Cross-Platform Identity Management Solutions for Single Sign-On - 30 Aug 2007
3 great products with different strengths, similar weaknesses
Heterogeneous authentication software solves many companies' basic need for single sign-on (SSO) functionality in all their IT systems. If your company is subject to regulations that require SSO—some companies, for example, have interpreted the Sarbanes-Oxley (SOX) Act as a requirement for this functionality—you'll want to learn the ins and outs of this software.
The three applications that we chose to evaluate in this comparative review are Quest Software Vintela Authentication Services (VAS), Centeris Likewise Identity, and Centrify DirectControl. Each of these programs lets a UNIX or Linux system (in this article, we'll use the term "UNIX" to mean any UNIX or Linux system) authenticate to Active Directory (AD). However, the applications have both subtle and major differences that you need to understand. Knowing about these differences will help you choose the perfect solution for your organization.
How Heterogeneous Authentication Software Works
You might be wondering how in the world a UNIX platform can authenticate to Windows, or where information would be stored in such a scenario. The answer to both questions is AD schema extensions. If you've worked with Microsoft Exchange Server, you're familiar with the concept of extensions: Microsoft's Exchange team added fields such as msExchHomeServer to AD to let you keep track of where your system stores email. AD can also be extended to store UNIX user account information. However, extending the schema isn't allowed in some environments and is done cautiously in others. After the schema has been extended, it can't be easily undone. If extending AD concerns you, pay attention to how each vendor does it, because each adds UNIX support in slightly different ways.
After extending AD to store UNIX user account information, the vendor must provide the means for the client to "understand" the new functionality. To that end, all three vendors offer a client piece that you install on each UNIX machine. The ease of client installation and the client's effect on the machine might be important to consider. For example, who will deploy the client onto the UNIX machine? If an administrator is installing it, then ease of installation isn't as important as it would be if users were installing it. Be aware of your internal requirements so that you won't be surprised later. Additionally, if you have an existing UNIX server infrastructure with multiple user IDs, be sure to take a close look at how each vendor supports it. Beyond the products' basic authentication pieces, other features set each vendor apart—for example, the ability to apply Group Policy Objects (GPOs) to your Linux and UNIX systems.
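Before choosing a product, it helps to know whether your schema already carries the UNIX account attributes that Windows Server 2003 R2 adds, because that decides whether a vendor's own Schema Wizard will have to touch AD. The following Python script is an added example for this article, not code from any of the three vendors: it parses an LDIF export of the schema partition and reports which of the RFC 2307 attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) are missing. The LDIF excerpt embedded in it is constructed; a real export would come from a tool such as ldifde run against CN=Schema,CN=Configuration, and the parser deliberately handles the folded-line and base64 value forms that appear in such exports.

```python
"""Report which RFC 2307 UNIX attributes an AD schema export is missing.

Added example for this review, not vendor code. The LDIF below is constructed;
a real export would come from ldifde against the schema partition.
"""
import base64

# RFC 2307 attribute names that the Windows Server 2003 R2 schema adds for UNIX
# accounts. Extend the tuple if a vendor's own extensions are to be checked too.
R2_UNIX_ATTRIBUTES = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell", "gecos")

# Constructed schema excerpt: four UNIX attributes present (one folded across
# two lines, one base64-encoded) plus one unrelated attribute. loginShell is absent.
SAMPLE_SCHEMA_LDIF = """\
# constructed sample, not a real export
dn: CN=uid-Number,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: uidNumber

dn: CN=gid-Number,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: gidNumber

dn: CN=unix-Home-Directory,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: unixHome
 Directory

dn: CN=gecos,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName:: Z2Vjb3M=

dn: CN=Sam-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
"""


def parse_ldif(text):
    """Split LDIF text into entries of the form {attribute_lowercase: [values]}.

    Handles folded continuation lines (leading space), '#' comments and
    base64 values written as 'attr:: <base64>'.
    """
    # Unfold first: a line starting with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:            # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                     # not an attribute line; ignore it
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def schema_attributes(ldif_text):
    """Lower-cased lDAPDisplayName values of every attributeSchema object in the export."""
    names = set()
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "attributeschema" in classes:
            names.update(n.lower() for n in entry.get("ldapdisplayname", []))
    return names


def missing_unix_attributes(ldif_text, required=R2_UNIX_ATTRIBUTES):
    """Required attributes absent from the schema, in the order given.

    An empty list means the R2 UNIX attributes are already present, so a
    product that relies on them needs no further extension for those fields.
    """
    present = schema_attributes(ldif_text)
    return [attr for attr in required if attr.lower() not in present]


if __name__ == "__main__":
    missing = missing_unix_attributes(SAMPLE_SCHEMA_LDIF)
    print("missing:", ", ".join(missing) if missing else "none")
```

Run against a real export, an empty result means the R2 attributes are in place and only a vendor's personality-management extensions, if any, would still require a schema change.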
UNIX Personality Management
When you're choosing a heterogeneous authentication solution, consider how the product manages multiple UNIX personalities. A UNIX personality is a user ID similar to a SID or globally unique identifier (GUID) in Windows. In Windows, we seldom consider our users' GUIDs unless we're performing a migration or consolidation. However, in UNIX, this information is located in text files, which are easily accessible. You need to understand how UNIX user IDs work, and you need to have a method for managing different UNIX personalities.
When you create a new user in UNIX, the system creates a unique numerical ID. However, different UNIX vendors use different starting numbers for the user IDs. Some systems start with 100, whereas others start with 500. A person's user ID could be 107 on one system and 517 on another system. This scenario is called "multiple UNIX personalities."
To make things a bit muddier, group IDs also differ among vendors. A user might belong to a group named DEV with a group ID of 37 on one system and a group ID of 104 on another system.
Imagine how complicated it would be to try to map one AD user account to these different user IDs and group IDs. UNIX personality management—a key feature of all three products in this review—takes this problem into account and lets AD authenticate multiple personalities.
Testing the Products
Our test lab consisted of a simple network with one Windows Server 2003 SP1 AD domain controller (DC) and a Linux PC. Each system ran in a VMware virtual machine (VM) for easy duplication and rollback capability. Because Windows 2003 R2 introduced UNIX user account support, we specifically chose not to use this newer version of Windows 2003—we don't believe most shops have upgraded their DCs to R2. Instead, we wanted to see how each vendor dealt with the more common pre-R2 scenario. If you do decide to upgrade the schema to either R2 or one of the proprietary updates, be sure you have a detailed plan in place first. In the Web-exclusive article "Plan Your Dive, Dive Your Plan" (InstantDoc ID 94735), you'll find a tried-and-true method for ensuring that your major upgrades don't go sideways.
Without exception, all three applications performed well. Each let us quickly add the necessary functionality to the DC, set up a small client on the Linux PC, then log on to the Windows domain from the Linux PC within a few minutes. At that point, however, the similarities ended.
Quest Software Vintela Authentication Services
The VAS installation script runs through a basic text-based wizard that takes only a few minutes. The UNIX client is delivered as a Red Hat Package Manager (RPM) package. In our tests, the installation was quick and simple. After the installation was complete, we performed a short configuration.
For the Windows installation, you get a nice GUI that helps you find the setup wizards, manuals, and other information. The Windows installation is smooth and straightforward. If you're not running a Windows 2003 R2 schema, you'll need to run the Schema Wizard to extend AD to support UNIX account attributes. Don't take this important advice lightly. Although we're sure that Quest did its due diligence when writing the scripts to extend AD, you shouldn't attempt AD extension without proper planning and a good recovery plan. It would be better to upgrade to R2 and extend the schema that way, if only because the R2 extensions were written by Microsoft. Given a choice, we would rather support a "standard" AD than one created by a third party.
In addition to the UNIX account attribute extensions, Quest also extends the schema to support the Personality Management Schema Extension. Again, it's probably perfectly safe to use Quest's extensions, but if your organization doesn't allow these kinds of core changes to AD, you might want to look at solutions that don't require the schema to be extended. On a positive note, the changes that are necessary appear to be pretty small. You can find further information about these extensions in a PDF file in the evaluation software.
Adding UNIX personalities isn't an intuitive process. When we tried to create a UNIX personality, we kept getting the error "There are no personality containers defined. Create a personality container, then retry the operation." We had trouble determining how to create a personality container. Eventually, we solved the problem: You can't create a UNIX personality container in an AD container—for example, the default Users container (CN=Users). Instead, you must create it in an organizational unit (OU). Figure 1 shows the dialog box you use.
VAS also supports extending AD's Group Policy to push down policies to UNIX clients. The default settings that you can change are scripts, cron, files, login prompt, message of the day, sudo, symbolic links, and syslog—a pretty good start right out of the box. If you need to push down a policy to your UNIX clients, and that policy isn't included by default, you can write your own. A detailed section of the documentation explains how to write and apply your own policies.
VAS supports many UNIX clients, including Red Hat Linux, SuSE Linux, Tru64, and VMware ESX Server. The full list of supported clients can be found at http://www.quest.com/vintela-authentication-services.
Summary: Quest Software Vintela Authentication Services
PROS: When adding new UNIX machines to AD, VAS lets you choose a CN or OU other than the default "Computers"; logging on doesn't require the user to use "Domain\Username"; integrates with Vintela Group Policy (Group Policy for UNIX)
CONS: Creating a personality container for multiple personalities isn't intuitive; requires AD schema extensions if not running Windows Server 2003 R2
RATING: 4 out of 5
PRICE: $325/UNIX server, $45/UNIX workstation
RECOMMENDATION: If you need strong Group Policy support for your UNIX machines, we recommend Quest Software Vintela Authentication Services.
CONTACT: Quest Software • http://www.quest.com/unix-linux • 800-306-9329
Centeris Likewise Identity
The GUI-driven Likewise Identity UNIX installation worked flawlessly in our tests. After the installation was complete, the software prompted us to choose either GUI or command-line based client setup. We chose the GUI option and were surprised how similar the process and interface looked to a Windows machine.
The installation of Likewise Identity on the Windows side took a bit longer because the installation routine had to download Microsoft.NET Framework 2.0 and Microsoft Management Console (MMC) 3.0. We don't consider this delay a major concern, but you should be aware of it, especially if your network doesn't have an Internet connection. After the system took care of its prerequisites, the installation went very smoothly.
As we discussed at the beginning of this article, AD schema changes shouldn't be taken lightly. Unlike VAS, Likewise Identity permitted an installation without extending the schema. The lack of a requirement to extend the schema sets this Centeris product apart from its competitors. Whereas the other two applications can use the default R2 UNIX account schema extensions instead of adding their own, Likewise Identity adds this functionality without requiring any R2 or third-party schema updates. It does this by stacking, or putting the data into unused portions of AD. The downside to not updating the AD schema is that, as you add UNIX-enabled users to AD, performance could take a hit. We were unable to test large numbers of UNIX computers and users in our test lab to compare performance between extended and non-extended environments, so we can't tell you where this performance cut-off is. If you have many UNIX-enabled users, you should consider adding the default R2 schema extensions to take advantage of the indexing they offer. Either way, this product gives you a lot of flexibility in implementation.
The Likewise Identity Console has a decent set of features, including a report tool and a UNIX Identity Migration Tool. This migration tool helps you migrate existing UNIX accounts, password files, and group files into AD. It can also create a script to reset the ownership of files on the UNIX system if they're affected by the migration. Figure 2 shows the dialog box for joining the AD domain.
To enable support for multiple user and group IDs, we had to create a separate OU and enable what Centeris calls cells on the OU. This process wasn't at all intuitive, so we had to dig out the Likewise-Identity-Administrators-Guide.pdf in the documentation. In the end, the functionality is similar to the way that the other vendors support multiple UNIX personalities.
Likewise Identity also provides Centeris Group Policies, but these policies are limited in what they push to the UNIX clients. Out of the box, these policies can change the sudo file, change Automount files, set cron jobs, and run login scripts.
We discovered by accident that with Likewise Identity, the UNIX client boots cleanly when the Windows 2003 AD DC is down. Obviously, you can't log on to the domain if the DC is down, but if it is, UNIX machines with the Centeris client don't have any problems booting up. The other two clients appeared to slow down slightly while they looked for the DC during boot-up (but they did eventually come up without any problems).
Likewise Identity supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and Ubuntu. For a full list of supported UNIX clients, see http://www.centeris.com/products/likewise_identity/supported_platforms.php.
Summary: Centeris Likewise Identity
PROS: Familiar GUI for the UNIX install routine; doesn't require AD schema extensions; reporting and migration tools included
CONS: Setting up a cell for multiple personalities wasn't intuitive
RATING: 4 out of 5
PRICE: $249/UNIX server, $49/UNIX workstation; charged per agent installed; can run as many versions of the console on as many desktops as you want
RECOMMENDATION: If you need UNIX authentication in AD and don't want to extend the AD schema, we recommend Centeris Likewise Identity.
CONTACT: Centeris • http://www.centeris.com/products
Centrify DirectControl
Of the three products, the DirectControl text-based UNIX installation was the simplest. It asked a few simple questions and was installed in minutes. And as with the other two applications, the Windows installation of DirectControl went smoothly.
After the installation is complete, you can either start with the MMC AD Users and Computers snap-in to configure DirectControl or go straight to the Centrify DirectControl snap-in. Unlike the other two products, the Centrify product walks you through a comprehensive wizard to set up UNIX personality management in what DirectControl calls zones. Figure 3 shows the Create New Zone wizard. Of the three products, DirectControl is by far the most complex when it comes to setting up and using UNIX personality management, but it's also the most robust.
According to Centrify, zones are similar to AD domains and organize the different flavors of UNIX in your environment. For example, you could group all your Red Hat machines in one zone and your Solaris machines in another zone, then assign the separate zones different login shells or assign the zones to different groups.
DirectControl offers Group Policy support that's similar to that of VAS. Enabling this support in our tests was as simple as adding the centrifydc.adm template to a new GPO. We were surprised by just how many options you can configure, including password policies and UNIX login settings.
An interesting feature is Personality Account Management (PAM) Conflict Resolution. With the many user IDs, GUIDs, and accounts floating around in a large organization, there's bound to be a conflict or two. What should the system do if it discovers a conflict? You can choose Ignore (i.e., do nothing), Warn (i.e., warn the user of the conflict after logon), or Error (i.e., don't let the user log on). You control all these options, including the text of the error message that the user will see, via Group Policy.
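The "multiple UNIX personalities" problem described earlier (the same person holding UID 107 on one host and 517 on another) and the conflict behaviour just described are easy to make concrete with a small audit over the hosts' passwd files. The following Python script is an added example for this article, not code from Centrify or the other vendors: it parses constructed /etc/passwd excerpts from two hosts, lists which users have more than one personality, finds UIDs that belong to different people on different hosts (a conflict if both hosts land in one zone), and applies an Ignore/Warn/Error style policy to the result. The host names, account data and the policy names are assumptions for the example.

```python
"""Audit UNIX account snapshots for multiple personalities and UID collisions.

Added example for this review, not code from any of the three products. The
passwd excerpts are constructed; on a real network you would collect them
from each host before mapping accounts into AD.
"""
from collections import defaultdict

# Constructed /etc/passwd excerpts: a Red Hat style host that numbers users
# from 500 and a Solaris style host that numbers them from 100. alice exists
# on both with different IDs (two personalities); UID 501 belongs to
# different people on the two hosts (a collision if both land in one zone).
PASSWD_SNAPSHOTS = {
    "rhel-web01": """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:502:37:Carol:/home/carol:/bin/bash
""",
    "solaris-db01": """\
root:x:0:0:Super-User:/:/sbin/sh
alice:x:107:104:Alice:/export/home/alice:/bin/ksh
dave:x:501:104:Dave:/export/home/dave:/bin/ksh
broken line without enough fields
""",
}

POLICIES = ("ignore", "warn", "error")   # the three conflict behaviours in the text


def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def personalities(snapshots):
    """Map each username to {host: (uid, gid)}; each host entry is one personality."""
    table = defaultdict(dict)
    for host, text in snapshots.items():
        for name, ids in parse_passwd(text).items():
            table[name][host] = ids
    return dict(table)


def multiple_personalities(snapshots):
    """Usernames whose (uid, gid) differs from host to host and so need per-host mappings."""
    return {name: hosts for name, hosts in personalities(snapshots).items()
            if len(set(hosts.values())) > 1}


def uid_collisions(snapshots):
    """UIDs that belong to different usernames on different hosts: {uid: [names]}."""
    owners = defaultdict(set)
    for text in snapshots.values():
        for name, (uid, _gid) in parse_passwd(text).items():
            owners[uid].add(name)
    return {uid: sorted(names) for uid, names in owners.items() if len(names) > 1}


def resolve(collisions, policy):
    """Apply an Ignore / Warn / Error style policy to detected collisions.

    Returns (logon_allowed, messages): ignore allows silently, warn allows but
    reports the conflicts, error blocks logon for the affected accounts.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}; expected one of {POLICIES}")
    if not collisions or policy == "ignore":
        return True, []
    messages = [f"UID {uid} is claimed by {', '.join(names)}"
                for uid, names in sorted(collisions.items())]
    return policy == "warn", messages


if __name__ == "__main__":
    for name, hosts in multiple_personalities(PASSWD_SNAPSHOTS).items():
        print(f"{name}: {hosts}")
    allowed, notes = resolve(uid_collisions(PASSWD_SNAPSHOTS), "warn")
    print("logon allowed:", allowed, *notes, sep="\n")
```

Running this before a migration tells you how many personalities you have to map and which UIDs must be split into separate zones or cells; the same collision list is what a Warn or Error policy would report to users after rollout.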
DirectControl supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and VMware ESX Server. To see a full list of supported UNIX clients, visit http://www.centrify.com/directcontrol.
Summary: Centrify DirectControl
PROS: Doesn't require the user to use "Domain\Username" when logging on; detailed documentation explains how to authenticate multiple platforms and databases; software development kit (SDK) available to extend the default functionality; reporting capability; robust UNIX personality management
CONS: Requires AD schema extensions if not running Windows 2003 R2
RATING: 5 out of 5
PRICE: Starts at $800 for three nodes
RECOMMENDATION: If you want a seasoned contender with strong UNIX personality management and robust migration management, Centrify DirectControl gets our highest recommendation.
CONTACT: Centrify • http://www.centrify.com
Editors' Choice
All three products performed admirably in our tests and can accomplish what they advertise. Centeris Likewise Identity receives kudos for finding a way to let UNIX-based machines authenticate to AD without altering the AD schema. If you have many users, this shortcut can come at a price with reduced performance, but it's nice to have the option. For Group Policy functionality, Centrify DirectControl impressed us. We really liked the way that DirectControl uses ADM templates instead of adding additional bloat to AD Users and Computers. Quest Software Vintela Authentication Services stood out with such smart features as letting you choose which OU a new PC would be added to, and it doesn't make the user preface a logon name with the domain name.
What didn't we like? For all three products, adding or enabling UNIX personality management wasn't as easy as we thought it could be. In many cases, the vendors should just make the pop-up error messages more informative—rather than just telling the user to create a cell or a zone, let the user know where the tool is to accomplish the task.
Although all three products are first rate, Centrify DirectControl wins the Editors' Choice award, as it is the most robust product of all three. You can't go wrong if you choose Centrify.