This is the second in a two-part series by contributor Kevin Ferguson on the use of multi-platform management tools to unify heterogeneous environments under Microsoft Active Directory. Part one examined network administrators' growing need to unify Unix, Linux, Macintosh and Windows access. It also looked at users' experiences with multiple-platform managers, such as Centrify Corp.'s DirectControl and Quest Software Inc.'s Vintela Authentication Services -- both programs unify heterogeneous environments under Microsoft Active Directory -- and IBM's Tivoli Directory Server.
Part two continues that examination and looks at some of the specifics in managing a heterogeneous computing environment.
The push by Windows-dominant shops for tighter authentication control represents a significant paradigm shift in IT politics, according to Jackson Shaw, senior director of Quest Software's Active Directory product management. "We're now seeing Active Directory organizations within the enterprise taking much more of a firm hold on the tiller," said Shaw. "Maybe part of it is the need for greater regulatory compliance, maybe part of it is because AD has been in the market for a while. A few years ago, because they were running the high-end app servers, Unix administrators tended to call more shots. Now, these guys want to be part of AD because it's simpler."
The shift in allegiance is still in its infancy, though, said John Enck, a research vice president with Gartner Inc., Stamford, Conn. "We're talking about customers numbered in the hundreds. That's pretty small," he said. Still, he noted that even that little movement signaled dissatisfaction with Unix vendors. "No one has risen to the occasion," said Enck.
Just how easily non-Windows environments can be made to work with Microsoft Active Directory is a matter of contention between supporters of AD and the backers of AD's competitors, notably IBM Tivoli.
"I know that AD can be made to work in a heterogeneous environment, but I have heard that since Microsoft did not follow all the standards for LDAP [Lightweight Directory Access Protocol], it can lead to issues," said Martin Carnegie, a software trainer with Gulf Breeze Software, a consultant specializing in Tivoli Enterprise. "One experience I did have with AD was trying to write a Perl script to pull information out. This was worse than pulling teeth."
Quest's Shaw begs to differ. "I was the product manager for Active Directory for five and a half years," he said. "[It] is a typical response from any Microsoft competitor. Microsoft's AD is fully LDAP V3 compliant, which means de-facto it is also V2 compliant. It is the most widely deployed LDAP directory in existence."
From point A to point B
Once you've decided to unify user and group IDs, how do you begin the migration?
Centrify suggests two methods for its DirectControl users. The first, for users who have only one system for storing existing Unix, Linux and Java identities, involves importing existing Unix directory information directly into Active Directory and then mapping each Unix account to the appropriate Active Directory account. Once you complete that task, you can have DirectControl handle user logins on the Unix systems instead of using the legacy directory system, according to Centrify.
Organizations that have multiple existing stores for Unix user accounts will need to use a two-step migration. The first step involves moving the information from existing Unix directories into Active Directory, as is, to minimize the disruption of having to remap file ownerships or confuse users with new usernames. The second step involves a gradual effort of consolidating the multiple imported Unix identities into smaller zones of identity, according to Centrify. These zones might be organized by geographic region, subsidiary or group role. You can have business needs dictate the groupings and naming conventions for users and groups instead of having to live with a legacy of multiple systems for defining usernames.
Quest has a different approach. Rather than requiring that conflicting Unix user IDs be rationalized on the systems joining the Active Directory domain, Quest's Vintela Authentication Services (VAS) allows the simple creation of alternate Unix "personalities" to define profiles in Active Directory for different systems.
Vintela Authentication Services has a scriptable utility that can create Unix-enabled users and groups in Active Directory, migrate existing Unix account information to existing Active Directory users and groups and create customized migration scripts. VAS also allows for the creation of alternative Unix personality objects when migrating conflicting account domains, according to Quest.
For its part, IBM's Tivoli Directory Integrator helps synchronize identity data residing in directories, databases and collaborative systems. As a synchronization layer, IBM says that Tivoli Directory Integrator eliminates the need for centralized directory data storage. However, Tivoli Directory Integrator can also be used to connect identity data from various Unix and Linux servers into a central repository, according to IBM.
Identifying and locating users is the hardest part, no matter which tools you employ, according to users. "The return on investment is tied to administrative time, the man hours that you can gain," said Habitat for Humanity International's network engineering manager Dmitri Thorpe. "I would say that now we are able to truly help our Mac users."
Kevin Ferguson is a freelance writer living in Arlington, Mass.