Storage Modes in Active Directory
AD Bridge has three operating modes:
- Directory Integrated mode
- ID Range mode
- Unprovisioned mode
Directory Integrated mode is the preferred mode.
The storage mode provides a method for storing Unix/Linux attributes, including UIDs and GIDs, so that AD Bridge can map SIDs to UIDs and GIDs and vice versa.
This mapping lets AD Bridge identify the user or group and grants access to a Unix/Linux resource that is governed by a UID-GID scheme. When an AD user logs on to a Unix/Linux computer, the AD Bridge agent communicates with the Active Directory Domain to obtain the following information:
- Primary GID
- Secondary GIDs
- Home directory
- Login shell
AD Bridge uses this information to control the user's access to Unix and Linux resources by membership.
Directory Integrated Mode
Directory Integrated mode is designed to use the Linux/Unix-specific attributes already present in the Active Directory schema as part of RFC 2307. These were added in 2003 to store Linux/Unix-specific information, namely:
This mode uses two types of cells to map users’ information:
- Default Cell: Located at the root of the domain. The Linux/Unix-specific data is stored directly in the AD user or group account.
- Named Cell: Located in an OU. AD Bridge creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes, so they can hold multiple values while still allowing AD searches for specific values.
Directory Integrated mode does require indexing and promoting those existing attributes to the global catalog. For more information, see Change to Directory Integrated Mode.
ID Range Mode
ID Range mode improves conflict avoidance by expanding the number of available UIDs and GIDs in AD Bridge from 524,288 to 2,147,483,647. There are three places in which ID ranges may be configured:
- Active Directory Users and Computers
- Group Policy Management Editor
- The config tool
ID ranges are assigned in the following order of precedence:
- Forest root
- Group policy
- Config tools
ObjectSids are hashed by the agent to create user IDs and group IDs. ID Range introduces a mechanism to support the configuration of ID ranges for domains. Each domain is assigned a starting base ID and a maximum ID, where an ID refers to both user ID and group ID to be used by the AD Bridge agent.
The entire range can be defined for a single domain within a forest or split between domains. ID range overlaps are not allowed. There are no default settings for ID Ranges.
The ID is calculated by adding the object's RID to the ID Base. Careful planning is required when defining the range of each domain to make sure the range of RIDs matches the ID range. If the calculated ID falls outside the ID range, the agent considers the object as not defined in the domain. There are two things to consider before using ID Range mode:
- ID Range mode is mutually exclusive with having cells defined: ID Range mode and either Default Cells or Named Cells may not be defined at the same time.
- ID Range mode is designed for very large environments in specific use cases. If Directory Integrated mode does not meet your requirements, contact BeyondTrust Technical Support to discuss whether ID Range mode is feasible for your environment.
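The following is an added example, not AD Bridge's own code, showing the ID Range rule described above: the UID/GID is the domain's ID base plus the object's RID, ranges must not overlap, and a result outside the domain's range means the object is treated as not defined. The domain SIDs, range values and the IdRange/sid_to_id names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    base: int    # starting base ID assigned to the domain (assumed config)
    max_id: int  # maximum ID assigned to the domain (assumed config)


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def check_no_overlap(ranges: Dict[str, IdRange]) -> None:
    """ID range overlaps are not allowed: reject a config that has one."""
    ordered = sorted(ranges.items(), key=lambda kv: kv[1].base)
    for (d1, r1), (d2, r2) in zip(ordered, ordered[1:]):
        if r2.base <= r1.max_id:
            raise ValueError(f"ID ranges for {d1} and {d2} overlap")


def sid_to_id(sid: str, ranges: Dict[str, IdRange]) -> Optional[int]:
    """Return the UID/GID for a SID, or None if the object is not defined."""
    domain_sid, rid = split_sid(sid)
    rng = ranges.get(domain_sid)
    if rng is None:
        return None  # domain has no configured ID range
    candidate = rng.base + rid  # ID = ID base + RID
    if candidate > rng.max_id:
        return None  # RID pushes the ID past the planned range
    return candidate


# Constructed sample configuration: two domains sharing one forest's ID space.
RANGES = {
    "S-1-5-21-1111-2222-3333": IdRange(base=100000, max_id=199999),
    "S-1-5-21-4444-5555-6666": IdRange(base=200000, max_id=299999),
}

if __name__ == "__main__":
    check_no_overlap(RANGES)
    print(sid_to_id("S-1-5-21-1111-2222-3333-1105", RANGES))    # 101105
    print(sid_to_id("S-1-5-21-1111-2222-3333-250000", RANGES))  # None
```

The second lookup shows the planning point from the text: a RID larger than the room left in the domain's range yields an ID the agent would treat as undefined.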
Unprovisioned Mode
The simplest AD Bridge deployment alternative is Unprovisioned mode. In this mode, no additional user data is stored in Active Directory. Because Unprovisioned mode requires no UNIX data to be stored in AD, it does not require any Windows tools to administer this data.
ID mapping in Unprovisioned mode is performed by mathematically hashing Active Directory SIDs into UNIX identifiers. When hashing SIDs into UIDs and GIDs, AD Bridge can supply uniqueness for up to 524,288 AD objects, after which hash collisions can start to occur.
The advantage of Unprovisioned mode is that every computer and appliance using AD Bridge hashes AD users and groups to the same UID and GID numbers without requiring any repository of mapping information.
Disadvantages of using Unprovisioned mode:
- Administrators have no control over the ID mapping process; they cannot designate that specific users and groups be mapped to particular UNIX identifiers.
- All AD users and groups become visible to devices using AD Bridge (there is no way to indicate that an AD user or group not be mapped and available in UNIX).
Visibility does not necessarily imply authorization or access, as AD Bridge can prevent an AD user from logging on to a machine via its RequireMembershipOf configuration setting.
Schemaless Mode (deprecated)
Schemaless mode is deprecated. The content below is for information only.
Schemaless mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the schema. Instead, Schemaless mode uses existing object classes and attributes to store its data.
- To store information about a cell, AD Bridge creates a container object and stores data in its description attribute.
- To store information about a group or user, AD Bridge creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.
In Schemaless mode, AD Bridge uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value.