Introduction

This chapter provides an introduction to IBM Security Verify Privilege Server Suite Free for Linux and UNIX, including a brief overview of how IBM Security can help you take advantage of your investment in Active Directory.

Key Components

IBM Security bundles products and features in different editions to address different customer requirements. The IBM Security Verify Privilege Server Suite Free family of products provides the most basic set of functionality and is available for free from the IBM Security website.

The main IBM Security components that enable cross-platform authentication and authorization services using Active Directory are platform-specific agents. Agents are packaged in compressed platform-specific files that you can download and extract to enable non-Windows computers to join an Active Directory domain. After you install an agent and join a domain, Active Directory users are authenticated on the UNIX or Linux computer without any further configuration.

The IBM Security Verify Privilege Server Suite Free family of products also includes Kerberos-enabled versions of OpenSSH and PuTTY packages.

Features Not Supported by IBM Security Verify Privilege Server Suite Free

Taken together, IBM Security Verify Privilege Server Suite Free products provide a solid foundation of functionality that is suitable for many organizations without upgrading to Verify Privilege Server Suite. However, IBM Security Verify Privilege Server Suite Free does not provide central management of policies, delegated administration, identity control, role-based access rights, or auditing services.

If your organization outgrows the basic functionality of IBM Security Verify Privilege Server Suite Free, you can upgrade to Verify Privilege Server Suite to take advantage of these additional features.

The following list describes features that are limited or not enabled in IBM Security Verify Privilege Server Suite Free.

  • Centralized identity and access management: You cannot centrally manage user and group profiles, control access privileges on specific computers, or delegate administrative activities.
  • Group policies: You cannot centrally manage configuration settings for non-Windows computers and users.
  • Auditing: You cannot audit user session activity.
  • Role-based authorization and access rights: You cannot define rights, roles, and role assignments to enforce role-based access to privileged commands and other operations.
  • Unlimited IBM Security-managed computers: The number of IBM Security-managed computers that can be connected to the Active Directory domain at the same time is limited. The limit is described in the End User License Agreement (EULA) that is specific to IBM Security Verify Privilege Server Suite Free.
  • User login controls: You can only use a limited set of parameters to control which users or groups are granted or denied access.
  • Active Directory lookup filtering: You cannot use the NSS override parameters to filter Active Directory lookup requests.
  • The adcert command: You cannot use the adcert command, which enables certificate operations to be performed directly on agent-managed UNIX computers.
  • Data isolation and encryption: You cannot dynamically isolate and encrypt data in motion.

You must upgrade to a licensed version of Verify Privilege Server Suite to use any of these features.

Managed Computers are Active Directory Clients

The agent enables non-Windows servers and workstations to participate in an Active Directory domain as Active Directory clients. You install the agent on each computer that you want to make part of an Active Directory domain. After you install the agent and join a domain on a computer, the computer is considered an IBM Security-managed computer. The agent then manages the connection to the Active Directory domain controllers when users log on or connect to the computer remotely.

What the Agent Does

The agent makes a computer look and behave like a Windows client computer to Active Directory. The agent performs the following key tasks:

  • Joins the computer to an Active Directory domain.
  • Communicates with Active Directory to authenticate users when they log on.
  • Caches user credentials for offline access.
  • Enforces Active Directory authentication and password policies.
  • Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.

Agents Consist of Multiple Components

Agents provide an integrated set of services that enable programs and applications to use Active Directory. The core agent service is the adclient process. The adclient process handles all of the direct communication with Active Directory and coordinates with other services to process requests for authentication, authorization, directory assistance, or policy updates.

Other services handle specific types of operations. For example, the pam_centrifydc module enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory. The agent also registers a custom NSS module in the nsswitch.conf configuration file so that system look-up requests, such as user and group lookups, use the information in Active Directory. A configurable local cache stores user credentials and other information for offline access and network efficiency.

In addition to the core agent services, agents can include IBM Security compiled versions of other programs, such as OpenSSH and OpenLDAP, to work with Active Directory.
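After a join, a practitioner will want to confirm that name resolution was actually wired to the agent's NSS module and that local accounts still resolve. The following check is an added example written for this page; it is not part of the product and does not reproduce its installer. It parses the nsswitch.conf format and verifies that, for the passwd and group databases, the agent source is registered and the files source is still present. The source name centrifydc and the sample file contents are assumptions constructed for the example.

```python
"""Verify nsswitch.conf wiring after an Active Directory join (added example)."""

# ASSUMPTION: the NSS source name under which the agent's module is registered.
NSS_SOURCE = "centrifydc"

# Constructed sample of /etc/nsswitch.conf after a successful join.
SAMPLE_NSSWITCH = """\
# constructed sample, not a real file from a managed computer
passwd:   files centrifydc
shadow:   files centrifydc
group:    files centrifydc
hosts:    files dns [NOTFOUND=return] nis
"""


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources.

    Comments are stripped and action tokens such as [NOTFOUND=return]
    are ignored, since they are not sources.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def check_join(nsswitch_text, required=("passwd", "group")):
    """Return a list of problems; an empty list means the wiring looks right."""
    databases = parse_nsswitch(nsswitch_text)
    problems = []
    for db in required:
        sources = databases.get(db, [])
        if NSS_SOURCE not in sources:
            problems.append(f"{db}: agent source {NSS_SOURCE!r} is not registered")
        if "files" not in sources:
            problems.append(f"{db}: 'files' is missing, so local accounts would stop resolving")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_NSSWITCH
    for problem in check_join(text) or ["ok"]:
        print(problem)
```

Run it with the path of a managed computer's nsswitch.conf to check a real file; without an argument it checks the constructed sample.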

Provisioning is Automatic

When you deploy an agent on a computer, the agent adds the computer account to Active Directory and automatically creates consistent UIDs across the joined domain for Active Directory users with access to the computer. The agent authenticates all valid Active Directory users without any configuration or account management. Because there is only one zone for the forest, you can deploy without creating any zones of your own. Because profiles are generated automatically, you do not need to configure any zone properties or manage who has access to which subsets of UNIX and Linux computers.

Deciding Whether to Use Zones

The primary reason to use IBM Security Verify Privilege Server Suite Free is that it enables Active Directory authentication without any planning, manual configuration, or account management. A primary limitation to using IBM Security Verify Privilege Server Suite Free is that all computers are placed in a single, automatically defined zone.

Zones provide a powerful and flexible structure for managing user identities, role-based access controls, and delegated administrative authority. However, deciding on the best strategy for using zones requires some planning and preparation. If your organization does not require more than one zone, you can begin deploying agents immediately.

Working With a Single Zone

IBM Security Verify Privilege Server Suite Free is designed for organizations that do not want to centrally manage user profiles, role assignments, or administrative activities. After the agent is installed, all valid Active Directory users and groups in the entire Active Directory forest are automatically assigned a unique UNIX profile that allows them to log on. Because the IBM Security Verify Privilege Server Suite Free agent requires no configuration or central management, it is most suitable for organizations that:

  • Want to add computers to a domain quickly without configuring any zones.
  • Do not need to maintain or manage existing UIDs and GIDs.
  • Have a limited number of users and domains.
  • Have a relatively flat organizational structure.

If a single zone suits the needs of your organization, IBM Security Verify Privilege Server Suite Free provides a no-cost, cross-platform solution for authentication services. If your organization grows in size and complexity or if you want more granular access controls, you can upgrade to a licensed version of IBM Security software at a later time. For more information about IBM Security service offerings and Verify Privilege Server Suite, see "Comparing IBM Security Verify Privilege Server Suite Free to other services" later in this chapter.

All Active Directory Users Have Access

After you install an agent and join an Active Directory domain, all of the users and groups in the Active Directory forest automatically become valid users and groups for the joined computer. In addition, all Active Directory users defined in any forest with a two-way trust relationship with the forest of the joined domain are valid users for the joined computer.

If a computer joins a domain and the domain has a one-way trust relationship with another domain, users and groups in the trusted domain do not become valid users and groups on the computer.

By default, all valid users can perform the following tasks:

  • Log on interactively to the shell or a desktop program and use standard programs such as telnet, ssh, and ftp.
  • Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
  • Manage their Active Directory passwords directly from the command line, provided they can connect to Active Directory.

How the Agent Generates Profile Attributes

Computers with an IBM Security Verify Privilege Server Suite Free agent always connect to the domain through the Auto Zone. In the Auto Zone, user profile attributes, such as the UID, default shell, and home directory, are automatically derived from user attributes in Active Directory or from configuration parameters. No local account information is used or migrated into Active Directory.

When an Active Directory user logs on to a UNIX or Linux computer for the first time, the agent automatically generates a 31-bit UID for the user and a 31-bit GID for each group to which the user belongs. To make the values unique, the agent forms a 9-bit prefix from the last 9 bits of the user or group Security Identifier (SID) and combines it with the lower 22 bits of the user or group relative identifier (RID), giving 9 + 22 = 31 bits.

Although the agent caches these UID and GID values, they are not stored in Active Directory. You cannot edit or change them in any way with Active Directory Users and Computers (ADUC). If the cache expires, the agent uses the same algorithm to create the same UID and GID the next time the user logs on so you are guaranteed consistent ownership for files and resources. In addition, users who log on to more than one computer will have the same generated UID on each managed computer.

None of these profile attributes, including the UID and GID values, are stored in Active Directory. If you upgrade to a licensed version of IBM Security software, you can migrate UID and GID properties into Active Directory and manipulate them for individual computers. You can also map multiple UIDs to a single Active Directory account so that the same user account has different UID settings on different computers. This type of manipulation is not possible when using Auto Zone and IBM Security Verify Privilege Server Suite Free agents.
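The derivation above is easier to reason about, and its consequences easier to see, in code. The following is an added illustration written for this page; it is not the agent's implementation, and it reads "last 9 bits of the SID" as the low 9 bits of the last sub-authority of the domain part of the SID (the SID with the RID removed), which is an assumption. The SID values are constructed. Beyond the page's description, it also shows why the scheme is stable across computers and where two identifiers can collide.

```python
"""Auto Zone style UID/GID derivation, as an illustration of the scheme
described on this page (added example, not the agent's code)."""
import re

PREFIX_BITS = 9                                   # bits taken from the SID
RID_BITS = 22                                     # low-order bits taken from the RID
PREFIX_MASK = (1 << PREFIX_BITS) - 1
RID_MASK = (1 << RID_BITS) - 1
MAX_ID = (1 << (PREFIX_BITS + RID_BITS)) - 1      # largest 31-bit value

# S-1-<authority>-<subauthority>... with at least two sub-authorities,
# the last of which is the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){2,}$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-1106' into ('S-1-5-21-a-b-c', 1106)."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def auto_zone_id(sid):
    """Derive a 31-bit UID or GID from a user or group SID.

    ASSUMPTION: the 9-bit prefix comes from the last sub-authority of the
    domain part of the SID; the page only says "last 9 bits of the SID".
    """
    domain, rid = split_sid(sid)
    domain_tail = int(domain.rsplit("-", 1)[1])
    prefix = domain_tail & PREFIX_MASK
    return (prefix << RID_BITS) | (rid & RID_MASK)


def collides(sid_a, sid_b):
    """True when two distinct SIDs map to the same UID/GID."""
    return sid_a != sid_b and auto_zone_id(sid_a) == auto_zone_id(sid_b)


if __name__ == "__main__":
    # Constructed SIDs: same domain, RIDs 1106 and 1106 + 2**22.
    user = "S-1-5-21-1004336348-1177238915-682003330-1106"
    clash = "S-1-5-21-1004336348-1177238915-682003330-4195410"
    print("uid:", auto_zone_id(user))          # identical on every managed computer
    print("fits in 31 bits:", auto_zone_id(user) <= MAX_ID)
    print("collides with RID + 2**22:", collides(user, clash))
```

Because the value is a pure function of the SID, nothing needs to be stored in Active Directory and a cache expiry or a second computer reproduces the same number, which is the consistency the page promises. The flip side is visible in collides(): only 22 bits of the RID and 9 bits of the domain survive, so RIDs that differ by a multiple of 2**22, or domains whose tails agree in their low 9 bits, yield the same UID or GID.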

In addition to the UID and GID, the agent automatically creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:

  • UNIX or Linux: /home/username
  • Mac OS X: /Users/username

Deploying an agent does not affect local users. User accounts that are defined in the local /etc/passwd file can still log on. If you want to control access through Active Directory, however, you should create Active Directory accounts for each user. After you verify user access for the Active Directory user, you can then either delete the local account, or map the local user on each computer to an Active Directory account to preserve access to current home directories and files. For more information about mapping accounts, see "Mapping local accounts to Active Directory".

Using IBM Security Verify Privilege Server Suite Free to Deploy Agents

With IBM Security Verify Privilege Server Suite Free, you can discover and analyze computers on your network or in the cloud, then download and install or update the correct agent for each discovered computer. You can also use IBM Security Verify Privilege Server Suite Free to manage account information for remote UNIX users and groups, and run programs on the computers discovered.

Like other IBM Security products, you can download IBM Security Verify Privilege Server Suite Free agents from the IBM Security website.

Comparing IBM Security Verify Privilege Server Suite Free to other services

IBM Security Verify Privilege Server Suite Free provides a subset of the features available in authentication and privilege elevation services. Over time, this basic set of functionality may be insufficient. Depending on the needs of your organization, you may want to upgrade to Verify Privilege Server Suite to take advantage of additional feature sets. The following list provides a brief description of the product offerings available.

  • IBM Security Verify Privilege Server Suite Free: Free software that provides basic integration with Active Directory for authenticating users.
  • Verify Privilege Server Suite: Commercial offering that provides a full complement of services to secure your infrastructure and prevent the breaches that can result when privileged accounts are compromised. With Verify Privilege Server Suite, you can protect your organization in a variety of ways. For example, you can require users to log in as themselves, enforce least-privilege access for administrators and end users, control shared access to privileged accounts, audit and monitor user activity and what takes place during privileged sessions, and isolate and encrypt sensitive information transmitted over the network.