Frequently Asked Questions (FAQ)

What is PowerBroker Directory Integrator?
PowerBroker Directory Integrator is a tool that brings Active Directory functionality to Unix and Linux hosts. Specifically, PowerBroker Directory Integrator allows your users to authenticate (logon) to Unix and Linux hosts using their Active Directory username and password, which is the same username and password they use to logon to Windows. PowerBroker Directory Integrator also enables administrators to configure the user sessions, applications or the operating system on Unix and Linux computers using Active Directory's Group Policy functions and PowerBroker Directory Integrator's RSoP Applicators. The combination of Active Directory's native functionality for Windows hosts and PowerBroker Directory Integrator's functionality for Unix and Linux hosts provides a single point of control for the users and computers in your environment.

Is PowerBroker Directory Integrator an identity management tool?
Yes, PowerBroker Directory Integrator integrates with Active Directory to provide a single point of identity management for users in your organization. When a new person needs computer access, an administrator can set up their access across Windows, Unix and Linux machines in one operation. Should that person leave the organization, access across all the Windows, Unix and Linux hosts can be disabled or removed in one step. If your organization uses a global directory that synchronizes data with Active Directory, PowerBroker Directory Integrator can add value as well.

Once the global directory has created the Active Directory user accounts, the script adapter of the global directory can be used to create the Unix and Linux configuration for the user through PowerBroker Directory Integrator's command-line interface. All user account configuration for PowerBroker Directory Integrator is stored in Active Directory, linked to the Active Directory user accounts. PowerBroker Directory Integrator doesn't require any local user configuration on the UNIX or Linux hosts, effectively removing the problem of unauthorized access through orphaned accounts.

Does PowerBroker Directory Integrator create an audit trail?
Yes, PowerBroker Directory Integrator can log all of the authentication operations it processes in both the Active Directory domain controller event logs and the local Unix or Linux host's syslog. When logging on the domain controllers is enabled (using Group Policy), the authentication results for your Active Directory-based logons for Windows, Unix and Linux machines will all be recorded in the domain controller event logs. Depending on how you configure the logging in Group Policy, both successful and failed logons can be logged.

PowerBroker Directory Integrator provides reporting for the entries in these event logs, providing a clear audit trail of all the Windows, UNIX and Linux logon activity in your environment.

Does PowerBroker Directory Integrator provide entitlement reporting?
Yes. In addition to the event reporting mentioned above, PowerBroker Directory Integrator provides configuration and entitlement reports for all the UNIX and Linux computers managed by PowerBroker Directory Integrator. This enables you to quickly see which users have access to each Unix and Linux computer in your environment. There is also configuration reporting for which groups are available on each computer, which groups are mapped to each user, and the login configuration context to which each computer is mapped.

Will PowerBroker Directory Integrator help with my audit requirements?
Several features of PowerBroker Directory Integrator will help secure your environment and provide the proof of control you will need to pass almost any audit requirement. In addition to the comprehensive reporting of events, configuration and entitlement, PowerBroker Directory Integrator provides centralized identity management for effective control of your user accounts. With PowerBroker Directory Integrator, you can quickly demonstrate what users are able to access, rapidly enable and disable access as needed, and provide a complete audit trail of all the access that has occurred.

Can PowerBroker Directory Integrator support UNIX or Linux environments where the user environment configuration (account name, UID, shell, etc.) is not consistent from host to host?
Yes. In a large environment one user typically has many accounts on UNIX or Linux systems that are not entirely uniform in their configuration. The account names or UIDs may be different, or the shell, home directory or groups are not consistent. Often this situation arises from hosts being incorporated from an acquired company, or from changes in configuration standards over time. PowerBroker Directory Integrator provides a powerful feature called Contexts to map to the various user environment configurations in your environment. Once a user has authenticated with their Active Directory username and password, PowerBroker Directory Integrator will determine which Context the host is in, and reconfigure the session accordingly. This maintains backward compatibility with the user's account configuration, so they still own all their files, have the same access rights, and all their applications should run the same way they always have. When implementing PowerBroker Directory Integrator, the only training you will need to provide to your users is that they will log on with their Active Directory username and password instead of the old username and password. After logon, everything will work just as they expect.

Can I apply different sets of configuration to individual computers?
Yes, one of the great strengths of Active Directory Group Policy and the RSoP Applicators is the ability to provide different configuration to different users and hosts in your environment. A specific instance of policy, called a Group Policy object (GPO), can be applied at the domain level (applying to all users or computers in the domain), at the Organizational Unit (OU) level, which contains a subset of objects in the domain, or at the Site level, which is based on IP address ranges. Organizational Units can be nested under other Organizational Units in a domain to provide more granular control of policy.

When PowerBroker Directory Integrator applies Group Policy objects, it will first gather all the GPOs that pertain to a user or computer and apply a process called Resultant Set of Policy (RSoP). RSoP will apply precedence to the items in the Group Policy objects and determine the coherent set of policy items that should be deployed to each user session or computer. The RSoP Applicator will then apply those settings to the item being configured. The RSoP Applicators also maintain a history of the original settings before Group Policy was applied, so that if you decide to no longer configure an item through Group Policy, the item will be reset to the value it had before being managed by Group Policy.

The combination of Group Policy objects and the RSoP Applicators enables effectively delivering configuration to all users and computers in the environment, just one user or computer, and any combination in between.
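The following is an added illustration of the RSoP process described above, not code from PowerBroker Directory Integrator or BeyondTrust. It assumes the standard Group Policy processing order (Site, then Domain, then OU, with more deeply nested OUs processed last, so the most specific link wins on a conflict), and it models the Applicator's history of original values so that a setting returns to its pre-policy value once it is no longer managed. The GPO names and settings are constructed sample data.

```python
"""Toy Resultant Set of Policy (RSoP) resolver and applicator.

Added example, not PowerBroker Directory Integrator code.  Assumption: GPO
links are processed Site -> Domain -> OU (deeper OU last) and a later link
overrides an earlier one for the same setting.
"""
from dataclasses import dataclass, field

# Processing order of link scopes; a higher value is applied later and wins.
SCOPE_ORDER = {"site": 0, "domain": 1, "ou": 2}


@dataclass
class GPO:
    name: str
    scope: str      # "site", "domain" or "ou"
    depth: int      # OU nesting depth (0 for site/domain); deeper is applied later
    settings: dict  # setting name -> value


def resultant_set(gpos):
    """Merge all GPOs that apply to one user or computer into one coherent set.

    Returns {setting: (value, name_of_winning_gpo)}.  sorted() is stable, so
    GPOs linked at the same scope and depth keep their link order.
    """
    ordered = sorted(gpos, key=lambda g: (SCOPE_ORDER[g.scope], g.depth))
    result = {}
    for gpo in ordered:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)  # later (more specific) link wins
    return result


@dataclass
class Applicator:
    """Applies an RSoP to a host's configuration and remembers the original
    value of every managed setting so it can be rolled back later."""
    config: dict
    history: dict = field(default_factory=dict)  # setting -> pre-policy value (None if absent)

    def apply(self, rsop):
        # Record the original value the first time a setting becomes managed.
        for key, (value, _winner) in rsop.items():
            if key not in self.history:
                self.history[key] = self.config.get(key)
            self.config[key] = value
        # Settings that were managed before but are absent from the new RSoP
        # are reset to the value they had before Group Policy touched them.
        for key in list(self.history):
            if key not in rsop:
                original = self.history.pop(key)
                if original is None:
                    self.config.pop(key, None)
                else:
                    self.config[key] = original
        return dict(self.config)


def demo():
    """Constructed sample: four linked GPOs and a host with local settings."""
    site = GPO("Site-NYC", "site", 0,
               {"ntp_server": "ntp.site.example", "login_banner": "site banner"})
    domain = GPO("Default-Domain", "domain", 0,
                 {"login_banner": "domain banner", "ssh_root_login": "no"})
    ou = GPO("Unix-Servers", "ou", 1, {"login_banner": "unix servers banner"})
    nested = GPO("Unix-Servers/Finance", "ou", 2,
                 {"ntp_server": "ntp.finance.example"})
    host = Applicator(config={"login_banner": "local banner", "motd": "unmanaged"})

    first = host.apply(resultant_set([site, domain, ou, nested]))
    # The OU-level link is later removed: login_banner falls back to the domain GPO.
    second = host.apply(resultant_set([site, domain, nested]))
    # Finally every link is removed: all managed settings return to pre-policy values.
    third = host.apply(resultant_set([]))
    return first, second, third


if __name__ == "__main__":
    for stage, cfg in zip(("linked", "ou removed", "all removed"), demo()):
        print(stage, cfg)
```

The `demo()` function walks through three applications: the full set of links, the set with the OU link removed, and an empty set, which shows the rollback to the host's original `login_banner` and the removal of settings that did not exist locally before policy was applied.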

Can I use PowerBroker Directory Integrator to deliver configuration to an in-house developed application?
Yes. Both Group Policy and the RSoP Applicator scripts are designed to be easily extended. If you want to configure an in-house developed application that resides on a Unix or Linux host, you will need two basic parts: a Group Policy Administrative Template and an RSoP Applicator script. The Group Policy Administrative Template is written in a simple template language and contains the settings and help text for the items you want to configure.

The RSoP Applicator contains the logic of how to apply these settings on the UNIX and Linux environment. Samples of both Administrative Templates and RSoP Applicators are provided with PowerBroker Directory Integrator.

Does PowerBroker Directory Integrator require extending the Active Directory schema?
No. PowerBroker Directory Integrator stores data in Active Directory using existing Active Directory data structures. When PowerBroker Directory Integrator is installed on a UNIX or Linux host, a standard Computer object, just like a Windows host's Computer object, is created in the domain. The user and group context data is stored in Active Directory's Program Data area using standard Containers and Classes. All PowerBroker Directory Integrator data could be completely removed, leaving no traces. The benefit of this is no negative impact on the operation of your Active Directory, or on its stability down the road.

What software do I need to install on my Active Directory domain controllers?
None. Nada. Zilch. PowerBroker Directory Integrator communicates with your Active Directory domain controllers using exactly the same protocols as a Windows host. There are no agents, protocols or device drivers to install or maintain. There is no impact on the maintainability of your domain controllers. PowerBroker Directory Integrator does include Windows utilities that integrate with the standard Active Directory utilities (such as the Active Directory Users and Computers Console) that enable you to maintain PowerBroker Directory Integrator from a Windows machine.

These components don't need to be installed on a domain controller unless you also want to maintain PowerBroker Directory Integrator from the domain controller's console (typically, this is recommended only in test environments). The PowerBroker Directory Integrator Windows utilities can be installed on any Windows host attached to the domain. The PowerBroker Directory Integrator Windows utilities can even be distributed to administrators' hosts using Active Directory Software Distribution.

How difficult is it to set up PowerBroker Directory Integrator?
Installing PowerBroker Directory Integrator is a straightforward process that takes very little time and requires no professional services. An install script is run on your UNIX and Linux hosts that installs the PowerBroker Directory Integrator agent and supporting software. The installer script also joins the Unix or Linux host to the Active Directory domain, and integrates PowerBroker Directory Integrator into the name service configuration on the Unix or Linux hosts (via PAM, LAM or nsswitch). The Windows installer will install the Windows utilities on Windows hosts, and integrate them with the Active Directory and the Active Directory Consoles.

The final step is to import your existing UNIX and Linux users into PowerBroker Directory Integrator using the Import Tool. The Import Tool will connect to an existing UNIX or Linux host or NIS server and bring back the user and group definitions. The Import Tool will then automate the process of mapping UNIX or Linux users and groups to their corresponding Active Directory users and groups. Once the Import Tool has imported the user and group data, your users can begin logging on using PowerBroker Directory Integrator. It's just that easy.

Do I have to reboot while installing PowerBroker Directory Integrator?
Nope. Like all BeyondTrust products, installing PowerBroker Directory Integrator is very non-intrusive and requires no reboots during install, or uninstall for that matter. PowerBroker Directory Integrator can be installed, and users and groups imported, without any reboots or disruption to your production schedule.

Once PowerBroker Directory Integrator is installed, do all logons need to be through PowerBroker Directory Integrator?
No. PowerBroker Directory Integrator is configured as an additional authentication provider on your UNIX and Linux hosts. Other authentication providers, such as local files, NIS or LDAP, can be active as well. This enables you to have an organized process of moving users over to PowerBroker Directory Integrator according to your business needs.

Can I still login using PowerBroker Directory Integrator if the network is down and my domain controllers are unavailable?
Yes, like a Windows host attached to Active Directory, PowerBroker Directory Integrator will securely cache Active Directory credentials on the UNIX or Linux host. If the network or Active Directory domain controllers are unreachable for any reason, PowerBroker Directory Integrator will allow any user who has previously logged in and whose credentials have not expired to log back into the host. PowerBroker Directory Integrator also provides the root account the ability to unlock a locally cached account should a user lock themselves out during a network outage. Of course, if you would prefer PowerBroker Directory Integrator not to cache credentials, this can easily be configured through Group Policy.
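The following is an added illustration of the offline-logon behaviour described in this answer; it is not PowerBroker Directory Integrator's code and the design is an assumption: after a successful online logon the host stores a salted PBKDF2 hash of the password together with an expiry time; while the domain controllers are unreachable, a logon is accepted only if a cache entry exists, has not expired and the password verifies; repeated failures lock the cached entry, and only root (uid 0) can clear that lock. The user name, password and timestamps are constructed sample values.

```python
"""Minimal offline credential cache with expiry, lockout and root unlock.

Added example, not PowerBroker Directory Integrator code.  The storage
format (salted PBKDF2-HMAC-SHA256 digest plus expiry) is an assumption
chosen so that the cache never holds the cleartext password.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # assumption: work factor for the cached digest
MAX_FAILURES = 5              # assumption: failures before the cached entry locks


class CredentialCache:
    def __init__(self, lifetime_seconds, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock      # injectable for testing expiry without sleeping
        self.entries = {}       # user -> {salt, digest, expires, failures, locked}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def record_online_logon(self, user, password):
        """Called only after a domain controller has accepted the credentials."""
        salt = os.urandom(16)
        self.entries[user] = {
            "salt": salt,
            "digest": self._digest(password, salt),
            "expires": self.clock() + self.lifetime,
            "failures": 0,
            "locked": False,
        }

    def offline_logon(self, user, password):
        """Returns a reason string; 'ok' means the offline logon is accepted."""
        entry = self.entries.get(user)
        if entry is None:
            return "no-cached-credentials"   # never logged on while online
        if entry["locked"]:
            return "locked"
        if self.clock() > entry["expires"]:
            return "expired"                 # cached credentials have aged out
        candidate = self._digest(password, entry["salt"])
        if hmac.compare_digest(entry["digest"], candidate):
            entry["failures"] = 0
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_FAILURES:
            entry["locked"] = True
            return "locked"
        return "bad-password"

    def unlock(self, user, caller_uid):
        """Clear a lockout on a cached account; permitted only for root (uid 0)."""
        if caller_uid != 0:
            return False
        entry = self.entries.get(user)
        if entry is None:
            return False
        entry["locked"] = False
        entry["failures"] = 0
        return True


if __name__ == "__main__":
    cache = CredentialCache(lifetime_seconds=7 * 24 * 3600)
    cache.record_online_logon("alice", "constructed-sample-password")
    print(cache.offline_logon("alice", "constructed-sample-password"))  # ok
    print(cache.offline_logon("alice", "wrong"))                        # bad-password
```

Two design points worth noting: `hmac.compare_digest` keeps the verification time independent of where the digests differ, and the `clock` argument lets the expiry path be exercised deterministically rather than by waiting for the lifetime to pass.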

How is PowerBroker Directory Integrator licensed?
PowerBroker Directory Integrator is licensed per UNIX or Linux host managed by PowerBroker Directory Integrator. There is no charge for the Windows utilities or per number of domain controllers. On the UNIX and Linux machines, there are two license types: a server license and a lower-cost workstation license. The server license provides for unlimited users to be authenticated through PowerBroker Directory Integrator. The workstation license allows for two simultaneous users to be authenticated through PowerBroker Directory Integrator. Each user can have as many sessions as they need.

The PowerBroker Directory Integrator license is implemented as a license key stored in Active Directory that contains the number of servers and workstations the customer is licensed for. The customer can add or delete computers and reassign them between server and workstation, up to the limits of the license, without changing the license key or getting assistance from their vendor.