Centralizing Non-Windows Access Control through Active Directory

Vintela Authentication Services: The Most Powerful Collection of Access Control Options

At its core, Vintela Authentication Services allows non-Windows systems to become “full citizens” in Active Directory for centralized authentication. The very fact that Unix, Linux, and Mac systems have joined the AD domain provides the immediate benefit of central control over which AD user is permitted to authenticate to which non-Windows system. In other words, Vintela Authentication Services extends the native access control capabilities of Active Directory to non-Windows systems. This approach offers several significant benefits:

- Eliminates the need to configure access through system-by-system policies or manual processes
- Allows for delegating the granting of access to a specified security team
- Extends standard Active Directory access control mechanisms to non-Windows systems for policy consistency
- Provides extreme access control flexibility through the industry’s most robust collection of options
- Aligns with other access control solutions and identity frameworks
Vintela Authentication Services includes the industry’s largest collection of highly flexible access control options. This variety in options makes Vintela Authentication Services the best solution for a wide range of needs, environments, and for integration with existing technology. For more information on the wide range of access control options available through Vintela Authentication Services, please refer to the Quest Software Technical Brief titled Vintela Authentication Services – Centralizing Non-Windows Access Control through Active Directory.

These options include:

Access Control Based on Group Membership - Only Vintela Authentication Services provides the ability to determine which users are allowed to access non-Windows systems based on Active Directory group memberships.

Authentication AND authorization from the same Active Directory Group - Vintela Authentication Services allows AD groups to be used to control a user’s elevated rights on a system based on policy, in conjunction with popular open-source tools such as Sudo or through more robust commercial solutions such as Quest Privilege Manager for Unix. By placing a user in a particular AD group, you can give the end user access to the system and control what elevated rights they have on that system. The same AD group used for access control can also be used in the Sudo configuration file or in the Privilege Manager policy.

Extended capabilities for granular control - In addition to the methods above, Vintela Authentication Services further extends the existing capabilities of Active Directory to provide even more granular control. The following Active Directory mechanisms can be used to allow or deny access to any non-Windows system:

- Membership in an Active Directory group (including nested group support)
- Membership in a particular Organizational Unit (OU)
- Membership in a particular Active Directory domain
- Individual Active Directory users allowed/denied to specific systems
- Individual services (SSH, FTP, Telnet, etc.) can be specified
Existing Active Directory Group Policies - Vintela Authentication Services can extend the capabilities of existing access control Group Policies to non-Windows systems. For organizations that currently use these Group Policies for access control, Vintela Authentication Services easily extends this functionality to non-Windows systems. The same policies and procedures can be used to manage access control to both Windows and non-Windows systems.

The ‘Log On To’ functionality - On the Account tab of existing Active Directory user accounts, Active Directory provides a “Log On To” button. This button can be used to enter the names of the Windows systems that this user is permitted to access. When enabled, Vintela Authentication Services will extend this capability to non-Windows systems as well. The same tools and processes can now be extended to manage access control for both Windows and non-Windows systems.

Support for Netgroups - Network Information Service (NIS) provides a standard access control mechanism through netgroups. Vintela Authentication Services can both support and extend netgroups from Active Directory to non-Windows systems.

Client-Side Tools - Vintela Authentication Services provides client-side tools that display which methods are active on a particular system as well as the detail of the specific allow/deny rules. These powerful tools are unique to the market and are critical to the successful use of centralized access control policies.

Access Control Based on Service - Vintela Authentication Services also provides extremely granular access control, even down to the service being used. This level of access control allows organizations to control not only which systems users can authenticate to but even how they authenticate. It is a capability that cannot be matched by other centralized Active Directory authentication solutions on the market.
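As an added illustration of the allow/deny mechanisms listed under Extended capabilities for granular control and the per-service control described under Access Control Based on Service, the following Python model evaluates constructed rules of those kinds (nested group, OU, domain, individual user, optionally limited to a service) with deny taking precedence over allow. This is not Vintela's own rule format or code; the group graph, DNs, services and the deny-over-allow ordering are all assumptions made for the example.

```python
# Constructed model of AD-based allow/deny checks for a non-Windows host.
# Not Vintela's rule syntax; DNs, groups and ordering are made up for illustration.

# Constructed AD group graph: group DN -> set of member DNs (users or nested groups).
GROUP_MEMBERS = {
    "CN=unix-admins,OU=Groups,DC=corp,DC=example": {
        "CN=alice,OU=Staff,DC=corp,DC=example",
        "CN=db-team,OU=Groups,DC=corp,DC=example",   # nested group
    },
    "CN=db-team,OU=Groups,DC=corp,DC=example": {
        "CN=bob,OU=Contractors,DC=corp,DC=example",
    },
}

def member_of(user_dn, group_dn, seen=None):
    """Nested group membership: walk member lists recursively, guarding against cycles."""
    if seen is None:
        seen = set()
    if group_dn in seen:
        return False
    seen.add(group_dn)
    for m in GROUP_MEMBERS.get(group_dn, ()):
        if m == user_dn or (m in GROUP_MEMBERS and member_of(user_dn, m, seen)):
            return True
    return False

def in_ou(user_dn, ou_dn):
    """OU membership (including child OUs): the user's DN ends with the OU's DN."""
    return user_dn.lower().endswith("," + ou_dn.lower())

def in_domain(user_dn, domain_dn):
    """Domain membership: the user's DN ends with the domain's DC components."""
    return user_dn.lower().endswith("," + domain_dn.lower())

def rule_matches(rule, user_dn, service):
    """A rule matches when its service restriction (if any) and its subject both match."""
    if rule.get("services") and service not in rule["services"]:
        return False
    kind, target = rule["kind"], rule["target"]
    checks = {"user": lambda: user_dn.lower() == target.lower(),
              "group": lambda: member_of(user_dn, target),
              "ou": lambda: in_ou(user_dn, target),
              "domain": lambda: in_domain(user_dn, target)}
    return checks[kind]()

def is_allowed(user_dn, service, allow_rules, deny_rules):
    """Deny rules win over allow rules; with no matching allow rule the user is denied."""
    if any(rule_matches(r, user_dn, service) for r in deny_rules):
        return False
    return any(rule_matches(r, user_dn, service) for r in allow_rules)
```

With constructed rules such as "allow group unix-admins for any service", "allow OU Contractors for sftp only" and "deny user bob for ftp", the model shows bob reaching the host over SSH through the nested group while still being blocked for FTP.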
Additional Tools - Quest also offers additional tools to address the specific access control needs of Unix systems and the “root” credential including.