Integrating Microsoft AD, Unix and then some………

This will be an earnest attempt to publish blog entries more frequently. I thank my esteemed peers, John and Mark, for goading me following a recent blogging webcast. I also just installed Performancing, a wonderful Firefox add-on. Maybe it's just an excuse, but I was honestly looking for a simple "write 'n publish" tool.


I have spoken with several customers who want “one userid and password for my AD and Unix users”.

More often than not the Unix workstations and servers are stand-alone with /etc/passwd files, not even an NIS naming service.

Well the simple and elegant solution is as follows:

1. Configure Sun Java Directory Server as a naming service for Unix. No need to publish a how-to guide here; books, formal documentation and the blogs of my esteemed colleagues adequately enumerate the configuration steps.

2. Configure Sun Java Identity Synchronization for Windows, a component of Sun Java Directory Server, to synchronize your Unix users (stored in LDAP in step 1) with AD, including bidirectional password changes, creates, updates, deletes and even group membership (the latter available in Sun Java Directory Server 6.0, due out imminently, but hush lest I publish details on products not readily available and run afoul of Sun's legal team. Let me just leave you with a microscopic taste of what's to come).

3. Voila, your AD and Unix users are synchronized, one login, one password.

A neat, elegant and simple point solution.
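Step 1 quietly assumes that the accounts in each host's /etc/passwd can be folded into one directory. They can only if the user names and UIDs agree across hosts, otherwise file ownership on one box silently changes meaning on another. The following added example (my own illustration, not Sun's code or documentation) checks a set of constructed passwd files for the two kinds of conflict and emits RFC 2307 posixAccount LDIF for the clean set; the base DN and host names are assumptions.

```python
from collections import defaultdict
BASE_DN = "ou=People,dc=example,dc=com"  # assumption: container for Unix users

# Constructed sample: 'alice' has two UIDs across hosts, and UID 1002 is
# shared by two names. Neither can be served by one directory as-is.
PASSWD_BY_HOST = {
    "build01": ["root:x:0:0:root:/root:/bin/bash",
                "alice:x:1001:100:Alice:/home/alice:/bin/bash",
                "bob:x:1002:100:Bob:/home/bob:/bin/sh"],
    "web02":   ["root:x:0:0:root:/root:/bin/bash",
                "alice:x:1005:100:Alice:/home/alice:/bin/bash",
                "carol:x:1002:100:Carol:/home/carol:/bin/bash"],
}

def parse_passwd(lines):
    """Return {name: (uid, gid, gecos, home, shell)} for one host's file."""
    users = {}
    for line in lines:
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = (int(uid), int(gid), gecos, home, shell)
    return users

def find_conflicts(passwd_by_host):
    """Names mapped to several UIDs, and UIDs shared by several names (uid < 1000 skipped)."""
    uids_by_name, names_by_uid = defaultdict(set), defaultdict(set)
    for lines in passwd_by_host.values():
        for name, (uid, *_rest) in parse_passwd(lines).items():
            if uid >= 1000:  # system accounts stay in the local files
                uids_by_name[name].add(uid)
                names_by_uid[uid].add(name)
    return ({n: sorted(u) for n, u in uids_by_name.items() if len(u) > 1},
            {u: sorted(n) for u, n in names_by_uid.items() if len(n) > 1})

def to_ldif(name, uid, gid, gecos, home, shell):
    """One posixAccount entry; no password hash is copied, AD will own it after sync."""
    return "\n".join([f"dn: uid={name},{BASE_DN}", "objectClass: top",
                      "objectClass: person", "objectClass: posixAccount",
                      f"uid: {name}", f"cn: {gecos or name}", f"sn: {name}",
                      f"uidNumber: {uid}", f"gidNumber: {gid}",
                      f"homeDirectory: {home}", f"loginShell: {shell}", ""])

def consolidate(passwd_by_host):
    """LDIF for every non-system user, or ValueError while conflicts remain."""
    dup_names, dup_uids = find_conflicts(passwd_by_host)
    if dup_names or dup_uids:
        raise ValueError(f"resolve first: names={dup_names} uids={dup_uids}")
    merged = {n: f for lines in passwd_by_host.values()
              for n, f in parse_passwd(lines).items() if f[0] >= 1000}
    return "\n".join(to_ldif(n, *f) for n, f in sorted(merged.items()))
```

Run against the sample, `consolidate` refuses to emit LDIF until alice's UID and the 1002 collision are reconciled on the hosts themselves.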

Aye, and there lies the rub – a point solution. Not to demean Sun Java Identity Synchronization for Windows, it is a great product and it has its place in the Enterprise.

However, as I have asked every customer with whom I have addressed this issue: for which other applications do you wish to integrate users and passwords? HR? CRM? Databases? Mainframes? AD? LDAP? Some customers will answer: "I want AD/LDAP to authenticate everything". LDAP as your company's backbone user store was the thinking years ago. Now everything is distributed. Allow each application to use its own datastore and synchronize with Sun Java Identity Manager. Identity Manager provides in essence an umbrella with spokes to connect to all your applications. Identity Manager provisions and deprovisions users, and synchronizes updates and passwords, with a complete audit trail and, to wit, an approval process!

An Identity Management deployment in a nutshell:
1. Ensure the initial integration of two or three applications using Identity Manager is accomplished on time and within budget.
2. Sun’s Velocity Identity Deployment Tool can certainly help accomplish phase one.
3. Showcase your achievements to management.
4. With the initial infrastructure in place, the incremental effort of adding new applications is smaller and management will very likely approve future phases of the project, because the first phase was a success.
