Storage Modes in Active Directory
AD Bridge Enterprise has the following operating modes:
- Directory Integrated mode
- Schemaless mode
- ID Range
- Unprovisioned mode
Directory Integrated mode is the preferred mode.
The modes provide a method for storing Unix and Linux information in Active Directory, including UIDs and GIDs, so that AD Bridge can map SIDs to UIDs and GIDs and vice versa.
The mapping lets AD Bridge use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme. When an AD user logs on a Unix or Linux computer, the AD Bridge agent communicates with the Active Directory Domain Controller through standard LDAP protocols to obtain the following authorization data:
- Primary GID
- Secondary GIDs
- Home directory
- Login shell
AD Bridge uses this information to control the user's access to Unix and Linux resources.
Directory Integrated Mode
Directory Integrated mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information, namely the posixAccount and posixGroup object classes.
For example, the posixAccount and posixGroup object classes include attributes (uidNumber and gidNumber) that AD Bridge Enterprise uses for UID and GID mapping. In addition, AD Bridge uses serviceConnectionPoint objects to store the same information as in Schemaless mode by using the keywords attribute.
For example, when you create a cell in Directory Integrated mode, AD Bridge creates a container object, CN=$LikewiseIdentityCell, in the domain root or in the OU where you created the cell. If the container is created in an OU, the cell is called a named cell, and the Unix-specific data is stored in CN=Users and CN=Groups in the $LikewiseIdentityCell container object. These objects point to the Active Directory user or group information with a backlinked security identifier.
If the container is created at the level of the root domain, it is known as a default cell. In this case, the Unix-specific data is stored directly in the AD user or group account.
Schemaless Mode
Schemaless mode is deprecated.
Schemaless mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the schema. Instead, Schemaless mode uses existing object classes and attributes to store its data.
- To store information about a cell, AD Bridge Enterprise creates a container object and stores data in its description attribute.
- To store information about a group or user, AD Bridge Enterprise creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.
In Schemaless mode, AD Bridge Enterprise uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value.
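The following added example (not AD Bridge's own code) decodes the name=value entries that Schemaless mode stores in a serviceConnectionPoint's multi-valued keywords attribute into a posixAccount-style record, and builds the LDAP filter that searches for one specific stored value; the attribute names are the RFC 2307 ones and the sample entries are constructed.

```python
# Added example, not AD Bridge code. Decodes the "name=value" strings stored in the
# multi-valued keywords attribute (Schemaless mode) and builds a search filter for one
# of them. Sample values below are constructed.
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307 posixAccount MUST
INT_ATTRS = ("uidNumber", "gidNumber")

# Constructed sample: the keywords values of one serviceConnectionPoint object.
SAMPLE_KEYWORDS = [
    "uid=jdoe",
    "uidNumber=1001",
    "gidNumber=1001",
    "homeDirectory=/home/jdoe",
    "loginShell=/bin/bash",
]

def parse_keywords(values):
    """Split each 'name=value' entry; reject malformed or duplicated attribute names."""
    attrs = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed keywords entry: {raw!r}")
        if name in attrs:
            raise ValueError(f"attribute {name} stored more than once")
        attrs[name] = value
    return attrs

def posix_account(values):
    """Return the user's posixAccount data with numeric IDs as ints, or raise if incomplete."""
    attrs = parse_keywords(values)
    missing = [n for n in REQUIRED_ATTRS if n not in attrs]
    if missing:
        raise ValueError(f"posixAccount data incomplete, missing {missing}")
    account = {}
    for name, value in attrs.items():
        if name in INT_ATTRS:
            if not value.isdigit():
                raise ValueError(f"{name} must be numeric, got {value!r}")
            account[name] = int(value)
        else:
            account[name] = value
    return account

def keyword_filter(name, value):
    """LDAP filter matching one stored name=value entry; the value is escaped per RFC 4515
    so that a crafted value cannot alter the filter structure."""
    text = f"{name}={value}"
    escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in text)
    return f"(keywords={escaped})"
```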
ID Range Mode
ID Range mode improves conflict avoidance by expanding the number of available UIDs and GIDs in AD Bridge from 524,288 to 2,147,483,647. There are three places in which ID ranges may be configured:
- Active Directory Users and Computers
- Group Policy Management Editor
- The config tool
ID ranges are assigned by the following order of precedence:
- Forest root
- Group policy
- The config tool
ObjectSids are hashed by the agent to create user IDs and group IDs. ID Range introduces a mechanism to support the configuration of ID ranges for domains. Each domain is assigned a starting base ID and a maximum ID, where an ID refers to both user ID and group ID to be used by the AD Bridge agent.
The entire range can be defined for a single domain within a forest or split between domains. ID range overlaps are not allowed. There are no default settings for ID Ranges.
The ID is calculated by adding the object's RID to the ID Base. Careful planning is required when defining the range of each domain to make sure the range of RIDs matches the ID Range. If the calculated ID falls outside the ID range, the agent considers the object as not defined in the domain.
ID range is mutually exclusive from having cells defined. ID Range and either default cells or named cells may not be defined at the same time.
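The added example below (not AD Bridge code) works through the ID Range rules stated above: each domain gets an ID Base and a maximum ID, ranges must not overlap, the ID is the ID Base plus the object's RID, and an ID outside the range means the object is treated as not defined in the domain. The domain SIDs and ranges are constructed sample values.

```python
# Added example, not AD Bridge code. Models the ID Range mode rules: ID = ID Base + RID,
# per-domain ranges that must not overlap, and "not defined" when the result is out of range.
# Domain SIDs and ranges below are constructed sample values.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IdRange:
    domain_sid: str   # domain part of the objectSid, e.g. S-1-5-21-a-b-c
    id_base: int      # starting base ID configured for the domain
    id_max: int       # maximum ID configured for the domain (inclusive)

# Constructed sample: the 2,147,483,647 ID space split between two forest domains.
RANGES = [
    IdRange("S-1-5-21-1111-2222-3333", 1_000_000, 1_999_999),
    IdRange("S-1-5-21-4444-5555-6666", 2_000_000, 2_999_999),
]

def validate_ranges(ranges):
    """Reject inverted ranges and overlaps between domains (overlaps are not allowed)."""
    for r in ranges:
        if r.id_base > r.id_max:
            raise ValueError(f"{r.domain_sid}: ID Base {r.id_base} exceeds max {r.id_max}")
    ordered = sorted(ranges, key=lambda r: r.id_base)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.id_base <= prev.id_max:
            raise ValueError(f"ID range overlap between {prev.domain_sid} and {cur.domain_sid}")
    return True

def max_rid(r):
    """Largest RID a domain can hold before IDs leave its range (for planning the split)."""
    return r.id_max - r.id_base

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not an objectSid: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def map_sid(sid, ranges) -> Optional[int]:
    """Return the UID/GID for sid, or None when the object is not defined in the domain."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain_sid:
            unix_id = r.id_base + rid
            return unix_id if r.id_base <= unix_id <= r.id_max else None
    return None  # no ID range configured for this domain
```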
ID Range is designed for very large environments in specific use cases. If Directory Integrated mode does not meet your requirements, please contact BeyondTrust Technical Support to discuss whether ID Range is feasible for your environment.
Unprovisioned Mode
The simplest AD Bridge deployment alternative is Unprovisioned mode. In this mode, no additional user data is stored in Active Directory. Unprovisioned mode is used by AD Bridge Open. Because Unprovisioned mode requires no UNIX data to be stored in AD, it does not require any Windows tools to administer this data.
ID mapping in Unprovisioned mode is performed by mathematically hashing Active Directory SIDs into UNIX identifiers. When hashing SIDs into UIDs and GIDs, AD Bridge can supply uniqueness up to 524,288 AD objects, after which hash collision can start to occur.
The advantage of Unprovisioned mode is that all devices (computers and appliances) using AD Bridge hash AD users and groups into the same UID and GID numbers without requiring any repository of mapping information.
The disadvantage of this mode is that administrators have no control over the ID mapping process; they cannot designate that specific users and groups be mapped to particular UNIX identifiers. An additional disadvantage is that all AD users and groups become visible to devices using AD Bridge (there is no way to indicate that an AD user or group not be mapped and available in UNIX).
Visibility does not necessarily imply authorization or access as AD Bridge can prevent an AD user from logging onto a machine via its require-membership-of configuration setting.
Unprovisioned mode does not work with one-way trusts.