If your enterprise contains both Solaris and Windows systems, you can simplify the administration of the user community if you use Identity Synchronization for Windows to manage the two sets of users as a single set.
Combining PAM and Identity Synchronization for Windows can accomplish the following goals:
Enable an LDAP store to provide synchronization capabilities between Solaris and Windows
For example, you can enable user information (including passwords) created or modified on one system (Solaris or Windows) to replicate to its counterpart so either system can act on the information.
Authenticate to the Solaris OS and manage passwords against an LDAP store
Enable users to change their own passwords, if doing so does not contradict security policy
Configure your systems to ensure that passwords are never sent over a medium that permits eavesdropping
The Solaris OS implementation of PAM has long offered the ability to use an LDAP store. Starting with the Solaris 9 OS, the LDAP-aware PAM modules are included by default, which makes it possible to use a product such as Identity Synchronization for Windows.
You can update the Solaris 8 OS to support this functionality by applying Patch Number 108993 on SPARC® based systems or Patch Number 108994 on x86 based systems.
While some Solaris software PAM modules are LDAP-aware, other modules use LDAP in a way that never triggers the Identity Synchronization for Windows interception hooks.
For example, when you configure the PAM_UNIX module to use LDAP (by listing ldap as a source in the /etc/nsswitch.conf file), the module never binds to the LDAP store as the user being authenticated. Instead, the PAM_UNIX module reads the user's LDAP entry, compares the password value stored in that entry with the password the user supplied, and makes the authentication decision itself.
Because the PAM_UNIX module makes this decision outside the purview of the LDAP store, none of the hooks that Identity Synchronization for Windows puts in place on the store are invoked. Consequently, passwords fail to replicate between the LDAP store and Windows for users authenticated this way.
To initiate the synchronization process discussed in this appendix, Identity Synchronization for Windows requires that every system authenticating users against the LDAP store do so by binding to the store as that user. Furthermore, the bind must present the user's password to the store in cleartext, as a simple bind does; this rules out the Simple Authentication and Security Layer (SASL) and digest-style mechanisms, which prove possession of the password without ever sending it. A cleartext password on the wire is acceptable only if the connection between PAM and the LDAP store is protected with Transport Layer Security (TLS); with TLS in place, simple binds still meet the goal stated earlier of never sending passwords over a medium that permits eavesdropping.
The PAM_UNIX module's authentication methods suffice in environments where passwords never change or where password changes always flow from the LDAP store to Windows. However, you must not rely on the PAM_UNIX module in environments where passwords change on Windows.
In contrast to the PAM_UNIX module, the PAM_LDAP module authenticates by binding to the LDAP store with a distinguished name (DN) formed for the user and the password the user provided. Because the store itself sees this bind, Identity Synchronization for Windows can keep the entry synchronized. Thus, you use the PAM_LDAP module in conjunction with Identity Synchronization for Windows and your existing PAM modules.
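As an added example (this script and its sample files are not from the guide or from Identity Synchronization for Windows itself), the shell script below audits a pam.conf for the PAM_UNIX-versus-PAM_LDAP problem described above. It runs over three constructed pam.conf fragments: PAM_UNIX alone, PAM_UNIX marked sufficient ahead of PAM_LDAP so that it answers first and PAM_LDAP never binds, and PAM_UNIX confined to local accounts with the server_policy option followed by PAM_LDAP. The pam.conf field layout, the binding control flag and the server_policy option are assumed to be as documented in the Solaris 9 pam.conf(4) and pam_unix_auth(5) manual pages; verify them against your own release before relying on the script.

```shell
#!/bin/sh
# Added example, not part of the Identity Synchronization for Windows guide.
# Audits a Solaris-style pam.conf: for each service whose "auth" stack uses
# pam_unix_auth (or the older pam_unix), which reads the user's LDAP entry
# and compares the password locally, check that the stack also reaches
# pam_ldap.so.1 and that pam_unix cannot short-circuit it. Only a pam_ldap
# bind presents the password to the directory, where the Identity
# Synchronization for Windows hooks can act on it.
# Assumed field layout: service type control module [options], per pam.conf(4).
# The "binding" flag and the server_policy option of pam_unix_auth are taken
# from the Solaris 9 manual pages; check your release. All sample files below
# are constructed for this example.

# pam_auth_audit <pam.conf>
# Prints "<service>: <verdict>" per service; returns 0 if every auth stack
# that uses pam_unix also binds through pam_ldap, 1 otherwise.
pam_auth_audit() {
    conf=$1
    rc=0
    for svc in $(awk '$1 !~ /^#/ && $2 == "auth" { print $1 }' "$conf" | sort -u); do
        verdict=$(awk -v s="$svc" '
            $1 !~ /^#/ && $1 == s && $2 == "auth" {
                if ($4 ~ /pam_unix_auth\.so|pam_unix\.so/) {
                    seen_unix = 1
                    # "sufficient" lets pam_unix succeed for an LDAP user and
                    # end the stack before pam_ldap ever binds
                    if ($3 == "sufficient" && !seen_ldap) shortcut = 1
                }
                if ($4 ~ /pam_ldap\.so/) seen_ldap = 1
            }
            END {
                if (!seen_unix)      print "ok: no local password compare"
                else if (!seen_ldap) print "FAIL: pam_unix only, no bind to the LDAP store"
                else if (shortcut)   print "FAIL: sufficient pam_unix runs before pam_ldap"
                else                 print "ok: pam_ldap binds as the user"
            }' "$conf")
        echo "$svc: $verdict"
        case $verdict in FAIL*) rc=1 ;; esac
    done
    return $rc
}

SAMPLES=$(mktemp -d)

# Constructed sample 1: PAM_UNIX only. Logins work, but no bind reaches the store.
SAMPLE_UNIX=$SAMPLES/pam.conf.unix
cat > "$SAMPLE_UNIX" <<'EOF'
# service type  control   module
login     auth  requisite pam_authtok_get.so.1
login     auth  required  pam_dhkeys.so.1
login     auth  required  pam_unix_auth.so.1
login     auth  required  pam_dial_auth.so.1
EOF

# Constructed sample 2: pam_ldap added, but "sufficient" pam_unix_auth still
# answers first for any user it can look up, so LDAP users never bind.
SAMPLE_SHORTCUT=$SAMPLES/pam.conf.shortcut
cat > "$SAMPLE_SHORTCUT" <<'EOF'
login     auth  requisite  pam_authtok_get.so.1
login     auth  required   pam_dhkeys.so.1
login     auth  sufficient pam_unix_auth.so.1
login     auth  required   pam_ldap.so.1
EOF

# Constructed sample 3: pam_unix_auth confined to local (files) accounts by
# server_policy, then pam_ldap performs the simple bind as the user. Pair this
# with TLS on the client-to-directory connection.
SAMPLE_LDAP=$SAMPLES/pam.conf.ldap
cat > "$SAMPLE_LDAP" <<'EOF'
login     auth  requisite pam_authtok_get.so.1
login     auth  required  pam_dhkeys.so.1
login     auth  binding   pam_unix_auth.so.1 server_policy
login     auth  required  pam_ldap.so.1
EOF

for f in "$SAMPLE_UNIX" "$SAMPLE_SHORTCUT" "$SAMPLE_LDAP"; do
    echo "== $f"
    if pam_auth_audit "$f"; then
        echo "   synchronization possible"
    else
        echo "   synchronization will not happen"
    fi
done
```

Run it against your own /etc/pam.conf with `pam_auth_audit /etc/pam.conf`; any service reported as FAIL authenticates LDAP users without ever presenting their password to the store, which is exactly the case the text above warns about. The script only inspects the auth stack; it does not check that TLS is enabled on the LDAP client, which you must still confirm separately.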
The following section explains how to configure PAM and Identity Synchronization for Windows.