IDMU Support for idmap [PSARC/2009/398 FastTrack timeout 07/23/2009]
Jordan Brown
jb25718 at sac.sfbay.sun.com
Thu Jul 16 15:30:31 PDT 2009
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
IDMU Support for idmap
1.2. Name of Document Author/Supplier:
Author: Jordan Brown
1.3. Date of This Document:
16 July, 2009
4. Technical Description
SUMMARY
Integrate Solaris Windows identity management with Microsoft's
Identity Management for UNIX (IDMU).
BACKGROUND - IDMU
Microsoft offers a feature (unbundled for Windows 2003 and before,
bundled for Windows 2003R2 and later) called "Identity Management
for Unix", or IDMU. (It's part of what was called "Services For
Unix" in its unbundled form.)
The primary goal of SFU and IDMU is to support Windows as a NIS/NFS
server - basically, the same role that we have with CIFS, only
reversed.
IDMU adds a "UNIX Attributes" panel to the Active Directory Users
and Computers user interface that lets the administrator specify a
number of UNIX-related parameters: UID, GID, login shell, home
directory, and similar for groups. These parameters are made
available in AD through a schema similar to (but not the same
as) RFC2307, and through the NIS service.
BACKGROUND - Existing Solaris support for Directory-based identity mapping
There is an existing idmap feature "directory-based" or "ds-based"
mapping, where user-defined attributes are added to the Active
Directory or LDAP schema to provide the UNIX name associated with a
Windows identity, or the Windows name associated with a UNIX
identity. IDMU is similar to DS-based mapping in its "Active
Directory only" mode, but stores numeric UIDs and GIDs in the
directory, rather than storing UNIX user and group names.
PROBLEM
IDMU offers user interface and storage for Windows-UNIX identity
mapping information, integrated with Active Directory user/group
management. Customers have requested that Solaris identity mapping
take advantage of this mechanism.
PROPOSAL
Add a flag (as an SMF property, like other idmap configuration flags)
that enables use of IDMU data.
DETAILS
On the idmap FMRI, svc:/system/idmap:default, add the property
config/idmu_enabled. True enables IDMU support; false disables
it. If the property does not exist, the default is that support is
disabled.
For implementation reasons and to reduce configuration complexity,
IDMU support is mutually exclusive with the existing DS-based
mapping support. If both are enabled, a warning message will be
logged and DS-based mapping will be disabled.
Like DS-based mapping, if IDMU data and local name-based mapping
rules are both available for a particular identity, the IDMU data
will be used.
Because IDMU data is maintained on a per-domain basis and Active
Directory does not ensure UID uniqueness between domains, this
phase of IDMU support will use IDMU data only from the domain to
which the Solaris system is joined.
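The three rules above (IDMU and DS-based mapping are mutually exclusive, IDMU data takes precedence over local name-based rules, and IDMU data is consulted only for the joined domain) modelled as a small lookup, written for this case as an illustration and not taken from idmapd; the IdmapConfig class, the map_windows_user function and all domain, user and UID values are constructed for the example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("idmap")


@dataclass
class IdmapConfig:
    """Subset of the svc:/system/idmap:default config/ properties."""
    idmu_enabled: bool = False
    ds_name_mapping_enabled: bool = False
    joined_domain: str = "EXAMPLE"  # constructed domain name


def effective_config(cfg: IdmapConfig) -> IdmapConfig:
    """DETAILS rule: when both flags are true, log a warning and
    ignore directory-based name mapping."""
    if cfg.idmu_enabled and cfg.ds_name_mapping_enabled:
        log.warning("config/idmu_enabled and config/ds_name_mapping_enabled "
                    "are both true; directory-based name mapping is ignored")
        return IdmapConfig(True, False, cfg.joined_domain)
    return cfg


def map_windows_user(cfg, domain, user, idmu_data, name_rules, passwd):
    """Resolve DOMAIN\\user to (uid, source).

    idmu_data:  {(DOMAIN, user): uid}, the UIDs an administrator entered
                on the IDMU "UNIX Attributes" panel (constructed).
    name_rules: {(DOMAIN, user): unixname}, local name-based rules (constructed).
    passwd:     {unixname: uid}, the local name service (constructed).
    """
    cfg = effective_config(cfg)
    key = (domain.upper(), user.lower())
    # IDMU data wins, but only for the domain the system is joined to,
    # because AD does not guarantee UID uniqueness across domains.
    if cfg.idmu_enabled and key[0] == cfg.joined_domain.upper():
        uid = idmu_data.get(key)
        if uid is not None:
            return uid, "idmu"
    unixname = name_rules.get(key)
    if unixname is not None and unixname in passwd:
        return passwd[unixname], "name-rule"
    return None, "unmapped"  # idmapd's further fallbacks are not modelled
```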
COMMENTS
It may be possible to use this IDMU support along with the NIS maps
exported by the Windows Active Directory server to fully integrate
UNIX and Windows identity, managed entirely from the Active
Directory user interface. Although this project is a significant
component of such a potential integration, this configuration was
not a goal and has not been tested.
FUTURE
A future phase may add the ability for an administrator to allow
Solaris to use IDMU data from other domains, with the assumption
that the administrator is manually managing the UID space across
those domains.
ISSUES
The current plan is that if both IDMU and DS-based mapping are
enabled, a warning message is logged and DS-based mapping is not
used. In the future, if we were to enable coexistence of the two
features, a system in this state might unexpectedly change
behavior. An alternative proposal is to put the idmap service into
"maintenance" mode if this situation is encountered, to force the
administrator to resolve the conflict.
DELIVERY VEHICLE
Solaris
RELEASE
Patch
COMMITMENT LEVEL
IDMU support: Committed
The fact that IDMU and DS-based mapping are incompatible is not an
interface; they might be made compatible in the future.
REFERENCE DOCUMENTS
Identity Management for UNIX: Welcome (Microsoft Technet)
http://technet.microsoft.com/en-us/library/cc782782(WS.10).aspx
Integrated Identity Management in Active Directory Domain Services
http://technet.microsoft.com/en-us/library/cc780098(WS.10).aspx
Includes screen shot of the Active Directory user information
dialog box showing the UNIX Attributes panel.
MANUAL PAGE
Update idmap(1M), in the "Service Properties" section:
config/ds_name_mapping_enabled
Enable/disable directory-based name mapping. Note that if
this and config/idmu_enabled are both set to "true", this
value is ignored.
config/idmu_enabled
Enables support for Microsoft Identity Management for UNIX
(IDMU). This Windows component allows the administrator to
specify a UNIX user ID for each Windows user, mapping the
Windows identity to the corresponding UNIX identity.
Only IDMU data from the domain the Solaris system is a member
of is used.
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open