Complete control and integration of Linux and Mac into Active Directory
- Active Directory authentication for Mac OS X
- Group Policy-Based Management
- Directory Migration
- Reporting and Auditing Tools
- Single Sign-On for Enterprise Applications
- Dual Factor Authentication
Kerberos for Mac
Likewise authenticates Mac users and groups with Kerberos 5. If your Mac OS X users have been authenticating through a difficult-to-manage ad hoc Kerberos key distribution center or NIS, you can consolidate your authentication systems with Active Directory to ease the burden of managing multiple identity management systems, a time-consuming process that can leave security holes.
Likewise's ability to connect Mac machines to an Active Directory domain immediately makes Active Directory's authentication architecture available to Mac OS X computers. Because Active Directory functions as a Kerberos key distribution center, Likewise can validate Mac user names and passwords -- including those based on NIS -- with the Kerberos 5 authentication protocol.
Kerberos lets users, groups, and computers communicating over an insecure network prove their identity to one another in a secure manner. For more information about Likewise's Kerberos for Mac solution, see Kerberos Authentication for Linux, Unix, and Mac.
Providing the Foundation to Integrate Macs with a Windows Enterprise
It is for good reason that Mac OS X computers are gaining market share on Windows and nearing the tipping point for widespread use in the enterprise: a robust and secure underlying Unix operating system that limits exposure to viruses and other security threats, an easy-to-learn yet powerful graphical user interface, and an Intel chip that allows users to run Windows on their Macs.
Likewise effectively gives you the basis to use Mac OS X workstations and servers in your IT enterprise and centrally manage them en masse with Active Directory -- just as you already manage your Windows computers, users, and groups.
For example, Likewise Enterprise provides group policy for Mac to manage a variety of Mac settings from Active Directory, including the built-in Mac firewall.
Likewise also integrates Apple's Workgroup Manager product with Active Directory so you can specify Managed Client Settings (MCX) from AD and manage them as group policy objects.
Microsoft Active Directory Group Policy Overview: Group Policy is a Windows policy deployment infrastructure built around Microsoft's Active Directory. Group Policy is used to deliver and apply policy settings to groups of users and computers in Active Directory. Every Windows machine that is joined to Active Directory runs a Group Policy Agent. The Group Policy Agent loads and runs multiple client-side extensions (CSEs) that are responsible for reading specific Group Policy settings from the directory and writing them to the local store where the settings take effect.
How Group Policy Works with UNIX and Linux: Likewise Enterprise Group Policy works very much like Windows Group Policy. When a Linux computer has been "joined" to Active Directory, a Likewise Enterprise Group Policy agent runs in the background on the Linux computer. The Likewise Enterprise Group Policy Agent is responsible for determining the list of Group Policy objects applied to a system. Likewise Software has implemented a set of client-side extensions for Linux-specific policies. These Linux-specific policies are not relevant to Windows computers because the corresponding Linux client-side extensions do not exist on a Windows computer.
UNIX and Linux Group Policies: Likewise Enterprise adds support for configuring UNIX and Linux system settings via Group Policy. The following UNIX and Linux Policies can be used to manage and administer computers.
Script Policy: The Script Policy allows you to specify a text-based script file to be executed on the UNIX or Linux system. The script is copied to the local machine at the next Group Policy refresh interval and immediately run. The script will be run as the root user account. The shell script policy is executed every time the system reboots and on the first refresh interval after a change is made to the policy.
Cron Policy: The Cron Policy allows you to specify crontab and /etc/cron.d files. Cron policies are files whose entries run at a regularly scheduled interval; each entry consists of the following fields:
- minute (0-59)
- hour (0-23)
- day of the month (1-31)
- month of the year (1-12)
- day of the week (0-6 with 0=Sunday)
- Command to run
Certain UNIX distributions only support crontab and do not support /etc/cron.d files. Please refer to your UNIX documentation for more information.
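Because a cron policy is pushed to every targeted system and runs as root, a malformed entry is worth catching before the policy is deployed. The following checker applies the field ranges listed above to a crontab or /etc/cron.d file; it is an added example, not Likewise code, the sample file is constructed, and the handling of the /etc/cron.d user field is an assumption about that layout rather than something the page describes.

```python
import re
# Field names and allowed ranges as listed in the Cron Policy description.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
          ("month", 1, 12), ("day of week", 0, 6)]

def _check_field(name, spec, lo, hi):
    """Validate one time field; accepts *, N, A-B, comma lists and /step."""
    for part in spec.split(","):
        base, _, step = part.partition("/")
        if step and (not step.isdigit() or int(step) == 0):
            return f"{name}: bad step in {part!r}"
        if base == "*":
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", base)
        if not m:
            return f"{name}: cannot parse {part!r}"
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        if not lo <= first <= last <= hi:
            return f"{name}: {part!r} outside {lo}-{hi}"
    return None

def validate_cron_line(line, cron_d=False):
    """Return None for a valid entry, otherwise a description of the problem.
    cron_d=True expects a user field before the command (assumed /etc/cron.d layout)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank lines and comments are fine
    nfields = 7 if cron_d else 6
    parts = line.split(None, nfields - 1)
    if len(parts) < nfields:
        return "too few fields"
    for (name, lo, hi), spec in zip(FIELDS, parts):
        err = _check_field(name, spec, lo, hi)
        if err:
            return err
    return None

def validate_cron_file(text, cron_d=False):
    """Return (line number, problem) for every bad entry in a cron file."""
    return [(n, err) for n, ln in enumerate(text.splitlines(), 1)
            if (err := validate_cron_line(ln, cron_d))]

# Constructed sample /etc/cron.d file: line 2 has hour 24 and line 3 uses
# day-of-week 7, both outside the ranges the policy description lists.
SAMPLE_CRON_D = """\
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
30 24 * * * root /usr/local/bin/backup.sh
15 3 * * 7 root /usr/local/bin/weekly-audit.sh
"""
```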
Sudo Policy: The Sudo Policy allows you to specify a sudo configuration file that is copied to the local machine and replaces the current sudo file. Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments. Sudo files can reference local users and groups or users and groups that reside in Active Directory.
Automount Policy: The Automount Policy allows you to specify directories that are automatically mounted when you access them. Automounts are useful for NFS, Samba, and boot mounts/partitions.
Security Policies: Likewise Enterprise allows you to enforce a subset of the Windows Security Policies on a UNIX or Linux computer. The following settings can be enabled under Computer Configuration > Windows Settings > Security Settings. These settings apply to local system accounts when enabled.
Maximum Password Age: This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
Minimum Password Age: This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Minimum Password Length: This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.
Certain UNIX and Linux distributions require a minimum password length of 5 characters and will always enforce this minimum length. The enforcement of this policy may depend on the specific distribution of Linux or UNIX you are running.
Password Complexity: This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
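The three requirements above as a checker over a candidate password, written for this page rather than taken from Likewise or Windows; the delimiters used to split the full name into parts are an assumption, and the account details in the comments are constructed.

```python
import re

# Delimiters used to split the full name into parts (assumption: the page only
# says "parts of the user's full name", so spaces and common punctuation are used).
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")

def check_complexity(password, account_name, full_name=""):
    """Return the list of complexity rules the password violates (empty = passes)."""
    problems = []
    lowered = password.lower()
    # Rule 1: no account name, and no full-name part longer than two characters.
    if len(account_name) > 2 and account_name.lower() in lowered:
        problems.append("contains the account name")
    for part in NAME_DELIMITERS.split(full_name):
        if len(part) > 2 and part.lower() in lowered:
            problems.append(f"contains part of the full name ({part})")
    # Rule 2: at least six characters.
    if len(password) < 6:
        problems.append("shorter than six characters")
    # Rule 3: characters from three of the four categories. "Non-alphabetic"
    # is read as neither a letter nor a digit, matching the examples (!, $, #, %).
    categories = [
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        problems.append(f"only {sum(categories)} of 4 character categories")
    return problems

# Constructed account: sAMAccountName "jdoe", full name "John Doe".
# check_complexity("Jdoe2024!", "jdoe", "John Doe") reports the account name
# and the "Doe" part, even though length and categories are satisfied.
```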
Log on Locally (Allow Log on Locally): This logon right determines which users can interactively or remotely log on to this computer. Logons can occur locally on the computer or through remote logon services such as telnet or SSH. The Log on Locally policy allows you to select users or groups who can access the system. Users and groups must also be granted access to the Likewise Cell that contains the computer object. By default, all UNIX and Linux computers are joined to the Default Cell and all members of the Domain Users group are allowed access to the Default Cell.
The migration tool also generates a Windows automation script to associate Unix and Linux UIDs and GIDs with Active Directory users and groups. Before committing the changes, you can resolve ambiguous user names and other conflicts. The migration tool includes a variety of options to ease your NIS migration to Active Directory and to handle your unique set of requirements:
- Migrate account information to the organizational units that you want.
- Create groups in Active Directory to match your Linux and Unix groups.
- Generate scripts to repair file ownership and group settings.
- Change the GID of imported users to that of the AD Domain Users group.
- Automatically set an alias for each migrated user.
- Generate Visual Basic scripts to migrate users and groups in an automated and custom way.
- Modify GIDs during migration.
- Select only the groups and users that you want to migrate from your full list of groups and users.
- Set the home directory and shell for migrated users.
- Filter out standard Unix and Linux accounts, such as mail and news.
- Modify UID information during migration.
- Use NIS map files to migrate netgroups, automounts, and other services to Active Directory.
Likewise Enterprise Reports for Linux/UNIX access: Included with Likewise Enterprise is a reporting module that summarizes commonly needed User, Group, and Machine relationships relevant to a comprehensive systems privilege audit. Pre-defined reports make it easy to view access privileges for all users, groups, containers, and systems managed with Likewise Enterprise. This information can be output directly to screen, printed, or saved to HTML, XML, or CSV formats for use in third-party reporting tools such as Excel or Crystal Reports.
Further complicating the business need for reporting is that the regulatory standards are often prescriptive in nature, but lack specifics on criteria and format for the actual reports. Each customer must decide for themselves which style of reporting is most appropriate for their organization or department. To address this variance, Likewise Enterprise reports permit customization of output, including scoping, filtration, column selection, and data limits.
Individual access can be further restricted through the use of account settings and machine policies. When combined with the resultant set of policies, the built-in reporting capabilities found in Likewise Enterprise allow you both to self-check your internal security procedures and to provide the critical supporting documentation for your regulatory compliance personnel.
Users quickly become frustrated when having to juggle lots of username/password combinations. Security quickly goes out the window when a user is responsible for remembering two, three, ten, or even twenty username and password combinations. This is especially true when IT has no way to enforce password policies via Apache, JBoss, MySQL, WebSphere, and other applications that have their own authentication systems.
Worse, authentication becomes a roadblock to getting things done when users forget their passwords and have to fumble through password recovery systems (and wait for a response) or call the helpdesk (and wait for a response while tying up the helpdesk staff too!).
Application user management is also a hassle. Each new service requires separate provisioning and de-provisioning. And what happens when users fall through the cracks? Are you sure users are being removed from all authorized services when they leave the company?
There's one way to be sure, and that's to introduce a single point of management for user authentication. Likewise Enterprise 6 can help you solve the problem and bring order to the chaos.
Remember One Password. Just One: Most organizations have standardized on Microsoft's Active Directory to authenticate their users on Windows systems and Microsoft services like SharePoint. AD provides an excellent framework for managing users and providing a single management infrastructure for users on Microsoft services.
But that only goes part of the way towards solving the problem. Your users and administrators are also logging in from Linux, UNIX, and Mac OS X systems, and they're logging into services based on Apache, JBoss, MySQL, WebSphere, and other systems via SSH that would ordinarily require separate username/password combinations.
Using Likewise Enterprise, you can tie enterprise applications that support LDAP and Kerberos into a Single Sign-On (SSO) solution that authenticates users against Microsoft's Active Directory. Users will only need one username and password to access your enterprise's most vital services whether it's their desktop, SharePoint, a Linux workstation, a Mac laptop, or a WebSphere-based application.
Even more importantly, users are only prompted for their credentials once. SSO means not only a single username and password but also being prompted only once in a session across all services. This means that when deployed correctly, users can simply authenticate and work continuously without the distraction of logging into each service separately.
As an example, imagine logging into your Windows desktop, then accessing a Tomcat-based Web application on your corporate network that requires authentication. Typically this would require signing into the Windows desktop, then logging in separately to your Web application. Using Likewise Enterprise, simply log into Windows and you're automatically joined to all services tied to Microsoft Active Directory via Likewise Enterprise.
Today's complex environments require more advanced tools to combat security threats of all kinds. Stronger authentication is one of the most effective ways to keep attackers at bay and keep data and networks safe.
What is Dual-Factor Authentication? Dual-factor authentication (DFA) and two-factor authentication (TFA) are the same thing: a process that uses two distinct factors to authenticate a computer user. DFA is typically a sign-on process in which a computer user has to prove his or her identity with two distinct proofs, such as a password or PIN (something the user knows) and a smart card or token (something the user has).
Likewise CTO Manny Vellon demonstrates how to authenticate a user with a smart card on a Linux computer in this video. The video shows how easy it is with Likewise Enterprise to authenticate a user on Red Hat Enterprise Linux with smart card authentication.
Industry Standard Support with ActivIdentity: Likewise has partnered with ActivIdentity to support all PIV-compliant cards and the Common Access Card (CAC) used by the U.S. government. Just add Likewise Enterprise and a CCID-compliant smart card reader to the system that you want to support with two-factor authentication, and you're ready to join Active Directory and log on with your smart card and PIN. Likewise Enterprise includes several group policies to manage and enforce the use of smart cards.