TOM KEMP'S CENTRIFY BLOG

Case Study: Replacing Sun ONE Directory Server with DirectControl and Active Directory for UNIX Single Sign-on

Wednesday, January 30, 2008

Now that I've posted on some of our recent awards (e.g. here and here), let me go back to focusing on some recent customer case studies, much as I highlighted Wyse earlier. The first one I'll focus on is Wyeth Research. We recently posted a case study on Wyeth that discusses their migration from a Sun ONE Directory Server for their Linux and UNIX systems to using Active Directory and Centrify DirectControl as the basis of UNIX authentication, and I want this blog post to highlight a few interesting points.

[Side note: I believe Sun's directory is now called "Sun Java System Directory Server," which seems like a stretch to slip the "Java" brand into the name of their LDAP directory. Potentially an example of "marketing gone crazy," treating a product like a racing car with unrelated brand stickers on it; it would be like Microsoft calling Active Directory ".Net Active Directory." No doubt a year from now some marketing person at Sun will also try to slip "MySQL" into their LDAP directory product name as well to further promote another one of Sun's brands, but I digress.]

First of all, a little bit about Wyeth Research: they are one of the largest research-driven pharmaceutical and health care products companies in the world, with major divisions including Wyeth Pharmaceuticals, Wyeth Consumer Healthcare and Fort Dodge Animal Health.

Like many enterprises, they had multiple islands of identity:

"Users would automatically have a corporate eDirectory account, an Active Directory account, and would then be granted a Sun ONE-based LDAP account for access to those UNIX and Linux servers that supported their activities in the Bioinformatics compute lab."

But, not surprisingly, the existing environment had multiple issues (see this blog for other issues that we see with a plethora of identity silos):

"Those servers themselves also had local password files, which required intermittent maintenance. Like many point solutions intended to solve an immediate problem (performance issues on the corporate directory), the Sun ONE server became an established presence, requiring local administration and management. It also meant that users had passwords maintained on yet another directory that had to be reset according to the corporate policy. Also, for corporate compliance, they were subject to regular IT security audits and needed to ensure that any systems they deployed met or exceeded established policies."

A decision was made to improve the situation:

"The Sun ONE server ultimately reached the end of its effective life and this provided an opportunity for improvement to the environment in the ARC group. In addition, the corporate strategic direction was to reduce the number of directories. Regardless of whether the Sun ONE system was upgraded or replaced, the administrators wanted to reduce the administrative burden, provide authentication and access control for users in a mixed operating environment, strengthen their security profile, and increase the quality of the user experience."

The solution? Leverage Active Directory ...

"With all users having an Active Directory account and password reset utilities already available, it seemed clear that extending Active Directory to the Linux and UNIX systems would offload the administrative burden and centralize authorization."

... and use DirectControl deployed on the UNIX and Linux systems, making those systems, in effect, "Active Directory clients." What were the benefits of Active Directory plus DirectControl?

"After a brief installation period, Kennamer reports that they quickly began to see the benefits. Scientists have one less password to remember and maintain, and the ARC staff no longer has to maintain a separate directory server that would enforce non-Active Directory password policies. While there is no appreciable increase in work for the Active Directory administrator, 'We've saved several hours a week in our group that were previously spent doing password resets, directory server maintenance, and other tasks,' observed David Kennamer. 'We're able to spend that time on improving services and enabling new capabilities for the scientists.'"

Other benefits included:

"Looking further at DirectControl, they discovered other advantages - it had no significant performance impact on their compute cluster nodes; it had a straightforward installation whereby they didn't have to bring down the servers in order to install and join the domain; and the support for Kerberos meant that their SSH client application, SecureCRT, could use their Kerberos tickets for authentication and access, enabling single sign-on.

With the reporting capability that DirectControl includes, the ARC group is able to quickly find out who has access to any given system and, reciprocally, can as easily find out all of the systems that an individual can access. This simplifies audit reporting and provides important information as personnel leave the company or change roles. In addition, they now have consistent user identity across platforms, which will allow them to easily expand their grid computing capabilities to other groups in the company if needed."
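The Kerberos single sign-on described above depends on a few OpenSSH settings being right on both ends: sshd has to accept GSSAPI (Kerberos) authentication, and the client should not forward the user's ticket-granting ticket to every host it connects to, since a compromised server could reuse a delegated ticket. The script below is an added example, not code from Centrify, OpenSSH or the Wyeth case study; it audits those settings. The option keywords (GSSAPIAuthentication, GSSAPICleanupCredentials, GSSAPIStrictAcceptorCheck, PasswordAuthentication, GSSAPIDelegateCredentials) are real OpenSSH keywords and their defaults are the ones OpenSSH documents; the config fragments are constructed samples, and it is assumed the host has already been joined to the domain and holds a host keytab.

```bash
#!/usr/bin/env bash
# Added example (not from Centrify, OpenSSH or the Wyeth case study): audit the
# OpenSSH settings that govern Kerberos-ticket (GSSAPI) single sign-on.
# The config fragments below are constructed samples, not real files.

# Constructed sshd_config fragments: a weak one and a hardened one.
WEAK_SSHD='Port 22
GSSAPIAuthentication no
GSSAPICleanupCredentials no
PasswordAuthentication yes'

HARDENED_SSHD='Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
PasswordAuthentication no'

# Constructed client-side ssh_config fragment that forwards the user's TGT to every host.
WEAK_SSH_CLIENT='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'

# ssh_value CONFIG KEYWORD: effective value of KEYWORD (first occurrence wins,
# as in OpenSSH); prints nothing if unset. Keywords are case-insensitive and
# "Keyword=value" spelling is accepted; comments and blank lines are skipped.
ssh_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    { gsub(/=/, " ") }
    tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONFIG: print one FINDING line per server-side problem.
# Defaults applied when a keyword is absent match OpenSSH: GSSAPIAuthentication no,
# GSSAPICleanupCredentials yes, GSSAPIStrictAcceptorCheck yes, PasswordAuthentication yes.
audit_sshd() {
  local cfg="$1" v
  v=$(ssh_value "$cfg" GSSAPIAuthentication)
  [ "${v:-no}" = "yes" ] || echo "FINDING: GSSAPIAuthentication is off; sshd will not accept Kerberos tickets"
  v=$(ssh_value "$cfg" GSSAPICleanupCredentials)
  [ "${v:-yes}" = "yes" ] || echo "FINDING: GSSAPICleanupCredentials no leaves forwarded tickets on disk after logout"
  v=$(ssh_value "$cfg" GSSAPIStrictAcceptorCheck)
  [ "${v:-yes}" = "yes" ] || echo "FINDING: GSSAPIStrictAcceptorCheck no accepts tickets for any principal in the keytab"
  v=$(ssh_value "$cfg" PasswordAuthentication)
  [ "${v:-yes}" = "no" ] || echo "FINDING: PasswordAuthentication still on; passwords remain a fallback once SSO works"
}

# audit_ssh_client CONFIG: flag blanket ticket forwarding in a client ssh_config.
audit_ssh_client() {
  local v
  v=$(ssh_value "$1" GSSAPIDelegateCredentials)
  [ "${v:-no}" = "no" ] || echo "FINDING: GSSAPIDelegateCredentials yes forwards the user's TGT to every host; a compromised server can reuse it"
}

# finding_count AUDIT_FUNC CONFIG: number of FINDING lines (0 when clean).
finding_count() {
  "$1" "$2" | grep -c '^FINDING' || true
}

# Stand-alone run: report on the constructed samples.
echo "== weak sshd_config ==";     audit_sshd "$WEAK_SSHD"
echo "== hardened sshd_config =="; audit_sshd "$HARDENED_SSHD"
echo "== client ssh_config ==";    audit_ssh_client "$WEAK_SSH_CLIENT"
```

To run the same checks against a live host, pass the file contents instead of the samples, e.g. `audit_sshd "$(cat /etc/ssh/sshd_config)"`; the client check is worth running against both /etc/ssh/ssh_config and each user's ~/.ssh/config, because a `Host *` block with delegation enabled is the setting most often found where SSO was made to "just work." Leaving PasswordAuthentication on is flagged because once every user authenticates with a ticket, a password fallback only widens the attack surface that the migration was meant to shrink.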

And their final thoughts:

"By enabling us to centralize identity management, reducing passwords for our users, and eliminating the Sun ONE Directory Server, DirectControl makes our lives a lot easier, and lets us focus more on the research goals of the business," said Kennamer.

This is quite consistent with what we are hearing from other customers regarding the challenges they face in maintaining multiple silos of identity and the benefits they get from the Centrify approach of leveraging Active Directory across a heterogeneous environment. The net result is that Centrify customers can leverage the infrastructure and skillset they already have with Active Directory, extend it across the enterprise without making intrusive changes to either Active Directory or the non-Microsoft systems, and gain real value in terms of addressing compliance and reducing complexity by collapsing silos of identity.

In my next blog post I will talk about how a customer is not only leveraging our solution for single sign-on, but to also enforce consistent configuration across 1000+ systems.

