IT managers reacted with cautious approval to a new agreement between VMware Inc. and Likewise Software, an authentication specialist. The agreement lays the groundwork for VMware ESX and ESXi servers to plug directly into Microsoft's ubiquitous Active Directory authentication framework.
As it stands, VMware administrators can use Active Directory through VMware vCenter Server and the vSphere Client, which both run on Windows. But authenticating individual ESX hosts with Active Directory requires administrators to jump through myriad hoops -- and it flat-out doesn't work with hosts running ESXi.
Most logins to VMware servers occur indirectly through vCenter and the vSphere Client, and thus are not affected by the Likewise integration, said Eric Siebert, a system administrator at the Golden, Colo.-based restaurant chain Boston Market Corp. and a virtualization expert. But even if you have vCenter, "there are times when you want to go directly to the host," he said.
Integrating Likewise software with ESX means administrators won't have to configure Pluggable Authentication Modules (PAM) in the ESX service console to use Active Directory. Alternately, some VMware administrators install third-party products such as Likewise's own Open and Enterprise products, or DirectControl from Centrify Corp. in Sunnyvale, Calif.
VMware shops running ESXi -- which today's offerings don't support because they require a console -- will likely garner the greatest benefits from the agreement, Siebert said. But the vast majority of VMware shops still run the full-fledged ESX.
"It's mildly useful because it will be easier to use now," Siebert said. "But it's not one of those VMware features that I'm really excited about," he added.
Active Directory and non-Windows hosts
Another open question is whether organizations want to use Active Directory as a general-purpose authentication platform.
Thanks to the popularity of Microsoft Exchange and Windows desktops, Active Directory is nearly pervasive within enterprises, said Manny Vellon, Likewise's CTO. But Vellon conceded that it's not usually used to authenticate non-Windows hosts such as ESX and ESXi.
"Not everyone is aware that you can tie these Unix machines into Active Directory," Vellon said.
When it comes to authentication schemes for Unix, Linux and virtualization hosts, "more often than not, what we see is nothing," Vellon said. "They're all running local authentication using local /etc/passwd files." Beyond that, Vellon also said that some firms use the Network Information Service (NIS), but that because it does not pass government or PCI Industry audits, "anyone using NIS is trying to get rid of NIS."
But Vellon said that among large security-minded organizations, there's movement afoot to consolidate their various authentication mechanisms around Active Directory.
From that perspective, this is good news for big companies, said Rick Vanover, an IT infrastructure manager at Alliance Data in Columbus, Ohio. "It's definitely useful. Everyone uses Active Directory," he said.
At the same time, "How many people do I really want working directly on my hosts?" he asked. "The driver would have to be the idea that every user [logging into an ESX server] must be identified. That's just not possible if you use a local inventory of passwords, including 'root,'" he noted.
The agreement calls for VMware to bundle Likewise Identity Services into VMware ESX/ESXi 4.1, according to the Likewise website. The integration enables Active Directory authentication out of the box and adds user interface elements for defining Active Directory groups and privileges.