UNIX Side Components for Identity Management for UNIX are a set of UNIX side utilities that enable password synchronization between Windows and UNIX machines.
Identity Management for UNIX -> Password Synchronization for Windows Server codenamed Longhorn Server Beta 2 / Windows Server codenamed Longhorn Server IDS_C helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. Users are freed of the difficulty of maintaining separate passwords for their Windows and UNIX accounts or having to remember to change the password wherever it is used. With Password Synchronization, whenever a user's password is changed on a Windows-based computer or domain, the password can also be automatically changed on every UNIX host for which the user has an account. Password Synchronization can also be configured to change the user's Windows password when the user's UNIX password is changed.
When Password Synchronization is configured for Windows-to-UNIX synchronization and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user's password is to be synchronized on UNIX computers. If it is, the service encrypts the password and sends it to the Password Synchronization daemon (ssod) on each UNIX computer with which the Windows-based computer is configured to be synchronized. The ssod daemon then decrypts the password and changes the password on the UNIX host. If the UNIX host is an NIS master server and is configured to do so, the daemon also runs make to propagate the password change throughout the NIS domain.
When Password Synchronization is configured for UNIX-to-Windows synchronization, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization PAM module makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.
1. Copy the source binary file for your version of UNIX from the website to /usr/bin or /usr/local/bin on the UNIX computer, and change its name to ssod. The name of the source binary file depends on the version of UNIX you are using.
o If the computer is running Hewlett-Packard HP-UX version 11i, the source binary file name is ssod.h11
o If the computer is running Red Hat® Enterprise Linux® 4 server, the source binary file name is ssod.rhel4
o If the computer is running Red Hat Linux version 8.0, the source binary file name is ssod.rhl8
o If the computer is running Red Hat Linux version 9.0, the source binary file name is ssod.rhl9
o If the computer is running Novell® SUSE® Linux Enterprise Server 10, the source binary file name is ssod.suse
o If the computer is running Sun Microsystems Solaris version 8 or 9 or 10, the source binary file name is ssod.so8
o If the computer is running IBM AIX version 5L 5.2, the source binary file name is ssod.a52
o If the computer is running IBM AIX version 5L 5.3, the source binary file name is ssod.a53
2. Using a binary-mode file-copy method (for example, File Transfer Protocol (FTP) in binary mode) so that carriage-return/line-feed (CR/LF) pairs are not converted, copy Sso.cfg from the tar file to /etc on the UNIX computer, and change its name to sso.conf.
3. Open sso.conf with a text editor.
4. If you have changed the default encryption key, edit the following line to specify the new default key. This value must match the default key specified on all domain controllers with which this computer will synchronize passwords:
ENCRYPT_KEY=encryptionKey
5. If you have changed the default port, edit the following line to specify the new port. This value must match the port number specified on all domain controllers with which this computer will synchronize passwords.
6. Edit the following line to specify one domain controller in each Windows domain with which the computer is to synchronize passwords. If you have specified a nondefault port number or encryption key for the UNIX computer when configuring Password Synchronization on the Windows domain controllers, specify that value where indicated; otherwise, leave the value blank:
SYNC_HOSTS=(domainController[, portNumber [, encryptionKey]]) ...
Each entry in the list must be enclosed by parentheses (the "(" and ")" characters) and separated from the next entry by a blank space.
7. If the computer is a Network Information Service (NIS) master server, and if you want passwords to be synchronized throughout the NIS domain, edit the following line as shown to enable NIS synchronization:
Also, if required, edit the following line to specify the location of the NIS makefile:
8. Set the file permissions of sso.conf to read/write for the root user only, and deny access to all other users.
9. If the computer is running Linux, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.
• The sso.conf file contains encryption keys and other sensitive information. For this reason, it must be accessible only by system administrators.
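The following script is an added example of a post-installation check for steps 6 and 8 above; it is not part of the Microsoft page and is not shipped with ssod. It validates every entry of the SYNC_HOSTS list against the (domainController[, portNumber[, encryptionKey]]) syntax the page gives, including the blank-value case, and confirms that sso.conf is mode 0600 and owned by the expected account. The function names, the GNU/BSD stat fallback, and the sample configuration written to a temporary file are all constructed for this example; the placeholder key values are not real keys.

```sh
#!/bin/sh
# Added example: a post-install check for the ssod configuration written for
# this page. It is not part of the Microsoft page or the ssod distribution.
# Assumptions: /etc/sso.conf and the SYNC_HOSTS syntax come from the page's
# steps; the function names, the GNU/BSD stat fallback and the sample
# configuration below are constructed for this example.

# Step 8 check: the file must be readable and writable by its owner only
# (mode 0600) and owned by the expected account (root on a real host).
check_conf_perms() {
    f="$1"
    expected_owner="$2"
    # GNU stat first, BSD stat as a fallback (assumption: one of them exists)
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f" 2>/dev/null)
    [ "$mode" = "600" ] && [ "$owner" = "$expected_owner" ]
}

# One SYNC_HOSTS entry: (domainController[, portNumber[, encryptionKey]]).
# A blank port or key is allowed, since the page says to leave defaults blank.
check_sync_entry() {
    printf '%s' "$1" |
        grep -Eq '^\( *[A-Za-z0-9._-]+ *(, *[0-9]* *(, *[^,()]* *)?)?\)$'
}

# The whole SYNC_HOSTS value: one or more parenthesised entries, each
# separated from the next by blank space. Returns 0 only if every entry
# is well formed.
check_sync_hosts() {
    rest="$1"
    count=0
    while [ -n "$rest" ]; do
        # every entry must be closed before the next one starts
        case "$rest" in *")"*) ;; *) return 1 ;; esac
        entry=${rest%%")"*}
        entry="$entry)"
        rest=${rest#"$entry"}
        check_sync_entry "$entry" || return 1
        count=$((count + 1))
        # whatever follows must begin with the blank separator
        if [ -n "$rest" ]; then
            case "$rest" in " "*) ;; *) return 1 ;; esac
            lead=${rest%%[! ]*}
            rest=${rest#"$lead"}
        fi
    done
    [ "$count" -gt 0 ]
}

# Pull the SYNC_HOSTS value out of a configuration file (first match wins).
sync_hosts_value() {
    sed -n 's/^SYNC_HOSTS=//p' "$1" | head -n 1
}

# Run both checks against a file; prints one line per check and returns
# non-zero if either check fails.
audit_sso_conf() {
    f="$1"
    owner="$2"
    status=0
    if check_conf_perms "$f" "$owner"; then
        echo "permissions: ok (0600, owner $owner)"
    else
        echo "permissions: FAIL - $f must be mode 0600 and owned by $owner"
        status=1
    fi
    if check_sync_hosts "$(sync_hosts_value "$f")"; then
        echo "SYNC_HOSTS: ok"
    else
        echo "SYNC_HOSTS: FAIL - malformed entry list"
        status=1
    fi
    return $status
}

# Stand-alone demonstration on a constructed sso.conf in a temporary file.
# On a real host you would run:  audit_sso_conf /etc/sso.conf root
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ENCRYPT_KEY=PLACEHOLDER_SHARED_KEY
SYNC_HOSTS=(dc1.example.com) (dc2.example.com, 6677, PLACEHOLDER_HOST_KEY)
EOF
chmod 600 "$demo_conf"
audit_sso_conf "$demo_conf" "$(id -un)"
rm -f "$demo_conf"
```

On a production host, run audit_sso_conf /etc/sso.conf root after step 8; a permissions failure means the encryption keys in sso.conf are readable by accounts other than root, which is exactly the exposure the note above warns about.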
Supported Operating Systems: HP-UX; IBM AIX; Linux; Solaris; Windows Server 2008 R2