TOM KEMP'S CENTRIFY BLOG

What's New in DirectControl 4, Part 1: Interface of Your Choice

Thursday, November 8, 2007

On Nov. 6, Centrify shipped DirectControl 4, a major update to our flagship solution that delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, web and database platforms with Microsoft Active Directory. We are holding a webinar on November 13 for people who want to learn more about the new features we have added.

In the next few blog posts I am going to highlight some of the major features of DirectControl 4. In this post I am going to discuss the enhancements in the area of cross-platform manageability, specifically DirectControl 4's new web-based administrative console, its expanded command-line interfaces (CLI), and improvements to its Windows-based administrative tools. Collectively these enhancements give IT staff even more flexibility to administer accounts and work with UNIX data held inside Active Directory. The end result is that only DirectControl delivers robust Windows-, web- and UNIX CLI-based user interfaces, enabling IT staff to use the interface of their choice to better manage their heterogeneous environment leveraging Active Directory.

But let me first step back and put these enhancements in context. As you probably know, DirectControl effectively turns a non-Microsoft system (e.g. a UNIX server) into an Active Directory client, which means, for example, that users with the appropriate rights can now access a UNIX system using their Active Directory credentials. Given that the underlying UNIX operating system still requires that the Active Directory user has an underlying UNIX profile, DirectControl stores all of your users' associated UNIX identity information centrally within Active Directory. This means that when a user successfully logs on to a UNIX system, the DirectControl Agent not only validates the username and password and delivers a Kerberos ticket, but also passes along the user's UNIX identity information that DirectControl stores in Active Directory, satisfying the underlying operating system's requirement that each user have a UNIX profile.

As this FAQ on our web site explains, DirectControl gives you several options for storing UNIX identity information within Active Directory, including not extending the schema at all, or storing the data using the RFC 2307 schema extension provided by Microsoft. DirectControl's patent-pending Zone technology even handles the scenario in which a user is required to have different UNIX profiles (that is, a unique UID, group ID, home directory, shell, etc.) on different sets of systems.
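To make the stored UNIX profile data concrete, here is an added example (written for this post, not Centrify's code) that reads a constructed LDIF export of users carrying the Microsoft RFC 2307 attributes uidNumber, gidNumber, unixHomeDirectory and loginShell, renders the passwd entry a joined host would see, and audits the profiles for problems an administrator should catch in the directory before they reach any system: a UID of 0, a duplicate UID, or a missing attribute. The directory entries are made up for the example.

```python
# Constructed LDIF export of three AD users with RFC 2307 UNIX attributes (made-up data).
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=example,DC=com
sAMAccountName: asmith
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/asmith
loginShell: /bin/bash

dn: CN=Bob Jones,OU=Users,DC=example,DC=com
sAMAccountName: bjones
uidNumber: 0
gidNumber: 10000
unixHomeDirectory: /home/bjones
loginShell: /bin/sh

dn: CN=Carol White,OU=Users,DC=example,DC=com
sAMAccountName: cwhite
uidNumber: 10001
"""
# Attributes a joined host needs to synthesise the user's UNIX profile.
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

def parse_ldif(text):
    """One dict per LDIF entry; folded continuation lines are unwrapped first."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (ln.partition(": ") for ln in block.replace("\n ", "").splitlines())
        entries.append({attr: value for attr, _, value in pairs})
    return entries

def passwd_line(entry):
    """Render the passwd(5) record the agent hands to the OS for this user."""
    return "{sAMAccountName}:x:{uidNumber}:{gidNumber}::{unixHomeDirectory}:{loginShell}".format(**entry)

def audit(entries):
    """Flag profiles that are unusable or dangerous once a joined host applies them."""
    findings, seen = [], {}
    for e in entries:
        name = e.get("sAMAccountName", e["dn"])
        missing = [a for a in REQUIRED if a not in e]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
        uid = int(e.get("uidNumber", -1))  # -1 marks an entry with no uidNumber at all
        if uid == 0:
            findings.append(f"{name}: uidNumber 0 makes this account root on every joined host")
        elif uid > 0 and uid in seen:
            findings.append(f"{name}: uidNumber {uid} duplicates {seen[uid]}")
        seen.setdefault(uid, name)
    return findings
```

Running audit() over a real export (ldifde or ldapsearch output) before UNIX-enabling users catches a root-equivalent or colliding profile in the directory rather than on the first host that applies it.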

Irrespective of how you store the underlying data, administrators need to be able to "UNIX-enable" the appropriate Active Directory users, migrate existing UNIX identity information into Active Directory, control which users can access which systems, run reports showing who can access what systems, etc. Centrify has built a rich ecosystem of management tools around DirectControl, including extensions to the native Windows administration tools such as Active Directory Users and Computers (ADUC), a Microsoft Management Console (MMC)-based Administrator Console for Windows-centric IT staff, and command-line interfaces for UNIX administrators.

Figure 1.  Screenshot showing our extensions to ADUC.

Figure 2.  Our Windows-based Administrator Console.

In Version 4, DirectControl provides administrators with their tool of choice with the addition of a web-based Administrator Console as well as an extended set of command line tools designed at the request of UNIX administrators. Additional improvements to our Windows-based administrator tools and new deployment features mean DirectControl by far delivers the most extensive and easy-to-use array of management tools for both Windows and UNIX IT staff.

One key item that I want to point out is that the DirectControl management tools are designed to leverage the native Active Directory access control policies to enable secure administration from any of these interfaces by authorized administrators. The actual access control policy is enforced by Active Directory directly instead of by the tools themselves. Additionally, only DirectControl can provide segregation of duties between the Active Directory and UNIX administrators as well as between the various UNIX administrators regardless of which of these management tools are used. This security and management model fits well in the typical IT environment, where administrators will have their own preferences for how they want to manage their systems, whether that be on a Windows machine, a web browser or a UNIX system at the command line.

Introducing the DirectControl Web Administrator Console

Let me now talk about our new DirectControl Web Administrator Console in more detail. The DirectControl Web Administrator Console enables secure administration of cross-platform environments from any browser on the network. While we modeled this console to look and feel the same as the Windows-based Administrator Console, this Web Administrator Console has been more narrowly focused to specifically enable authorized IT staff to perform such day-to-day activities as managing:

  • Active Directory user UNIX properties
  • Active Directory user basic account properties, such as account policies
  • Group properties and memberships
  • UNIX computer accounts

Figure 3.  Our Web Administrator Console.

Note that IT staff who need to perform initial environment setup and configuration, as well as to run reports, should continue to use the Windows-based Administrator Console.

As I mentioned above, while it is important to enable UNIX administrators to do their job efficiently, the environment must also support the segregation of duties mandated by regulatory compliance regimes. The Web Administrator Console provides a delegated administration interface with no additional setup or configuration required, since all security is strictly enforced by the Active Directory infrastructure alone, not by the web console itself.

Seamless access is also provided to administrators logging in from any Active Directory-integrated system in order to leverage their Active Directory-enforced access control rights for the administrative tasks they perform within the console. Additionally, the Web Administrator Console supports the standard user ID- and password-based login for those situations where the administrator may be working from home on a system that is not trusted by Active Directory or from a remote laptop where the user does not have currently valid Active Directory credentials.

Expanded Command-Line Interfaces

Now let me talk about the enhancements we added to our command-line interface (CLI). DirectControl has always had a robust UNIX-based CLI, which we have further enhanced with DirectControl 4. These command-line tools have always been carefully crafted to support different output options so that they can be integrated with in-house automation or provisioning scripts.

DirectControl now has two primary commands that enable Active Directory object management:

  • adquery is used to get user or group information from Active Directory for both the object's Active Directory attributes as well as UNIX attributes.
  • adupdate is used to change, add or delete user or group information in Active Directory; again, both Active Directory attributes and UNIX attributes can be changed.

The interface to these commands is designed to abstract the data management from the administrator so that the task can be performed regardless of the type of Zone you have chosen to use. A few example uses of these command-line tools include:

  • Provisioning a UNIX user from an existing Active Directory user
  • De-provisioning a UNIX user from a Zone
  • Changing a UNIX user's account properties
  • Creating an Active Directory group
  • UNIX-enabling a group and changing its membership
  • Getting a list of Active Directory users authorized to access the local computer

Figure 4.  The command-line interface in use.

A new command has also been introduced to enable users to change their effective group membership set, which is required in environments where a user may actually be a member of many more groups than the particular UNIX operating system is capable of handling. For example, on a Solaris system with the default kernel parameters, a user can be a member of up to 16 groups. However, a user may need to be a member of a total of more than 50 groups to support the various applications that he needs to run; this new adsetgrp command will enable the user to set the appropriate groups that he needs to be a member of prior to launching a particular application.

Improvements to Windows-Based Administration Tools

Finally, we have not been sitting still on our Windows-based console either with DirectControl 4. DirectControl 4 has extended the Active Directory Users and Computers (ADUC) interface to include support for managing Zones. This includes creating and deleting Zones as well as managing their properties. For example, an administrator can now create Zones in either ADUC or the DirectControl Administrator Console.

Zone management is now significantly easier and more flexible in both the ADUC and the Windows-based DirectControl console. Here are some examples of enhancements we have added:

  • Zones can now be created as either an organizational unit (OU) or a container (CN), at the administrator's choice. While containers are more generic and can be located anywhere within the directory, many customers want to create a Zone as an OU in order to apply Group Policies to its objects, since they plan to store both Zone data and UNIX computer accounts in the OU.
  • A master domain can be defined for a Zone to support centralized UNIX profile administration. For those environments that want to establish a consistent UNIX namespace going forward, this feature enables a Zone to be defined with an associated Master Zone so that users who are added to this Zone will automatically be assigned their UNIX profile from the Master Zone to ensure consistency.
  • The Zone Delegation wizard now supports managing the delegation of NIS maps in addition to the delegation of other Zone objects in order to support fine-grained segregation of duties within a Zone.
  • The Windows-based Administrator Console has also been improved to support drag-n-drop, enabling Active Directory objects to be manipulated by typical mouse movements so that an administrator can, for example, select one or more users in ADUC and drop them into a Zone within the Administrator Console.

With DirectControl 4 we also improved the import process for existing UNIX namespaces so that data can be modified during import, which is important if you are making changes to the environment as you migrate users' UNIX accounts into Active Directory. Additionally, the import process has been extended to support either multi-operator processing of the import data (where the pending UNIX data is stored in Active Directory) or single-operator processing (where the data is stored in an XML file on the operator's workstation).

Bottom Line: Use the Interface You Want

Hopefully this gives you a good overview of the user interface improvements we have added in DirectControl 4. As you can see, DirectControl can deliver "the UI you want" - i.e. either a Windows-, web- and/or UNIX CLI-based user interface - to manage your environment leveraging Active Directory, something that no other vendor can offer as part of their solution. In my next Centrify blog posting I will talk about the improvements we made to DirectControl in the areas of Group Policy and Reporting.
