Windows / Solaris Authentication (long and rambling)

From: Steven Faulconer (geek@cfl.rr.com)
Date: Wed Jul 16 2003 - 22:51:41 EDT


Hello everyone,

I've spent the last couple hours searching through the archives for a
solution to an issue we are having. I found a few similar questions,
though, not quite the same, and they were a little old. Here is my
situation. I have a segregated LAN with 30 Solaris systems (Solaris 8
mainly, one Solaris 2.6 (to be upgraded), and one Solaris 9 ('server'
system)) and 5 Windows-based systems (4 Windows 2000 and 1 NT 4.0 (to be
upgraded)). I realize this is a fairly small environment, and my budget
is commensurate with the size of the environment (meaning, very limited).

We have some partly strict security requirements for the solution. I
need to be able to enforce the following items:

Password Length (8 characters or more)
Password Aging (Every 365 days)
Password Reuse (Can't reuse the last 3 passwords)
Password Composition (Upper/Lower case, numbers, symbols)
Server/Client authentication communications should be encrypted

The Sun and Windows systems are going to require additional security
features, implemented currently through BSM/Solaris native and Local
Security Policies (Windows).

I've examined a few possible options, though I'm not 100% certain what
the best method would be, or if the methods will allow everything I need.

Solution One:
Sun One Directory Server 5.2 as the Authentication Database, using
Solaris native libraries for Unix authentication, and pGina using LDAP
plug-in on the Windows side. I've tried to find information on whether
DS 5.2 will allow the security requirements, but haven't been successful
(I've posted to a few lists, but haven't gotten a response yet). I like
this option, since I feel LDAP would be useful for other things in our
environment, not just authentication.

Solution Two:
Similar to the first, using DS 5.2 as the primary database back-end,
with native Solaris libraries for Unix authentication, and adding Samba
as a PDC for the Windows systems. On this solution, I believe I'll be
able to enforce the security requirements, at least through Samba, using
a group policy file created on a Windows System, though I am not sure
about the Unix side (same as above).

Solution Three:
I've seen a bit of information on pam_mysql and pGina, which might be a
possible option, but information is limited on this, so I haven't been
able to pursue it very far.

Solution Four:
Put in a Windows Server for the Windows systems. Set up some method for
the Unix systems (leaning toward LDAP, assuming I can enforce the
security requirements). Then tell the users that they are out of luck,
and have to have 2 separate accounts.

So, that's my current thought process. Any input, thoughts, ideas,
theories are more than welcome. I will, of course, summarize in the end.
If I get enough information and can implement a solution, I plan to
write a document that describes the method, in case others are in my
situation.

Thank you.

SMF
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
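Whichever back-end is chosen (DS 5.2, Samba, pam_mysql), the four password rules listed in the post have to be enforced somewhere with the same logic: minimum length, composition classes, no reuse of the last three passwords, and an age limit. The following is an added example, not code from the post or from any of the products it names; it assumes a hypothetical per-user policy store (the `UserEntry`/`PasswordRecord` classes below are invented for the illustration) that keeps the last three salted PBKDF2 hashes, so reuse can be checked without storing plaintext, and checks a candidate password against all four rules.

```python
"""Password-policy checker for the rules listed in the post.

Added illustration, not the post's or any vendor's code. Assumes a
hypothetical store that keeps each user's last HISTORY_DEPTH salted
password hashes (the UserEntry/PasswordRecord classes are invented here).
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8          # "8 characters or more"
MAX_AGE_DAYS = 365      # "Every 365 days"
HISTORY_DEPTH = 3       # "Can't reuse the last 3 passwords"
PBKDF2_ROUNDS = 100_000 # illustrative work factor, an assumption


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_on: datetime


@dataclass
class UserEntry:
    # oldest first, newest last; trimmed to HISTORY_DEPTH on every change
    history: list = field(default_factory=list)


def composition_errors(password: str) -> list:
    """Return the list of length/composition rules the candidate violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("length: fewer than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        errors.append("composition: no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("composition: no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("composition: no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("composition: no symbol")
    return errors


def is_reused(entry: UserEntry, password: str) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH hashes."""
    for rec in entry.history[-HISTORY_DEPTH:]:
        # re-hash with the stored salt and compare in constant time
        if hmac.compare_digest(hash_password(password, rec.salt), rec.digest):
            return True
    return False


def password_expired(entry: UserEntry, now: datetime) -> bool:
    """Aging rule: a user with no password, or one older than MAX_AGE_DAYS, must change it."""
    if not entry.history:
        return True
    return now - entry.history[-1].set_on > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(entry: UserEntry, password: str) -> list:
    """All rule violations for a proposed change, empty list if acceptable."""
    errors = composition_errors(password)
    if is_reused(entry, password):
        errors.append("reuse: matches one of the last %d passwords" % HISTORY_DEPTH)
    return errors


def set_password(entry: UserEntry, password: str, now: datetime = None) -> None:
    """Apply the policy, then record a fresh salted hash and rotate history."""
    errors = validate_new_password(entry, password)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    entry.history.append(PasswordRecord(salt, hash_password(password, salt), now or datetime.now()))
    del entry.history[:-HISTORY_DEPTH]


if __name__ == "__main__":
    # constructed walk-through: one user cycling through four passwords
    user = UserEntry()
    for candidate in ["Alpha-Pass1", "Bravo-Pass2", "Charlie-Pass3", "Delta-Pass4"]:
        set_password(user, candidate, datetime(2003, 7, 16))
    print("Alpha-Pass1 reusable again:", not is_reused(user, "Alpha-Pass1"))
    print("Bravo-Pass2 still blocked:", is_reused(user, "Bravo-Pass2"))
    print("expired on 2004-07-17:", password_expired(user, datetime(2004, 7, 17)))
```

The reuse check works by re-hashing the candidate with each stored record's salt rather than comparing plaintext, which is what lets a directory or PAM module keep a history without ever holding old passwords in the clear; the age check is deliberately separate from the change-time validation, since it is evaluated at login, not when a new password is proposed.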



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:26:46 EDT