The Saga of Solaris and Active Directory

By: Phil Helsel-Instructor

There is little doubt that Solaris 10 from Sun Microsystems, now an Oracle company, is the most advanced and secure commercial operating system on the market today. The inclusion of Solaris Containers, ZFS, and its rating in the NIST National Vulnerability Database make for compelling reasons to use Solaris in your enterprise infrastructure. The only issue I continue to hear about is the lack of integration with Microsoft’s Active Directory (AD).

A bit of historical perspective on this issue. Sun, led by its founder and then-Chairman Scott McNealy, fought hard to prevent Microsoft technology from being adopted as an “enterprise” standard. This included opposition to what Sun called the lock-in directory, i.e. “Captive Directory” (Active Directory). Sun, and others, believed that Microsoft was using its monopoly power to force adoption of its directory technology. “This would eventually let Microsoft control ‘the point of entry for all the Net-based business’ and eventually turn Microsoft into ‘a direct competitor’ to companies with Web businesses.” This was best illustrated in the dust-up over the Internet directory service proposed by Microsoft, called Passport (now called Windows Live), and the competing Liberty Alliance Project — a coalition of corporations led by Sun.

Well, the dust has settled and Active Directory has become the directory standard for most organizations. Given this reality, I was surprised to see that Solaris has still not created an easy way to integrate with Active Directory. It continues to support Network Information Service (NIS), which very few shops still use. It also supports NIS+, but this will be dropped from the next release of Solaris 10. DNS is a given, but it does not resolve users and groups. That leaves local users and LDAP; however, a direct LDAP connection to Active Directory is not an officially supported option for authenticating Solaris users.
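Before deciding how to replace NIS or NIS+, it helps to know which hosts still depend on them for user and group lookups. Solaris records that choice per database in /etc/nsswitch.conf (lines of the form `database: source [STATUS=action] source ...`). The following audit script is an added example, not code from the original post or from Sun; the configuration text it parses is constructed for the example, and the hypothetical helper names (`parse_nsswitch`, `legacy_identity_sources`, `audit`) are my own.

```python
"""Audit which name services a Solaris host uses for user and group lookups.

Added example, not part of the original blog post. It parses the
/etc/nsswitch.conf format (database: source [STATUS=action] source ...)
and reports whether the passwd and group databases still depend on NIS
or NIS+. The sample configuration below is constructed for the example.
"""
import re

# Constructed sample of a Solaris 10 nsswitch.conf mixing legacy and LDAP sources.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files nisplus [NOTFOUND=return] ldap
group:      files nisplus
hosts:      files dns
ipnodes:    files dns
networks:   nis [NOTFOUND=return] files
automount:  files ldap
aliases:    files
"""

# Sources the post singles out as legacy: NIS is rarely used and NIS+ is being dropped.
LEGACY_SOURCES = {"nis", "nisplus"}

# Lookup-status clauses such as [NOTFOUND=return] are policy, not sources.
_STATUS_CLAUSE = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [sources...]} from nsswitch.conf text, ignoring comments and status clauses."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        rest = _STATUS_CLAUSE.sub(" ", rest)         # remove [STATUS=action] tokens
        databases[name.strip()] = rest.split()       # remaining tokens are sources, in lookup order
    return databases


def legacy_identity_sources(databases, identity_dbs=("passwd", "group")):
    """Map each identity database to the legacy sources it still consults."""
    findings = {}
    for db in identity_dbs:
        legacy = [s for s in databases.get(db, []) if s in LEGACY_SOURCES]
        if legacy:
            findings[db] = legacy
    return findings


def audit(text):
    """Parse a config and return (legacy findings, whether LDAP is consulted for identity)."""
    databases = parse_nsswitch(text)
    findings = legacy_identity_sources(databases)
    uses_ldap = any("ldap" in databases.get(db, []) for db in ("passwd", "group"))
    return findings, uses_ldap


if __name__ == "__main__":
    findings, uses_ldap = audit(SAMPLE_NSSWITCH)
    for db, sources in findings.items():
        print(f"{db}: still resolved through {', '.join(sources)}")
    print("LDAP consulted for identity:", uses_ldap)
```

Run it against the collected nsswitch.conf of each host to build the inventory that justifies the enhancement request; a host whose passwd or group line lists only `files` and `ldap` is already off the legacy services.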

The officially supported method is to use Sun’s Java System Directory Server Enterprise Edition. This solution uses LDAP on the Solaris side with Active Directory synchronization to the AD domains. In other words, it keeps passwords in synchronization with AD and replicates the users to Sun’s directory server. This is the same process Sun has used since the iPlanet days. As a Solaris customer, it sure would be a nice option to replace the NIS+ configuration with a supported AD option.

Notice that I was careful to list the option above as the supported one. There are a number of unsupported, “use at your own risk” options. These include Kerberos, Samba, scripts, and code bundles from the OpenSolaris projects. The process I have used in a “lab” environment as an instructor is detailed in an article titled “HOWTO Use Active Directory as a Solaris Authentication Source”. The limitation is the need to use Active Directory on Windows Server 2003 R2. Since Windows Server 2008 R2 has been released by Microsoft, this limitation is definitely getting “old”.

If this integration is an issue in your shop, you need to make it known to your Oracle/Sun support contact that this is a high-priority Request for Enhancement.

See you in class.

This entry was posted in Instructor Blogs.