Toolkit project for managing Active Directory, Samba DC and FreeIPA directories. Part 1: Problem Statement

***

Relevance of the task for large holdings

Large corporations and holdings may include subsidiaries that are self-sufficient in the field of information technology. In a number of existing holding structures, they have the right to independently determine which directory service they use. Currently, most of these companies still use Microsoft Active Directory as a mature and feature-rich directory service.

At the same time, in practice, subsidiaries and dependent companies (SDCs) can use different operating systems and, accordingly, heterogeneous directory services – be it Microsoft Active Directory (MS AD), or directory services based on Samba DC or FreeIPA. All these solutions, despite the similarity of the problems being solved, have a number of significant features, use different approaches to management and, in general, are not fully compatible solutions.

In connection with the import substitution processes actively taking place in our country, an increasing number of organizations are switching to open source software or domestic software solutions. An example of such solutions is Alt Linux with Samba DC or Astra Linux with FreeIPA, as well as the Alt Catalog and ALDPro management systems actively developed on their basis.

For a number of reasons, such a transition can take a long time. In the case of large organizations, the process can drag on for years, and during this entire transition period administrators have to support both the existing solution and the one being implemented at the same time.

For holdings, the situation is further complicated by the fact that their member organizations, firstly, may historically have chosen different target solutions, and secondly, are at different stages of migration to the import substitution solutions they selected. This is where parent IT teams face a major challenge: how to provide centralized management, security policy enforcement, and user migration between domains running different directory services.

New challenges are also emerging for the information security service due to growing threats in this area and a corresponding increase in the requirements placed on it. The corporate security service needs an automated tool for rapid response to threats, one that can quickly deliver the necessary instructions to the desired domain (one or several organizations) and, in particular, distribute group policies to all subordinate structures.

State-owned enterprises and large holdings everywhere are faced with the task of migrating from Microsoft Active Directory to one of the domain management systems in the Linux environment.

With a high probability, in the near future all domestic public sector enterprises and the organizations serving them will migrate from Microsoft Active Directory to one of the domain management systems in the Linux environment (Samba DC, ALDPro or FreeIPA). Accordingly, if a holding company has heterogeneous directory management systems, tools for their centralized administration will undoubtedly be in demand.

A scenario that deserves special mention is one in which a single target solution is eventually chosen for the entire holding, or even recommended at the state level. This will require additional migration effort in those organizations that had previously chosen other solutions.

Foreign experience will not help

For Western companies, developing tools for centralized management of heterogeneous directory services in heterogeneous operating systems has never seemed like an urgent task. Most foreign enterprises that need a domain infrastructure use Microsoft Active Directory.

Accordingly, for centralized management of accounts in the domains of Western companies, a forest of Microsoft Active Directory domains and/or structures of trust relationships between domains are used. Active Directory is the de facto standard in the field of corporate IT resource management abroad.

Microsoft Active Directory is a universal solution for building a unified directory service: both Windows computers and Linux-based servers can be joined to the domain. If necessary, Linux workstations can also be joined to an Active Directory domain, but they are then fully subject to the control of that directory service.

In the Russian Federation, the need for such a tool stems from the situation of large business structures, which must develop their IT systems along a single vector, independently of geopolitical factors and of the decisions foreign software vendors make about our market.

Solving the problem of migration from Microsoft AD

One of the key tasks that, along with administration, is supposed to be solved is the process of migrating users from Microsoft Active Directory to Linux directory services. If an organization, for example, chooses to target Astra Linux Directory or Samba DC, it will need to be able to migrate user accounts from Windows to the alternative directory service of choice.

Currently, migration from MS AD is carried out using so-called connection and trust wizards, but this process is complex and often causes many errors and problems. A centralized solution for managing heterogeneous domain services can greatly simplify the migration process.

The main task is not just migration from MS AD to Linux directory services, but ensuring efficient automatic migration of a large number of objects.

I repeat, the main task is not just migration from MS AD to Linux directory services, but ensuring efficient automatic migration of a large number of objects. For example, if there are about 1000 users in an existing Microsoft Active Directory domain and all of them need to be transferred to a new domain based on Samba DC or another alternative directory service while preserving the structure of departments and groups, then the number of objects to transfer will be several times larger than the number of “user” objects alone.

Migrating a large number of users manually, by creating new accounts, departments and groups for each user, is an extremely labor-intensive and time-consuming process for administrators.

And after migration an additional complication arises: the need to adapt to the new domain management environment. We intend to discuss this issue in subsequent articles.

More about the technical side of the problem

We see managing heterogeneous domain services, including Microsoft Active Directory and Linux-based domains, as a major challenge for enterprise administrators. Here are some of the key challenges that professionals face when attempting to centrally manage directory services:

1. Authentication and authorization mechanisms:

  • Active Directory uses Kerberos along with NTLM to authenticate users and computers, while most Linux domains rely on standard mechanisms such as PAM, LDAP, and Kerberos. Reconciling authentication and authorization between the two is difficult even for experienced administrators. Of particular note are the difficulties of mapping Active Directory domain users and groups to POSIX-compliant Linux system users.

2. Managing security policies, group policies and access:

  • Active Directory has an advanced system for managing security policies and group policies. In Linux domains, such capabilities are limited and require the use of additional tools. Managing user accounts and their privileges across different systems is a complex task.

3. Monitoring and audit:

All of these issues combine to add complexity to management, resulting in administration costs and security risks in a heterogeneous environment.

4. Domain services management tools:

  • A domain infrastructure cannot function without a number of supporting services, and these must be carried over when migrating from MS AD to a Linux environment. Typically, the configurations of these services are stored in the directory itself, which keeps them consistent across the entire domain through built-in directory replication.

The tightest integration of services into the directory has been achieved in Active Directory: many familiar services, from DNS to e-mail, store their data directly in the directory and can be edited with the common management tools. In alternative Linux solutions there is, as a rule, no such integration; many services are essentially external and are managed separately from the directory, or are integrated with it through special connectors such as the DLZ (Dynamically Loadable Zones) module for the well-known BIND9 DNS server. This adds complexity to management.
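The user and group mapping difficulty named in item 1 above comes down to giving every domain SID a stable POSIX ID without collisions between domains. As an added illustration (not code from the toolkit this article describes), the following Python implements the algorithmic rule that Samba's idmap_rid backend documents, ID = RID - BASE_RID + LOW_RANGE_ID, with one non-overlapping ID range per domain. The domain SIDs and ranges are constructed sample values; the refusal of ranges below 1000 is a sanity check added here, not part of idmap_rid.

```python
"""SID <-> POSIX ID mapping in the style of Samba's idmap_rid backend.

Added example, not the project's own code. Rule: ID = RID - BASE_RID + LOW_RANGE_ID,
each domain owning its own ID range so the same RID in two domains never collides.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    """POSIX ID range assigned to one domain (low..high inclusive)."""
    low: int
    high: int
    base_rid: int = 0  # RID that maps onto `low`; 0 in the usual configuration


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).

    The RID is the last sub-authority; everything before it identifies the
    domain (or a pseudo-domain such as BUILTIN, S-1-5-32).
    """
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1" \
            or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


class RidMapper:
    """Deterministic mapping with one ID range per domain.

    Users and groups share one ID space, as in idmap_rid: a RID is unique
    within its domain, so a user and a group can never receive the same ID.
    """

    def __init__(self, ranges: dict[str, IdRange]) -> None:
        for dom, rng in ranges.items():
            # Assumption of this example: stay clear of local system accounts.
            if rng.low > rng.high or rng.low < 1000:
                raise ValueError(f"bad range for {dom}: {rng}")
        ordered = sorted(ranges.items(), key=lambda item: item[1].low)
        for (dom_a, rng_a), (dom_b, rng_b) in zip(ordered, ordered[1:]):
            if rng_b.low <= rng_a.high:
                raise ValueError(f"ID ranges of {dom_a} and {dom_b} overlap")
        self.ranges = dict(ranges)

    def sid_to_id(self, sid: str) -> int:
        domain, rid = split_sid(sid)
        rng = self.ranges.get(domain)
        if rng is None:
            raise LookupError(f"no ID range configured for domain {domain}")
        posix_id = rid - rng.base_rid + rng.low
        if not rng.low <= posix_id <= rng.high:
            # A RID past the end of the slice must fail loudly rather than
            # silently land in another domain's range.
            raise ValueError(f"RID {rid} of {domain} outside {rng.low}-{rng.high}")
        return posix_id

    def id_to_sid(self, posix_id: int) -> str:
        for domain, rng in self.ranges.items():
            if rng.low <= posix_id <= rng.high:
                return f"{domain}-{posix_id - rng.low + rng.base_rid}"
        raise LookupError(f"POSIX ID {posix_id} belongs to no configured domain")


# Constructed sample domain SIDs (not real domains).
CORP_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # parent AD domain
SUB_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # subsidiary Samba DC


def build_example_mapper() -> RidMapper:
    """Two trusted domains, each with its own 100 000-ID slice."""
    return RidMapper({
        CORP_SID: IdRange(low=100_000, high=199_999),
        SUB_SID: IdRange(low=200_000, high=299_999),
    })


def demo() -> dict[str, int]:
    mapper = build_example_mapper()
    return {
        # "Domain Users" carries the well-known RID 513 in every AD domain
        "corp Domain Users": mapper.sid_to_id(f"{CORP_SID}-513"),
        "sub Domain Users": mapper.sid_to_id(f"{SUB_SID}-513"),
        "corp user 1105": mapper.sid_to_id(f"{CORP_SID}-1105"),
    }


if __name__ == "__main__":
    for name, posix_id in demo().items():
        print(f"{name:>20}: {posix_id}")
```

Because the mapping is purely arithmetic, every member server and every migration run computes the same ID for a given SID without a shared database, which is what keeps file ownership and group membership consistent when accounts are carried across to Samba DC or FreeIPA. The cost is that the ranges must be planned up front: a RID beyond a domain's slice is rejected rather than mapped.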

The variety of tasks to be solved, their complexity and differences in implementation in different systems create increased requirements for the level of expertise of administrators of such heterogeneous environments. It is possible that organizations will need to allocate a separate staff of specialists to support each domain ecosystem.

That is why there is a need for a tool that allows domains of different kinds to be managed in an understandable and uniform way.

Summary: The problem of migration from MS AD and the application of general policies on domains exists and needs to be solved

Today, our goal is to create tools with a single web interface for managing any directory services, regardless of the type of operating system used and the chosen solution (Microsoft Active Directory, Samba DC, FreeIPA or others).

This will make administrators' work more convenient, greatly simplifying routine operations in a heterogeneous environment when moving from one platform to another and, where necessary, when working on both in parallel. The unified interface is planned to be adapted to the future development of domestic domain management systems.

It seems to us that the use of a single platform for managing heterogeneous domain services will ensure the application of group policies in the domains of holding structures, increase the level of information security and organize the collection of statistical data on the operation of directories for subsequent analysis and optimization.

Thank you for your time reading and we welcome your constructive comments!
