3.4. Third-Party Solutions

For the vast majority of environments, the functionality provided through Apple's native Active Directory plug-in will provide all that is needed for successful integration. However, there are numerous scenarios where functionality is needed outside of that provided through Apple's solution. Apple considers these edge cases for the most part, but if you need a feature such as multiple-Forest support (rather than simply multiple-Domain support, which is part of the Active Directory plug-in), or DFS, Microsoft's Distributed File System, then you may need to turn to a third-party solution.

3.4.1. Centrify's DirectControl

Centrify is a third party directory solution which includes server-side software to augment Active Directory, and for OS X clients includes a custom Directory Service plug-in. From an OS X perspective, Centrify is a rather elegant solution, as the software directly utilizes the Directory Services API. As such, the Centrify client plug-in is a first class citizen next to Apple's native LDAP and Active Directory plug-ins. From an Active Directory perspective, Centrify allows for extended functionality without the need for schema extensions. This extended functionality is then used to distribute policies to clients through what Centrify identifies as Zones.

3.4.1.1. DirectControl Installation

To get started with DirectControl, first download the installation iso file from Centrify, mounting the iso on a valid Windows Domain Controller, preferably one in a test or lab environment for your initial installation and testing. For many environments, you may choose to have Centrify perform an on-site jump-start for your organization. But for the purposes of this chapter we're going to have you perform a basic initial installation and testing, assuming that you are doing so in a laboratory environment. Before you get started though, make sure the server you are installing the Suite on is part of the Active Directory environment and that it is running IIS.

Let's go ahead and start the installation. To begin, run the installation msi file that is included in the iso file on a Domain Controller. You will first see the Suite Type screen, where you select the Suite of applications that will be installed, based to some degree on the licensing that you paid for. Since we're testing, use the Enterprise Administrator Suite so you have the full complement of applications and then click on Next. Optionally select the components of the Enterprise Administrator Suite to install. When you are satisfied with your selections, click on Next, as you can see in Figure 3-13.

NOTE

For most cases, you will need the AD property page extension, the Zone generator, and the Global Policy Editor. Other packages are optional for the most part.

Figure 3.13. Choosing Centrify components for installation

You will now get a chance to check out the settings for the installers and then the actual installation will begin. At the Confirm Installation Settings screen, review the settings you will be using and then click on the Next button. If you are installing the Web Console, .Net will install first, and here you are likely best using the default options. DirectControl will then install. Click Next to run the installation steps.

Licensing is always fun. Writing about licensing sometimes seems silly, but it's better than skipping over it. At the Review License Agreement screen, read the license agreement and if you accept it, click on the I agree to these terms radio button. Then, click on the Next button to continue. The User Registration screen needs a username and an organization name, so type those in and then click Next, as shown in Figure 3-14.

Figure 3.14. Assigning a username and organization in Centrify

Next, choose a location for DirectControl to be installed. At the Choose Destination Folder screen, customize the target directory or allow the installation to occur in the default directory. If you would like for the Centrify folder to be created in C:\Program Files then click on Next. Otherwise, click on the Browse button, browse to the required folder, and then click on the Next button.

Earlier you selected which applications in the suite to install. Now we're going to select the specific parts of DirectControl to install. At the Select Components screen, you will define which portions of DirectControl are to be installed. Earlier we selected the Centrify applications, but now you are going to configure the components of each to be installed. Because this is a testing environment we're going to install the full complement of options except for the Extension for NIS maps, since for most environments there will not be any NIS clients. Having said this, the NIS option isn't just for administrators stuck in the 1990s. It can be practical when DirectControl is being used so that Unix and Mac clients can authenticate through NIS into Active Directory. Either way, click Next to continue.

The web console uses .Net, which has the ability to use Publisher Evidence Verification, useful in high security environments. If installing the web console then you will be prompted to Disable Publisher evidence verification. Click Next to see the screen that is used to confirm the components of Centrify DirectControl to be installed. If the Confirm Installations Settings screen matches the options you wish to have installed then click on the Next button, or use Back to go back to previous screens and alter the options. Clicking Next will install the DirectControl components. When it is done, click Finish and then you can start the setup. Once you are done, reboot the host in order to move on to configuring DirectControl.

3.4.1.2. Configuring DirectControl

When the installation is complete you will need to set up DirectControl to connect to the Active Directory forest that the computer objects will be connecting to. The process starts with the Connect to Forest dialog. Before you do anything, double-check that your DNS is set appropriately and that you know the address for a system that is a domain controller for the forest. Once you have the appropriate information, enter the address of the appropriate domain controller and the appropriate credentials and click on OK to begin the Setup Wizard, as shown in Figure 3-15.

Figure 3.15. Authenticating into a domain controller

The first few screens of the setup are innocuous. You will see the Welcome screen where you will click on Next. At the User Credentials screen, enter a valid username and password for an Administrative account and then click on Next.

Licensing is a necessary evil. At the subsequent Install Licenses screen, select a location for your License Keys. The default location is likely best, unless you have a good reason to change this location. At the Install License Keys screen, configure the keys that are populated into the default location from the Install Licenses screen. Enter the licensing key provided by Centrify and then click on the Next button.

To Centrify, a Zone is similar to an Organizational Unit. A Zone has member objects, but also allows for delegated access over the objects within the Zone. Next, provide a location for your Zones within Active Directory. You do not need to customize this information, so you can go ahead and click on Next unless you need to do so.

In a standard Active Directory environment, when you bind to the directory your system is stored in cn=Computers. Similarly, all objects have a default Zone membership. At the Create Default Zone screen you will supply the default Zone, although most will simply leave the default setting and click on the Next button, as shown in Figure 3-16.

Figure 3.16. Defining a default zone container

While zones are similar to an OU, they are not an OU. In fact, a zone can be linked to an OU or a container. The Default Zone then will require you to enter a domain controller that has the OU or container accessible. If you did not customize the previous screen then chances are you will not need to customize this screen either. For more on Zones, Centrify has provided a write-up at http://www.centrify.com/directcontrol/zones.asp.

When you are importing data into Open Directory one of the fields available is the first UID to use. This is similar in Centrify. At the next screen you will enter a starting UID number that will be assigned to objects. User IDs by default start at 10,000, but feel free to customize this setting. Unique identification isn't just required for users, groups need unique IDs as well. Next, provide a starting GID (GroupID) space for groups to occupy (for the most part, the same rules apply as for users).

It is generally recommended that you choose a range outside that provided by Apple's native solutions to easily differentiate the source of a record.


Next, set the Default home directory that will be used for accounts in your Zone as it would appear on the local system. The Default home directory is set to /home/${user} as can be seen in Figure 3-17. For the Mac OS X clients, you're going to change this to /Users/${user}, so when a user logs in the local folder /Users/USERNAME will be created on each computer, where USERNAME is the user logging in. The next screen (Default Shells) allows you to configure the default shell by using the full path to the shell. For example, if you wanted the default shell to be bash you would use /bin/bash. When you are satisfied with your shell setting, click on Next.

Figure 3.17. Providing default home directories

In Mac OS X, each user needs a default group assigned to it. At the Select and Set the Default Normal Group dialog, you will be setting the Active Directory group that will be used for a UNIX GID for that group. Here you can use the Browse button to find an existing group. You can also use the Create... button to create a new group. You will need to use the UNIX GID: field if you wish to use a unique identifying number for the AD group provided. While the unique number can be fairly arbitrary, do use your standard numbering scheme and organizational standards. Click Next to commit your changes, and if there are any issues with them Centrify will bring up a screen telling you to fix the issue.

If you are using NIS, then Centrify will act as the NIS server. The Agentless Client Support screen is where you will configure the NIS Server settings, which is the essence of what Agentless Client means to Centrify. Next, provide a password hash type and a NIS domain that NIS clients will use when connecting to the server. Once set, use the NIS domain listed in this field as the domain in Directory Utility. When you complete your NIS settings, click on Next.

You will now see the Delegate Permissions screen, where you can set the server to be able to control settings on the workstation. By checking the field seen in Figure 3-18, to Grant computer accounts in the Computers container permission to update their own account information you allow Centrify to alter settings of the local computer once it has been joined to Active Directory.

Figure 3.18. Allowing computers to update information in Active Directory

Next you will configure how informational data is exchanged with Active Directory. The Register the AD Administrative Notification Handler option verifies the Active Directory information from the Centrify database. It is recommended to check the Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in field and then click on the Next button. At the Setup Property Pages screen, configure whether the property pages shown when opening objects in Active Directory Users and Computers are updated by Centrify. Unless you have other tools that hook into Active Directory to ease administration, check this box and then click on the Next button.

When the Setup Wizard is complete you will see the Setup Wizard Summary page, where you will review the settings and then select Next or Cancel, if the setup does not match your vision of what is being installed. Finally, at the Centrify DirectControl Setup Wizard screen, click on the Finish button to complete the setup wizard.

3.4.1.3. Using DirectControl

Once installed, it's time to get comfortable with the DirectControl interface. To do so, open Active Directory Users and Computers from Administrative Tools and then open an account. Then click on the newly added Centrify tab. The Domain: field contains the Active Directory domain that an account belongs to, which should be populated by default with the domain name that you are using. The field for User has a UNIX profile in these zones and is where you configure an account's Zone so that it will be managed (by default all accounts will be placed in the default Zone that was specified during installation). The UID:, Login name:, Shell:, Home directory:, and Primary group: fields all provide settings that are then expanded and applied by the Centrify Active Directory plug-in. If you click on the Add button and select the default zone created earlier then you will populate the remainder of the fields based on the settings previously used.

Next, look at how you can add accounts into zones from within DirectControl. To do so, open Centrify DirectControl from Start, then Programs, then Centrify, as shown in Figure 3-19. When the Centrify DirectControl window opens, click on the disclosure dialog for Centrify, then Zones and Users to bring up a screen showing the account just added to the default zone. From this screen, you will not typically manage memberships—these are usually managed by Active Directory Users and Computers. Instead, you will more than likely use the DirectControl application itself to run reports.

Figure 3.19. DirectControl

You are now ready to set up policies. To get started, select an Organizational Unit and open the Group Policy Object Editor (GPOE). Then click on the Action menu, selecting Add/Remove Templates... You can then right-click on an object and then click on Add/Remove Templates... At the resulting screen, click on centrify_mac_settings.xml and then click on the Open button. You will now see Mac OS X Settings for Users and Computers. You can then browse policies and configure policies for users and computers, just as you would configure group policy objects for Windows.

Let's look at setting up a specific policy: the Dock position preference that we've been using throughout this chapter. To do so, browse to the centrify_mac_settings.xml from within GPOE and click on User Configuration, Centrify Settings, and then Mac OS X Settings. From here, click on Dock Settings, then double-click on the Adjust the Dock's position on the screen Policy to open a dialog box that allows you to set the Dock's position. Set it to the right side (or the left if you are in the mood to not follow along) of the screen and then click on the OK button.

Once you have finished setting up the server, install the client and bind it to the server. The Centrify client allows you to bind to the server and log in as the user, verifying that the dock appears at the correct location. You can now configure other policies in the same manner that you configure policies for Windows users. Correlate those that you use with your organization's security policy.

3.4.2. Likewise

Likewise has two products to assist with the integration of Mac OS X within Active Directory. The first is Likewise Open, which is open source software and acts as a replacement for the Active Directory plug-in. Likewise Open provides support for multiple forest environments, credential caching and integrates SSH on Mac OS X with Active Directory. The second is Likewise Enterprise, which is a server-side solution rather than a client-side solution. Neither product requires changes to the Active Directory schema.

To integrate Likewise Open on a Mac, first download and open the package installer. At the Introduction screen, click on the Continue button. At the Read Me screen, read the information provided and then click on Continue. Next, at the License screen, read the license information and provided you accept the licensing agreement, click on the Continue button. When prompted to Agree, click on the Agree button. At the Installation Type screen, click on the Install button in order to install the files into the default location.

The installer will complete installing the plug-in, and provided the installer is successful you will be greeted with the Install Succeeded screen. Here, click Close and you will be ready to bind to Active Directory using the Likewise plug-in.

To bind to Active Directory using the plug-in, open Directory Utility from /Applications/Utilities. Next, if you click on the Services icon in the Directory Utility toolbar, you will notice the new Likewise-Active Directory entry. Click here and then click on the pencil icon to begin the GUI aspect of the Active Directory binding process.

You will now see the Join Active Directory wizard. Here, the Computer name: field will automatically be populated with the hostname of your computer. You can customize the name or enter the name of the Active Directory domain in the Domain to join: field. If you would like to leave the system in the default Computers Organizational Unit (OU) then you can now click on the Join button. Otherwise, you can click on the OU Path and enter the path of the OU you would like the system to join.

You will now be prompted for the username and password of a user with rights to join the Active Directory domain. Provide the appropriate information as seen here and click on the OK button. When the wizard is complete you should see a screen as follows indicating a successful bind to Active Directory.

If you click on Likewise-Active Directory in Directory Utility you will now see a screen indicating that you have joined the appropriate domain as follows. Finally, you can also use the command line to join Active Directory by leveraging the /opt/likewise/bin/domainjoin-cli command. There are other commands located in the /opt/likewise/bin directory as well, which can be used to perform other operations as required by Active Directory, including of course, mass deployment.

3.4.3. Likewise Enterprise

To integrate Likewise Enterprise into your heterogeneous environment, Likewise, similar to Centrify, first requires you to install the Likewise Console on a domain controller. Once done, you will be able to join Mac OS X computers into your Active Directory environment and obtain options beyond those allowed with the standard Active Directory plug-in included with Mac OS X and Mac OS X Server.

What's the difference between the two? There are many, but they are likely to change in releases that will follow shortly after the publication of this book. Therefore, if you are in need of a solution to bridge the gaps left by the built-in Active Directory plug-in for Mac OS X, I recommend that you bring in both vendors and let them explain their value proposition. Compile a list of requirements beforehand and then test each solution to see which most closely conforms to the needs and mentality of your organization.

3.4.4. Thursby ADmitMac

ADmitMac provides features that aren't available with the default Active Directory plug-in, such as Distributed File System (DFS) support, support for home directories on DFS based volumes, Active Directory based cross-realm trusts, and more caching options. There is also an ADmitMac deployment tool, which reduces your reliance on manually scripting Active Directory binding and offers more options that can be used to protect your Active Directory administrative password.

NOTE

The AD Commander can be used to authenticate and manage Active Directory objects from a Mac OS X client.

Before you look at trying to mass deploy ADmitMac, you obviously need to figure out what it can do for you and which options you will use. Then you will programmatically figure out how to deploy it. To get started with your testing, you will first want to download the installer from Thursby and then run the ADmitMac installation package. Click Continue at the Introduction screen, and again at the Read Me screen after reading the developer's notes.

The next step in the installer package is to deal with licensing. At the Software License Agreement screen, read the agreement and click on Continue. If you accept the agreement, click on the Agree button at the dialog. At the License Code Entry screen, enter your username, the organization name, and the license code you were supplied with by Thursby. Then, click on the Continue button.

At the Installation Type screen, click on Change Install Location to select a different location to install ADmitMac or click on the Install button to complete the installation process. When the installation process is complete the ADmitMac Setup Assistant will automatically start. Here, click on Continue to start the wizard.

Next, you will be prompted to setup WINS on the client computer. Most Active Directory environments no longer rely heavily on WINS support. Additionally, WINS is available using the Apple Active Directory plug-in. However, if you would like to enable WINS support you can do so by choosing to do so through DHCP or Manually. When you are satisfied with your settings, click on the Continue button.

Next, configure the Security Policy Settings, similar to the PacketSign option in dsconfigad. Here, select whether digital signing is required and select the bullet that most applies to your environment in terms of hashing and then click on the Continue button.

You will now be prompted to enter the name of the domain for your Active Directory environment. Enter the domain in the Domain: field and click on the Continue button as seen here.

Next enter the name that the computer record should be generated with into the Computer Name: field and the Organizational Unit (OU) that the computer should reside in using the Computer OU: field. Also enter the username and password of a user who has permission to create an object in Active Directory and click on the OK button.

The computer will now bind to Active Directory. When it is finished you will have the option to use the assistant to move local accounts into Active Directory accounts. This is only for systems with existing users that need to be migrated to Active Directory users. However, if you would like to invoke the application later you can do so using the Home Mover program that is located in /Library/Application Support/ADmitMac.

Now that your client is bound into Active Directory, you can use the Directory Utility application from /Applications/Utilities to alter any of the settings that have been previously configured and to configure shared folders on the local client using Active Directory credentials. The Directory Utility plug-in can also be used in dual directory environments to specify exactly where to look for managed preferences.

NOTE

At the time of release for this book, ADmitMac does not yet support Snow Leopard. However, we have been assured that by the time the book is printed that it will be supported. Therefore, given the historical importance of the ADmitMac solution and the prevalence in the marketplace we have left this section in place, written based on Leopard rather than Snow Leopard.

3.4.5. Quest

Quest, as with Centrify and Likewise, is used to leverage an existing Active Directory infrastructure for providing policies for Mac OS X. Quest is based on the Vintela Authentication Services (VAS). Quest will give you a new mmc snap-in for Windows Server's Group Policy Object Editor (GPOE) that will allow you to configure preference manifests and custom property list (.plist) files similar to how you would do so from within Workgroup Manager. The screens look almost identical to Workgroup Manager except that policy items are formatted to fit within a GPOE screen.

Quest adheres to the RFC 2307 standards. In Windows Server 2003 R2 and Windows Server 2008 domains, the RFC 2307 LDAP attributes are already part of the schema, so there is no extension of the Active Directory schema required. However, the RFC 2307 data still needs to be translated on the Mac, so the client software is required; it leverages the Microsoft CSE (Client Side Extensions). More information on CSE can be found using TechNet: http://technet.microsoft.com/en-us/library/cc736967.aspx.
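The following is an added example, not code from the book or from Quest, Centrify or Likewise. It illustrates two points made in this section: a client has to translate the RFC 2307 attributes held in Active Directory (uidNumber, gidNumber, unixHomeDirectory, loginShell) into the local passwd-style form, and the UID/GID space handed out by a third-party Zone should not collide with IDs that other sources on the Mac already use (the earlier advice to pick a range outside Apple's native ranges). The LDIF text, the local account table and the zone range 10000-19999 are constructed sample data and assumptions for the example; the home-directory template /Users/${user} and the starting UID of 10,000 follow the defaults discussed above.

```python
"""Translate RFC 2307 entries into passwd-style records and audit the ID space.

Added example: constructed data, not a vendor's code or an export from a
real directory.
"""
from dataclasses import dataclass

# Constructed LDIF-style text, shaped like an export of RFC 2307 attributes
# from Active Directory. The third entry deliberately lacks a home and shell
# so the Zone defaults are applied.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /Users/alice
loginShell: /bin/bash

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sAMAccountName: bob
uidNumber: 501
gidNumber: 10000
unixHomeDirectory: /home/bob
loginShell: /bin/bash

dn: CN=Svc Backup,OU=Service,DC=example,DC=com
sAMAccountName: svc-backup
uidNumber: 10002
gidNumber: 10000
"""

# Constructed table of accounts already present on the client (local users).
LOCAL_ACCOUNTS = {"admin": 501, "helpdesk": 502}


@dataclass(frozen=True)
class PosixRecord:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_ldif(text):
    """Split LDIF text into one dict of attribute -> value per blank-line-separated entry.

    Only single-valued attributes are handled, which is all RFC 2307 needs here.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def to_posix(entry, default_home="/Users/${user}", default_shell="/bin/bash"):
    """Build the local record; missing 2307 attributes fall back to the Zone defaults."""
    name = entry["sAMAccountName"]
    home = entry.get("unixHomeDirectory") or default_home.replace("${user}", name)
    shell = entry.get("loginShell") or default_shell
    return PosixRecord(name, int(entry["uidNumber"]), int(entry["gidNumber"]), home, shell)


def passwd_line(rec):
    """Render the record the way a passwd-style lookup would present it (no hash stored)."""
    return f"{rec.name}:*:{rec.uid}:{rec.gid}:{rec.name}:{rec.home}:{rec.shell}"


def find_id_problems(records, zone_range, local_accounts):
    """Report UIDs outside the planned Zone range, colliding with local users, or duplicated.

    A UID shared between a directory user and a local user means the two are the
    same identity to the file system, which is exactly what a separate range avoids.
    """
    low, high = zone_range
    local_by_uid = {uid: name for name, uid in local_accounts.items()}
    seen, problems = {}, []
    for rec in records:
        if not low <= rec.uid <= high:
            problems.append(f"{rec.name}: uid {rec.uid} outside zone range {low}-{high}")
        if rec.uid in local_by_uid:
            problems.append(f"{rec.name}: uid {rec.uid} collides with local account {local_by_uid[rec.uid]}")
        if rec.uid in seen:
            problems.append(f"{rec.name}: uid {rec.uid} duplicates {seen[rec.uid]}")
        seen.setdefault(rec.uid, rec.name)
    return problems


if __name__ == "__main__":
    recs = [to_posix(e) for e in parse_ldif(SAMPLE_LDIF)]
    for r in recs:
        print(passwd_line(r))
    for p in find_id_problems(recs, (10000, 19999), LOCAL_ACCOUNTS):
        print("PROBLEM:", p)
```

Run as-is, the script lists the three translated records and flags bob twice: his uidNumber of 501 sits outside the Zone's range and is already taken by the local admin account. That is the kind of check worth running against an export before a Zone goes into production, whichever vendor's client does the translation.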

To configure the VAS plug-in on a Microsoft Windows Domain Controller, set up a client to connect to Active Directory so that policies configured within the VAS GPOE snap-in will be applied to the client computer.

To configure VAS for Mac OS X, you will start off by logging into an Active Directory Domain Controller, unzip the VAS installer by double-clicking on the VAS-3.x.x.x.msi package, then clicking Next at the Welcome screen. At the subsequent License Agreement screen, read the licensing agreement and then click on the I accept the terms in the license agreement option, assuming the terms are palatable to you. At the Destination Folder screen, click on the Next button. Alternatively, you could click on the Change button to install Quest VAS into a folder other than the C:\Program Files\Quest Software\Vintela Authentication Services directory. At the Setup Type screen, click on Complete. At the Ready to Install the Program screen, click on the Install button. When the installer has finished its tasks click on the Finish button.

Once the VAS installation is complete open a GPOE screen to create your first domain policy. To do so open the Windows Start Menu, click Run, enter mmc into the Open: field, and click on the OK button. At the Console screen click on the File menu and select Add/Remove Snap-In and then at the Add Standalone Snap-in screen, highlight Group Policy Object Editor and click on the Add button.

At the Welcome to the Group Policy Wizard screen, click on Browse and then select Default Domain Policy. Once you see the Finish button then all is complete and you can move on to the next step: editing policies for Mac OS X. Use Default Domain Policy to browse to Mac OS X Settings and select Workgroup Manager. If you have built policies for Open Directory using Workgroup Manager then the items in the resulting list will seem familiar to you. This is because the developers of VAS have gone through and copied the policies available in Workgroup Manager.

A common managed preference is to limit removable media options for clients. The terminology that Quest uses to do so is a Media Access policy object. From the Domain Policy screen, double-click on any feature (in this case Media Access) to bring up the Properties screen. Here, you can elect to enforce the policy using Never, Once, and Always, mirroring the options available in Mac OS X Server's Workgroup Manager yet again. The Never option disables the policy, which is the configured preference by default. The Once option enforces it for the first logon event once it has been enabled, but then leaves the option to allow the end user to alter a setting. The Always option enforces the policy at each logon and while a session is active. For the purpose of this example, click on Always to enforce the policy and then uncheck the Allow button, clicking on the Apply button when you are done.

Once you have saved the option, verify that it has been enforced by navigating to the GPOE Console again and checking that the policies are set to Yes under the column for Configured preferences. Custom policies are available in Quest, just as they are an option in Workgroup Manager on Mac OS X Server. Policies for software that is not included by default do rely on the software developer (including Apple) to create preference manifests to make their application's preference keys available for management through managed preferences. If a developer has not done so, you can also use standard property list files (.plist) to configure policies for many applications, but it is less granular in nature. Quest provides a few common plist files in their Preference Manifests section, including a manifest for Microsoft Office that you can use with other solutions as well. A common example of a manifest often used but not included by default is the ManagedClient options for Dashboard and iWork.

Once the policies on the server match your organization's policies, you'll more than likely want to install the VAS for Mac OS X client software and start testing the configuration. To do so, open the installation tools folder, the client folder, and then the osx folder where you will find the dmg called installation. Copy this to a client and open the VAS.mpkg file to begin the client-side installation, clicking on Continue at the Welcome screen.

At the following screen read the License Agreement (we realize these are kinda' dull, but they do occasionally contain really good information to know) and click on the Continue button. Assuming that you accept the licensing agreement, go ahead and click on the Agree button to continue. The Installation Type screen is next, where you can change the location that Quest will be installed to by using the Change Install Location... button or the Customize... button to choose which components to install (as you can probably guess, there is little purpose in doing so). Go ahead and click on the Install button to have the software complete the installation.

You can also simply use the installer command to deploy the package in a more silent manner (using ARD). Here, you will use the following installer command, specifying the vasclnt package, to complete the installation:

/usr/sbin/installer -pkg Packages/vasclnt.pkg -target /

Next open the Directory Utility to join the client computer to Active Directory. Click on the Services icon in the toolbar to bring up the available plug-ins. Make sure that there are no other Active Directory plug-ins enabled for this machine and then double-click on the Active Directory (Quest VAS) entry.

Next, you will be asked to enter a Domain Name for your Active Directory environment (see Figure 3-20). Type the pertinent domain name, clicking the Join Domain button (or the Enter key if you will) when you are complete.

Figure 3.20. Binding with Quest

When you are requested to type in a valid username and password with the appropriate permissions to join the Active Directory domain type in the appropriate information, clicking on OK when you are satisfied with your entry. You can also click on the disclosure triangle to enter other pertinent information, such as a preferred domain controller, like with the Mac OS X Active Directory plug-in. Assuming the binding occurs successfully the domain binding process is then complete. Your client will now be able to authenticate against Active Directory using the Quest VAS plug-in and policies applied to computer and user objects through GPOE will be applied as intended. Make sure that the Active Directory plug-in supplied by Apple is not also enabled.

Quest also provides a command-line interface for automating binding once you have deployed the installation package. In order to use the command-line interface, cd into the /opt/quest/bin directory, where you will find the klist, ldapmodify, preflight, vastool, vgptool, ktutil, ldapsearch, uptool and vgpmod tools, each a custom tool for searching, checking binding, and managing settings for the Quest client.

The /opt/quest/libexec/vas/scripts/vasjoin.sh script can be used as follows (assuming your working directory to be /opt/quest/libexec/vas/scripts):

./vasjoin.sh -u Administrator join -f mydomain.com
