Storage Modes in Active Directory
AD Bridge Enterprise has three operating modes:
- Directory Integrated mode
- Unprovisioned mode (formerly Schemaless mode)
- ID Range
Directory Integrated mode is the preferred mode.
The modes provide a method for storing Unix and Linux information in Active Directory, including UIDs and GIDs, so that AD Bridge can map SIDs to UIDs and GIDs and vice versa.
The mapping lets AD Bridge use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme. When an AD user logs on a Unix or Linux computer, the AD Bridge agent communicates with the Active Directory Domain Controller through standard LDAP protocols to obtain the following authorization data:
- Primary GID
- Secondary GIDs
- Home directory
- Login shell
AD Bridge uses this information to control the user's access to Unix and Linux resources.
Directory Integrated Mode
Directory Integrated mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information, namely the posixAccount and posixGroup object classes.
For example, the posixAccount and posixGroup object classes include attributes (uidNumber and gidNumber) that AD Bridge Enterprise uses for UID and GID mapping. In addition, AD Bridge uses serviceConnectionPoint objects to store the same information as in Unprovisioned mode by using the keywords attribute.
For example, when you create a cell in Directory Integrated mode, AD Bridge creates a container object, CN=$LikewiseIdentityCell, in the domain root, or in the OU where you created the cell. If the container is created in an OU, which is called a named or named cell, the Unix-specific data is stored in CN=Users and CN=Groups in the $LikewiseIdentityCell container object. The objects point to the Active Directory user or group information with a backlinked security identifier.
If the container is created at the level of the root domain, it is known as a default cell. In this case, the Unix-specific data is stored directly in the AD user or group account.
Unprovisioned mode is deprecated.
Unprovisioned mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the schema. Instead, Unprovisioned mode uses existing object classes and attributes to store its data.
- To store information about a cell, AD Bridge Enterprise creates a container object and stores data in its description attribute.
- To store information about a group or user, AD Bridge Enterprise creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.
In Unprovisioned mode, AD Bridge Enterprise uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value.
ID Range Mode
ID Range mode improves conflict avoidance by expanding the number of available UIDs and GIDs in AD Bridge from 524,288 to 2,147,483,647. There are three places in which ID ranges may be configured:
- Active Directory Users and Computers
- Group Policy Management Editor
- The config tool
ID ranges are assigned by the following order of precedence:
- Forest root
- Group policy
- Config tools
ObjectSids are hashed by the agent to create user IDs and group IDs. ID Range introduces a mechanism to support the configuration of ID ranges for domains. Each domain is assigned a starting base ID and a maximum ID, where an ID refers to both user ID and group ID to be used by the AD Bridge agent.
The entire range can be defined for a single domain within a forest or split between domains. ID range overlaps are not allowed. There are no default settings for ID Ranges.
The ID is calculated by adding the object's RID to the ID Base. Careful planning is required when defining the range of each domain to make sure the range of RIDs matches the ID Range. If the calculated ID falls outside the ID range, the agent considers the object as not defined in the domain.
ID range is mutually exclusive from having cells defined. ID Range and either default cells or named cells may not be defined at the same time.
ID Range is designed for very large environments in specific use cases. If Directory Integrated mode does not meet your requirements, please contact BeyondTrust Technical Support to discuss whether ID Range is feasible for your environment.