Heterogeneous authentication software solves many
companies' basic need for single sign-on (SSO) functionality in all their
IT systems. If your company is subject to
regulations that require SSO—some companies, for example, have interpreted the
Sarbanes-Oxley (SOX) Act as a requirement
for this functionality—you'll want to learn
the ins and outs of this software.
The three applications that we chose to evaluate in this comparative review are Quest Software Vintela Authentication Services (VAS), Centeris Likewise Identity, and Centrify DirectControl. Each of these programs lets a UNIX or Linux system (in this article, we'll use the term "UNIX" to mean any UNIX
or Linux system) authenticate to Active Directory (AD).
However, the applications have both subtle and major differences that you need to understand. Knowing about these
differences will help you choose the perfect solution for your
organization.
How Heterogeneous Authentication Software Works
You might be wondering how in the world a UNIX platform
can authenticate to Windows, or where information would be stored in such a scenario. The authentication part is the easier one: the UNIX client speaks the same Kerberos and LDAP protocols that a Windows workstation uses to talk to a domain controller. The storage part is answered by
Active Directory schema extensions. If you've worked with
Microsoft Exchange Server, you're familiar with the concept
of extensions: Microsoft's Exchange team added attributes such
as msExchHomeServerName to AD to let you keep track of where
your system stores email. AD can likewise be extended to store
UNIX user account information (numeric user and group IDs, home
directory, login shell). However, extending the
schema isn't allowed in some environments and is done
cautiously in others. After the schema has been extended,
it can't be easily undone: a new class or attribute can be
deactivated but never deleted. If extending AD concerns you, pay attention to how each vendor does
it, because each adds UNIX support in
slightly different ways.
After extending AD to store UNIX
user account information, the vendor
must provide the means for the client
to "understand" the new functionality. To that end, all three vendors
offer a client piece that you install on
each UNIX machine. The ease of client installation and the client's effect
on the machine might be important to
consider. For example, who will deploy
the client onto the UNIX machine? If an
administrator is installing it, then ease
of installation isn't as important as it
would be if users were installing it. Be
aware of your internal requirements so
that you won't be surprised later. Additionally, if you have an existing UNIX
server infrastructure in which the same person has different
user IDs on different systems, be sure to take a close look at
how each vendor handles that situation (see "UNIX Personality
Management" below). Beyond
the products' basic authentication
pieces, other features set each vendor
apart—for example, the ability to apply Group
Policy Objects (GPOs) to your Linux and UNIX
systems.
UNIX Personality Management
When you're choosing a heterogeneous
authentication solution, consider how the
product manages multiple UNIX personalities. A UNIX personality is a user's numeric user ID (UID), the UNIX counterpart of
a SID or globally unique identifier (GUID) in
Windows. In Windows, we seldom think about
our users' SIDs or GUIDs unless we're performing a
migration or consolidation. In UNIX, however,
this information lives in plain text files (/etc/passwd and
/etc/group), where it is easily read and easily edited. You need to understand
how UNIX user IDs work, and you need to
have a method for managing different UNIX
personalities.
When you create a new user in UNIX, the
system assigns a unique numeric ID. However, different UNIX vendors start ordinary user IDs at different numbers. Some systems
start at 100, others at 500, and some at 1000.
The same person's user ID could be 107 on one system
and 517 on another system. This scenario is
called "multiple UNIX personalities."
To make things a bit muddier, group IDs
also differ among vendors. A user might belong
to a group named DEV with a group ID of 37 on one system and a group ID of 104 on another
system.
Imagine how complicated it would be to try
to map one AD user account to these different
user IDs and group IDs. UNIX personality
management—a key feature of all three products in this review—takes this problem into
account and lets one AD account authenticate with the
right personality on each system.
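As an added illustration of the personality problem just described, and of the UNIX account attributes that end up stored in AD (see "How Heterogeneous Authentication Software Works" above), the following Python script is example code written for this review; it is not code from VAS, Likewise Identity, or DirectControl. It parses constructed /etc/passwd and /etc/group files from two hypothetical hosts, lists each login's personality per host, flags UIDs that identify different people on different hosts (the case that silently changes file ownership if you pick one UID per AD account without checking), and emits the RFC 2307 attributes that the Windows Server 2003 R2 schema uses. The host names, logins, and numeric IDs are invented, and the three products' own attribute names are not reproduced here.

```python
"""Inventory UNIX personalities across hosts and emit RFC 2307 attributes.

Added example for this article; not part of any reviewed product.
All host names and passwd/group lines below are constructed sample data.
"""
from collections import defaultdict

HOSTS = {
    "rhel-app01": {          # constructed: a Linux box whose UIDs start at 500
        "passwd": """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:517:104:Jane Doe:/home/jdoe:/bin/bash
asmith:x:518:104:Al Smith:/home/asmith:/bin/ksh
build:x:600:104:Build account:/var/build:/bin/sh
""",
        "group": """\
root:x:0:
dev:x:104:jdoe,asmith,build
""",
    },
    "solaris-db01": {        # constructed: a UNIX box whose UIDs start at 100
        "passwd": """\
root:x:0:0:Super-User:/:/sbin/sh
jdoe:x:107:37:Jane Doe:/export/home/jdoe:/bin/ksh
asmith:x:108:37:Al Smith:/export/home/asmith:/bin/ksh
oracle:x:518:37:Oracle:/export/home/oracle:/bin/ksh
""",
        "group": """\
root::0:
dev::37:jdoe,asmith,oracle
""",
    },
}


def parse_passwd(text):
    """Return {login: (uid, gid, gecos, home, shell)} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), gecos, home, shell)
    return users


def parse_group(text):
    """Return {gid: group name} from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[int(gid)] = name
    return groups


def personalities(hosts):
    """{login: {host: (uid, gid, group_name, home, shell)}}: one person, N personalities."""
    result = defaultdict(dict)
    for host, files in hosts.items():
        groups = parse_group(files["group"])
        for login, (uid, gid, _gecos, home, shell) in parse_passwd(files["passwd"]).items():
            result[login][host] = (uid, gid, groups.get(gid, str(gid)), home, shell)
    return dict(result)


def uid_collisions(hosts):
    """{uid: {login: [hosts]}} for every UID that belongs to different logins on different hosts.

    A shared UID with the same login everywhere (root = 0) is not a collision; a UID that
    is one person here and another person there is, and must be resolved before the
    second host starts resolving that UID through AD.
    """
    owners = defaultdict(lambda: defaultdict(list))
    for host, files in hosts.items():
        for login, (uid, *_rest) in parse_passwd(files["passwd"]).items():
            owners[uid][login].append(host)
    return {uid: dict(by_login) for uid, by_login in owners.items() if len(by_login) > 1}


def rfc2307_attributes(persona):
    """RFC 2307 attribute values for the personality chosen as canonical in AD.

    These four attribute names are the ones the Windows Server 2003 R2 schema adds.
    """
    uid, gid, _group, home, shell = persona
    return {"uidNumber": uid, "gidNumber": gid,
            "unixHomeDirectory": home, "loginShell": shell}


if __name__ == "__main__":
    people = personalities(HOSTS)
    for login, per_host in sorted(people.items()):
        if len(per_host) > 1:           # same person, different numbers per host
            print(login, {h: p[:3] for h, p in per_host.items()})
    print("UID collisions:", uid_collisions(HOSTS))
    print("canonical jdoe:", rfc2307_attributes(people["jdoe"]["rhel-app01"]))
```

Run against real files by replacing the HOSTS strings with the contents of each server's /etc/passwd and /etc/group. Any UID reported by uid_collisions has to be renumbered on one side (with a chown pass over that host's file systems) before that UID can safely be resolved from a central directory, regardless of which product you choose.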
Testing the Products
Our test lab consisted of a simple network with
one Windows Server 2003 SP1 AD domain controller (DC) and a Linux PC. Each system ran in
a VMware virtual machine (VM) for easy duplication and rollback capability. Because Windows Server 2003 R2 introduced built-in schema support for UNIX user account attributes (the RFC 2307 attributes such as uidNumber, gidNumber, unixHomeDirectory, and loginShell), we specifically chose not to use this
newer version of Windows 2003—we don't
believe most shops have upgraded their DCs to
R2. Instead, we wanted to see how each vendor
dealt with the more common pre-R2 scenario.
If you do decide to upgrade the schema to
either R2 or one of the proprietary updates, be
sure you have a detailed plan in place first. In
the Web-exclusive article "Plan Your Dive, Dive
Your Plan" (InstantDoc ID 94735), you'll find a
tried-and-true method for ensuring that your
major upgrades don't go sideways.
Without exception, all three applications
performed well. Each let us quickly add the
necessary functionality to the DC, set up a
small client on the Linux PC, then log on to the
Windows domain from the Linux PC within a
few minutes. At that point, however, the similarities ended.
Quest Software Vintela Authentication Services
The VAS installation script runs through a
basic text-based wizard that takes only a few
minutes. The UNIX client ships as a Red Hat
Package Manager (RPM) package. In our
tests, the installation was quick and simple.
After the installation was complete, we performed a short configuration.
For the Windows installation, you get a
nice GUI that helps you find the setup wizards,
manuals, and other information. The Windows
installation is smooth and straightforward.
If you're not running a Windows 2003 R2
schema, you'll need to run the Schema Wizard
to extend AD to support UNIX account attributes. Don't take this important advice lightly.
Although we're sure that Quest did its due diligence when writing the scripts to extend AD,
you shouldn't attempt AD extension without
proper planning and a good recovery plan. It
would be better to upgrade to R2 and extend
the schema that way, if only because the R2
extensions were written by Microsoft. Given a
choice, we would rather support a "standard"
AD than one created by a third party.
In addition to the UNIX account attribute
extensions, Quest also extends the schema to support the Personality Management Schema
Extension. Again, it's probably perfectly safe to
use Quest's extensions, but if your organization
doesn't allow these kinds of core changes to
AD, you might want to look at solutions that
don't require the schema to be extended. On
a positive note, the changes that are necessary
appear to be pretty small. You can find further
information about these extensions in a PDF
file in the evaluation software.