If your enterprise environment contains both Solaris and Windows hosts, you can simplify the administration of the user community if you use Identity Synchronization for Windows to manage the two environments as a single set of users.
Combining PAM and Identity Synchronization for Windows can accomplish the following goals:
Enable an LDAP store to provide synchronization capabilities between Solaris and Windows
For example, enable user information (including passwords) created or modified on one system (Solaris or Windows) to replicate to its counterpart so either system can act on the information.
Use PAM to authenticate Solaris users and to manage their passwords against an LDAP store
Enable users to change their own passwords (if doing so does not contradict security policy)
Configure your environment to ensure that passwords are never sent over a medium that permits eavesdropping
The Solaris implementation of PAM has long offered the ability to use an LDAP store. However, it is the PAM modules included with Solaris 9 that make it possible to use a product such as Identity Synchronization for Windows.
You can patch Solaris 8 to support this functionality using patch 108993 for SPARC® or patch 108994 for Solaris x86.
PAM comes by default with Solaris 9 and later.
While some Solaris PAM modules are LDAP-aware, others do not use LDAP in a way that triggers the interception actions of Identity Synchronization for Windows.
For example, when you configure the PAM_UNIX module to use LDAP (through a directive in the /etc/nsswitch.conf file), the module never binds to the LDAP store as the user being authenticated. Instead, PAM_UNIX reads the user's LDAP entry, compares the password stored in that entry with the password the user supplied, and makes its authentication decision locally.
Because PAM_UNIX authentication happens outside the purview of the LDAP store, none of the hooks that Identity Synchronization for Windows puts in place are exercised. Consequently, passwords fail to replicate from the LDAP store to Windows.
Specifically, to initiate synchronization, Identity Synchronization for Windows requires every authenticating system to bind to the LDAP store, and the bind must present the user's password in the clear (a simple bind), which rules out the SASL and Digest mechanisms. Using Transport Layer Security (TLS) for the connection between PAM and the LDAP store makes simple binds acceptable from a security standpoint.
PAM_UNIX authentication should suffice in environments where passwords never change or where password changes always flow from the LDAP store to Windows. You must not use the PAM_UNIX module, however, in environments where passwords change on Windows.
In contrast, the PAM_LDAP module binds to the LDAP store using a preformed, "user-centric" DN and the password the user provides. This bind is precisely what allows Identity Synchronization for Windows to keep the entry synchronized. Consequently, you use the PAM_LDAP module alongside your existing PAM modules when deploying Identity Synchronization for Windows.
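As an added illustration of the PAM_UNIX versus PAM_LDAP distinction, the following Python script (not part of this document, of Solaris, or of Identity Synchronization for Windows) audits a Solaris pam.conf together with nsswitch.conf: where the passwd source includes ldap and a service's auth stack never reaches pam_ldap.so.1, or returns success from pam_unix before the bind, the service is flagged as one whose passwords will not synchronize from Windows. The pam.conf and nsswitch.conf fragments are constructed samples in the Solaris 9 style; the binding control flag with the server_policy option on pam_unix_auth.so.1 follows the Solaris 9 pam_ldap(5) arrangement and is an assumption beyond what this page states. The check covers the bind path only; it does not verify that the LDAP client connection uses TLS.

```python
"""Audit a Solaris pam.conf / nsswitch.conf pair for auth stacks that check an
LDAP user's password locally (PAM_UNIX) instead of binding to the directory
(PAM_LDAP).  Added example; the configuration samples below are constructed."""

from dataclasses import dataclass, field

UNIX_AUTH_MODULES = {"pam_unix.so.1", "pam_unix_auth.so.1"}  # Solaris 8 and Solaris 9 names
LDAP_MODULE = "pam_ldap.so.1"
SHORT_CIRCUIT = {"sufficient", "binding"}  # success here ends the stack immediately

# Constructed sample: passwd entries come from LDAP, but no service ever binds.
WEAK_PAM_CONF = """\
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_auth.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_auth.so.1
"""

# Constructed sample: pam_unix_auth steps aside for LDAP users (server_policy, assumed
# Solaris 9 pam_ldap(5) arrangement) and pam_ldap performs the bind the sync hooks need.
FIXED_PAM_CONF = """\
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth binding    pam_unix_auth.so.1 server_policy
login   auth required   pam_ldap.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth binding    pam_unix_auth.so.1 server_policy
other   auth required   pam_ldap.so.1
"""

NSSWITCH_CONF = "passwd: files ldap\ngroup:  files ldap\n"  # constructed


@dataclass
class PamEntry:
    service: str
    module_type: str
    control: str
    module: str
    options: list = field(default_factory=list)

    def basename(self):
        # Strip /usr/lib/security/ and the $ISA token that Solaris 8 configs carry.
        return self.module.rsplit("/", 1)[-1]


def parse_pam_conf(text):
    """Parse pam.conf lines of the form: service type control module [options...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, module_type, control, module, *options = fields
        entries.append(PamEntry(service, module_type, control.lower(), module, options))
    return entries


def passwd_sources(nsswitch_text):
    """Return the ordered sources on the passwd: line, ignoring [STATUS=action] tokens."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []


def audit(pam_text, nsswitch_text):
    """Map each service whose auth stack can succeed without an LDAP bind to a finding."""
    findings = {}
    if "ldap" not in passwd_sources(nsswitch_text):
        return findings  # passwd is not served by LDAP, so PAM_UNIX reads no LDAP entries
    entries = [e for e in parse_pam_conf(pam_text) if e.module_type == "auth"]
    for service in sorted({e.service for e in entries}):
        stack = [e for e in entries if e.service == service]
        ldap_index = next((i for i, e in enumerate(stack) if e.basename() == LDAP_MODULE), None)
        unix_entries = [(i, e) for i, e in enumerate(stack) if e.basename() in UNIX_AUTH_MODULES]
        if ldap_index is None and unix_entries:
            findings[service] = ("PAM_UNIX compares the LDAP password locally and never binds; "
                                 "passwords changed on Windows will not synchronize")
            continue
        for i, e in unix_entries:
            # A sufficient/binding PAM_UNIX ahead of pam_ldap returns success before the
            # bind happens, unless server_policy makes it defer LDAP users to the server.
            if ldap_index is not None and i < ldap_index and e.control in SHORT_CIRCUIT \
                    and "server_policy" not in e.options:
                findings[service] = (f"{e.basename()} is '{e.control}' before pam_ldap "
                                     "without server_policy, so a local match skips the bind")
                break
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PAM_CONF), ("fixed", FIXED_PAM_CONF)):
        print(label, audit(conf, NSSWITCH_CONF) or "no findings")
```

The audit reads only the auth stacks; the passwd stacks used for password changes would need the same treatment, and a clean result still says nothing about whether the simple bind travels over TLS.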
The following section explains how to configure PAM and Identity Synchronization for Windows.