Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems

1. Introduction

1.1. Project/Component Working Name:
     IDMU Support for idmap

1.2. Name of Document Author/Supplier:
     Author: Jordan Brown

1.3. Date of This Document:
     16 July, 2009

4. Technical Description

SUMMARY
Integrate Solaris Windows identity management with Microsoft's Identity
Management for UNIX (IDMU).

BACKGROUND - IDMU

Microsoft offers a feature (unbundled for Windows 2003 and before, bundled
for Windows 2003R2 and later) called "Identity Management for Unix", or
IDMU. (It is part of what was called "Services For Unix", SFU, in its
unbundled form.) The primary goal of SFU and IDMU is to let Windows act
as a NIS/NFS server - basically, the same role that we have with CIFS,
only reversed.

IDMU adds a "UNIX Attributes" panel to the Active Directory Users and
Computers user interface that lets the administrator specify a number of
UNIX-related parameters: UID, GID, login shell, home directory, and
similar for groups. These parameters are published both in Active
Directory, using a schema similar to (but not the same as) RFC 2307, and
through a NIS service.

BACKGROUND - Existing Solaris support for Directory-based identity mapping

There is an existing idmap feature, "directory-based" or "ds-based"
mapping, where user-defined attributes are added to the Active Directory
or LDAP schema to provide the UNIX name associated with a Windows
identity, or the Windows name associated with a UNIX identity.

IDMU is similar to DS-based mapping in its "Active Directory only" mode,
but stores numeric UIDs and GIDs in the directory rather than UNIX user
and group names.

PROBLEM

IDMU offers a user interface and storage for Windows-UNIX identity mapping
information, integrated with Active Directory user/group management.
Customers have requested that Solaris identity mapping take advantage of
this mechanism.

PROPOSAL

Add a flag (as an SMF property, like the other idmap configuration flags)
that enables use of IDMU data.

DETAILS

On the idmap FMRI, svc:/system/idmap:default, add the property
config/idmu_enabled. True enables IDMU support; false disables it. If the
property does not exist, support is disabled.
For implementation reasons, and to reduce configuration complexity, IDMU
support is mutually exclusive with the existing DS-based mapping support.
If both are enabled, a warning message is logged and DS-based mapping is
disabled.

As with DS-based mapping, if both IDMU data and local name-based mapping
rules are available for a particular identity, the IDMU data is used.

Because IDMU data is maintained on a per-domain basis and Active Directory
does not ensure UID uniqueness between domains, this phase of IDMU support
uses IDMU data only from the domain to which the Solaris system is joined.

COMMENTS

It may be possible to use this IDMU support together with the NIS maps
exported by the Windows Active Directory server to fully integrate UNIX
and Windows identity, managed entirely from the Active Directory user
interface. Although this project is a significant component of such an
integration, that configuration was not a goal and has not been tested.

FUTURE

A future phase may allow an administrator to let Solaris use IDMU data
from other domains, on the assumption that the administrator is manually
managing the UID space across those domains.

ISSUES

The current plan is that if both IDMU and DS-based mapping are enabled, a
warning message is logged and DS-based mapping is not used. If the two
features were later made to coexist, a system left in this state might
unexpectedly change behavior. An alternative proposal is to put the idmap
service into "maintenance" mode when this situation is encountered, to
force the administrator to resolve the conflict.

DELIVERY VEHICLE

Solaris

RELEASE

Patch

COMMITMENT LEVEL

IDMU support: Committed

The fact that IDMU and DS-based mapping are incompatible is not an
interface; they might be made compatible in the future.
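The following is an added example, not part of the ARC case or of the idmap code. It turns the DETAILS and ISSUES text above into something an administrator can run: a pure function that models which mapping source idmap will consult given the two flags (so the "both true" conflict is visible before the service logs the warning), a reader that treats a missing property as false as the case specifies, and the svccfg(1M)/svcadm(1M) commands that set the flags. The property names and FMRI are the ones the case defines; the function names (effective_mode, read_bool, show_config, enable_idmu) are my own. Only effective_mode is safe to run off Solaris; the other functions need the real SMF tools.

```shell
#!/bin/sh
# Added example (not the ARC case's own code). Assumes the property names
# config/idmu_enabled and config/ds_name_mapping_enabled on
# svc:/system/idmap:default, as described in the case.

IDMAP_FMRI="svc:/system/idmap:default"

# read_bool PROPERTY
#   Prints "true" or "false" for an SMF boolean as shown by svcprop(1).
#   A property that does not exist makes svcprop fail; that is treated
#   as "false", which matches the case's stated default.
read_bool() {
    v=$(svcprop -p "$1" "$IDMAP_FMRI" 2>/dev/null) || v=false
    [ "$v" = true ] && echo true || echo false
}

# effective_mode IDMU DS
#   IDMU, DS: "true" or "false" (missing arguments default to false).
#   Prints the directory source consulted before the local name-based
#   rules: "idmu", "ds", or "rules" (neither). When both flags are true
#   it prints the conflict the case describes to stderr and reports
#   "idmu", since DS-based mapping is the one that gets disabled.
effective_mode() {
    idmu=${1:-false}
    ds=${2:-false}
    if [ "$idmu" = true ] && [ "$ds" = true ]; then
        echo "warning: config/idmu_enabled and config/ds_name_mapping_enabled" \
             "are both true; DS-based mapping will be ignored" >&2
        echo idmu
    elif [ "$idmu" = true ]; then
        echo idmu
    elif [ "$ds" = true ]; then
        echo ds
    else
        echo rules
    fi
}

# show_config
#   Queries the live idmap service (Solaris only) and prints the mode.
show_config() {
    effective_mode "$(read_bool config/idmu_enabled)" \
                   "$(read_bool config/ds_name_mapping_enabled)"
}

# enable_idmu
#   Sets the flag and makes idmap re-read its configuration. The DS-based
#   flag is cleared in the same step so the service never starts in the
#   conflicting state that ISSUES discusses.
enable_idmu() {
    svccfg -s "$IDMAP_FMRI" setprop config/ds_name_mapping_enabled = boolean: false
    svccfg -s "$IDMAP_FMRI" setprop config/idmu_enabled = boolean: true
    svcadm refresh idmap
}
```

Running show_config after enable_idmu should print "idmu" with no warning; if it prints the warning, some other tool re-enabled config/ds_name_mapping_enabled and the system is in exactly the state the ISSUES section flags as fragile.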
REFERENCE DOCUMENTS

Identity Management for UNIX: Welcome (Microsoft Technet)
http://technet.microsoft.com/en-us/library/cc782782(WS.10).aspx

Integrated Identity Management in Active Directory Domain Services
http://technet.microsoft.com/en-us/library/cc780098(WS.10).aspx
Includes a screen shot of the Active Directory user information dialog
box showing the UNIX Attributes panel.

MANUAL PAGE

Update idmap(1M), in the "Service Properties" section:

    config/ds_name_mapping_enabled

        Enable/disable directory-based name mapping. Note that if this
        and config/idmu_enabled are both set to "true", this value is
        ignored.

    config/idmu_enabled

        Enable/disable support for Microsoft Identity Management for
        UNIX (IDMU). This Windows component allows the administrator to
        specify a UNIX user ID for each Windows user, mapping the Windows
        identity to the corresponding UNIX identity. Only IDMU data from
        the domain the Solaris system is a member of is used.

6. Resources and Schedule

6.4. Steering Committee requested information

6.4.1. Consolidation C-team Name:
       ON

6.5. ARC review type:
     FastTrack

6.6. ARC Exposure:
     open