Frequently Asked Questions: Vintela Authentication Services

What is Vintela Authentication Services?
Vintela Authentication Services allows you to seamlessly extend the security and compliance of your Microsoft Active Directory infrastructure to Unix, Linux, and Mac platforms and applications. It addresses the compliance need for cross-platform access control, the operational need for centralized authentication and single sign-on, and enables simplified, heterogeneous identity management. It is a secure, easy-to-use solution for managing a single user identity across a heterogeneous Unix, Linux, Mac, and Windows environment. Vintela Authentication Services uses Kerberos encryption to protect sensitive user credentials, delivering rock-solid network and user security. Vintela Authentication Services provides central Unix, Linux, Mac, and Windows user identity administration from the Microsoft Management Console (MMC); eliminates the need for NIS and custom-built password synchronization scripts; and reduces time spent on password problems.

How long has Vintela Authentication Services been on the market?
Vintela Authentication Services, currently shipping version 3.2, has been commercially available since August 2002, with the first large-scale implementations occurring in early 2003. Vintela operated as an independent company until July 2005, when Quest Software acquired Vintela, which enabled the company to extend the reach of its powerful Active Directory management tools to a cross-platform identity management offering.

What are some of the benefits of Vintela Authentication Services?
- Enhance compliance and security by extending the native capabilities of Active Directory to Unix, Linux, and Mac systems (including Enterprise Group Policy)
- Create a centralized authentication infrastructure for Unix, Linux, and Mac systems and single sign-on for a large number of non-Windows applications
- Facilitate migration from legacy Unix authentication mechanisms such as NIS and /etc/passwd with automated tools and flexible options
- Leverage existing infrastructure for enterprise-wide identity management (simplifying identity management)
- Comply with internal policies or with external regulations such as Sarbanes-Oxley or HIPAA across all systems
- Ensure that only appropriate users can access critical and/or sensitive resources
- Simplify help desk operations, speed change requests, and streamline employee terminations and resignations, thus reducing security exposure
- Reduce administrative complexity
- Provide a higher degree of system integrity and convergence, with minimized opportunity for error
- Deliver faster times to user productivity, since access requests can be fulfilled promptly
- Manage users from a central location, even across multiple cities, states or countries

How does Vintela Authentication Services help simplify identity management?
Vintela Authentication Services provides the enabling technology to allow organizations to simplify identity management based on an existing investment in Active Directory. Through the product, AD-based identity management solutions—such as those for provisioning, password management, and auditing and reporting—from Quest and other vendors can naturally extend to non-Windows systems as well. In addition, Vintela Authentication Services can dramatically simplify an existing meta-directory or synchronization solution by reducing the number of systems that require synchronization methods and custom integration to each synchronized system to achieve identity integration.

Does Vintela Authentication Services require additional software implemented on the Domain Controller?
Vintela Authentication Services has been architected to avoid adding additional layers to your existing Active Directory deployment. No additional software components are required on Domain Controllers. Vintela Authentication Services provides a simple MMC Snapin that can be used to manage Unix account information for users and groups from any Windows workstation. In order to maximize interoperability with third-party applications, Vintela Authentication Services does require use of the standard RFC 2307 schema definition for storing Unix account information with Active Directory users and groups. For Windows Server System Active Directory R2, the RFC 2307 schema has been adopted by Microsoft—that means that for users on R2 no modification to the schema is required.

How does Vintela Authentication Services relate to single sign-on?
"Single sign-on" can have a range of meanings, from the basic idea that a user has the same username and password across different applications and systems, to the ideal of moving between applications and systems without having to authenticate again.

Vintela Authentication Services enables organizations to efficiently and securely manage a single login/password for Unix, Linux, Mac, and Windows systems and applications. Anytime a password is changed from within a PAM-enabled application, or through a local OS password changing utility, the password is changed for all applications. Applications that have been made Kerberos-aware (such as versions of SSH or SPNEGO-enabled Apache for Web applications) can provide single sign-on. With Vintela Authentication Services, Unix, Linux, and Mac servers become full citizens in the Windows identity management and authentication infrastructure. By doing this, many existing Microsoft management, reporting, and other tools become automatically applicable to non-Windows users. In addition, there is no client-side software to be installed and managed as with traditional single sign-on solutions, lowering the cost of installation and management.

What applications does Vintela Authentication Services support for single sign-on?
Vintela Authentication Services provides single sign-on support for the following Unix/Linux applications:
- SAP SNC through the SAPgui (for more details on this solution, please refer to the prescriptive guidance section of the website)
- DB2
- Any application that relies on Unix/Linux OS authentication
- Any GSSAPI-aware application (easily integrated through the Vintela Authentication Services API)
- Any "Kerberized" application
- Any application with "hooks" into LDAP
- Samba
- OpenSSH
- PuTTY
- Apache

Does Vintela Authentication Services provide single sign-on for Java applications?
Yes, each core user license of Vintela Authentication Services includes the corresponding full Java application single sign-on license of the Vintela Single Sign-on for Java product. This provides a native Java implementation of Kerberos that allows powerful, seamless integration between Java applications and Active Directory.

How does Vintela Authentication Services compare with meta-directory or password synchronization solutions?
Vintela Authentication Services is not a password synchronization solution. Instead, Vintela Authentication Services integrates Unix/Linux/Mac directly into the Windows infrastructure so that authentication and password change events occur in real time. When a user changes his or her password on one platform, subsequent logins on any other platform will immediately enforce the new password. This is because all authentication is handled by the Windows domain controller directly. Vintela Authentication Services complements meta-directory solutions by dramatically reducing the number of unique connections that must be programmed and maintained. All Unix, Linux, and Mac systems actually become “full citizens” in AD, allowing the metadirectory to continue to provide synchronization for legacy systems and other resources that cannot join the AD domain through Vintela Authentication Services.

I already have MIIS (Microsoft Identity Integration Server). Do I still need Vintela Authentication Services?
MIIS and Vintela Authentication Services are highly complementary. While MIIS does provide metadirectory capabilities, it does not currently integrate well with Unix accounts. By using Vintela Authentication Services to move Unix accounts right into Active Directory, the MIIS Management Agent for Active Directory can be used to easily provision and de-provision Unix accounts right in Active Directory, greatly enhancing the value of your investment in MIIS.

How do Vintela Authentication Services and Active Directory compare with other directories, eDirectory, and Sun ONE Directory?
Vintela Authentication Services and Active Directory together provide an identity management solution that surpasses what is available from solutions that are based solely on LDAP. Active Directory integrates the security and authentication benefits of Kerberos with the identity attribute and authorization storage flexibility of LDAP. By centralizing both Unix and Windows authentication and authorization, you are able to reduce the need for redundant directory infrastructure while integrating seamlessly with your existing Active Directory infrastructure, and at the same time provide secure, real-time authentication based on Kerberos, which LDAP-only solutions cannot provide.

What is the difference between LDAP and Vintela Authentication Services?
LDAP (Lightweight Directory Access Protocol) is the protocol on which many directories are built, including Microsoft Active Directory. Vintela Authentication Services extends the ability of Active Directory to allow existing Windows users to access Unix/Linux/Mac workstations and servers using their Active Directory identity, in a secure manner. LDAP is simply a protocol for accessing data stored on a directory server. Vintela Authentication Services is a solution for centralizing Unix/Linux/Mac identity management and authentication in Active Directory. LDAP alone does not provide secure authentication, which is why Active Directory—unlike other directory servers—integrates Kerberos into its authentication mechanism.

How does Vintela Authentication Services compare with NIS?
Vintela Authentication Services provides an extremely attractive alternative to NIS (including all the functionality required to migrate from NIS to an entirely AD-based authentication infrastructure). NIS is notably insecure, non-compliant, cumbersome to maintain, and tailored to small, flat, and centralized organizations. Most of all, it continues to perpetuate a logical and administrative division between Unix and Windows. Vintela Authentication Services is a unifying technology that makes it possible to manage Unix and Linux identities and authentication from Microsoft Windows Active Directory, creating a single authentication scheme for Unix and Windows. NIS invariably does not comply with Sarbanes-Oxley or other regulatory compliance audit requirements.

How does Vintela Authentication Services compare with Microsoft Services for Unix (SFU)?
SFU includes a number of features, one of which is its ability to act as an NIS server. SFU is another approach to achieve limited integration between Unix and Active Directory. It does not provide the true integration with Active Directory that Vintela Authentication Services provides and perpetuates some of the security problems of NIS.

Who is interested in this product?
Organizations interested in Vintela Authentication Services share some or all of the following characteristics:
- Have increasing security/compliance concerns and seek to pass stringent security audits that cross Windows and Unix platforms
- Have a desire to migrate from NIS to a more secure and compliant authentication mechanism
- Already use Microsoft Active Directory for Windows user account management
- Manage a mixed Unix/Linux/Mac and Windows environment
- Are seeking to take advantage of single sign-on beyond that offered by AD for Windows resources
- Are finding the cost and management burden of cross-platform identity management prohibitive
- Are interested in reducing the cost of password management
- Currently use unreliable custom password synchronization scripts that require maintenance and are insecure
- Would like to leverage existing (or planned) investment in Active Directory
- Have user populations of 50 or greater with significant employee turnover

Does Vintela Authentication Services enable control of password expiration, complexity, history, etc.? How is this achieved?
All authentication and password changes for Active Directory users are done directly against Active Directory domain controllers using standard Kerberos protocols. The domain controllers enforce account lockout, password complexity and history, and password expiration. The Vintela Authentication Services Unix client simply passes this information back to the users. As an added benefit, any standards-based password management solution—such as Quest Password Manager—will automatically extend from AD to Unix, Linux, and Mac systems that have been integrated through Vintela Authentication Services.

Am I able to leverage Active Directory's Group Policy for my Unix, Linux, or Mac systems?
Vintela Authentication Services includes comprehensive Enterprise Group Policy functionality, which builds on the integration with Active Directory that Vintela Authentication Services provides and allows you to leverage Active Directory's Group Policy framework to manage Unix/Linux configuration settings and Mac desktop configurations.

Are users still able to log on if they are not able to access the Microsoft Active Directory server?
Yes, Vintela Authentication Services allows Unix/Linux/Mac workstations and servers to continue to log on users even if the network connection to the Microsoft Active Directory server is down.

What tools are needed on the Windows side? The Unix side? Do Unix administrators have to manage Unix users via Windows?
Vintela Authentication Services has been architected to avoid being "locked-in" to any vendor-specific administration tool. With our standards-based approach, any existing Active Directory administration tool can easily be extended to manage Unix account information.

Vintela Authentication Services includes an MMC Snapin that provides an extension to the standard Microsoft Active Directory Users and Computers Snapin that allows you to manage Unix/Linux/Mac account information for users and groups. Vintela Authentication Services provides a Unix client that provides integration with the Active Directory domain. Vintela Authentication Services also provides powerful command line tools that have been designed for use (and scripting) by Unix administrators for managing Active Directory user and group information. These command line tools can be used from scripting environments or from Web backends. With Active Directory's advanced access control mechanisms, it is easy to allow Unix administrators to continue to manage just the Unix account information for users and groups. In addition, the functionality available from the command line is also available through an MMC-based graphical user interface.

Who are some of the companies using Vintela Authentication Services?
Vintela Authentication Services is in use at hundreds of companies worldwide, with many more joining each month. Today there are more than one million installed seats of Vintela Authentication Services worldwide. Some of the most prominent include:
- Abbott Labs
- Adaptec
- Advanta Bank Corp.
- Allvac
- Altera
- American Medical Security
- Ask Jeeves
- Atlantis Plastics
- Baker Hughes
- Brown & Williamson Tobacco
- Brown University
- The Center for Disease Control
- Cisco
- Columbia House Company
- Conax
- Continental Casualty Company
- Cox Enterprises
- Cross Country Healthcare
- Del-Jen, Inc.
- EEFCU
- Equient
- Federman & Phelan
- FEI Company
- Ferguson
- Fidelity
- Hansabank AS
- Honda
- Internet Security Systems
- Istituto Trentino di Cultura
- Johns Hopkins University
- Kansas State University
- Limited
- Lockheed Martin
- Merrill Lynch
- Michigan State University
- Paymentech
- PDX
- Raytheon
- Reinsurance Group of America
- RotaDyne
- Southern Company
- Symbium Corp.
- USDA
- Vertex Pharmaceuticals

I have conflicting UIDs in different account domains. Will I have to re-permission everything?
No. The Unix Personality Management feature in Vintela Authentication Services allows you to maintain alternate "personalities" for accounts on different systems or different groups of systems. "Personality objects" are created in separate "personality OUs" (organizational units). When a machine is joined to the Active Directory domain, you may optionally specify an organizational unit, which contains the personality definitions that are to be used for that system. All "personalities" are linked to the same Windows account, so a single username/password and a single set of password policies are used for each individual user, despite the fact that they may have different "personalities" on different machines.

What is a Personality Object?
A personality object is a new schema object which instantiates the posixAccount (or posixGroup) class definition as found in the RFC 2307 standard or as an auxiliary class in the Microsoft Windows Server 2003 R2 default schema. It is used to store the attributes associated with a Unix user account, such as User ID, default group, home directory and default shell. In addition to instantiating the R2 posixAccount auxiliary class, it also contains a back link attribute which associates the personality information with the Windows account. Personalities themselves are not security principals and have no passwords of their own; they are always linked to a Windows account, which is always the security principal associated with the Unix login session. (See Microsoft's listing of the auxiliary classes in the R2 release.)

Does Vintela Authentication Services require schema modifications?
Vintela Authentication Services has always used the RFC 2307 schema definitions as the preferred storage model for Unix attribute information. The Microsoft Windows Server 2003 R2 default schema now includes these same definitions, and existing users can easily upgrade to R2 with no loss of data by applying a simple schema modification. Whether you deploy R2 now or in the future, the schema definitions for the basic Vintela Authentication Services functionality are identical to those in the R2 default, and can be deployed independently of an R2 upgrade, with full confidence. If you wish to use the Unix Personality Management feature, a minor Vintela schema definition is also required simply to instantiate the posixGroup and posixAccount auxiliary classes included in the R2 default schema. The optional NIS server daemon, which allows you to store NIS map information in Active Directory, can be configured to use either a Vintela format or the NIS map objects defined in the RFC 2307 standard and included in R2.

Why do you use the RFC 2307 schema objects, anyway?
Storing your Unix account information in Active Directory brings together two worlds that have historically been far apart—Windows and Unix. The common denominator between them is standards. The Vintela Authentication Services design has always centered on accepted industry standards and best practices.

The Unix account identity information being stored in Active Directory is a valuable corporate data asset, and should be stored using conventional LDAP data representations, which dictate that each data element (in this case, an individual Unix attribute such as UID or default shell) be stored and searchable as a single name/value pair—that is, with a purpose-specific attribute.

While it is certainly possible to store this same information in generic "catch-all" objects, and avoid the whole question of schemas, both Active Directory and Unix administrators will, on close examination of alternatives to the schema-based approach, realize that the benefits of the schema-based approach outweigh the apparent convenience of so-called "touchless" designs. What is really "touchless" about these designs is the difficulty in managing and provisioning these proprietary data structures using off-the-shelf industry standard tools. These tools expect to manage data stored in an LDAP directory using simple and conventional LDAP searches in order to achieve interoperability—not interpret complex data structures encoded in faceless objects. This is the way that every other element defined by Microsoft in Active Directory is accessed, and for this, schema definitions are needed. Complex data representations in Active Directory lead to costly searches. While alternative solutions may claim to "conform" to Microsoft standards, this is only in the vaguest and most general sense, in that they use a general-purpose object to store data that is structured in an arbitrary, proprietary format. They certainly do not conform to the spirit of the Active Directory design, nor to the direction indicated by the fact that Microsoft has included the RFC 2307 schema as part of the R2 default.

The Unix Personality Management design allows you to use the RFC 2307 attributes in any Personality OU, and to have a single model for representation of attribute data that is consistent across all account domains. Other solutions may claim RFC 2307 support but in fact restrict this support to a single account domain.

Can I develop applications that use Vintela Authentication Services?
Vintela Authentication Services provides complete interfaces to Kerberos, LDAP, and GSS-API. In addition, it provides "helper APIs" which allow the Vintela Authentication Services subsystem to do most of the "heavy lifting" required in developing Kerberos and LDAP-aware applications, and to leverage the information stored in the Vintela Authentication Services cache and its knowledge of Active Directory sites and data structures. Wrapper code is also available to allow you to leverage these APIs using PERL and PHP.

I have an application that only uses LDAP. How can Vintela Authentication Services help integrate it with Active Directory?
Usually when administrators try to integrate existing LDAP-aware applications with Active Directory—in theory possible using direct LDAP calls to Active Directory—they encounter unacceptable security problems. Active Directory security must be compromised by allowing anonymous binds, for example, and network traffic must be secured using TLS/SSL to encrypt in-the-clear password transmissions. The Vintela Authentication Services authentication proxy for LDAP allows LDAP-aware applications to reference an LDAP server installed as part of Vintela Authentication Services and accessed securely through the localhost loopback. It also allows binds to be "proxied" to secure Kerberos authentication requests, transparently to the application. The proxy can bind to Active Directory at a virtualized anonymous-bind security level on a per-application basis, rather than globally. And Vintela Authentication Services access control filters can be applied, further enhancing the security of LDAP-aware applications.

Further, the user's Unix identity and Windows identity are based on the same underlying Windows user account. Likewise, groups can be harmonized between Windows and Unix. Thus, there is a single security model controlling access to Active Directory data. This greatly simplifies operations, audit, and security analysis. The Unix hosts are “joined” to the Windows Domains, restricting access to LDAP data to trusted systems. This prevents spoofing (impersonating) the Domain Controllers.

Does Vintela Authentication Services require "shadow" accounts on Unix or on AD?
No. Because Unix systems are actually joined to the Active Directory Domain at the native level, Vintela Authentication Services does not require shadow accounts. The user's Unix account information is associated with the user objects in Active Directory, and is accessible by both Vintela Authentication Services and third party applications. The Vintela Authentication Services Name Service Switch module, nss_vas, returns the necessary shadow information through the standard Unix APIs. Unix shadow information is typically used for password expiration and account lockout, which is directly controlled by Active Directory and the Vintela Authentication Services authentication components.

Does Vintela Authentication Services support Microsoft Windows 2003?
Support for Microsoft Windows 2003 has been available since version 2.1 of Vintela Authentication Services.

What platforms does Vintela Authentication Services currently support?
View the complete list of supported platforms for Vintela Authentication Services. Note: Vintela Authentication Services supports more non-Windows platforms than any other solution.

Does Vintela Authentication Services have any tools to help me join my Unix, Linux, or Mac systems to the AD domain?
The vastool utility allows joining of your Unix, Linux, and Mac systems to the Windows domain from the Unix command line. This allows you to leverage existing provisioning and management systems and processes. Joining the domain is as simple as executing the following command—either manually or as part of an existing process:

    vastool -u <username> join <your domain name>

Vintela Authentication Services includes the vasjoin.sh script, which automates this process. This script does not support unattended operation. Vintela Authentication Services supports scripting interfaces, including PERL, and Web service interfaces, such as Python, that allow integration with existing processes and infrastructure.

Note: Some customers pre-create the computer accounts in Active Directory for integration with an existing provisioning and management solution. Vastool includes support for this scenario.

What is Unix Personality Management, and why would I use it?
Unix Personality Management (UPM) is an extremely flexible and powerful way of centrally managing disparate Unix identities across multiple systems. It allows multiple Unix identities to map to a single, underlying Windows principal of like type. A principal is a user, computer, or group. UPM uses the Windows Unix Interoperability schema supplied by Microsoft, and Vintela Authentication Services’ Unix Personality Object schema. The schema used to represent user, computer, and group attributes is well documented, and accessible to other processes. This transparency facilitates consolidating multiple, conflicting Unix namespaces into a single consistent identity store. Advantages include:
- Both authentication and identity management are centrally managed from Active Directory
Advantages include: - Both authentication and identity management are centrally managed from Active Directory
- Well suited for consolidating several, conflicting NIS domains
- Suitable for scenarios with multiple, inconsistent, local file-based identity stores (/etc/passwd, /etc/group)
- Allows rapid transition to a completely Active Directory- and Kerberos-based identity management solution
- Provides GUI tools both for the import and the ongoing management of Unix identity information stored in Active Directory
- Version 3.1 supports and is fully integrated into the Quest ActiveRoles Server console and Web interfaces
- Local Unix users and groups stored centrally in Active Directory
- Easy to audit Unix user and group identity information (all information stored in the directory)
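
A pre-migration check for the conflicting-namespace case that UPM addresses, as an added example (not Vintela or Quest code): it reads passwd-format maps from several NIS domains, reports UIDs shared by different usernames and usernames whose UID differs between domains, and lists the RFC 2307 posixAccount attributes each per-domain personality would carry. The domain names, sample entries, function names and the `source_domain`/`linked_account` keys are constructed for illustration, and matching accounts by username is an assumption.

```python
"""Pre-migration audit of passwd-format maps from several NIS domains.

Added illustration, not Vintela/Quest code. Domains and entries are constructed.
"""
import json
from collections import defaultdict

# Constructed sample input in passwd(5) format, one map per NIS domain.
SAMPLE_MAPS = {
    "eng.example": """\
alice:x:1001:100:Alice Ames:/home/alice:/bin/bash
bob:x:1002:100:Bob Burns:/home/bob:/bin/ksh
oracle:x:500:500:Oracle owner:/opt/oracle:/bin/sh
""",
    "fin.example": """\
alice:x:2040:200:Alice Ames:/home/alice:/bin/bash
carol:x:1002:200:Carol Cole:/home/carol:/bin/bash
oracle:x:500:500:Oracle owner:/opt/oracle:/bin/sh
# comment
broken:line
""",
}


def parse_passwd(text):
    """Parse one passwd map into RFC 2307 posixAccount-style dicts.

    Returns (entries, rejected); rejected holds (line_number, raw_line) for
    anything that is not a well-formed seven-field entry.
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        numeric = len(parts) == 7 and parts[2].isdecimal() and parts[3].isdecimal()
        if not numeric or not parts[0]:
            rejected.append((lineno, raw))
            continue
        name, _hash, uid, gid, gecos, home, shell = parts
        # The password field is dropped on purpose: a personality has no
        # password of its own, so no hash is carried into the directory.
        entries.append({
            "uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
            "gecos": gecos, "homeDirectory": home, "loginShell": shell,
        })
    return entries, rejected


def audit(maps):
    """Report UID collisions, UID drift and the personalities they imply."""
    by_uid = defaultdict(set)   # uidNumber -> {(domain, username)}
    by_name = defaultdict(set)  # username  -> {(domain, uidNumber)}
    parsed, rejected = {}, {}
    for domain, text in maps.items():
        parsed[domain], bad = parse_passwd(text)
        if bad:
            rejected[domain] = bad
        for e in parsed[domain]:
            by_uid[e["uidNumber"]].add((domain, e["uid"]))
            by_name[e["uid"]].add((domain, e["uidNumber"]))

    # Same number, different usernames: file ownership would be ambiguous.
    collisions = {u: sorted(s) for u, s in by_uid.items()
                  if len({name for _, name in s}) > 1}
    # Same username, different numbers. Assumption: equal usernames mean the
    # same person; confirm against gecos or HR data before linking accounts.
    drift = {n: sorted(s) for n, s in by_name.items()
             if len({uid for _, uid in s}) > 1}

    affected = set(drift) | {name for s in collisions.values() for _, name in s}
    personalities = [
        {"source_domain": domain, "linked_account": e["uid"], "posixAccount": e}
        for domain, entries in parsed.items()
        for e in entries if e["uid"] in affected
    ]
    return {
        "uid_collisions": collisions,
        "uid_drift": drift,
        "personalities": personalities,
        "consistent": sorted(set(by_name) - affected),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MAPS), indent=2))
```

Accounts listed under `consistent` can share one set of Unix attributes everywhere; the rest are the candidates for per-OU personalities or for renumbering.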

What is Mapped User Mode and when would I use it?
Mapped User Mode allows a single identity to have multiple personalities on a per-system basis. This mechanism has the following advantages:
- Allows rapid transition to centralized authentication and credential management
- Quickly upgrade network security by transitioning to Kerberos-based user authentication
- Quickly address audit issues related to timely deactivation of accounts and enforcement of AD password policies
- Does not store intermediate state information in Active Directory
- Low risk of impact to Unix systems and applications
- Intuitive for Unix staff
- Simple deployment and maintenance via the Identity Migration Wizard for Unix
- Can be used in conjunction with NIS and non-Active Directory LDAP stores

Mapped User Mode leverages configuration files on the local Unix system to manage multiple, conflicting Unix identities. Mapped User Mode associates NIS, LDAP, or local file-based user definitions with the corresponding Active Directory entries. By linking Unix userids and Active Directory user accounts, the authentication process can be “Kerberized” without affecting the local Unix view of the user. This means that no UID/GID reconciliation or application refitting is required. The existing identity information (username, UID, GID, gecos, home directory, login and login shell) is derived exactly as before. The user’s configuration is not stored in Active Directory. This allows rapid deployment of Vintela Authentication Services as a centralized authentication service while not disrupting ongoing operations.

What is Account Override and when would I use it?
Account Override provides a mechanism to modify user and group information on a per-system basis. Vintela Authentication Services’ Enterprise Group Policy capabilities can provide centrally controlled, Active Directory-based management for local overrides. Vintela Authentication Services simplifies account override management by providing policies to manage the user-override and group-override files. Account Override is a simple mechanism for handling exceptions and is not typically used alone for large-scale migrations. The benefits of local overrides include:
- Well supported by Vintela Authentication Services’ Enterprise Group Policy functionality
- Provides a simple mechanism for handling one-off exceptions of Unix identity data stored in Active Directory
- Can be used on a per-host basis
- Can be centrally managed, as Account Override is fully supported by Vintela Authentication Services
- Local users and groups do not exist on the local Unix system
- Allows rapid transition to centralized authentication and credential management
- Quickly upgrade network security by transitioning to Kerberos-based user authentication
- Quickly address audit issues related to timely deactivation of accounts
- Does not store intermediate state information in Active Directory
- Low risk of impact to Unix systems and applications
- Intuitive for Unix staff
- Simple deployment and maintenance via the Unix Identity Migration Wizard
- The Unix Identity Migration Wizard utilizes the override functionality to simplify the deployment and maintenance of a large-scale migration

What is the difference between Mapped User Mode and Account Overrides?
Mapped User Mode differs from Account Override in that with Mapped User, the user account stays local (or in NIS, LDAP, etc.), while with Account Override, the local (or NIS or LDAP) account gets migrated to AD and removed from the system. Overrides require mapping the existing local Unix account to an AD account. The override file simply modifies any attribute stored in Active Directory for the specific system based on the specific override files stored on that system. Mapped User is typically part of a phased migration. Usually, the end result involves the removal of the local account and a consolidated UID/GID/username/groupname (and therefore no need for Mapped User in the long run, given that there is no longer a local account). Overrides are generally used as a simple mechanism for handling the occasional exception rather than systematic inconsistencies throughout the enterprise.

As a result, a “Mapped User account” is typically not overridden, as the Unix account info is already stored on the local system with the appropriate settings. However, once migrated into Active Directory, a local account’s settings could be modified via Account Overrides; that is, after a migration via Mapped User, local overrides might be employed to manage exceptions on a small number of systems.

What is the Ownership Alignment Tool, and when would I use it?
The Ownership Alignment Tool (OAT) provides an automated solution to changing resource ownership to accommodate changes in users’ UIDs/GIDs, and changes to group memberships. The Ownership Alignment Tool also supports matching users’ Unix identities to their Windows account. Another aspect of consolidating identity stores is managing resource ownership. When a single UID exists for multiple users or multiple UIDs exist for a single user, new UIDs will be assigned as part of the migration. A group’s GIDs and memberships may also change. Accommodating conflicting GIDs, consolidating roles, and combining redundant groups all influence ownership changes. Further, Unix limits the maximum number of supplementary groups that can be assigned to a user. Resources, such as files, are marked with the UID and GID of the owner. The resources must have the ownership updated to reflect the newly assigned UIDs and GIDs.

The Ownership Alignment Tool (OAT) is a general-purpose tool that combines an automated solution with adequate control, reporting, error recovery, the ability to stop and restart bulk updates, and rollback capability. OAT provides the necessary flexibility to accomplish updating resource ownership in a production environment. In particular, the combination of OAT and Mapped User Mode supports changing ownerships in environments with complex application and system interdependencies.

What is the RFC-2307 NIS Import Wizard and when would I use it?
The NIS Import Wizard and Unix Account Import Wizard automate importing NIS data into Active Directory. Using the RFC 2307 NIS Import Wizard you can import your NIS servers’ maps directly into Active Directory. The NIS Import Wizard can directly import NIS users and their attributes into Active Directory. In addition to NIS-based information, importing users and groups from local system files is also supported. This is all done using the Active Directory Users and Computers snap-in Graphical User Interface.

The NIS Import Wizard simplifies importing NIS data into Active Directory. Windows administrators are guided through the NIS import process in a step-by-step fashion. When importing NIS maps, the Wizard prompts for the name of a NIS domain, and optionally the specific server to be queried. Once the source NIS domain has been identified, the Wizard will enumerate the available maps, allowing selected maps to be imported with the click of a button. Likewise, users and groups can be imported from NIS, local files, or a remote host in similar fashion. Windows administrators use familiar interfaces and methods. The data import process is completely automated.

*This product includes software developed by SAP AG