Commercial Interoperability Products

There are several commercial, third-party solutions that can make the integration of Active Directory and Linux clients easier. We've already seen the open-source nss_ldap and pam_ldap modules and how they can connect Linux machines to Active Directory; these ship as standard in Fedora Core 3 and other popular Linux distributions.

The commercial products we'll describe are

  • VAS by Vintela, Inc.

  • DirectControl by Centrify Corporation

Warning 

Some of the information in this section was supplied to us by the third-party software companies themselves and reflects their own positioning. In short, test-evaluate any solution in your own environment before purchasing.

The goal in this section is to make Active Directory the single authoritative source for account information. After installation, the idea is that you change a password in only one place: Active Directory.

Note 

Both commercial products listed here have to compete with the open-source nss_ldap and pam_ldap modules which, as we have seen, are built into Fedora Core 3. For the record, nss_ldap and pam_ldap were originally created by PADL Software Pty Ltd., who can be found at http://www.padl.com/ .

VAS by Vintela

Vintela Authentication Services (VAS) is a commercial product from Vintela which aims to centralize Active Directory authentication from a wide variety of Linux and Unix clients. A native binary package is available for most Linux and Unix distributions (as opposed to hand-carving PAM configuration files as we've done throughout this chapter). Additionally, this company has recently received a financial blessing from Microsoft.

Some of the main features VAS includes and notes as reasons it is superior to PADL's offerings are:

  • Native binary packages for a wide variety of Unix/Linux platforms

  • A consistent command-line interface across all platforms

  • Nested Group Support (without recursive LDAP calls)

  • Native Windows installer and MMC snap-in

  • Ability to load another Vintela product, VGP (Vintela Group Policy), to support Group Policy on Unix and Linux systems

  • Disconnected mode for caching credentials when offline

  • Additional single sign-on support

  • NIS Compatibility mode for easy integration with automounter utilities and legacy NIS apps

  • Support for multiple Unix identities per Active Directory user

In Figure 3.20, you can see VAS in action.

Figure 3.20: Vintela's VAS (screenshot)

You can download a trial of VAS at www.vintela.com/products/vas/ .

The competition between Vintela and the in-the-box solution appears to be fierce. Multiple comparisons to PADL Software Pty Ltd., the company behind nss_ldap and pam_ldap , are made on the Vintela website, in the FAQ ( www.vintela.com/products/vas/vasfaq.php ) and in several places within a paper available at www.vintela.com/support/docs/vas/2.6/VAS_Myths.pdf .

PADL does acknowledge that VAS might have the upper hand in some areas, but it has weighed in with its own two cents about Vintela's positioning vis-à-vis PADL's nss_ldap , which you can read at www.padl.com/Articles/ClarificationonVintelaAut.html .

DirectControl by Centrify

DirectControl by Centrify is another commercially available third-party tool for centralizing administration and authorization. DirectControl has the noted distinction of not requiring an Active Directory schema change (unlike SFU 3.5, Vintela's VAS, and nss_ldap , which all rely on Unix attributes being added to the schema).

DirectControl has a "zones" philosophy that enables administrators to take multiple Unix/Linux usernames and UIDs from different systems and map them directly to one Active Directory account. You can see DirectControl's interface in Figure 3.21. Additionally, Centrify's DirectControl product has some Group Policy functionality built into the product.

Figure 3.21: Centrify's DirectControl (screenshot)

You can learn more about DirectControl by Centrify at www.centrify.com/index.htm .

Synchronized Peer Directories

In this chapter and the last chapter, we've tried to highlight the most useful cases where Linux clients can authenticate to Active Directory and where Windows clients can authenticate to Linux-hosted directory and domain services, such as NIS, Samba, and OpenLDAP. The point is to work toward some semblance of single sign-on.

However, it's certainly possible that we didn't hit on your particular need. Specifically, you might not be able to get Windows to authenticate to Linux or Linux to authenticate to Windows. In these cases, you'll need a way to synchronize separate peer directories. Here is a rundown of several other ways to accomplish single sign-on in mixed environments.

Using a Metadirectory Service

In the best case, you would simply have one directory store for your entire company. You'd use either Active Directory or, say, OpenLDAP as the one source of company wide user-based information.

Except that's not always realistic. The problem is, your company's phone switch likely doesn't know how to talk to Active Directory or OpenLDAP. Neither does your company's payroll system or the security system the employees use to buzz themselves into the building.

The goal of a metadirectory is to take multiple account stores, such as Active Directory, OpenLDAP, your phone system, your human resources system, etc., and have them all talk with each other. It's a very ambitious goal, but the payoff can be great. But be careful: a metadirectory is, by design, a system that writes to many directories at once, so one slip-up (a bad feed, a broken join rule, a mistaken deprovisioning rule) can dump bad data into multiple systems, or disable or delete accounts everywhere in a single run. Decide which system is authoritative for each attribute, validate every record before it is propagated, and stage changes where you can review them before they are applied.
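To make the "one slip-up" warning concrete, here is an added example (not code from the book or from any of the metadirectory products it names) of the reconciliation step a metadirectory performs between two account stores. It joins a constructed HR feed to a constructed Active Directory export on an assumed employee_id attribute, treats HR as authoritative for name and employment status, rejects records it cannot join safely (blank or duplicate keys) rather than guessing, and refuses to apply a change set that would disable more than a chosen fraction of accounts. All records, attribute names and thresholds are made up for illustration.

```python
"""Minimal metadirectory-style reconciliation with the guards a sync job needs.

Added example; the data stores, attribute names and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data (not real accounts).
# HR is authoritative for a person's name and whether they are still employed.
HR_RECORDS = [
    {"employee_id": "1001", "name": "Ann Example", "status": "active"},
    {"employee_id": "1002", "name": "Bob Example", "status": "terminated"},
    {"employee_id": "1003", "name": "Cy Example", "status": "active"},
    {"employee_id": "1003", "name": "Cy Duplicate", "status": "active"},  # bad feed
]
# Active Directory export; authoritative for login names, consumer of HR data.
AD_RECORDS = [
    {"employee_id": "1001", "sAMAccountName": "ann", "displayName": "A. Example", "enabled": True},
    {"employee_id": "1002", "sAMAccountName": "bob", "displayName": "Bob Example", "enabled": True},
    {"employee_id": "", "sAMAccountName": "svc_backup", "displayName": "Backup service", "enabled": True},
]


@dataclass
class Plan:
    """A staged change set: nothing here has been written to any directory yet."""
    updates: list = field(default_factory=list)    # (employee_id, attribute, old, new)
    disables: list = field(default_factory=list)   # employee_ids whose AD account gets disabled
    rejected: list = field(default_factory=list)   # (record, reason): never propagated
    unmatched: list = field(default_factory=list)  # AD accounts with no HR owner (for review)


def index_by_key(records, key):
    """Index records by the join key. Blank or duplicated keys are rejected,
    not resolved by guesswork: a duplicate means we cannot tell which record
    is right, so both are held back for a human."""
    counts = Counter(r.get(key, "") for r in records)
    index, rejected = {}, []
    for rec in records:
        k = rec.get(key, "")
        if not k:
            rejected.append((rec, "missing join key"))
        elif counts[k] > 1:
            rejected.append((rec, "duplicate join key %s" % k))
        else:
            index[k] = rec
    return index, rejected


def build_plan(hr_records, ad_records):
    """Compare the two stores and stage changes; never touches the inputs."""
    plan = Plan()
    hr, bad_hr = index_by_key(hr_records, "employee_id")
    ad, bad_ad = index_by_key(ad_records, "employee_id")
    plan.rejected.extend(bad_hr + bad_ad)
    for emp_id, person in hr.items():
        account = ad.get(emp_id)
        if account is None:
            continue  # provisioning new accounts is a separate, riskier flow
        if person["status"] == "terminated" and account["enabled"]:
            plan.disables.append(emp_id)
        elif person["status"] == "active" and account["displayName"] != person["name"]:
            plan.updates.append((emp_id, "displayName", account["displayName"], person["name"]))
    plan.unmatched = [k for k in ad if k not in hr]
    return plan


def apply_plan(plan, ad_records, max_disable_ratio=0.5):
    """Apply a plan to a copy of the AD export. A plan that would disable more
    than max_disable_ratio of the joinable accounts is refused outright, because
    that pattern usually means a broken feed rather than a mass layoff."""
    joinable = [r for r in ad_records if r.get("employee_id")]
    if joinable and len(plan.disables) / len(joinable) > max_disable_ratio:
        raise RuntimeError("refusing to apply: %d of %d accounts would be disabled"
                           % (len(plan.disables), len(joinable)))
    new_state = [dict(r) for r in ad_records]
    by_key = {r["employee_id"]: r for r in new_state if r.get("employee_id")}
    for emp_id, attr, _old, new in plan.updates:
        by_key[emp_id][attr] = new
    for emp_id in plan.disables:
        by_key[emp_id]["enabled"] = False
    return new_state


if __name__ == "__main__":
    plan = build_plan(HR_RECORDS, AD_RECORDS)
    print("updates:  ", plan.updates)
    print("disables: ", plan.disables)
    print("rejected: ", [(r.get("employee_id") or r.get("sAMAccountName"), why) for r, why in plan.rejected])
    print("unmatched:", plan.unmatched)
    for account in apply_plan(plan, AD_RECORDS):
        print(account)
```

On the constructed data the plan updates one display name, disables one account, and holds back three records (the duplicated HR employee twice, plus the service account with no employee_id). With the default threshold the single disable out of two joinable accounts is applied; lowering max_disable_ratio to 0.25 makes the same plan refuse to run, which is the behaviour you want from a job that writes to every directory you own.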

There are many metadirectory systems to consider:

  • Microsoft MIIS You can find Microsoft's MIIS at www.microsoft.com/technet/security/topics/identity/idmanage/default.mspx .

  • Novell's Nsure Identity Manager 2.0 (formerly DirXML) At last check, even though DirXML was going through a name change, it could still be found at www.novell.com/products/dirxml/ .

  • Sun ONE Meta-Directory 5.1 You can find out about Sun's product at www.sun.com/software/products/meta_directory/home_meta_dir.xml .

  • SimpleSync SimpleSync's product is fairly inexpensive compared to the competition, and it's easy to set up. You can find it at www.cps-systems.com .

  • Open Source? For now, there doesn't seem to be an open-source metadirectory solution in the works. Stay tuned. Those late-night basement coders are always cooking up something new.

SFU 3.5's Password Synchronization Suite

We loaded this when we loaded SFU 3.5 earlier. The goal is to keep collections of Windows and Linux computers up-to-date should a user's password change on either the Windows or Linux side. There are pieces of code that run on Windows computers and pieces of code that run on Linux computers.

This is a useful set of components, but not if you're ultimately planning on using Active Directory as your centralized directory store. It is most useful when you don't have Active Directory and just have a collection of Windows machines in a workgroup that you want to synchronize with a collection of Linux machines. If you do use this suite, there are components that run on every participating machine, both Windows and Linux. Should you change your password on a Linux machine, a notification is sent to all of the Windows machines that you specify; should you change your password on a Windows machine, all Linux computers that you specify receive the update. Keep in mind that this pushes password changes over the network to every host on the list, so each of those hosts becomes a place where the credential can be captured; keep the list to the machines that genuinely need it. A useful document for its use is at www.microsoft.com/technet/interopmigration/unix/sfu/psync.mspx , or you can find it at the shortened URL http://tinyurl.com/3vw3k .



Windows and Linux Integration. Hands-on Solutions for a Mixed Environment
Year: 2005
Pages: 71