Hi John/Andrew,
Just a quick response, but this is probably not really OpenSolaris
specific-- if you're looking for details on this I think you want to
look at the software forums on Sun.com.
John Martinez wrote:
> On Jan 19, 2006, at 2:23 PM, Andrew Watkins wrote:
>> I have just read the "UNIX Interoperability in Windows Server 2003
>> R2" and after looking at the online demo it looks like we can now
>> import all our NIS stuff into AD.
> This is the bundled Service for UNIX product.
>> It seems that Active Directory can act as a NIS server and can give
>> us a single password for all our Solaris / Windows environment sites.
>> I am not sure what needs to be installed on the Solaris side.
> If it is truly a NIS server, then nothing on the Solaris side,
> apparently.
>> Question 1) Microsoft & Sun have been talking for about a year and
>> MS have come up with a simple (a few button pushes) solution which
>> may work, but Sun have still not got anything worth talking about
>> and the "System Identity Synchronization for Windows" works if the
>> wind is in the right direction....
> I agree. This is a wide open field which Sun has completely ignored,
> IMO.
I have to completely disagree. Sun has done a substantial amount of
work with Microsoft on both SSO (which is different than what you
describe-- you're referring to same username/password) and work on
integrating standard directory schemas with Microsoft Active Directory.
All of this work is in the Identity Management Suite-- specifically in
the Access Manager and in Directory Server Enterprise Edition.
The former can handle Kerberos and SPNEGO SSO between AD and Sun's
standards-based SSO product. The latter can automatically synchronize
password and other attributes between Sun Directory and Microsoft AD.
More below...
>> Question 2) I don't see any choice for Solaris Administrators in a
>> mixed environment to ditch their NIS/LDAP unix servers and let AD do
>> all the work. Any Tom, Dick and Harry can now set up a windows box to
>> take control of Solaris information systems....
> I would tend to agree with you if it is only providing NIS. LDAP and
> Kerberos are much more interesting these days. This and other reasons
> make me wonder in amazement why Sun hasn't taken the lead role in
> going beyond NIS and making a better AD server than Microsoft.
Any time you chase a closed, proprietary implementation you will always
be behind. As soon as you implement what is there now, it'll change--
and not through a standards process that generates a specification.
This is, in part, why WABI and OS/2 ultimately failed.
Why do I call it closed and proprietary?
While Microsoft AD meets the LDAP protocol, it completely throws out any
of the IETF RFC standard schema, and it's not even necessarily easy to
get there (though they've made it easier). It's further questionable
whether or not you'll be able to get support from Microsoft if you do
work it all out. That assumes you can touch your AD, which many unix
admins can't. An example of why the schema is important: obviously a
unix uid is foreign to MS AD, but it's sure needed if you're to log in on
Solaris or any other unix. :)
Why is this more than just a schema issue?
Any naming service does far more than just authentication. If that's
all you need (pam auth) then you can configure the Solaris (and I
believe OpenSolaris) PAM Kerberos module to work with MS AD.
The reality, though, is that far more is needed. Hosts, printers,
groups, etc.; a PAM module doesn't do that. That's what nsswitch is all
about. That's what you need in your directory. MS AD doesn't do it out
of the box. Sun directory does.
The other problem is that in many large organizations, the people that
run the AD won't _let you_ modify their schema. And they may not even
let you have any rights whatsoever in it. Much less work with you to
let your unix boxes use it.
So, in Directory Server Enterprise Edition, you can synchronize all of
the needed attributes and the password without even needing special
rights in AD. Then all of your unix systems (not just Solaris) can use
regular IETF RFC attributes for unix nameservices. All of your users
can have common usernames and passwords between the two environments.
I've helped customers implement this, so I know it can be done. I keep
meaning to put together a blog on it-- I'll do that one of these days. :)
The other good news here is with the Solaris Enterprise System all of
the software is free. It may not be Open Source yet, but parts of it
are (see the OpenSSO project).
Hope that clarifies,
- Matt
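Matt's split between authentication (PAM) and name-service lookups (nsswitch), spelled out in Solaris 10 configuration as an added illustration that is not part of the original thread. The realm EXAMPLE.COM, the host names, and the RFC 2307 attributes named in the comments are assumptions, not details taken from the thread.

```conf
# /etc/krb5/krb5.conf -- point Solaris Kerberos at the AD domain controllers
# (realm and host names are constructed placeholders)
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = dc1.example.com
                admin_server = dc1.example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM

# /etc/pam.conf -- authentication only: try the AD KDC first, then fall
# back to the local password. This is the "pam auth" case and nothing more.
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth sufficient pam_krb5.so.1
login   auth required   pam_unix_auth.so.1

# /etc/nsswitch.conf -- where uid, gid, home directory, shell, groups and
# hosts are looked up. These lookups need RFC 2307 attributes in the
# directory (posixAccount: uidNumber, gidNumber, homeDirectory, loginShell;
# posixGroup: memberUid), which is the schema gap discussed above.
passwd:     files ldap
group:      files ldap
hosts:      files dns
```

With only the first two files in place, a Kerberos password is accepted, but the login still fails because the name service returns no uid for the account; the third file, backed by a directory that actually carries the POSIX attributes, is what closes that gap.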
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org