I just finished evaluating an excellent piece of software for Windows / Linux hybrid shops: Centrify Corporation’s DirectControl Suite. This is a fantastically well executed integration suite which allows administrators to bring their GNU/Linux and Unix boxes into the Windows ActiveDirectory domain. This brings centralized control of UID/GID (like NIS), the mutual authentication of Kerberos, and centralized Group Policy control to Linux/Unix.
First off, I’d like to mention that the software installs first on a Windows “console” system. That install has the option of extending the schema, but it is not required (the extensions allows administrators to use the Centrify Profile tab for users and computers without installing the Centrify Console locally). All required pieces work with the standard out-of-the-box Windows 2003 AD schema. Although the view extensions are well worth it, if you can get them approved by your AD administrative team.
I installed this on a Debian Etch system and a Red Hat Enterprise Linux 4 box. They ship RPM and DEB installers, so installation is a snap, and shows up in your package manager. Restarting the systems was not required, but a few systems may not pick up the new PAM settings without at least a reload (OpenSSH did fine).
One of the best parts of this software, however, is in their updated version of OpenSSH to support Windows Kerberos tickets for authentication of users. Single-signon to any Linux box from Linux or Windows (customized Putty for the same reason) without having to copy RSA keys across your network every time you build a box. Now my Oracle admins can log into the 10g databases seamlessly (yes, they support Oracle authenticating through AD as well).
Of course, no solution that integrates into AD would be complete without support for Group Policy. As a huge user of Group Policy (I have 8 GPOs on my home domain), this is key for me. The thing that makes it so spectacular, is that they just install new ADM files to your console system. That’s it – no new trees needed, just new ADM files with settings specific to Linux like “SuDoers entries” and “SSH settings”. Just like GPO on Windows, they’re applied every 90+-30 minutes, and when you remove the system from the policy, the settings get pulled. For the Sudoers settings, they are appended to the end of the existing file. Also, many of your security settings for Windows boxes are read directly by the Centrify systems as well, including password expiration notices, lockout policy handling, etc.
There are so many other little features that show how well thought-out the system is. The client can be configured to cache logons similar to Windows, so you can control your Linux laptops, and still enable the users to log in when they’re on the road. There are several scripts and other tools to help “suck” the users out of /etc/passwd and NIS into AD, to help keep your UIDs in check if you’re installing the client into existing servers.
And that’s just the operating system. JBoss, WebSphere, Apache and other applications and middleware can be AD-enabled, and anything that uses PAM is automatically AD-enabled, giving you the ability to set up true single sign-on everywhere in your network, if you so choose.
Needless to say, we purchased it, and I’ll be integrating this into all my deployments from this point forward.
