Password Synchronization helps integrate Windows and UNIX networks by simplifying the maintenance of secure passwords in both environments. Instead of maintaining separate passwords for Windows and UNIX accounts, or having to remember to change each of them, a user whose password is changed on a Windows-based computer or domain that runs Password Synchronization has that password automatically changed on every UNIX host on which the user has an account. Password Synchronization can also be configured to change the user's Windows password when the user's UNIX password is changed.
When Password Synchronization is configured for Windows-to-UNIX synchronization and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user's password is to be synchronized on UNIX computers. If it is, the service encrypts the password and sends it to the Password Synchronization daemon (ssod) on each computer with which the Windows-based computer is configured to be synchronized. The ssod daemon then decrypts the password and changes the password on the UNIX host. If the UNIX host is an NIS master server and is configured to do so, the daemon also runs make to propagate the password change throughout the NIS domain.
When Password Synchronization is configured for UNIX-to-Windows synchronization, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization PAM module makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.
For more information, refer to the Help file (UIM.chm) for the Identity Management for UNIX component.
Installation steps
1. Copy one of the following source binary files from the ssod.tgz file to /usr/bin or /usr/local/bin on the UNIX computer and rename it to ssod. Which source binary file to use depends on the version of UNIX you are running.
2. Using a binary file-copy method such as File Transfer Protocol (FTP), to avoid corrupting CR/LF (carriage-return/line-feed) pairs, copy Sso.cfg from the tar file for UNIX CD to /etc on the UNIX computer and rename it to sso.conf.
3. Open sso.conf with a text editor.
4. If you have changed the default encryption key, edit the following line to specify the new default key. This value must match the default key specified on all domain controllers with which this computer will synchronize passwords:
   ENCRYPT_KEY=encryptionKey
5. If you have changed the default port, edit the following line to specify the new port. This value must match the port number specified on all domain controllers with which this computer will synchronize passwords:
   PORT_NUMBER=portNumber
6. Edit the following line to specify one domain controller in each Windows domain with which the computer is to synchronize passwords. If you specified a nondefault port number or encryption key for the UNIX computer when configuring Password Synchronization on the Windows domain controllers, specify that value where indicated; otherwise leave the value blank:
   SYNC_HOSTS=(domainController[, portNumber [, encryptionKey]])
   Each entry in the list must be enclosed by parentheses (the "(" and ")" characters) and separated from the next entry by a blank space.
7. If the computer is a Network Information Service (NIS) master server, and you want passwords to be synchronized throughout the NIS domain, edit the following line as shown to enable NIS synchronization:
   USE_NIS=1
   If required, edit the following line to specify the location of the NIS makefile:
   NIS_UPDATE_PATH=makefilePath
8. Set the file permissions of sso.conf to read/write for the root user only, and deny access to all other users.
9. If the computer is running Linux, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.
Important: The sso.conf file contains encryption keys and other sensitive information. For this reason, it must be accessible only by system administrators.
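As an added example (not part of the original documentation and not the ssod distribution's own tooling), the following POSIX shell script rehearses steps 2 through 9 on a scratch file: it writes a constructed sso.conf using the keys named above, locks it down to the owner only, checks that the file carries no carriage returns (the CR/LF corruption step 2 warns about), that ENCRYPT_KEY, PORT_NUMBER and SYNC_HOSTS are present, that every SYNC_HOSTS entry has the (domainController[, portNumber [, encryptionKey]]) form with a numeric port, and performs the Linux PAM copy from step 9 against a directory you pass in. The host names, port number and key are placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original documentation or the ssod
# distribution. Rehearses the sso.conf steps on a scratch file: write a
# constructed configuration, lock it down, and check its shape.
# All host names, the port and the key below are placeholders.

# write_sample_sso_conf PATH : write a constructed sso.conf to PATH.
# The second SYNC_HOSTS entry omits the optional port and key fields.
write_sample_sso_conf() {
  cat > "$1" <<'EOF'
ENCRYPT_KEY=REPLACE_WITH_SHARED_KEY
PORT_NUMBER=6677
SYNC_HOSTS=(dc1.example.test,6677,REPLACE_WITH_SHARED_KEY) (dc2.example.test)
USE_NIS=0
EOF
}

# check_sso_conf_mode PATH : 0 if PATH is readable and writable by its
# owner only (mode 0600), as step 8 requires. Root ownership is checked
# separately, because a non-root user cannot set it.
check_sso_conf_mode() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ] ||
    { echo "expected mode 0600 on $1, found $mode" >&2; return 1; }
}

# check_sso_conf_owner PATH : 0 if PATH is owned by root.
check_sso_conf_owner() {
  owner=$(ls -ld "$1" | awk '{print $3}')
  [ "$owner" = root ] || { echo "$1 owned by $owner, not root" >&2; return 1; }
}

# check_sso_conf_syntax PATH : 0 if the file has no carriage returns,
# ENCRYPT_KEY, PORT_NUMBER and SYNC_HOSTS are present, and each
# SYNC_HOSTS entry has the (domainController[, portNumber [, encryptionKey]])
# form. Error messages name the host only, never the key.
check_sso_conf_syntax() {
  f="$1"
  if grep -q "$(printf '\r')" "$f"; then
    echo "carriage returns found in $f (copied in text mode?)" >&2; return 1
  fi
  grep -q '^ENCRYPT_KEY=..*' "$f" ||
    { echo "ENCRYPT_KEY missing or empty" >&2; return 1; }
  grep -q '^PORT_NUMBER=[0-9][0-9]*$' "$f" ||
    { echo "PORT_NUMBER missing or not numeric" >&2; return 1; }
  hosts=$(sed -n 's/^SYNC_HOSTS=//p' "$f")
  [ -n "$hosts" ] || { echo "SYNC_HOSTS missing or empty" >&2; return 1; }
  # Entries are blank-separated, so plain word splitting isolates them.
  for entry in $hosts; do
    case "$entry" in
      "("*")") ;;
      *) echo "SYNC_HOSTS entry not enclosed in parentheses" >&2; return 1 ;;
    esac
    body=${entry#"("}; body=${body%")"}
    host=${body%%,*}
    [ -n "$host" ] || { echo "SYNC_HOSTS entry has no domain controller" >&2; return 1; }
    rest=${body#"$host"}; rest=${rest#,}
    port=${rest%%,*}
    case "$port" in
      *[!0-9]*) echo "non-numeric port in entry for $host" >&2; return 1 ;;
    esac
  done
  return 0
}

# install_linux_pam_stack PAMDIR : step 9 for Linux hosts, copying
# PAMDIR/system-auth to PAMDIR/ssod. PAMDIR is a parameter only so the
# step can be rehearsed on a scratch directory; on a real host it is
# /etc/pam.d.
install_linux_pam_stack() {
  [ -f "$1/system-auth" ] ||
    { echo "$1/system-auth not found; nothing copied" >&2; return 1; }
  cp "$1/system-auth" "$1/ssod"
}

# Stand-alone rehearsal on a scratch file. On a real host run as root
# against /etc/sso.conf instead, and also run check_sso_conf_owner.
demo=$(mktemp)
write_sample_sso_conf "$demo"
chmod 600 "$demo"
if check_sso_conf_mode "$demo" && check_sso_conf_syntax "$demo"; then
  echo "constructed sso.conf at $demo passes mode and syntax checks"
fi
rm -f "$demo"
```

On a real host, run it as root, point the checks at /etc/sso.conf and /etc/pam.d, and chown the file to root in addition to setting mode 0600; the checks only read the file and report the domain controller name on error, so the shared key does not end up in a terminal log.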
Notes
• Password Synchronization supports synchronization with UNIX computers running any of the following operating systems:
• This daemon program must be installed on the computer running UNIX to enable Password Synchronization to change users' passwords on that computer.