Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide
Configuring Systems to Prevent Eavesdropping

This appendix does not include the procedure for configuring systems so that all communication between them is always conducted securely, which is what prevents eavesdropping.

Some of the required configuration changes are addressed when you configure Identity Synchronization for Windows. For example, on Windows 2000 or later, Windows password policies require that all password changes be made using secured methods. Consequently, simply configuring the system partially addresses the security requirement.

However, it is still possible for eavesdroppers to see the bind attempts when Identity Synchronization for Windows components replay bind credentials. To address this issue, you must configure Identity Synchronization for Windows to communicate securely with its Windows data source by configuring the Identity Synchronization for Windows Connectors to trust the certificates offered by the Windows Active Directory system.

In addition, you must ensure that all clients authenticating to the LDAP store do so over TLS. PAM clients must be configured to trust the LDAP store, and idsconfig must specify TLS:pam_ldap:simple as the only authentication method for the LDAP store.
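The following audit script is an added example, not part of this guide: it reads an LDAP client profile and reports any configured authentication method that does not wrap the bind in TLS, which is the condition that would expose replayed bind credentials. It assumes the key/value form printed by the Solaris ldapclient list command (for example NS_LDAP_AUTH= tls:simple); the sample profile, server name and base DN below are constructed.

```shell
# Constructed sample profile (not captured from a real host): two of the
# four methods lack TLS and would send bind credentials in the clear.
SAMPLE_PROFILE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple'

# Read a profile on stdin and print each authentication method (global or
# per-service) that has no "tls:" component. Assumed key names as printed
# by ldapclient list; adjust them if your profile source differs.
weak_auth_methods() {
    awk '
        $1 == "NS_LDAP_AUTH=" || $1 == "NS_LDAP_SERVICE_AUTH_METHOD=" {
            # Methods look like "tls:simple" or "pam_ldap:tls:simple".
            if (index(tolower($2), "tls:") == 0) print $2
        }'
}

# Exit 0 only if every authentication method in the profile on stdin uses TLS.
profile_is_tls_only() {
    [ -z "$(weak_auth_methods)" ]
}

# Count the non-TLS methods in a profile passed as a string.
count_weak_methods() {
    printf '%s\n' "$1" | weak_auth_methods | grep -c .
}

# Stand-alone run over the constructed sample: lists the two weak methods.
if ! printf '%s\n' "$SAMPLE_PROFILE" | profile_is_tls_only; then
    echo "authentication methods without TLS:" >&2
    printf '%s\n' "$SAMPLE_PROFILE" | weak_auth_methods >&2
fi
```

On a real client, pipe the output of ldapclient list into profile_is_tls_only instead of the constructed sample.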

Root accounts on PAM client hosts cannot use the passwd command arbitrarily to change a user's password. Whether you consider this restriction a limitation depends on whether you trust the PAM client administrators.