How to Extend Active Directory® Identities to Linux

By Vince Lujan Posted August 30, 2017


The IT world is all about having the right tools to get the job done. The trouble is the right tools often change. Managing servers is a great example. A couple of decades ago, Microsoft Windows ruled the data center and server infrastructure. When it came to managing these systems, Microsoft Active Directory® (AD) was the right tool for the job.

Fast forward to today, and Linux is now the dominant server platform. It has been a dramatic change in a relatively short amount of time. Yet, while this and many other things have changed, AD’s Windows-centric approach has remained the same. The question then becomes: how do you extend Active Directory identities to Linux?

AD and Linux: Identifying the Problem


The first step to solving a problem is identifying what’s causing it (e.g. “Why is Linux difficult to manage with AD?”). The simple answer is that AD wasn’t designed for managing Linux systems.

AD was developed at a time when Windows was the dominant platform and everything was on-prem. Admins needed a solution for managing Windows infrastructure, so a tool optimized for Windows-based networks (i.e. Active Directory) made a great deal of sense.

As the IT landscape started to shift to Linux servers, Mac laptops, cloud infrastructure (AWS, GCP), and web applications, legacy on-prem management tools began to struggle. Most of these have been easy to replace, but AD has played such a critical and foundational role in the infrastructure that it has persisted in organizations in spite of its limitations.

AD and Linux: Addressing the Problem


IT admins and DevOps engineers have a few different options when it comes to managing user access on Linux machines in an AD environment.

Option 1 is to manually manage user access. This is great for a small infrastructure. As things grow, this is hard to maintain and manage.

Option 2 is to leverage configuration management tools such as Chef, Puppet, Salt, Ansible, and others. This too works well in relatively small or single-purpose environments. As complexity increases, there is so much code for IT admins and DevOps engineers to write that longer hours or additional staff become necessary.

Option 3 is to set up an LDAP server or manually connect these Linux devices back to an AD instance. This is time consuming and likely starts to open up networking and security issues.

None of these approaches are all that great at solving the problem, but this should really come as no surprise. After all, using AD to manage Linux systems is like trying to use a Phillips screwdriver when what you really need is a flathead. Yet, when AD is the only management tool available, what else can be done but to try and make it fit?

AD and Linux: Solving the Problem


Fortunately, a new option has emerged: leverage a cloud identity bridge. This option takes AD identities and federates them to Linux machines regardless of where they are. There is no infrastructure to add on your end, and you have the flexibility to use what you need.

JumpCloud’s AD Integration works by installing a lightweight agent, called AD Import, on your Active Directory domain controllers and on any systems you wish to manage. Once installed, AD Import synchronizes your existing Active Directory instance and federates AD identities to our cloud directory service. Admins can then bind these federated identities to resources just as they would with AD. The result is that admins can now manage Linux system access, macOS devices, and other non-Windows IT resources.

Additionally, AD Integration’s second half, AD Sync, writes passwords from Linux, macOS, and other non-Windows endpoints back to AD through JumpCloud. This premium feature creates complete bi-directional sync between AD and JumpCloud.

To learn more about how to extend Active Directory identities to Linux, read the datasheet or drop us a note. You can also sign up and see AD Integration in action. Your first ten users are free forever.

Vince Lujan

Vince is a writer and videographer at JumpCloud. Originally from a small village just outside of Albuquerque, he now calls Boulder home. When Vince is not developing content for JumpCloud, he can usually be found doing creek stuff.
