Sunday, August 19, 2007

Quest VAS Test (Vintela Authentication Services)

I've done a quick test of Quest VAS (Vintela Authentication Services) as an implementation for Unix/Linux authentication with Active Directory.

First impression is that this is a very nice tool that will make your life easier if you wish to implement authentication from different *nix-like OS's with AD.

The installation is very easy. All we need to do is install the server side (2 min) and then the client side (1 RPM for authentication and 1 for Group Policy, if needed).

What we have done is:
  • Install the server side on your domain controller
    • Create users and groups for use in *nix machines
  • On the Linux/Solaris machine:
    • Install the rpm/pkg
    • Check if the server can find the domain controller LDAP service by running:
      dig SRV _ldap._tcp.
      For example, if my domain name is uxdc.corp then run:
      dig SRV _ldap._tcp.uxdc.corp
    • Synchronize the server time from the domain controller:
      /opt/quest/bin/vastool timesync -d
    • Restart VAS daemon:
      /etc/init.d/vasd restart
    • Restart Group Policy daemon:
      /etc/init.d/vasgpd restart
    • Join the server to the domain:
      /opt/quest/bin/vastool -u administrator join -f
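The two checks before the join (can the box find the domain's LDAP service via the `_ldap._tcp` SRV record, and is its clock close enough to the DC for Kerberos) are worth scripting, because a wrong domain name or a skewed clock is the usual reason a join fails. The following is an added example and not Quest/VAS code: it builds the same SRV query name the post uses, parses a `dig` answer section (the sample output is constructed), orders the DCs by RFC 2782 priority/weight, and checks clock skew against a 300-second tolerance, which is the common Kerberos default and an assumption here, not something the post states.

```python
"""Pre-join sanity checks: DC discovery via SRV records and clock skew.

Added example, not part of the original post or of Quest VAS. Sample dig
output is constructed; the 300 s skew tolerance is an assumed Kerberos default.
"""
import re
import subprocess
import time
from typing import Dict, List

# Constructed sample of the answer section of `dig SRV _ldap._tcp.uxdc.corp`.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.uxdc.corp.\t600\tIN\tSRV\t0 100 389 dc1.uxdc.corp.
_ldap._tcp.uxdc.corp.\t600\tIN\tSRV\t0 50 389 dc2.uxdc.corp.
_ldap._tcp.uxdc.corp.\t600\tIN\tSRV\t10 100 389 dc3.uxdc.corp.
"""

# One SRV record line: name TTL IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.M,
)


def srv_name(domain: str) -> str:
    """Build the query name from the post, _ldap._tcp.<domain>, after
    normalising case and a trailing dot and rejecting non-domain input."""
    domain = domain.strip().rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return f"_ldap._tcp.{domain}"


def parse_srv(dig_output: str) -> List[Dict]:
    """Parse SRV records out of dig output and order them the way a client
    should pick a DC: lowest priority first, then higher weight preferred
    (RFC 2782 says weighted-random within a priority; sorting keeps this
    example deterministic)."""
    recs = []
    for m in SRV_RE.finditer(dig_output):
        recs.append({
            "priority": int(m["prio"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip("."),
        })
    recs.sort(key=lambda r: (r["priority"], -r["weight"]))
    return recs


def discover_dcs(domain: str) -> List[Dict]:
    """Run the same dig command as the post and parse its output."""
    out = subprocess.run(
        ["dig", "SRV", srv_name(domain)],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_srv(out)


def clock_skew_ok(local_epoch: float, dc_epoch: float, max_skew_s: int = 300) -> bool:
    """Kerberos rejects tickets when clocks differ by more than the KDC's
    tolerance; 300 s is the usual default (assumed here). Compare the local
    clock against the DC's before joining."""
    return abs(local_epoch - dc_epoch) <= max_skew_s


if __name__ == "__main__":
    # Offline demo on the constructed sample; use discover_dcs("uxdc.corp")
    # on a real host that has dig installed.
    for rec in parse_srv(SAMPLE_DIG):
        print(f"{rec['target']}:{rec['port']} prio={rec['priority']} weight={rec['weight']}")
    now = time.time()
    print("skew ok (4 min):", clock_skew_ok(now, now + 240))
    print("skew ok (6 min):", clock_skew_ok(now, now + 360))
```

If the SRV query returns nothing, the domain name passed to `vastool join` is almost certainly wrong or the host's resolver is not pointed at the AD DNS; if the skew check fails, run the `vastool timesync` step from the list before retrying the join.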
In my opinion the advantages of VAS over configuring nss, ldap and pam by hand are:
  • Easy to install and configure
  • Encrypted ldap using Kerberos
  • Same installation and configuration process for all *nix like OS's
  • Automatically generates the server keytab after joining the server to the domain
  • Allows users to change their password from Unix
  • Timesync solution included without the need to use ntp
  • Manipulating AD objects from the Unix command line
  • Server based user access control
  • Personality Management, the ability for a user to take on a different personality
  • Central place for configuring sudo/profile (Management from AD)
  • Supports better encryption type - arcfour-hmac-md5
  • File distribution and file permissions capability from AD
  • The ability to create services keytabs from the Unix CLI
Quest VAS site
