The Likewise Identity Service: Industrial-Strength Authentication for Unix, Linux and Mac

The Likewise Identity Service, or LWIS, is a next-generation authentication engine for Linux, Unix, and Mac OS X. A highly reliable and industrial-strength application, LWIS gives non-Windows computers advanced capabilities for both local authentication and Active Directory-based authentication. As the authentication engine in Likewise Open, LWIS is free and its code base is open.

Active Directory and Local Authentication

LWIS is a single-process, multi-threaded application that can host multiple server-side authentication providers. In the fall 2008 version of Likewise Open, LWIS includes two distinct authentication providers:

  • The local authentication provider is a full local authentication database. With functionality similar to the local SAM authentication database on every Windows computer, the local authentication provider lets you create and manipulate local users and groups.
  • The Active Directory authentication provider interfaces with a Microsoft Active Directory forest to authenticate AD users and groups and to manage AD account information.
  • The Active Directory authentication provider gives you the option of storing user ID (UID) and group ID (GID) information either by using RFC 2307 attributes or, if the schema is not RFC 2307-compliant, by using existing object classes and attributes in AD. Changes to your AD schema are not required.

Password Management

Password and Kerberos Keytab Manager. When a machine is joined to Active Directory, the machine’s name, site information, forest name, and domain are stored securely. In addition, the machine’s password is securely stored. The machine’s host keytab is derived from that machine password and is stored alongside it. Likewise provides an interface and library of calls to update this information. In addition, APIs are provided to determine whether the machine is joined and to retrieve the machine’s forest, domain, and site information.

Machine Password Refresh Manager. Active Directory requires that the machine’s password be periodically refreshed. A machine password refresh thread runs periodically within the AD provider to update the machine’s password at a time set by a policy.

Cached credentials support. LWIS supports cached credentials in case your domain controllers are unreachable.

Integrated Change Password Support. With LWIS, you can change AD passwords from Linux and Unix. LWIS honors all AD security policies, such as requiring users to change passwords at logon.

Kerberos

Kerberos Ticket Management. The LWIS Active Directory authentication provider refreshes Kerberos tickets, including the ticket-granting ticket (TGT) of a logged-on user to give the user single sign-on to other Kerberos-enabled applications.

Kerberos and NTLM Password Authentication. LWIS supports both NTLM-based authentication and Kerberos-based authentication.

Site Management

Time Synchronization Subsystem. The time synchronization subsystem serves as a backup mechanism for misconfigured or absent NTP support on the joined machine. This subsystem ensures that the machine’s system time is synchronized to that of the domain controller.

Site Management and Site Affinity. LWIS includes a full implementation of Active Directory site management and site affinity. When LWIS joins a computer to a domain, it automatically detects and uses the closest domain controller (DC) within its site. If the closest DC goes down, the site affinity system switches to the next available DC.

In addition, site affinity is handled by a separate daemon -- netlogond -- which can be programmatically queried by all the applications on the system to ensure that they communicate with the affinitized DC.
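The site-affinity behaviour described above, as an added example that is not Likewise code: a client resolves the DNS SRV records for its own site first, orders them as RFC 2782 prescribes (priority, then weighted random choice), and only falls back to the forest-wide DC list when no site DC answers. The forest name, site name, DC hostnames and the `reachable` set are constructed stand-ins for the live DNS answers and LDAP pings a real client would use.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answers for a hypothetical forest "example.com" with the
# client in a hypothetical site "Seattle".  A real client would resolve
# _ldap._tcp.Seattle._sites.dc._msdcs.example.com first and, as the fallback,
# _ldap._tcp.dc._msdcs.example.com (every DC in the forest).
SITE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.example.com"),
    SrvRecord(priority=0, weight=50, port=389, target="dc2.example.com"),
]
FOREST_SRV = SITE_SRV + [
    SrvRecord(priority=10, weight=100, port=389, target="dc3.example.com"),
]


def order_by_rfc2782(records, rng=None):
    """Order SRV records as RFC 2782 prescribes: lowest priority first, and
    within one priority a weighted random choice, so heavier DCs are tried
    more often while lighter ones still receive some traffic."""
    rng = rng if rng is not None else random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)  # RFC 2782: 0..total inclusive
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def select_dc(site_records, forest_records, reachable, rng=None):
    """Return the first reachable DC, preferring the client's own site.

    `reachable` stands in for the LDAP ping a real client sends to each
    candidate; here it is simply the set of hostnames that answered.  When
    every site DC is down the forest-wide list is walked, which is the
    failover to the next available DC described above."""
    site_targets = {r.target for r in site_records}
    candidates = order_by_rfc2782(site_records, rng)
    candidates += [r for r in order_by_rfc2782(forest_records, rng)
                   if r.target not in site_targets]
    for rec in candidates:
        if rec.target in reachable:
            return rec.target
    return None


if __name__ == "__main__":
    everything = {"dc1.example.com", "dc2.example.com", "dc3.example.com"}
    print("all DCs up:      ", select_dc(SITE_SRV, FOREST_SRV, everything))
    print("site DCs down:   ", select_dc(SITE_SRV, FOREST_SRV, {"dc3.example.com"}))
    print("no DC reachable: ", select_dc(SITE_SRV, FOREST_SRV, set()))
```

Keeping the site list ahead of the forest list is what makes logons stay on a nearby DC under normal conditions; the weighted ordering within a priority is why two clients in the same site may legitimately end up affinitized to different DCs.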

LWIS supports multiple forests, including the following scenarios:

  • Single domain, single domain tree, single forest
  • Multiple domains, single domain tree, single forest
  • Multiple domains, multiple domain trees, single forest
  • Multiple forests, two-way transitive trusts
  • Multiple forests, one-way transitive trusts

Samba Integration

LWIS is a fully compliant WBL (Winbind Bridge Library) service provider, giving you out-of-the-box integration with the Samba smbd file server and allowing LWIS to serve as a clean winbind replacement.

Full-Featured DCE/RPC Framework

DCE/RPC Framework. A full MSRPC-compatible DCE/RPC implementation ships with LWIS, empowering OEMs and others to build their own Windows-compatible RPC clients and servers. The DCE/RPC framework comes with a full IDL compiler, the DCE/RPC runtime, a platform-neutral threading library, and full support for Windows authentication libraries.

Native NetAPI Implementation for Linux and Unix. A full native implementation of the Windows NetAPIs is available. The LWIS daemon uses many of the NetAPI calls for authenticating users, supporting multiple forests, and changing passwords.

OpenLDAP with GSS-SPNEGO. The OpenLDAP libraries do not include built-in support for GSS-SPNEGO, making it nearly impossible to correctly access Active Directory's infrastructure. LWIS includes an enhanced OpenLDAP client library that fully supports the LDAP_AUTH_NEGOTIATE option. It also fully supports the signing and sealing of LDAP traffic.

Native GSS-NTLM support. LWIS includes libraries that provide native GSS-NTLM authentication for both local (peer-to-peer) authentication and pass-through authentication to an NT4 or greater domain controller.

Domain Join System Configuration Library. LWIS also ships with libraries that automatically configure Linux and Unix machines by provisioning and de-provisioning PAM, nsswitch, /etc/hosts, and Kerberos configuration files for seamless, error-free domain-join behavior.
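To make the provisioning and de-provisioning step concrete, here is an added example (not the Likewise library itself) that edits the passwd and group lines of an nsswitch.conf idempotently: join appends the NSS module after the existing sources, leave removes it again, and the original file is recovered byte for byte. It assumes the module name `lsass` (the name Likewise Open's NSS module uses) and works on a constructed sample file rather than the real /etc/nsswitch.conf; the "files" entry is always kept in front so local accounts keep resolving if the daemon is down.

```python
import re

MODULE = "lsass"                 # assumed module name; any NSS module name works
DATABASES = ("passwd", "group")  # databases the AD provider serves

# Constructed sample of an nsswitch.conf before the domain join.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files
group:      files
shadow:     files
hosts:      files dns   # keep dns last
"""

LINE_RE = re.compile(r"^(?P<db>\w+):(?P<ws>\s*)(?P<rest>.*)$")


def _rewrite(text, databases, edit):
    """Apply `edit` (a function on the source list) to each selected database
    line, preserving alignment whitespace, trailing comments and all other lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("db") in databases:
            body, hash_sign, comment = m.group("rest").partition("#")
            sources = edit(body.split())
            line = f"{m.group('db')}:{m.group('ws')}{' '.join(sources)}"
            if hash_sign:
                line += f" {hash_sign}{comment}"
        out.append(line)
    return "\n".join(out) + "\n"


def provision(text, module=MODULE, databases=DATABASES):
    """Join: append the module once; never reorder what the admin already had."""
    def add(sources):
        if module not in sources:
            sources.append(module)
        return sources
    return _rewrite(text, databases, add)


def deprovision(text, module=MODULE, databases=DATABASES):
    """Leave: drop the module; never leave a database with no source at all."""
    def drop(sources):
        sources = [s for s in sources if s != module]
        return sources or ["files"]
    return _rewrite(text, databases, drop)


def sources_for(text, db):
    """Return the source list configured for one database, or None if absent."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("db") == db:
            return m.group("rest").partition("#")[0].split()
    return None


if __name__ == "__main__":
    joined = provision(SAMPLE_NSSWITCH)
    print(joined)
    assert deprovision(joined) == SAMPLE_NSSWITCH
```

Running provision twice yields the same file, which is the property a join tool needs so that a retried or repeated join does not accumulate duplicate entries; running deprovision on the joined file restores the sample exactly.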

Likewise Event Log Subsystem

The Likewise Event Log Subsystem is a logging daemon that runs on a target Linux, Unix, or Mac OS X computer. While similar to the Windows eventlog subsystem, the Likewise subsystem comes with significant enhancements, including an embedded SQLite database that allows rich queries to be executed on the server. The Event Log Subsystem’s interface is built on top of our DCE/RPC subsystem so authenticated RPC queries can run from remote clients as well as local clients. All the Likewise subsystems -- including the authentication subsystem and the group policy subsystem -- have their security event log stored in this event log database.
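As an added illustration of the kind of server-side query an embedded SQLite event store makes possible (this is example code, not the Likewise subsystem's schema or API), the block below loads a few constructed authentication events into an in-memory SQLite table and asks a question an administrator would typically want answered: which accounts accumulated several logon failures within a short window. The table layout, source names and timestamps are all assumptions made for the example.

```python
import sqlite3

# Constructed sample events.  Columns roughly mirror what a Windows-style
# event log carries; "lsass" and "gpagent" are hypothetical source names.
# Timestamps use SQLite's "YYYY-MM-DD HH:MM:SS" form so string comparison
# and datetime() arithmetic agree.
SAMPLE_EVENTS = [
    ("lsass",   "FAILURE", "alice", "web01", "2008-10-01 08:00:05"),
    ("lsass",   "FAILURE", "alice", "web01", "2008-10-01 08:00:09"),
    ("lsass",   "FAILURE", "alice", "web01", "2008-10-01 08:00:14"),
    ("lsass",   "SUCCESS", "alice", "web01", "2008-10-01 08:01:00"),
    ("lsass",   "FAILURE", "bob",   "db02",  "2008-10-01 08:30:00"),
    ("gpagent", "INFO",    "-",     "web01", "2008-10-01 09:00:00"),
    ("lsass",   "FAILURE", "alice", "web01", "2008-10-01 12:00:00"),
]


def build_event_db(events=SAMPLE_EVENTS):
    """Create an in-memory event store and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE events (
            id         INTEGER PRIMARY KEY,
            source     TEXT NOT NULL,
            event_type TEXT NOT NULL,
            user       TEXT,
            computer   TEXT NOT NULL,
            event_time TEXT NOT NULL
        )""")
    conn.executemany(
        "INSERT INTO events (source, event_type, user, computer, event_time) "
        "VALUES (?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn


def failed_logon_bursts(conn, threshold=3, window_minutes=5):
    """Return (user, computer, failures, first, last) for every failure that
    starts a run of at least `threshold` failures inside `window_minutes`.

    The whole computation is one SQL statement (a self-join anchored on each
    failure), so it runs inside the database rather than in the client."""
    return conn.execute("""
        SELECT a.user, a.computer, COUNT(*) AS failures,
               MIN(b.event_time) AS first_failure, MAX(b.event_time) AS last_failure
        FROM events AS a
        JOIN events AS b
          ON b.user = a.user
         AND b.computer = a.computer
         AND b.source = a.source
         AND b.event_type = 'FAILURE'
         AND b.event_time >= a.event_time
         AND b.event_time <  datetime(a.event_time, ?)
        WHERE a.source = 'lsass' AND a.event_type = 'FAILURE'
        GROUP BY a.id
        HAVING failures >= ?
        ORDER BY a.event_time
    """, (f"+{window_minutes} minutes", threshold)).fetchall()


if __name__ == "__main__":
    for row in failed_logon_bursts(build_event_db()):
        print(row)
```

Because every subsystem writes to the same store, the same query shape can be pointed at group policy or domain-join events by changing the `source` filter; with the RPC interface described above it can equally be issued from a remote management host.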

Command-Line Tools

LWIS comes with a set of command-line tools, located in the /opt/likewise/bin directory on Linux, Unix, and Mac OS X platforms. The tools include utilities for finding users and groups in Active Directory, managing Kerberos tickets, troubleshooting connections to domain controllers, obtaining status and metrics, and diagnosing problems.
