Resources for Solaris and Active Directory Integration

A while back I worked with a client to implement Active Directory (AD) integration for a number of Solaris containers that made up their SAS platform. The main benefit of this was to allow all of the SAS users to use their Windows (Active Directory) credentials, the same ones they use to log into their workstation in the morning, to get access to the SAS servers on the Solaris platform. This removed any requirement to manage local user accounts, across multiple Solaris containers, as they could all be managed in Active Directory by the people who usually manage accounts. It was not a trivial exercise – it required communication with several different groups, some changes to the AD server, population of UNIX attributes for users and groups in AD and configuration of the Solaris containers, however it was well worth the effort and I would definitely recommend it.

These were the main technical resources I found useful with implementation and troubleshooting:

I hope you find them useful too.

10 thoughts on “Resources for Solaris and Active Directory Integration”

  1. Thanks Paul! We are about to do the same thing with Novell Netware/LDAP and Solaris. I have put the project off a long time for the reasons you mentioned above. Thanks for the resources too!

  2. Hi Fred,

    Thanks for the feedback and I hope all goes well with your Novell LDAP and Solaris integration work. If you think it might help I can also post some of the main Solaris commands I found useful for verifying the LDAP side of the AD integration.

    Cheers
    Paul

  3. Hi Alex,

    Thanks for your comment and the documentation link. Although I didn’t mention it in the post this integration work did involve the use of PAM. One of the steps involved was to configure PAM to use the pam_krb5 module to provide Kerberos based authentication against AD – there is more info on this in the Sun document. On the SAS side of things, since it was SAS 9.1.3, I also had to download and install PAM enabled sasauth modules as described in the SAS Usage Note 21154: PAM-supported sasauth modules (http://support.sas.com/kb/21/154.html) – a step that is not required for SAS 9.2 I understand.

    Cheers
    Paul

  4. Hi Guys

    I have been hearing rumors about solaris integration with AD 2008, that the solaris user account info (uid, gid etc) can be automatically populated up to AD, rather than having to manually poplulate AD with the user account info, can anyone enlighten me on this??

    Kind Regards
    Peter

  5. Hi Peter,

    I haven’t heard those rumours myself but they sound interesting. Are you talking about new users created in AD having UNIX attributes automatically populated, or existing users in Solaris being automatically migrated into AD and keeping their existing UNIX attributes? I see there is a NIS Data Migration wizard available but have not used it myself.

    In the implementations I was involved in all the UNIX uid/primary-gid/gid/shell attributes were manually managed as they were new UNIX installations – thankfully one of the AD guys wrote an (ADSI?) script to mirror the AD Windows group memberships into the AD UNIX group memberships – when I first investigated Solaris and AD integration I was surprised that the group memberships were able to be different (that a user might be a member of an AD group in Windows but not a member of the same AD group in UNIX) – I guess there must be a reason for it but I never found out what it was. It makes sense to me that much of this could be automated – uids & gids could be automatically incremented for new users and groups created in AD (though I appreciate that people with existing UNIX infrastructure would also want the option to set them to specific existing values). It also makes sense to me that UNIX group memberships could by default match Windows group memberships for those users with uids and groups with gids.

    I’d be keen to hear from you if you find out any more about those rumours. Likewise if I hear anything I’ll let you know.

    Cheers
    Paul

  6. We just went through a Solaris AD integration project which utilized Centrify’s technology. We evaluated the tools that came with Solaris, Likewise and Centrify and chose to use Centrify’s standard product. We are entering the second phase which is to bring service accounts, such as oracle, into AD. Phase one was bringing all the UNIX users into AD. Centrify provides tools that made the migration fairly painless.

    Dave

  7. Hi Paul,

    This is a nice post, in my environment, we do have a LDAP server in Linux but the account are in the Linux server only.
    I would like to pull them directly from AD, can you share the main Solaris commands that you found useful
    for verifying the LDAP side of the AD integration.

    Thanks,

    Jonathan

  8. Hi Jonathan,

    I don’t have any LDAP/AD configured systems around at the moment to double check the commands, but you should be able to use something along these lines (and I’m sure there are many other ways too) …

    To verify the LDAP side of things is working, you can use commands like ldapsearch and ldaplist (ldaplist can be used on Solaris, ldapsearch can be used on both Linux and Solaris and needs a few other options).

    Here is a rough example of using ldaplist on Solaris to look for an AD group:

    ldaplist -l group sales
    dn: CN=sales,OU=groups,DC=example,DC=com
    objectClass: top
    objectClass: posixGroup
    ...
    cn: sales
    description: Sales group
    member: CN=Bob Baxter,OU=users,DC=example,DC=com
    member: CN=Jane Jones,OU=users,DC=example,DC=com
    member: CN=Sam Smith,OU=users,DC=example,DC=com
    memberUid: bob
    memberUid: jane
    memberUid: sam
    distinguishedName: CN=sales,OU=groups,DC=example,DC=com
    ...
    name: sales
    sAMAccountName: sales
    gidNumber: 401

    The command I tend to use more often on Solaris and Linux is the getent command. If the system is configured appropriately it will search users and groups locally (/etc/passwd, /etc/group) as well as users and groups from LDAP/AD.

    Here’s an example of checking the existence and attributes of a user account:

    getent passwd bob
    bob:x:1200:301:Bob Baxter:/home/bob:/bin/bash

    … and here’s an example of checking the existence and attributes of a group:

    getent group sales
    sales::401:bob,jane,sam

    I hope this helps.

    Cheers
    Paul

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.