Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide |
This appendix does not include the procedure for configuring systems so that communication between systems is always conducted securely to prevent eavesdropping.
Some of the required configuration changes are addressed when you configure Identity Synchronization for Windows. For example, on Windows 2000 or later, the Windows password policies require that all password changes be made using secured methods. Consequently, simply configuring the system partially addresses the security requirement.
However, it is still possible for eavesdroppers to see the bind attempts when Identity Synchronization for Windows components replay bind credentials. To address this issue, you must configure Identity Synchronization for Windows to communicate securely with its Windows data source by configuring the Identity Synchronization for Windows Connectors to trust certificates offered by the Windows’ Active Directory system.
In addition, you must ensure that all clients authenticating to the LDAP store do so over TLS. For PAM clients, you must configure them to trust the LDAP store and ensure that idsconfig specifies TLS:pam_ldap:simple as the only authentication method for the LDAP store.
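The following is an added example and not part of the Oracle guide: a small POSIX shell audit that reads a Solaris LDAP client profile in the `key= value` format printed by `ldapclient list` and flags every authentication method that is not TLS-protected, so you can confirm that the PAM client really uses only a `tls:` method. The key names `NS_LDAP_AUTH` and `NS_LDAP_SERVICE_AUTH_METHOD` are the ones Solaris prints; the two sample profiles embedded below are constructed for this example, and on a real host you would pass it the output of `ldapclient list` instead.

```shell
#!/bin/sh
# Added example: audit a Solaris ldapclient profile for non-TLS
# authentication methods. The profiles below are constructed samples in
# the "key= value" format printed by `ldapclient list`; on a real client
# feed it `ldapclient list` output instead.

SAMPLE_INSECURE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple'

SAMPLE_SECURE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple'

# check_tls_only PROFILE_TEXT
# Prints every authentication method that does not start with "tls:",
# one per line as KEY=method, and returns 1 if any was found.
# Returns 0 (and prints nothing) when every method is TLS-protected.
check_tls_only() {
    bad=$(printf '%s\n' "$1" | awk -F'= ' '
        $1 == "NS_LDAP_AUTH" || $1 == "NS_LDAP_SERVICE_AUTH_METHOD" {
            key = $1; val = $2
            # NS_LDAP_SERVICE_AUTH_METHOD is "service:method[;method...]";
            # drop the leading service name (e.g. pam_ldap) to keep methods only.
            if (key == "NS_LDAP_SERVICE_AUTH_METHOD") sub(/^[^:]*:/, "", val)
            # Both keys may list several methods separated by ";".
            n = split(val, m, ";")
            for (i = 1; i <= n; i++)
                if (m[i] !~ /^tls:/) print key "=" m[i]
        }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# report LABEL PROFILE_TEXT: human-readable verdict for one profile.
report() {
    if check_tls_only "$2"; then
        echo "$1: OK, all LDAP authentication methods are TLS-protected"
    else
        echo "$1: FAIL, non-TLS authentication method(s) listed above"
    fi
}

report "insecure sample" "$SAMPLE_INSECURE"
report "secure sample" "$SAMPLE_SECURE"
```

The check deliberately rejects any method other than `tls:...`, including SASL methods without TLS, because the guide requires TLS as the only authentication method for the LDAP store; a profile that lists a TLS method alongside a cleartext fallback is still reported, since a client can fall back to the weaker method.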
The root account cannot use the passwd command arbitrarily to change a user’s password on PAM client hosts. Whether you consider this restriction a limitation depends on whether you trust the PAM client administrators.