Posts Tagged ‘vastool’

Unix and Active Directory Integration with vastool

August 23, 2010

Vintela (Quest) Authentication Services (VAS) unifies Windows, Unix and Linux authentication and identity management so that, regardless of which platform you want to access, you can log in using your Windows Active Directory user name and password. VAS securely and conveniently eliminates the need for manual "per-system" identity administration, user and group NIS maps, and password synchronization scripting.

VAS also eliminates the need to layer third-party software on top of the critical security components of Windows 2000/2003. Instead, VAS provides fully compatible client libraries and utilities that transparently and securely redirect the core Unix authentication and identity management functionality to Windows domain controllers using interoperable protocols (such as Kerberos v5 and LDAP).

Other identity management solutions layer additional software on top of Active Directory or replace it altogether. In either case, solutions that interrupt the core Windows 2000/2003 services to provide a gateway for Unix interoperability add to Windows management complexity and create dangerous security vulnerabilities that affect overall enterprise security and stability.

VAS Benefits and Features

Complete Integration with Active Directory: Active Directory users can authenticate to Unix resources, and Active Directory groups can be used to provide access control to Unix resources. No password or account synchronization is used. All Unix authentication and identity management features operate in real time on changes made by administrators on Windows domain controllers.

Authentication Using Kerberos: VAS uses Kerberos v5, which is the native authentication protocol for Windows 2000 and Windows 2003. Using Kerberos eliminates the need to send passwords or password hashes over the network in plain text. All password change requests are performed using Kerberos and enforce the Windows password policies established by the domain administrator. Using Kerberos also eliminates the need to distribute SSL certificates to Unix clients and to modify Active Directory to use SSL for LDAP security; all VAS LDAP communication is secured using Kerberos. Finally, VAS maintains compatibility with MIT-style Kerberos implementations and can be used with Unix applications that link against third-party Kerberos libraries.

Persistent Client Cache: VAS is a scalable product that uses persistent client-side storage to cache frequently accessed user account information. Intelligent caching algorithms allow VAS to limit the amount of network traffic it generates and reduce the complexity of its LDAP searches against Active Directory. This design also allows hundreds of concurrent Unix processes to authenticate and resolve Unix account information (UID, GID, etc.) without overloading the Active Directory server with search requests. The persistent cache also allows VAS to be configured to continue working even when it loses contact with the Active Directory server.

Integration with existing Unix utilities and applications: VAS has been designed to seamlessly integrate with the core Unix authentication subsystems (PAM and NSS) so that existing applications can take advantage of Active Directory integration without any modifications. For example, Apache, OpenSSH, telnet, and ftp all easily integrate with VAS and can authenticate Active Directory users immediately after the installation and configuration of VAS.

Categories: UNIX