Using Password Synchronization


One of the more laborious tasks of a network administrator or, in larger environments, the help desk, is assigning and changing passwords. This becomes especially challenging when multiple disparate platforms are involved.

To automate password synchronization, the platforms involved must be able to communicate events such as password changes, resets, expirations, and lockouts to one another. This is usually best accomplished with scripting or a dedicated synchronization agent on each platform.

Synchronizing Passwords in Unix and NIS

You can use password synchronization to spare users from having to remember more than one username and password across Windows and Unix systems. One way to accomplish this is to propagate a password change made on one system to the other. Synchronization can be one-way or two-way, depending on how the systems are configured.

Microsoft SFU 3.0 password synchronization runs as an extension of the Local Security Authority (LSA) service on Windows Server 2003. On the Unix platform, the single sign-on daemon (ssod) and a pluggable authentication module (PAM) perform the synchronization processing. The password information is encrypted when transported over the network, using a shared key that must be configured identically on the Windows and Unix sides.

Microsoft SFU 3.0 supports password synchronization between the Windows Server and the following flavors of Unix running NIS:

  • Sun Microsystems Inc. Solaris version 7

  • Hewlett-Packard HP-UX version 11

  • IBM Corp. AIX version 4.3.3

  • Red Hat Inc. Linux version 6.2 and later

To perform a test password synchronization, you must first ensure that the SFU Password Synchronization component is installed (it is not part of the default installation).

Prior to testing, you should configure DNS and verify name resolution and connectivity between the two systems. TCP port 6677 must be open between the two hosts on any firewall in the path. The following steps can be taken to confirm that password synchronization is configured correctly:

  1. Create a couple of test users on the Windows server with the following settings:

    1. Username "bsmith", password "bgrvfe"

    2. Username "rjones", password "mjunhy"

  2. Open up the Services for Unix Administration mmc console and select Password Synchronization.

  3. In the right pane, configure the Password Synchronization Default settings as shown in Figure 16.8.

    Figure 16.8. Password Synchronization default settings page.

    graphics/16fig08.jpg

  4. Click on the Advanced tab and configure the Password Synchronization Advanced settings (inserting the name of the desired Unix server) as shown in Figure 16.9.

    Figure 16.9. Password Synchronization Advanced settings page.

    graphics/16fig09.gif

  5. Click on the Configure button at the bottom of the Password Synchronization Advanced page and configure the settings as shown in Figure 16.10 and click Apply.

    Figure 16.10. Configure Advanced Password Synchronization.

    graphics/16fig10.jpg

On the Unix system (Red Hat Linux 7.3 in this test), you need to perform the following steps:

  1. Log in as root.

  2. In a console run the following commands:

    1. useradd bsmith

    2. useradd rjones

    3. passwd bsmith (set bgrvfe as the password, matching the Windows account)

    4. passwd rjones (set mjunhy as the password, matching the Windows account)

  3. Copy the following files from the Microsoft SFU CD (located in the \unix\bin folder) to the Unix system: pam_sso.l52, sso.cfg, and ssod.l52.

  4. In a console, change to the directory to which the files in the previous step were copied and run the following commands:

    1. cp ssod.l52 /usr/bin/ssod

    2. chmod +x /usr/bin/ssod

    3. cp sso.cfg /etc/sso.conf

  5. Edit /etc/sso.conf to specify the following (the file holds the shared encryption key in clear text, so make it readable by root only):

    1. ENCRYPT_KEY=ABCDZ#efgh$12345 (the same value entered on the Default page of SFU Password Synchronization on the Windows computer)

    2. PORT_NUMBER=6677

    3. SYNC_HOSTS=(windows-dc, 6677, ABCDZ#efgh$12345) (replace windows-dc with the name of the Windows host performing password synchronization; the port and key here must match the two settings above)

    4. USE_NIS=0

    5. USE_SHADOW=1 (if the system stores password hashes in /etc/shadow, as Red Hat does by default)

  6. Copy pam_sso.l52 to the /lib/security directory with the file name of pam_sso.so.1.

  7. Edit the /etc/pam.d/system-auth file so that the password stack contains the following:

    1. password required /lib/security/pam_cracklib.so retry=3

    2. password required /lib/security/pam_sso.so.1 (directly after the pam_cracklib line, so that only passwords that pass the quality check are sent to Windows)

    3. Delete the line containing: password required /lib/security/pam_deny.so

  8. Copy the /etc/pam.d/passwd file to /etc/pam.d/ssod (a file, not a directory; this is the PAM service configuration the daemon uses).

  9. Run /usr/bin/ssod to start the daemon.

The users will now be able to change their passwords on either the Unix or the Windows server and log on to either platform with the same username and password. To verify, change one test user's password on one side and log on with the new password on the other; if the logon fails, check that the key, port, and host name in /etc/sso.conf match the Windows settings and that the daemon is running.
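The Unix-side steps above, as an added example that is not code from the book or from SFU: a script that stages /etc/sso.conf and the password stack for /etc/pam.d/system-auth into a directory of your choosing and checks them before anything is copied into /etc. The host name windows-dc, the key and port 6677 are the book's values; the staging directory, the function names, and the pam_unix line kept in the staged stack (the Red Hat default) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the book or SFU): stage and verify the ssod
# configuration described in the steps above.  Assumed: the staging
# directory STAGE, the function names, and the pam_unix line below.

# Write sso.conf for one Windows sync host.  The file holds the shared
# secret in clear text, so it is created owner-only (0600) from the start.
write_sso_conf() {   # $1=dest file  $2=key  $3=port  $4=Windows host
    ( umask 077; cat > "$1" <<EOF
ENCRYPT_KEY=$2
PORT_NUMBER=$3
SYNC_HOSTS=($4, $3, $2)
USE_NIS=0
USE_SHADOW=1
EOF
    )
}

# Stage the password stack: pam_cracklib first, then pam_sso, then the local
# pam_unix update (assumed to be the existing Red Hat line).  pam_sso must
# precede a "sufficient" module: a sufficient module that succeeds ends the
# stack, so pam_sso placed after pam_unix would never push the change.
write_pam_password_stack() {   # $1=dest file
    cat > "$1" <<'EOF'
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_sso.so.1
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
EOF
}

# Sanity-check an sso.conf: key present, port numeric and in range, the same
# port and key repeated inside SYNC_HOSTS, and no group/world read access.
# Prints the first problem found and returns 1.
check_sso_conf() {   # $1=file
    f=$1
    key=$(sed -n 's/^ENCRYPT_KEY=//p' "$f")
    port=$(sed -n 's/^PORT_NUMBER=//p' "$f")
    hosts=$(sed -n 's/^SYNC_HOSTS=//p' "$f")
    [ -n "$key" ] || { echo "$f: no ENCRYPT_KEY"; return 1; }
    case $port in ''|*[!0-9]*) echo "$f: bad PORT_NUMBER '$port'"; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "$f: port out of range"; return 1; }
    case $hosts in
        *", $port, $key)") ;;
        *) echo "$f: SYNC_HOSTS does not repeat port and key: $hosts"; return 1;;
    esac
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $perms in
        600|400) ;;
        *) echo "$f: mode $perms exposes ENCRYPT_KEY; make it 600"; return 1;;
    esac
    return 0
}

# Verify the password stack: pam_deny gone, pam_cracklib before pam_sso,
# and pam_sso before any "sufficient" module.
check_pam_password_stack() {   # $1=pam file
    stack=$(grep '^password' "$1")
    printf '%s\n' "$stack" | grep -q 'pam_deny\.so' && { echo "$1: pam_deny still in password stack"; return 1; }
    crack=$(printf '%s\n' "$stack" | grep -n 'pam_cracklib\.so' | cut -d: -f1 | head -n 1)
    sso=$(printf '%s\n' "$stack" | grep -n 'pam_sso\.so' | cut -d: -f1 | head -n 1)
    suff=$(printf '%s\n' "$stack" | grep -n '^password[[:space:]]*sufficient' | cut -d: -f1 | head -n 1)
    [ -n "$crack" ] && [ -n "$sso" ] || { echo "$1: missing pam_cracklib or pam_sso line"; return 1; }
    [ "$crack" -lt "$sso" ] || { echo "$1: pam_sso must follow pam_cracklib"; return 1; }
    [ -z "$suff" ] || [ "$sso" -lt "$suff" ] || { echo "$1: pam_sso sits after a sufficient module and would never run"; return 1; }
    return 0
}

# Stage both files under $1 and check them; non-zero if anything is off.
stage_ssod() {   # $1=staging dir  $2=key  $3=port  $4=Windows host
    mkdir -p "$1/etc/pam.d" || return 1
    write_sso_conf "$1/etc/sso.conf" "$2" "$3" "$4"
    write_pam_password_stack "$1/etc/pam.d/system-auth"
    check_sso_conf "$1/etc/sso.conf" && check_pam_password_stack "$1/etc/pam.d/system-auth"
}

# Stand-alone run with the book's values into a temporary staging directory.
STAGE=${STAGE:-$(mktemp -d)}
stage_ssod "$STAGE" 'ABCDZ#efgh$12345' 6677 windows-dc && echo "staged OK under $STAGE"
```

Once the checks pass, copy the staged sso.conf to /etc (owned by root, mode 600) and merge the staged password lines into the real /etc/pam.d/system-auth rather than overwriting it, since that file also carries the auth, account, and session stacks.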

Synchronizing Passwords in LDAP

Password management involves a considerable set of complexities. Each platform uses its own methods for encrypted storage and transmission of passwords, so synchronization usually involves installing management agents on each host to ensure that a common set of technologies is employed. Several LDAP gateway and synchronization products are commercially available. Cost and complexity are often key factors to consider before deploying such a system.

Microsoft Identity Integration Server (MIIS) 2003 (formerly known as Microsoft Metadirectory Services) provides password management for the following platforms:

  • Novell eDirectory 8.6.2 and 8.7

  • Sun and Netscape Directory Servers (formerly iPlanet Directory Server)

  • Lotus Notes Releases 4.6 and 5.0

  • Active Directory

  • Active Directory Application Mode

  • Windows NT 4.0

Installing Microsoft Identity Integration Server 2003 requires some advanced planning and should first be deployed in a lab environment. MIIS Password Management requires installation and configuration of the following products:

  • Microsoft Windows Server 2003, Enterprise Edition

  • Microsoft SQL Server 2000, Enterprise Edition, Service Pack 3 (SP3) or later

  • Microsoft Visual Studio .NET 2003

  • Microsoft Identity Integration Server 2003, Enterprise Edition

MIIS Password Management uses the .NET Framework to generate Web-based forms that administrators, help desk personnel, and end users can use to set and change passwords. This requires IIS 6.0 with Active Server Pages enabled. If development debugging is desired, FrontPage 2002 Server Extensions must also be installed.

Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325