multiple UNIX personalities.
Likewise Identity also provides Centeris Group Policies, but these policies are limited in what they can push to UNIX clients. Out of the box, they can change the sudo configuration, change automount files, set cron jobs, and run login scripts.
We discovered by accident that with Likewise Identity, the UNIX client boots cleanly when the Windows 2003 AD DC is down. Obviously, you can't log on to the domain if the DC is down, but if it is, UNIX machines with the Centeris client don't have any problems booting up. The other two clients appeared to slow down slightly while they looked for the DC during boot-up (but they did eventually come up without any problems).
Likewise Identity supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and Ubuntu. For a full list of supported UNIX clients, see http://www.centeris.com/products/likewise_identity/supported_platforms.php.
Centrify DirectControl
Of the three products, the DirectControl text-based UNIX installation was the simplest. It asked a few simple questions and was installed in minutes. As with the other two applications, the Windows installation of DirectControl went smoothly.
After the installation is complete, you can either start with the MMC AD Users and Computers snap-in to configure DirectControl or go straight to the Centrify DirectControl snap-in. Unlike the other two products, the Centrify product walks you through a comprehensive wizard to set up UNIX personality management in what DirectControl calls zones. Figure 3 shows the Create New Zone wizard. Of the three products, DirectControl is by far the most complex when it comes to setting up and using UNIX personality management, but it's also the most robust.
According to Centrify, zones are similar to AD domains and organize the different flavors of UNIX in your environment. For example, you could group all your Red Hat machines in one zone and your Solaris machines in another zone, then assign the separate zones different login shells or assign the zones to different groups.
DirectControl offers Group Policy support that's similar to that of VAS. Enabling this support in our tests was as simple as adding the centrifydc.adm template to a new GPO. We were surprised by just how many options you can configure, including password policies and UNIX login settings.
An interesting feature is the conflict-resolution setting for DirectControl's PAM (Pluggable Authentication Modules) component. With the many user IDs and accounts floating around in a large organization, an AD-mapped UNIX ID or account name is bound to collide sooner or later with another account on some system. What should the client do when it detects such a conflict? You can choose Ignore (i.e., do nothing), Warn (i.e., warn the user of the conflict after logon), or Error (i.e., don't let the user log on). You control all these options, including the text of the error message that the user will see, via Group Policy.
DirectControl supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and VMware ESX Server. To see a full list of supported UNIX clients, visit http://www.centrify.com/directcontrol.
All three products performed admirably in our tests and can accomplish what they advertise. Centeris Likewise Identity receives kudos for finding a way to let UNIX-based machines authenticate to AD without altering the AD schema. If you have many users, this shortcut can come at a price in performance, but it's nice to have the option. For Group Policy functionality, Centrify DirectControl impressed us. We really liked the way that DirectControl uses an ADM template instead of adding more bloat to AD Users and Computers. Quest Software Vintela Authentication Services stood out with such smart features as letting you choose which OU a newly joined UNIX computer's account is created in, and it doesn't make the user prefix a logon name with the domain name.
What didn't we like? For all three products, adding or enabling UNIX personality management wasn't as easy as we thought it could be. In many cases, the vendors should just make the pop-up error messages more informative—rather than just telling the user to create a cell or a zone, let the user know where the tool is to accomplish the task.