Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.
Just the other day I was talking to Luis, a senior Unix administrator at an oil exploration company. He told me about an interesting IT project his company is undertaking. I thought his experience might be worthy of sharing with others who have similar challenges with authenticating and securing disparate platforms.
Like many other large companies, Luis’ employer has a mixed variety of Windows, Linux and Unix workstations. The Unix and Linux devices are necessary to support the vital scientific work the company’s geophysicists perform. These devices are located all around the world – some in main offices in places like Houston, London and Kuala Lumpur, and others in remote and inaccessible places like offshore platforms and vessels. What’s more, a single user could have as many as five or six login IDs to access various applications at different sites.
Luis readily admits this is an inefficient way to operate the total workstation environment. That’s one of the reasons they are now in the midst of rolling out a unified directory to provide better access control, single sign-on authentication, and group policy. The company is leveraging its investment in Microsoft Active Directory by bringing the Unix and Linux devices into the fold.
The product they’ve chosen to bring about the integration is Likewise Enterprise from Likewise Software. Luis says they preferred Likewise over other solutions because of the way Likewise allows them to do user identifier (UID) and group identifier (GID) masking across the different work centers. This enables them to authenticate users and groups by using UID/GID information from Active Directory, and to centralize and simplify managing their Linux and Unix users.
The big benefit to the company is that they can now provision and de-provision users and be accountable for who has access to what system or application from one source. In addition, the end users get a single sign-on that works for every application they need to use.
Before implementing Likewise, Luis says the system administrators would send messages to their counterparts at other sites to let them know when someone had left the company and an account needed to be deactivated. Of course, the de-provisioning sometimes fell through the cracks, leaving live accounts that posed a security threat.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.
Comments (2)
Radius
By Anonymous on April 7, 2009, 11:15 am
A simple Radius Server would also work
Kerberos
By Anonymous on April 7, 2009, 3:02 pm
Wow, now if Microsoft hadn't messed with Kerberos and made their implementation proprietary (cough AD cough), everyone could be using the open source authentication...