Adding additional UNIX personalities isn't
an intuitive process. When we tried to create a
UNIX personality, we kept getting
the error "There are no personality containers defined. Create a
personality container, then retry
the operation." We had trouble
determining how to create a personality container. Eventually,
we solved the problem: You can't
create a UNIX personality container in an AD container—for
example, the default user's common name (CN). Instead, you
must create it in an organizational unit (OU). Figure 1 shows the dialog box you use.
VAS also supports extending AD's Group Policy to push
down policies to UNIX clients.
The default settings that you can
change are scripts, cron, files,
login prompt, message of the
day, sudo, symbolic links, and
syslog—a pretty good start right
out of the box. If you need to push down a policy to your UNIX clients, and
that policy isn't included by default, you can
write your own. A detailed section of the documentation explains how to write and apply
your own policies.
VAS supports many UNIX clients, including Red Hat Linux, SuSE Linux, Tru64, and
VMware ESX Server. The full list of supported
clients can be found at http://www.quest.com/vintela-authentication-services.
Summary
Quest Software Vintela
Authentication Services
PROS: When adding new UNIX machines
to AD, VAS lets you choose a CN or OU other
than the default "Computers"; logging on
doesn't require the user to use "Domain Username"; integrates with Vintela Group
Policy (Group Policy for UNIX)
CONS: Creating a personality container
for multiple personalities isn't intuitive;
requires AD Schema Extensions if not running
Windows Server 2003 R2
RATING: 4 out of 5
PRICE: $325/UNIX server, $45/UNIX
workstation
RECOMMENDATION: If you need strong
Group Policy support for your UNIX machines,
we recommend Quest Software Vintela
Authentication Services.
CONTACT: Quest Software • http://www.quest.com/unix-linux • 800-306-9329
Centeris Likewise Identity
The GUI-driven Likewise Identity UNIX installation worked flawlessly in our tests. After
the installation was complete, the software
prompted us to choose either GUI or command-line based client setup. We chose the
GUI option and were surprised how similar
the process and interface looked to a Windows
machine.
The installation of Likewise Identity on the
Windows side took a bit longer because the
installation routine had to download Microsoft .NET Framework 2.0 and Microsoft Management Console (MMC) 3.0. We don't consider
this delay a major concern, but you should be
aware of it, especially if your network doesn't
have an Internet connection. After the system
took care of its prerequisites, the installation
went very smoothly.
As we discussed at the beginning of this
article, AD schema changes shouldn't be
taken lightly. Unlike VAS, Likewise Identity
permitted an installation without extending
the schema. The lack of a requirement to
extend the schema sets this Centeris product apart from its competitors. Whereas the
other two applications can use the default
R2 UNIX account schema extensions instead
of adding their own, Likewise Identity adds
this functionality without requiring any R2
or third-party schema updates. It does this
by stacking, or putting the data into unused
portions of AD. The downside to not updating the AD schema is that, as you add UNIX-enabled users to AD, performance could take
a hit. We were unable to test large numbers of
UNIX computers and users in our test lab to
compare performance between extended and
non-extended environments, so we can't tell
you where this performance cut-off is. If you
have many UNIX-enabled users, you should
consider adding the default R2 schema extensions to take advantage of the indexing they
offer. Either way, this product gives you a lot
of flexibility in implementation.
The Likewise Identity Console has a decent
set of features, including a report tool and a
UNIX Identity Migration Tool. This migration
tool helps you migrate existing UNIX accounts,
password files, and group files into AD. It can
also create a script to reset the ownership of
files on the UNIX system if they're affected
by the migration. Figure 2 shows
the dialog box for joining the AD
domain.
To enable support for multiple
user and group IDs, we had to create a separate OU and enable what
Centeris calls cells on the OU. This
process wasn't at all intuitive, so we
had to dig out the Likewise-Identity-Administrators-Guide.pdf in the
documentation. In the end, the functionality is similar to the way that
the other vendors support multiple
UNIX personalities.
Likewise Identity also provides
Centeris Group Policies, but these
policies are limited in what they
push to the UNIX clients. Out of the
box, these policies can change the
sudo file, change Automount files,
set cron jobs, and run login scripts.
We discovered by accident that
with Likewise Identity, the UNIX client boots cleanly when the Windows 2003 AD DC is down. Obviously, you can't log on to the
domain if the DC is down, but
if it is, UNIX machines with the
Centeris client don't have any
problems booting up. The other
two clients appeared to slow
down slightly while they looked
for the DC during boot-up (but
they did eventually come up
without any problems).
Likewise Identity supports
many UNIX clients, including
Mac OS X, Red Hat Linux, SuSE
Linux, and Ubuntu. For a full
list of supported UNIX clients,
see http://www.centeris.com/products/likewise_identity/supported_platforms.php.
Summary
Centeris Likewise Identity
PROS: Familiar GUI for install routine for
UNIX; doesn't require AD Schema Extensions;
reporting and migration tools included
CONS: Setting up a cell for multiple personalities wasn't intuitive
RATING: 4 out of 5
PRICE: $249/UNIX server, $49/UNIX workstation; charged per agent installed; can run
as many versions of the console on as many
desktops as you want
RECOMMENDATION: If you need UNIX
authentication in AD and don't want to extend
the AD schema, we recommend Centeris
Likewise Identity.
CONTACT: Centeris • http://www.centeris.com/products