Storage modes | AD Bridge

DRAFT CONTENT: INTERNAL ONLY. DO NOT SHARE.

This page is for review only and content is not verified. Do not share externally; this is proprietary information.

The storage mode provides a method for storing Unix/Linux attributes, including UIDs and GIDs, so that AD Bridge can map SIDs to UIDs and GIDs and vice versa.

This mapping lets AD Bridge identify the user or group and grants access to a Unix/Linux resource that is governed by a UID-GID scheme. When an AD user logs on to a Unix/Linux computer, the AD Bridge agent communicates with the Active Directory domain to obtain the following information:

  • UID
  • Primary GID
  • Secondary GIDs
  • Home directory
  • Login shell

AD Bridge uses this information to control the user's access to Unix and Linux resources by membership.

Active Directory

Three operating modes are supported when using Active Directory:

  • Directory Integrated mode
  • ID Range mode
  • Unprovisioned mode

Note: Directory Integrated mode is the preferred mode.

Directory Integrated mode

Directory Integrated mode is designed to use the Linux/Unix specific attributes already in the Active Directory schema as part of RFC 2307. These were added in 2003 to store Linux/Unix specific information, namely:

  • displayName
  • gidNumber
  • uid
  • uidNumber
  • gecos
  • loginShell
  • UnixHomeDirectory

This mode uses two types of cells to map users’ information:

  • Default Cell: Located at the root of the domain, the Linux/Unix specific data is stored directly in the AD user or group account.
  • Named Cell: Located in an OU, AD Bridge creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values, while still allowing AD searches for specific values.

Note: For more information on cells, see What are AD Bridge Cells?. Directory Integrated mode requires indexing those existing attributes and promoting them to the global catalog. For more information, see Install the Management Console.

ID Range mode

ID Range mode improves conflict avoidance by expanding the number of available UIDs and GIDs in AD Bridge from 524,288 to 2,147,483,647. There are three places in which ID ranges may be configured:

  • Active Directory Users and Computers
  • Group Policy Management Editor
  • The config tool

ID ranges are assigned in the following order of precedence:

  1. Forest root
  2. Group policy
  3. Config tool

The agent hashes objectSids to create user IDs and group IDs. ID Range mode introduces a mechanism for configuring ID ranges per domain. Each domain is assigned a starting base ID and a maximum ID, where an ID refers to both the user IDs and the group IDs used by the AD Bridge agent.

The entire range can be defined for a single domain within a forest or split between domains. ID range overlaps are not allowed. There are no default settings for ID Ranges.

The ID is calculated by adding the object's RID to the ID Base. Careful planning is required when defining the range of each domain to make sure the range of RIDs fits inside the ID range. If the calculated ID falls outside the ID range, the agent considers the object as not defined in the domain. There are two things to consider before using ID Range mode:

  • ID Range mode is mutually exclusive with having cells defined. ID Range mode and either Default Cells or Named Cells may not be defined at the same time.
  • ID Range mode is designed for very large environments in specific use cases. If Directory Integrated mode does not meet your requirements, please contact BeyondTrust Technical Support to discuss whether ID Range mode is feasible for your environment.
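The ID Range arithmetic above (ID = ID Base + RID, out-of-range objects treated as not defined, no overlapping ranges) is easy to get wrong when a forest's range is split between domains. The following is an added example, not AD Bridge's own code: it maps a SID to an ID against a configured range, checks a set of ranges for overlaps, and lays out contiguous ranges from each domain's highest issued RID. The domain names, SIDs and range boundaries are constructed for illustration; the `IdRange` class, `split_sid`, `map_id`, `resolve`, `find_overlaps` and `plan_ranges` are this example's own names.

```python
# Added example (not AD Bridge's own code): the ID Range arithmetic described
# above, with a range-overlap check and a simple planner. The domain names,
# SIDs and range boundaries below are constructed for illustration.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

MAX_ID = 2_147_483_647  # top of the ID space available in ID Range mode


@dataclass(frozen=True)
class IdRange:
    """One domain's configured range: a starting base ID and a maximum ID."""
    domain: str
    id_base: int
    id_max: int

    def __post_init__(self) -> None:
        if not 0 < self.id_base <= self.id_max <= MAX_ID:
            raise ValueError(f"{self.domain}: invalid range {self.id_base}-{self.id_max}")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an SDDL-form SID (S-1-5-21-a-b-c-RID) into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a domain SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def map_id(sid: str, rng: IdRange) -> Optional[int]:
    """ID = ID Base + RID. An ID past the range's maximum is outside the range,
    so the object is treated as not defined in the domain (returned as None)."""
    _, rid = split_sid(sid)
    candidate = rng.id_base + rid
    return candidate if candidate <= rng.id_max else None


def resolve(sid: str, ranges_by_domain_sid: Dict[str, IdRange]) -> Optional[int]:
    """Pick the range by the SID's domain part, then map; unknown domains give None."""
    domain_sid, _ = split_sid(sid)
    rng = ranges_by_domain_sid.get(domain_sid)
    return map_id(sid, rng) if rng is not None else None


def find_overlaps(ranges: List[IdRange]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ranges intersect (overlaps are not allowed)."""
    return [
        (a.domain, b.domain)
        for a, b in combinations(ranges, 2)
        if a.id_base <= b.id_max and b.id_base <= a.id_max
    ]


def plan_ranges(start_base: int, highest_rid: Dict[str, int], headroom: int = 0) -> List[IdRange]:
    """Lay out contiguous, non-overlapping ranges so that every RID a domain has
    issued so far (plus headroom for growth) maps inside that domain's range."""
    planned: List[IdRange] = []
    base = start_base
    for domain, rid in highest_rid.items():
        planned.append(IdRange(domain, base, base + rid + headroom))  # raises if past MAX_ID
        base = planned[-1].id_max + 1
    return planned


# Constructed sample: two domains in one forest, each with its own slice of the ID space.
CORP_SID = "S-1-5-21-1111-2222-3333"
DEV_SID = "S-1-5-21-4444-5555-6666"
RANGES = {
    CORP_SID: IdRange("corp.example", 100_000, 199_999),
    DEV_SID: IdRange("dev.example", 200_000, 299_999),
}

if __name__ == "__main__":
    print(resolve(f"{CORP_SID}-1105", RANGES))    # 101105
    print(resolve(f"{CORP_SID}-150000", RANGES))  # None: 250000 is past corp's maximum
    print(find_overlaps(list(RANGES.values())))   # []
```

`plan_ranges` takes the highest RID each domain has already issued (the RID pool grows over the life of a domain, which is why the headroom parameter exists) and rejects a layout that would run past the maximum ID, which is the planning step the text asks for before enabling the mode.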

Unprovisioned mode

The simplest AD Bridge deployment alternative is Unprovisioned mode. In this mode, no additional user data is stored in Active Directory. Because Unprovisioned mode requires no UNIX data to be stored in AD, it does not require any Windows tools to administer this data.

ID mapping in Unprovisioned mode is performed by mathematically hashing Active Directory SIDs into UNIX identifiers. When hashing SIDs into UIDs and GIDs, AD Bridge can supply uniqueness up to 524,288 AD objects, after which hash collision can start to occur.

The advantage of Unprovisioned mode is that every computer and appliance using AD Bridge hashes AD users and groups to the same UID and GID numbers without requiring any repository of mapping information.

Disadvantages of using Unprovisioned mode:

  • Administrators have no control over the ID mapping process; they cannot designate that specific users and groups be mapped to particular UNIX identifiers.
  • All AD users and groups become visible to devices using AD Bridge (there is no way to indicate that an AD user or group not be mapped and available in UNIX).

Note: Visibility does not necessarily imply authorization or access, because AD Bridge can prevent an AD user from logging on to a machine through its RequireMembershipOf configuration setting.

Schemaless mode (deprecated)

Important: Schemaless mode is deprecated. The content below is for information only.

Schemaless mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the schema. Instead, Schemaless mode uses existing object classes and attributes to store its data.

  • To store information about a cell, AD Bridge creates a container object and stores data in its description attribute.
  • To store information about a group or user, AD Bridge creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.

In Schemaless mode, AD Bridge uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value.
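The name=value convention above is simple, but the values live in a multi-valued attribute, so anything reading them back has to split on the first '=' only, tolerate stray values and reject contradictory duplicates. The following parser and serializer are an added example, not AD Bridge's own code; the attribute names follow the RFC 2307 list given earlier on this page, the sample keywords values are constructed, and `parse_keywords`, `to_keywords` and `missing_user_attrs` are this example's own names.

```python
# Added example (not AD Bridge's own code): a parser and serializer for the
# name=value entries that Schemaless mode kept in the multi-valued keywords
# attribute. The attribute values below are constructed for illustration.
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, int]]

# RFC 2307 names as listed on this page; these two carry numeric IDs.
NUMERIC = {"uidNumber", "gidNumber"}
USER_ATTRS = ("uid", "uidNumber", "gidNumber", "gecos", "loginShell", "unixHomeDirectory")


def parse_keywords(values: List[str]) -> Attrs:
    """Turn ['uid=jdoe', 'uidNumber=10001', ...] into a dict.

    Splits on the first '=' only, so a value may itself contain '='; entries
    without an '=' are not name=value pairs and are skipped; a repeated name
    is rejected because an object should hold one value per attribute, and a
    numeric attribute that is not a non-negative integer is rejected too."""
    attrs: Attrs = {}
    for entry in values:
        name, sep, value = entry.partition("=")
        name = name.strip()
        if not sep or not name:
            continue
        if name in attrs:
            raise ValueError(f"attribute {name!r} appears more than once")
        if name in NUMERIC:
            if not value.isdigit():
                raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
            attrs[name] = int(value)
        else:
            attrs[name] = value
    return attrs


def to_keywords(attrs: Attrs) -> List[str]:
    """Serialize back to the name=value form, sorted so the result is stable."""
    return [f"{name}={attrs[name]}" for name in sorted(attrs)]


def missing_user_attrs(attrs: Attrs) -> List[str]:
    """Report which of the RFC 2307 user attributes an object does not define."""
    return [name for name in USER_ATTRS if name not in attrs]


# Constructed sample: what the keywords attribute of one user's
# serviceConnectionPoint object might have contained.
SAMPLE_KEYWORDS = [
    "uid=jdoe",
    "uidNumber=10001",
    "gidNumber=10001",
    "gecos=Jane Doe",
    "loginShell=/bin/bash",
    "unixHomeDirectory=/home/jdoe",
    "legacy-record",  # a stray value with no '=' is skipped, not an error
]

if __name__ == "__main__":
    parsed = parse_keywords(SAMPLE_KEYWORDS)
    print(parsed)                       # uidNumber and gidNumber come back as ints
    print(missing_user_attrs(parsed))   # []
    print(to_keywords(parsed))          # round-trips to the same name=value entries
```

The duplicate and non-numeric checks are where this differs from a naive `split("=")`: a user object carrying two uidNumber values, or a uidNumber of "10001 " with trailing junk, is exactly the kind of record that should fail loudly rather than silently pick one value.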

Microsoft Entra ID

AD Bridge supports two primary storage modes for managing Linux identity attributes: Unprovisioned and Provisioned.

Unprovisioned mode

Unprovisioned mode is the simplest deployment option for AD Bridge. It does not require any additional user or group data to be stored in Entra ID. Instead, it uses a mathematical hashing algorithm to derive UNIX UIDs and GIDs from the Entra ID object ID of users and groups.

  • No schema extension required.
  • UID/GID mapping is automatic and based on object ID hashing.
  • Collisions can occur with as few as 10,000 unique Entra ID objects.
  • All Entra ID users and groups are visible to Linux systems using AD Bridge.
  • No control over specific UID/GID assignments.

Limitations

  • Administrators cannot assign specific UID/GID values.
  • All Entra ID users and groups are exposed to Linux systems, regardless of relevance.
  • No filtering or selective mapping is available.

Provisioned mode (preferred)

Provisioned mode is the recommended and preferred method for integrating AD Bridge with Entra ID. It enables explicit management of Linux identity attributes by extending the Entra ID schema and using a dedicated application registration.

Requirements

  • Entra ID App Registration named BeyondTrust – Identity Bridge.
  • Schema extension to user and group objects in Entra ID.
  • Adds the following Linux identity attributes:
    • uid
    • gid
    • homeDirectory
    • loginShell
    • alias
    • comment

These attributes are used by Linux systems to retrieve identity information directly from Entra ID, ensuring consistent and manageable identity mapping.

The permissions granted to the app registration allow it to read and write the identity data necessary for Linux integration.

Benefits

  • Full control over UID/GID assignments.
  • Selective visibility and mapping of users and groups.
  • Centralized identity management across Windows and Linux systems.
  • Improved scalability and security.

Note: As of BeyondTrust AD Bridge version 25.1.0, Linux endpoints are configured by default for Provisioned mode and will look for the schema extensions in the registered BeyondTrust – Identity Bridge app.

Summary comparison

| Feature                    | Unprovisioned mode                                       | Provisioned mode (preferred)                                       |
|----------------------------|----------------------------------------------------------|--------------------------------------------------------------------|
| UID/GID limitation         | Collisions after 10k                                     | 2,147,482,645                                                      |
| Identity management        | No                                                       | Yes                                                                |
| Schema extension           | Not required                                             | Required                                                           |
| App registrations required | BeyondTrust – Linux Endpoint                             | BeyondTrust – Linux Endpoint, BeyondTrust – Identity Bridge        |
| Permissions needed         | Application.Read.All, Group.Read.All, User.ReadWrite.All | Application.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All |
| Default                    | 23.1.0 to 24.2.3                                         | 25.1.0+                                                            |

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.