Price: Starts at $50 per workstation and $300 per server
Microsoft Active Directory (AD) has always been able to provide cross-platform authentication services to Unix and Linux hosts via its Kerberos/LDAP implementation, but does not extend its rich Group Policy Objects (GPO) management capabilities to non-Microsoft platforms. Now, Centrify's DirectControl suite puts Unix/Linux platforms under the GPO umbrella and allows *nix hosts to authenticate against AD, so enterprises of all sizes can leverage it to provide a true single sign-on (SSO) environment.
Policy Control: B+
The management console allows you to create one or more zones, which experienced Unix managers will find conceptually similar to NIS domains. You can, in fact, import and manage existing NIS maps, as well as local /etc/passwd and /etc/group files. You then assign specific users and groups to the appropriate zones and set their basic profile information (default shell, UID/GID, etc.). AD's native delegation capabilities can be used to ensure that only authorized accounts can manage the Centrify container.
Microsoft's Group Policy Management Console allows you to define a variety of settings, ranging from changing the login message to modifying PAM settings and Kerberos/LDAP integration.
However, there are relatively few managed settings, and they are somewhat generic, such as setting the /etc/issue message that users see when logging on via SSH or Telnet. DirectControl does provide a mechanism for creating custom group policies and then mapping them to scripts on the *nix hosts, but it would be handy to have common settings, such as managing domain name resolution through resolv.conf, available out of the box.
Installation via the setup wizard is a breeze. On the server, you simply create a new container and management extensions within AD. The client installation consists of standard gzipped .tar files containing a nifty install shell script and the appropriate installation binaries. The install script does a great job of prompting the user for the necessary information (domain name, etc.), which it uses to configure Kerberos, LDAP, PAM and application server (Apache, Tomcat, JBoss, WebLogic, etc.) authentication. Platform support is excellent: AIX, Solaris, HP-UX, Red Hat, Debian, SUSE, Mac OS X and VMware ESX.
Centrify has done an admirable job of getting AD-based SSO to work on a variety of platforms, extending the GPO paradigm to the most popular *nix platforms. Although an experienced Unix admin can reproduce a large amount of DirectControl's functionality through some fancy scripting, the depth of Kerberos, LDAP and programming knowledge required to do so may make this impractical.
DirectControl's reporting capabilities are pretty rudimentary, more or less limited to showing which resources belong to which zones. This can be useful for inventory purposes, but falls short of the reporting requirements for today's enterprise. For example, we would like to see more detailed information on what AD accounts have attempted to access given *nix resources, along with success/failure and timestamps. Additionally, it would be very useful to have reports showing a complete configuration map of a given host for system documentation and auditing.
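The per-account access report the review asks for can be approximated from the joined hosts' own sshd auth logs, since that is where Kerberos (gssapi-with-mic) and PAM password logins are recorded. The script below is an added example, not DirectControl's or Centrify's code: it parses constructed sshd log lines (made-up host names, users and addresses, in the format OpenSSH writes to syslog) and tallies successes and failures with first/last timestamps per account and host, noting whether any login used an AD Kerberos ticket rather than a password.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format OpenSSH's sshd writes to the auth log on a
# Kerberos-joined host; host names, users and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Sep  5 08:12:01 rh9host sshd[2231]: Accepted gssapi-with-mic for jsmith from 10.1.2.3 port 51022 ssh2
Sep  5 08:13:44 rh9host sshd[2240]: Failed password for jsmith from 10.1.2.9 port 51101 ssh2
Sep  5 08:15:10 suse92 sshd[1802]: Accepted password for adm-lee from 10.1.2.50 port 40211 ssh2
Sep  5 08:16:02 suse92 sshd[1810]: Failed password for invalid user root from 10.1.9.9 port 40300 ssh2
Sep  5 08:20:31 rh9host sshd[2299]: Accepted gssapi-with-mic for adm-lee from 10.1.2.50 port 40222 ssh2
"""

# One sshd authentication outcome per line; lines from other daemons are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return one event dict per sshd authentication line (Accepted or Failed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def access_report(events):
    """Summarise per (account, host): success/failure counts, first/last seen
    (syslog order, since these timestamps carry no year), and whether any
    successful login used a Kerberos ticket (gssapi-with-mic) instead of PAM."""
    report = defaultdict(lambda: {"success": 0, "failure": 0, "first": None,
                                  "last": None, "kerberos": False})
    for ev in events:
        entry = report[(ev["user"], ev["host"])]
        entry["success" if ev["result"] == "Accepted" else "failure"] += 1
        entry["first"] = entry["first"] or ev["ts"]
        entry["last"] = ev["ts"]
        if ev["result"] == "Accepted" and ev["method"] == "gssapi-with-mic":
            entry["kerberos"] = True
    return dict(report)


if __name__ == "__main__":
    for (user, host), e in sorted(access_report(parse_auth_log(SAMPLE_AUTH_LOG)).items()):
        print(f"{user:10} {host:8} ok={e['success']} fail={e['failure']} "
              f"kerberos={e['kerberos']} first={e['first']} last={e['last']}")
```

On a real host, feed the script the contents of /var/log/secure or /var/log/auth.log instead of the constructed sample; the "invalid user" entries are worth reviewing separately since they name accounts that do not exist in the zone at all.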
Centrify's DirectControl Suite gives organizations the benefits of SSO and centralized policy management for Windows and *nix platforms with minimal hassle and good results. We hope to see more extensive configuration options and better reporting in future releases.
We installed DirectControl on a Windows 2003 R2 domain controller with all current MS patches. The client software was installed on a SUSE 9.2 host and a Red Hat 9 host, both with all the latest security patches deployed, per vendor recommendations.
This review originally appeared in the Sept. 2006 edition of Information Security magazine.