Cross-Platform Identity Management Solutions for Single Sign-On

Centrify DirectControl
Of the three products, the DirectControl text-based UNIX installation was the simplest. It asked a few simple questions and was installed in minutes. And as with the other two applications, the Windows installation of DirectControl went smoothly.

After the installation is complete, you can either start with the MMC AD Users and Computers snap-in to configure DirectControl or go straight to the Centrify DirectControl snap-in. Unlike the other two products, the Centrify product walks you through a comprehensive wizard to set up UNIX personality management in what DirectControl calls zones. Figure 3 shows the Create New Zone wizard. Of the three products, DirectControl is by far the most complex when it comes to setting up and using UNIX personality management, but it's also the most robust.

According to Centrify, zones are similar to AD domains and organize the different flavors of UNIX in your environment. For example, you could group all your Red Hat machines in one zone and your Solaris machines in another zone, then assign the separate zones different login shells or assign the zones to different groups.

DirectControl offers Group Policy support that's similar to that of VAS. Enabling this support in our tests was as simple as adding the centrifydc.adm template to a new GPO. We were surprised by just how many options you can configure, including password policies and UNIX login settings.

An interesting feature is Personality Account Management (PAM) Conflict Resolution. With the many user IDs, GUIDs, and accounts floating around in a large organization, there's bound to be a conflict or two. What should the system do if it discovers a conflict? You can choose Ignore (i.e., do nothing), Warn (i.e., warn the user of the conflict after logon), or Error (i.e., don't let the user log on). You control all these options, including the text of the error message that the user will see, via Group Policy.

DirectControl supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and VMware ESX Server. To see a full list of supported UNIX clients, visit http://www.centrify.com/directcontrol

Editors' Choice
All three products performed admirably in our tests and can accomplish what they advertise. Centeris Likewise Identity receives kudos for finding a way to let UNIX-based machines authenticate to AD without altering the AD schema. If you have many users, this shortcut can come at a price with reduced performance, but it's nice to have the option. For Group Policy functionality, Centrify DirectControl impressed us. We really liked the way that DirectControl uses ADM templates instead of adding additional bloat to AD Users and Computers. Quest Software Vintela Authentication Services stood out with such smart features as letting you choose which OU a new PC would be added to, and it doesn't make the user preface a logon name with the domain name.

What didn't we like? For all three products, adding or enabling UNIX personality management wasn't as easy as we thought it could be. In many cases, the vendors should just make the pop-up error messages more informative—rather than just telling the user to create a cell or a zone, let the user know where the tool is to accomplish the task.

Although all three products are first rate, Centrify DirectControl wins the Editors' Choice award, as it is the most robust product of all three. You can't go wrong if you choose Centrify.