This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
Price: $290 per Unix/Linux server, $45 per workstation
Centralized directory services such as Active Directory are key to identity management initiatives, but one of the stumbling points has been integrating non-Microsoft platforms into the authentication infrastructure. Symark PowerADvantage eases integration of Unix/Linux and AD authentication.
All major enterprise Unix and Linux platforms are supported. Other Linux platforms such as Fedora are likely to work, provided they have relatively modern Kerberos and LDAP implementations.
Installation is a breeze: a straightforward MSI install on Windows and a tarball under Unix, which includes a text-based install script that walks you through the setup.
Normally, setting up Kerberos/LDAP on Unix hosts can be tricky, since each platform implements the protocols slightly differently, with different flavors and locations of configuration files. Symark addresses this by abstracting the Kerberos/LDAP implementation quirks of the many Unix variants, easing the headaches of configuring the protocols on a given platform.
Our testing focused on managing from AD. PowerADvantage uses the concept of contexts to manage Unix hosts with the same login configurations (username, primary group, home directory and shell). Contexts are mainly used to compartmentalize unique user and group attributes.
Once the contexts are created, admins can add users and groups from AD to the Unix hosts and use them to secure file system data as if they were local user accounts. PowerADvantage gives you the ability to map existing user/group IDs to AD accounts and import existing local Unix accounts to AD.
There are some rough spots, mainly around integrating smoothly with the Active Directory MMC console. For example, we found ourselves jumping back and forth between Symark's management console and the Active Directory Users and Computers MMC.
Unix GPO support is limited to managing various PowerADvantage settings on the hosts that will be authenticating against AD. A successful large-scale integration depends on other related components functioning properly (e.g., Kerberos auth will fail if KDC DNS entries are incorrect or if system time skew is too great), so it would be great to be able to centrally manage DNS and NTP settings on the Unix hosts.
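The two failure modes named above (no usable KDC SRV records in DNS, and clock skew beyond what the KDC tolerates) are exactly what a pre-flight check on each Unix host should catch before the host is joined. The script below is an added example, not part of PowerADvantage or of the original review: it assumes the MIT Kerberos default clock-skew tolerance of 300 seconds and the `_kerberos._tcp` SRV record layout that Active Directory publishes for its domain controllers, and it runs against constructed sample data so it can be tested offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Unix host about to authenticate
# against AD via Kerberos. Not PowerADvantage code. Assumes the MIT Kerberos
# default 'clockskew' of 300 seconds and AD-style _kerberos._tcp SRV records.

MAX_SKEW=300   # seconds; MIT Kerberos default clock-skew tolerance (assumption)

# Constructed sample of `dig +short SRV _kerberos._tcp.example.com` output
# for a healthy zone (fields: priority weight port target).
SAMPLE_SRV_OK='0 100 88 dc1.example.com.
0 100 88 dc2.example.com.'

# Constructed sample of a broken zone: no SRV records returned at all.
SAMPLE_SRV_MISSING=''

# kdc_targets: read `dig +short SRV` output on stdin, print one KDC host per
# line (trailing dot removed). Lines that are not 4-field SRV data are ignored.
kdc_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 }'
}

# count_kdcs SRV_OUTPUT: number of KDCs advertised. Zero means kinit cannot
# locate a KDC, so every AD login on this host will fail.
count_kdcs() {
    printf '%s\n' "$1" | kdc_targets | wc -l | tr -d ' '
}

# skew_ok LOCAL_EPOCH REFERENCE_EPOCH: succeed when the absolute difference
# is within MAX_SKEW, the window in which the KDC still accepts the request.
skew_ok() {
    delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then
        delta=$(( 0 - delta ))
    fi
    [ "$delta" -le "$MAX_SKEW" ]
}

# live_srv DOMAIN: fetch the real SRV records (assumes `dig` is installed).
live_srv() {
    dig +short SRV "_kerberos._tcp.$1"
}

# preflight SRV_OUTPUT LOCAL_EPOCH REFERENCE_EPOCH: print one verdict line per
# check and return the number of failed checks (0 = safe to join).
preflight() {
    failures=0
    n=$(count_kdcs "$1")
    if [ "$n" -gt 0 ]; then
        echo "ok   : $n KDC(s) advertised in DNS"
    else
        echo "FAIL : no _kerberos._tcp SRV records; check the DNS zone and resolver"
        failures=$(( failures + 1 ))
    fi
    if skew_ok "$2" "$3"; then
        echo "ok   : clock within ${MAX_SKEW}s of the reference time"
    else
        echo "FAIL : clock skew exceeds ${MAX_SKEW}s; fix NTP before joining"
        failures=$(( failures + 1 ))
    fi
    return "$failures"
}

# Stand-alone demo on the constructed samples: the first host passes, the
# second fails both checks.
preflight "$SAMPLE_SRV_OK" 1700000000 1700000120 || true
preflight "$SAMPLE_SRV_MISSING" 1700000000 1700000500 || true
```

On a real host, feed `preflight` the output of `live_srv your.domain`, `date +%s` for the local clock, and a reference epoch obtained from whatever NTP query tool the platform ships; a non-zero return code is the signal to fix DNS or NTP before running the join, which is the failure the review notes cannot be managed centrally through the product's GPO support.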
PowerADvantage provides basic reporting that can keep the administrator informed on day-to-day activity.
Testing methodology: We installed the PowerADvantage Windows components on a Windows 2003 SP2 domain controller running in Windows 2003 Native Mode, and agents on Unix clients.
This was first published in November 2008