
Unix Account Management

Likewise Enterprise Centrally Manages Unix Accounts in Active Directory

This page describes how Likewise Enterprise solves several problems that have traditionally complicated Unix account management. Likewise Enterprise connects Unix systems to Microsoft Active Directory to centrally manage Unix accounts, strengthen network security with Kerberized authentication and role-based access control, and significantly lower the operational costs of managing Unix accounts ad hoc.

Unix provides a variety of mechanisms for authentication (verifying that users are who they say they are) and authorization (determining which operations a user is permitted to perform). Most versions of Sun Solaris, IBM AIX, and HP-UX support PAM and the name service switch (nsswitch), which allow accounts to come from local files, the Network Information Service (NIS), or LDAP directory services. This built-in flexibility, however, often results in the following problems with managing Unix accounts:

  • Ad hoc management of local password files and the security problems that result
  • Synchronization issues
  • NIS and NIS+ security vulnerabilities
  • LDAP directory services that lack support for multiple platforms

This page addresses each of these problems in turn and describes how Likewise Enterprise can help.

Local Password Files

Given the flexible infrastructure of Unix systems, it is surprising to find that a large number of Unix systems use only the most rudimentary authentication and authorization mechanism: local password files. With this mechanism, each Unix computer stores its user accounts in a local file (usually /etc/passwd, with the password hashes kept in /etc/shadow on most current systems). A second file (usually /etc/group) records group membership.

The weakness of this approach is evident. If you have 100 computers, you must maintain 200 files. If a new user is added to your organization and needs access to all 100 machines, you have to add him or her to 100 passwd files and as many as 100 group files. If that user changes his or her password, the password change has to be performed on all 100 machines. As a result, one or more of the following solutions -- with their inherent security problems -- often take root in organizations that use only local password files:

  • Administrators employ scripts or other automated techniques to try to keep password files synchronized.
  • Administrators give up maintaining synchronized password files and leave it up to users to maintain their passwords on all the systems to which they have access.
  • When users have different accounts and different passwords on different systems, they end up writing their passwords down because they cannot remember all of them.

Relying on Root User Accounts

In some organizations, administrators give up trying to maintain multiple local password and group files and simply have everyone log on with a shared service account. Too often, that account is root, a practice that runs counter to commonly accepted regulatory and security standards.

Sharing the root superuser account across the organization has obvious drawbacks:

  • Everyone comes to know the root password.
  • Whenever you change the root password, you have to inform everyone of the new password.
  • When something goes wrong, it is impossible to determine who was responsible, because the audit trail shows only that the root account did it.

Synchronization

Unix systems that rely on local password files for authentication and authorization are well advised to employ some mechanism for keeping those files synchronized. This can be done with tools such as scp or rsync, or with expensive directory-synchronization products.

Synchronization itself, however, can introduce security flaws:

  • The synchronization process may need a stored password or key to connect to the systems it updates, and that credential grants write access to every target's account database.
  • The synchronization process may need to store cleartext passwords rather than password hashes (especially if different systems use different hashing algorithms), and that password store may itself be attacked.
  • Systems that are temporarily offline (for example, servers under repair or laptop computers) might be skipped by the synchronization process and continue to accept passwords that have since been changed or compromised.

NIS and NIS+

A step up from using local password files, NIS and NIS+ provide a way of sharing a password file. Rather than having separate password files on Unix computers, NIS lets you maintain a single password file on a NIS server and set up other computers as NIS clients to retrieve the data from the NIS server. The benefit of this approach is that since the NIS clients can access the file over the network when they need account information, you need to maintain only a single password file.

Here is the fundamental problem with NIS: it is not a secure authentication mechanism. The passwd map it distributes carries traditional crypt(3) DES password hashes, which are inadequate by modern standards: the algorithm truncates passwords to eight characters and is fast enough that an attacker can test candidate passwords offline at a very high rate.

Additionally, because every NIS client can read the shared map (traditionally, any host that knows the NIS domain name can bind to the server and request it), a rogue NIS client can download the map and use brute-force techniques to crack the password hashes offline. Companies running NIS typically do not pass regulatory compliance audits.
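The following added example (not from Likewise or from this page) shows the audit a practitioner would run on what a NIS client can retrieve: it classifies the password field of each entry in a constructed passwd map of the kind `ypcat passwd` returns, so you can count the accounts whose traditional DES hashes are exposed to offline brute force and find any that need no password at all. The accounts and hash strings are made up; the hash-prefix conventions ($1$, $5$, $6$, $y$, $2b$) are the standard crypt(3) ones.

```python
import re
from collections import Counter

# Constructed sample of what a NIS client gets back from `ypcat passwd` when
# the server publishes hashes in the map (made-up accounts and hash values).
SAMPLE_MAP = """\
alice:AbJnggxhB/yWI:1001:1001:Alice Example:/home/alice:/bin/sh
bob:$6$yR4k0q3w$Qf7cSgNzYd2vJm8XkP0hL5tW1eR9uB3aK6oC4iZ7nH2sV5xM8jG1dF0lT3yE6wA9rU2pN4bD7qS0vL5kX8mC1aJ:1002:1002:Bob Example:/home/bob:/bin/bash
carol:$1$8kQ2m4Zs$7n1x9vFbP3yL6tR0wK5aJ.:1003:1003:Carol Example:/home/carol:/bin/ksh
dave:x:1004:1004:Dave Example:/home/dave:/bin/bash
guest::1005:1005:Guest account:/tmp:/bin/sh
svc-backup:*:1006:1006:Backup service:/var/empty:/sbin/nologin
"""

# Identifiers of the modular "$id$salt$hash" crypt(3) formats.
MODULAR = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

# What a client holding the map can do with each scheme.
RISK = {
    "empty":       "critical: no password needed to log in",
    "descrypt":    "high: traditional DES, 8-character limit, fast offline brute force",
    "md5crypt":    "medium: fixed 1000-round MD5, crackable offline with modest effort",
    "sha256crypt": "low: slow salted hash, but still exposed to offline guessing",
    "sha512crypt": "low: slow salted hash, but still exposed to offline guessing",
    "yescrypt":    "low: memory-hard hash, but still exposed to offline guessing",
    "bcrypt":      "low: slow salted hash, but still exposed to offline guessing",
    "shadowed":    "ok: hash not published in this map",
    "locked":      "ok: password login disabled",
    "unknown":     "review: unrecognized password field",
}


def classify_hash(field):
    """Name the scheme used in a passwd/shadow password field."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field[0] in "*!":
        return "locked"
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return MODULAR.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"   # 2-character salt followed by 11 characters of hash
    return "unknown"


def audit_passwd_map(text):
    """Classify every entry of a passwd map; returns one dict per account."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme = classify_hash(fields[1])
        rows.append({"user": fields[0], "scheme": scheme, "risk": RISK[scheme]})
    return rows


def summary(text):
    """Count accounts per hash scheme, for a quick view of the exposure."""
    return Counter(row["scheme"] for row in audit_passwd_map(text))


if __name__ == "__main__":
    for row in audit_passwd_map(SAMPLE_MAP):
        print(f"{row['user']:<12}{row['scheme']:<12}{row['risk']}")
    print(dict(summary(SAMPLE_MAP)))
```

On a real NIS domain, feed the output of `ypcat passwd` (and `ypcat passwd.adjunct` or `shadow`, where the server serves them) to `audit_passwd_map`; every entry that comes back as `descrypt` or `empty` is an account any host on the network can take over with no more than the NIS domain name and some CPU time.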

NIS+ addresses some of the security weaknesses of NIS but has seen very little adoption. Early versions were plagued with problems and were unavailable on many platforms, and NIS+ servers are difficult to configure and manage; even Sun, which created the protocol, has recommended LDAP-based directories, such as Active Directory (AD), over NIS+.

LDAP Directory Services

Directory services are, essentially, databases designed for efficient access to directory information. They are frequently combined with security protocols (for example, Kerberos) to serve as authentication and authorization systems, and they provide functionality that makes them the preferred solution for this purpose:

  • Automatic replication to multiple servers, which provides redundancy, performance, and high availability
  • Extensible schemas for flexibility in storing data
  • Standardized protocols such as LDAP v3 and Kerberos 5 that can be used by a variety of operating systems

In spite of these standard features, not all LDAP-based solutions are created equal. Most vendor-specific LDAP directories do not work well with Windows, leading to additional complexity in managing multiple identity stores and directories.

Active Directory LDAP

Likewise Enterprise minimizes the complexity often inherent in LDAP while providing a multi-platform LDAP system by leveraging a directory service that many enterprises already have in place: Microsoft Active Directory. Likewise integrates Unix account management with Active Directory's LDAP service either by taking advantage of its Unix-specific RFC 2307 object classes and attributes (such as uidNumber, gidNumber, unixHomeDirectory, and loginShell) to store Unix account information or by using existing object classes and attributes to hold Unix account data. In a nutshell, Likewise Enterprise eases Active Directory LDAP integration for Unix by connecting more than 120 different platforms to Active Directory and providing methods for performing Unix account management with Active Directory's LDAP directory service.
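To make the RFC 2307 mapping concrete, here is an added example (my own code, not Likewise's implementation) that reads AD user entries in LDIF form, renders each Unix-enabled user as the passwd(5) line a client's name service switch would produce, and runs the two checks worth doing before trusting the directory as your passwd database: users that are not Unix-enabled, and uidNumber values shared by more than one account, which nothing in the AD schema prevents. The attribute names uidNumber, gidNumber, unixHomeDirectory, loginShell, and gecos are the real ones the RFC 2307 extension adds to AD user objects (AD uses unixHomeDirectory because homeDirectory was already taken by the Windows home folder); the LDIF data is constructed, and the choice of the lower-cased sAMAccountName as the login name is an assumption made for this example.

```python
import base64
from collections import defaultdict

# Constructed LDIF shaped like an ldapsearch result for AD user objects that
# carry the RFC 2307 posixAccount attributes. The names and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
objectClass: user
objectClass: posixAccount
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example
homeDirectory: \\\\fs01\\users\\alice

dn: CN=Bob Example,OU=Staff,DC=corp,DC=example
objectClass: user
objectClass: posixAccount
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/bob
loginShell: /bin/sh

dn: CN=Carol Example,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: carol
displayName: Carol Example
homeDirectory: \\\\fs01\\users\\carol
"""

# RFC 2307 attributes an AD user must carry to be usable as a Unix account.
# Note unixHomeDirectory: AD already used homeDirectory for the Windows home
# folder, so the RFC 2307 attribute got a different name in the AD schema.
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries, folded lines and
    base64 (::) values. Returns a list of {attribute: [values]} dicts."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]          # folded continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last = attr
    if current:
        entries.append(current)
    return entries


def to_passwd_line(entry):
    """Render one AD user as a passwd(5) line, or None if it is not
    Unix-enabled (any RFC 2307 attribute missing)."""
    if any(attr not in entry for attr in REQUIRED):
        return None
    # Assumption for this example: the Unix login name is the lower-cased
    # sAMAccountName. A product may instead use the RFC 2307 uid attribute.
    name = entry["sAMAccountName"][0].lower()
    gecos = (entry.get("gecos") or entry.get("displayName") or [""])[0]
    return ":".join([name, "x", entry["uidNumber"][0], entry["gidNumber"][0],
                     gecos, entry["unixHomeDirectory"][0], entry["loginShell"][0]])


def build_passwd(entries):
    """Return (passwd_lines, problems) for a list of parsed AD entries."""
    lines, problems = [], []
    owners = defaultdict(list)                     # uidNumber -> account names
    for entry in entries:
        name = entry.get("sAMAccountName", ["?"])[0]
        line = to_passwd_line(entry)
        if line is None:
            missing = [a for a in REQUIRED if a not in entry]
            problems.append(f"{name}: not Unix-enabled, missing {', '.join(missing)}")
            continue
        lines.append(line)
        owners[entry["uidNumber"][0]].append(name)
    for uid, names in owners.items():
        if len(names) > 1:
            problems.append(f"uidNumber {uid} shared by {', '.join(names)}: "
                            "the kernel cannot tell these accounts apart")
        if uid == "0":
            problems.append(f"uidNumber 0 on {names[0]}: directory account mapped to root")
    return lines, problems


if __name__ == "__main__":
    passwd_lines, issues = build_passwd(parse_ldif(SAMPLE_LDIF))
    print("\n".join(passwd_lines))
    for issue in issues:
        print("PROBLEM:", issue)
```

On a joined client, compare the rendered line with what the name service switch actually returns (`getent passwd alice`); a mismatch usually means the product is sourcing a field from a different attribute than you expected. The duplicate-uidNumber check matters because file ownership and process credentials are keyed on the number, not the name: two directory accounts with the same uidNumber are one Unix identity, which defeats the accountability the move away from shared root accounts was meant to restore.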

Solving Unix Account Management Problems

Likewise Enterprise solves nearly all the problems traditionally associated with Unix account management by connecting Unix computers with Active Directory, a secure, scalable, stable, and proven identity management system that includes a built-in Kerberos key distribution center (KDC) for authentication and an LDAP directory for Unix account management and access control.

Likewise eliminates the ad hoc management of local password files, and the security problems that result, because Unix users and groups are managed in Active Directory in the same way as Windows users. In addition, users get one password and one ID: each user can use his or her AD credentials to log on to both Windows and Unix machines. Meanwhile, users in Active Directory can be placed in groups, such as enterprise system administrators, that end the reliance on shared root accounts.

Synchronization issues evaporate because Active Directory replicates account data, including password changes, among its domain controllers automatically. For Unix computers that lose connectivity to the network, Likewise caches credentials so that users who have already authenticated can continue to log on.

NIS and NIS+ security vulnerabilities are eliminated because Likewise uses the Kerberos authentication protocol, which lets users prove their identity over a non-secure network without sending their password across it.

Without the complexity of configuring a custom LDAP system to support multiple platforms, Likewise Enterprise seamlessly extends Active Directory's LDAP directory service to more than 120 Unix, Linux, and Mac OS X platforms, including the following:

  • Sun Solaris
  • IBM AIX
  • HP-UX
  • Oracle Enterprise Linux
  • Scientific Linux
  • Mac OS X
