I was reading a blog a couple of days ago about a company’s security manager being left out of the loop when the company reorganized its Active Directory architecture — and a couple of thoughts occurred to me that I thought I’d share. The post recounts how his company made some directory topology decisions without involving him, the Security Manager for the company.
Now, I don’t know the writer and it’s possible that he’s a superb Security Manager and that his company made a serious oversight in not consulting him regarding these decisions. I think it’s also possible, however, that the company deliberately chose to exclude him from these deliberations. Why would they do this? Maybe he doesn’t understand the issues. Maybe he’s so security conscious that he’s obstructive. Maybe he’s too slow at making decisions.
At Likewise, we frequently have to deal with Security Managers or with CSOs (Chief Security Officers) and we’ve run into both good and bad ones. Security is a difficult topic. Understanding it requires familiarity with high-level policy and regulatory issues (e.g. HIPAA, SOX, etc.) and with low-level details (ACLs, roles, etc.). It’s hard to find security personnel who have mastery over the entire gamut of issues. It’s also hard to find people who have the right balance of risk and reward. It’s easy to ensure security simply by preventing everyone from doing anything risky. A good Security Manager has to have both the right technical chops and the right balance of risk and reward.
As to the specific technical issues in the blog post, the Security Manager suggests that his company’s decision to go with a single-forest/single-domain Active Directory design sounds wrong to him and that, perhaps, it would be better to go with single-forest/multiple-domains. He doesn’t explain why he thinks this is better. It’s possible that he’s right, but I would make the following observation: our largest customers tend to have the simplest AD topologies. Many ended up with simple topologies after suffering through more complex ones. Although child domains are simpler than inter-forest trusts, they still add complexity to the design and sometimes result in LDAP referral messages that can trip up applications. He’s certainly right about other issues, however: for example, the dangers of centralized vs. distributed domain controllers.
So, my advice to the writer is that when your girlfriend tells you “it’s not about you, it’s about ME”, it sometimes really is about you. But then, again, I don’t know him.
I’m often asked why Likewise invests in Likewise Open. Clearly the target market for Likewise is the enterprise market, yet we work hard to provide a set of core functionality under GPL/LGPL that allows any individual or organization to join machines to an Active Directory network for free. Moreover, that code would allow anyone to modify, extend, and ship the same functionality in a community project or commercial offering. How does that benefit Likewise?
The benefits of having an open source offering are not always immediately obvious. However, we’re in it for the long haul and see that the long-term benefits of being open source are good for Likewise, our customers, and the open source community at large.
Helping the Open Source Community
Some of the benefit that we provide to the community could also be derived from offering a proprietary but free-as-in-beer offering. But there are a few things that wouldn’t be possible if we only provided binaries.
First of all, providing source under an open license means that we can ship with Linux distributions like Ubuntu as part of the main distribution or in the regular open source repositories. This is a huge deciding factor for us, because we want to allow any and all Linux users to be able to interoperate with an Active Directory network regardless of whether their company is a Likewise customer. Many of our community members would be faced with using Windows laptops or workstations if they weren’t able to authenticate against AD, regardless of their personal preference. That’s not desirable at all.
We want to make sure that Linux, UNIX, and Mac OS X are first-class citizens in any network, and the reality is that many organizations depend on Microsoft Active Directory for authentication and user management.
We also want to enable the community to package and ship Likewise Open with any Linux distribution. We obviously can’t package Likewise Open for every distribution ourselves. But any distribution that wants to offer an RPM, Debian package, etc., can do so without needing to ask permission from Likewise.
Another consideration is that an open source stack allows users and distributions to compile Likewise Open for other platforms if they choose. Most Linux users are running on x86 or x86_64 systems, but we’d be pleased to see Likewise Open running on PowerPC, ARM, you name it. These platforms may not be strategic to Likewise, but they’re important to many users. Being open means that the community can take Likewise Open to platforms we aren’t shipping on yet, and gives the community the ability to modify Likewise in ways we might not.
Benefits to the Customer
That’s all great, but how does that benefit Likewise’s customer base? For one thing, we learn a lot from our community about the core product in the form of bug reports, questions in the Likewise forums, and interacting with the larger community.
It also helps Likewise work with distribution vendors. Our partnerships with companies like Canonical and Novell are strengthened by the fact that they’re able to recommend Likewise Open to their communities, while offering Likewise Enterprise to their enterprise customers. Again, it’s very important that every user is able to join to their organization’s network, including users running community Linux distributions like Ubuntu, Fedora, openSUSE, Debian, and others.
And, of course, Likewise Open makes Active Directory authentication available to everyone, from an Ubuntu-using developer in a mostly Microsoft shop to a 50-seat art department using Apple machines inside a major corporation with a wholly heterogeneous network.
We also feel indebted to the open source community. The solutions that Likewise provides are largely in response to opportunities made possible by the Linux and open source community. We’re committed to sustaining that community and ensuring that every user that needs to operate in a heterogeneous network has the opportunity to do so. That’s why we’re open, and not just free.
Jay Lyman has hit the nail on the head on the 451 CAOS blog regarding the open core debate. The primary reason vendors are exploring open core as a model is because customers have asked for it.
With Likewise Open we provide the features needed by our entire community, from individual users to enterprise customers with thousands of seats. The primary functionality, connecting to and authenticating against Microsoft’s Active Directory, is fully open source and benefits everybody. We’re pleased to be able to offer Likewise Open under the LGPL/GPL, and to know that this is working for more than 50,000 customers around the world.
Our enterprise customers have the added value of Likewise Enterprise, which adds a number of features to Likewise Open, such as directory migration, reporting and auditing tools, and single sign-on for enterprise applications. The added functionality in Enterprise benefits a very specific segment of our community, and we work closely with our enterprise customers to ensure we provide value here. At the same time, we work hard at making Likewise Open a solution that is robust and updated simultaneously with (if not ahead of) Likewise Enterprise.
Simon Phipps and other open source advocates are right to watch for companies that would use the term “open source” abusively or deceptively. But this does not include all open core strategies. Phipps does many of the vendors (and their customers) offering open core solutions an extreme disservice by painting open core as some kind of nefarious lock-in scheme. The converse is true: Many open core vendors are providing functionality that benefits an enormous user base whether they do business with the vendor or not.
Open core, when done right, provides value to the open source community and consumers of the proprietary software simultaneously. It may not be the ultimate ideal for those like Phipps who spend their time criticizing open source businesses that don’t achieve their desired level of software licensing purity, but it’s a workable solution that addresses the needs of the customer, community, and vendor.
We released Likewise Open 6 this past week and have gotten some great press coverage on the launch. Likewise Open 6 includes some great enhancements including a smart service manager and faster logons in complex environments. With these updates, the folks in the trenches who have been tasked with figuring out how to control a heterogeneous environment now have an even more powerful and free tool to start this process.
We are picking up speed on development thanks in part to the large OEM partnerships we have — the likes of HP, Cisco, and VMware to name a few. These OEMs are building their products around our authentication engine, and contributing back to the Likewise Open project. This should provide some serious comfort to those evaluating our product, and should they recommend Likewise as the solution to their company’s project, they are keeping good company.
We also get great feedback from communities dedicated to some of our large technology partners. Fedora, SUSE, Ubuntu, and other distros’ communities provide great feedback, which all goes toward making Likewise Open 6 what it is today. We’re grateful for the contributions of the community, and want to emphasize the part that our partners and community play in delivering an excellent tool for cross-platform authentication and single sign-on.
Keep the feedback coming, guys!
Virtualization has taken the one-to-one relationship of the physical server to operating system and turned it into a one-to-many relationship between the physical server and multiple guest operating systems running on the hypervisor. As the management frameworks for running these guest operating systems within the hypervisor mature, creating in essence the “virtualization layer,” we are seeing an increasing amount of choice as out-of-the-box virtual appliances and purpose-built virtual servers catch fire in the market.
What is key here is the shift to a focus on the workload running on the guest OS – not the underlying OS. Despite some vendor prognostications / protests, I predict the shift to a focus on the workload, meaning the applications / services the business cares about, will continue and the OS will become more commoditized. The key to success in this shift is meeting expectations of customers that the appliance or virtual server should just work with their existing legacy systems and processes. If I spin up a virtual appliance, it must support seamless migration from (or integration with) legacy systems.
What is Likewise doing to support this shift? Today Likewise provides platform interoperability for improved authentication and access control in virtualized environments for more than 75% of the hypervisor market (if you combine market share for VMware and Citrix). Here’s what we do for each:
VMware embeds Likewise Identity Services to allow Microsoft Active Directory users to log in to ESX/ESXi hosts. VMware notes in a recent announcement, “As customers continue on the journey to cloud computing, they need to leverage existing security infrastructure for their virtualized environments.”
Citrix embeds Likewise Identity Services in XenServer, noting in a recent announcement, “It’s critical to provision users, applications and computing resources so that our virtualization technology has the same high levels of security as actual physical hardware.”
Likewise Enterprise then goes a step further, allowing users to manage authentication, access control, group policy, and reporting for demonstrating compliance for audit purposes across the physical and virtual environment, including the hypervisor and guest OS. That end-to-end control allows organizations to address security–one of the main impediments to virtualization adoption.
With our focus on platform interoperability, we’re helping those progressing down the virtualization path focus on the workloads they are running, and doing our part to make the choice of which operating system to run a workload on ubiquitous.
Exciting news announced yesterday — Likewise has joined the NetApp Alliance Partner Program — providing NetApp customers with identity management and authentication software for secure access control of NetApp unified storage systems. This will give Likewise access to NetApp’s technical resources (forums, simulators, support) and NetApp customers access to Likewise’s technical resources. What does that mean? It means a single system to manage authentication with a centralized policy definition point to control access to an enterprise’s most important asset – information.
What NetApp said: “NetApp is committed to helping our customers drive their businesses by making storage simpler and cheaper to manage,” said Patrick Rogers, vice president of Solutions and Alliances at NetApp. “With Likewise joining the NetApp Alliance Partner Program, together we can simplify storage management while improving security.”
So welcome NetApp customers!
Today’s a big day for us here at Likewise — we got Likewise Open 6.0 out the door.
One of the struggles that all software development teams face is accurate and relevant testing of an upcoming release. You could ask one hundred engineers if they believed that their software would experience some currently unimagined environment or use once in production and I believe that all one hundred would answer a resounding “Yes!” How can we “out-imagine” what production networks throw at us? Two words – Collective Experience.
Over the past two years, Likewise has been partnering with software and hardware companies to embed seamless Active Directory domain member integration into products. Most of our technology licensing and open source customers are familiar with the patch burden that comes from maintaining local changes to an upstream software project and have decided to re-submit changes back to Likewise for inclusion in future releases. This expanding community of Likewise vendors benefits from the collective experiences of each shared through source code.
We strive to make Likewise a platform for application development. Our engineering team has frequently discussed hosting a “Likewise Developer’s Summit” to bring engineers outside of Likewise together to discuss what they like, don’t like, and would like to improve in our platform. I believe that by bringing good engineers together, we can create great software, and by bringing great engineers together we can revolutionize the Unix, Linux, and OS X software industry.
And that’s what I love about a technical community — it can leverage the collective experience of some of the smartest engineers on the planet to improve the contribution of everyone.
Likewise Open 6.0 is out the door, check it out here. Join our community in the Likewise forums, mailing lists, or maybe even at a future LDS.