Active Directory - Unix Integration

Unix Integration

Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third-party products that offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java and UNIX-based applications) include:

  • FoxT ServerControl (Fox Technologies) – Implements AD bridging capabilities that allow UNIX/Linux systems to join Active Directory and enable the use of the Kerberos protocol for authentication of users
  • Centrify DirectControl (Centrify Corporation) – Active Directory-compatible centralized authentication and access control
  • Centrify Express (Centrify Corporation) – A suite of free Active Directory-compliant services for centralized authentication, monitoring, file-sharing and remote access
  • UNAB (Computer Associates)
  • TrustBroker (CyberSafe Limited) – An implementation of Kerberos
  • PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory
  • Authentication Services (Quest Software)
  • ADmitMac (Thursby Software Systems)
  • Samba – Can act as a domain controller

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed). Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.
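As an added example (not from the original article or from PADL's code), the Python below renders the passwd(5) entries that an RFC 2307 client derives from the AD attributes, and audits a directory export for two mappings worth reviewing: a uidNumber of 0 and a uidNumber shared by several accounts. The LDIF sample, the account names and the use of sAMAccountName as the login name are assumptions; unixHomeDirectory is the AD attribute that stands in for RFC 2307's homeDirectory.

```python
from collections import defaultdict
# Constructed LDIF-style export of AD user entries (hypothetical accounts).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bob
uidNumber: 0
gidNumber: 0
unixHomeDirectory: /home/bob

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName: carol
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/carol
"""
REQUIRED = ("sAMAccountName", "uidNumber", "gidNumber", "unixHomeDirectory")

def parse_ldif(text):
    """Parse blank-line separated entries of single-valued 'attr: value' lines."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def to_passwd(entry):
    """Return the passwd(5) line for an entry, or None if it has no POSIX data."""
    if any(attr not in entry for attr in REQUIRED):
        return None  # without these attributes the account is invisible to Unix
    shell = entry.get("loginShell", "")  # empty field: passwd(5) default /bin/sh
    return ":".join([entry["sAMAccountName"], "x", entry["uidNumber"],
                     entry["gidNumber"], "", entry["unixHomeDirectory"], shell])

def audit(entries):
    """Flag directory-supplied UID 0 and UIDs mapped to more than one account."""
    by_uid, findings = defaultdict(list), []
    for entry in entries:
        if to_passwd(entry) is not None:
            by_uid[int(entry["uidNumber"])].append(entry["sAMAccountName"])
    for uid, names in sorted(by_uid.items()):
        if uid == 0:
            findings.append(("uid-0", ",".join(names)))
        if len(names) > 1:
            findings.append(("duplicate-uid", ",".join(names)))
    return findings
```

Because every host that resolves users through the directory trusts these attributes, write access to uidNumber and gidNumber in AD is equivalent to controlling Unix identities on those hosts.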

An alternative is to use another directory service, such as 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS Identity Solutions' ViewDS v7.2 XML Enabled Directory, or Sun Microsystems' Sun Java System Directory Server. The latter two can perform two-way synchronization with AD and thus provide a "deflected" integration: Unix and Linux clients authenticate to the alternative directory, while Windows clients authenticate to AD. Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.
