An Introduction to NDS for Solaris 2.0
Articles and Tips: article
01 Apr 1999
The broad reach of Novell Directory Services has now extended to Sun's Solaris platform. This introductory article will fill you in on the features and advantages of this exciting new product.
NDS for Solaris 2.0 implements the NDS service on SPARC Solaris servers and workstations. Solaris servers and workstations act as directory servers, along with NetWare 5 and Windows NT servers.
The product allows you to place replicas of the NDS database on a Solaris server. These replicas utilize the same directory services provided on NetWare 5 servers. The ability to add replicas provides access to the NDS database on local Solaris servers, enabling accessibility on remote networks.
The Solaris user accounts can be migrated to NDS, thereby eliminating the need to have two databases. The product, along with NDS for NT and NetWare 5, allows administrators to create and administer a single user account across NetWare 5, Windows NT and Solaris systems. A NDS for Solaris snap-in to NetWare Administrator is provided so that these accounts can be administered from a single point. All users can use the secure NDS authentication, instead of the native Solaris authentication schemes. Thus, it is a safe way to unify your entire network and make all resources easier to access, develop, and manage. The product is enabled for IP only.
This introduction to NDS for Solaris is adapted from the Product White Paper and other documents available at:
Advantages of Using NDS
User accounts in the UNIX operating system have been traditionally managed using /etc/passwd, /etc/group and other local system files. This is fine for a small organization with a small number of servers but is not scalable for organizations that have hundreds of UNIX workstations and servers distributed throughout their organization.
Sun Microsystems, Inc. provided a solution called NIS, which allows the user, group and other per-server databases to be stored in a master server and replicated to other servers in the organization. Though NIS is available for most flavors of UNIX, it is difficult to administer. The network administrator has to create and modify user accounts on a single server only and use NIS tools to reflect the change to all the other servers. NIS uses a flat database which is not scalable for enterprise wide deployment. It is also difficult to administer since all the administration is centralized.
The improved version of NIS, called NIS+, replicates the servers incrementally and has a hierarchical name space which improves flexibility. But it continues to retain the master-slave replication architecture, which is difficult to administer. NIS+ is not as widely deployed as NIS.
Novell's NDS is an extensible, scalable, reliable, and available directory service. NDS provides a single database for managing corporate user and group accounts as well as other objects on the network like servers, volumes, printers, and workstations. NDS was designed from the ground up to be a distributed directory service where service management is centralized and content management is delegated. In other words, in an NDS environment, servers throughout the organization can sit in a locked closet, and an administrator at company headquarters in San Francisco can authenticate to the network, create new user accounts for users at the branch office in New York City, and manage the new accounts. The administrator can also distribute software, manage desktop settings, and remote control workstations—all from a single location and with a single management utility (see Figure 1). Other NDS management tools, including diagnostic and repair tools, are based on this strategy for ease of administration and enormous cost savings.
Figure 1: Single point of administration through NDS.
This solution, available only from Novell, provides the following key benefits to network administrators:
A single user account for NetWare, NT and Solaris
NDS as the single point of administration for NetWare, NT and Solaris user accounts
NDS-based secure authentication for user accounts
Mix and match Solaris, NetWare or NT servers for storing copies of the directory database
Users are provided with the following benefits:
Only one account name and password to remember
Speedy and reliable access to NDS because of the local replica
About NDS for Solaris
Today's enterprise networks, being heterogeneous in nature, create various challenges for network administrators. One of the most significant challenges is managing users and groups on different platforms, in the whole enterprise. NDS for Solaris addresses this challenge by integrating Solaris and NetWare user accounts into an enterprise-wide directory, NDS. The product relocates Solaris user accounts and groups to NDS, which enables administrators to manage Solaris user accounts and groups through NDS.
The product includes an authentication module and a name service module to provide NDS authentication and name service to Solaris applications. These modules are implemented using two infrastructural components on Solaris, called the Pluggable Authentication Modules (PAM) and Name Service Switch (NSS), using published standard programming interfaces. This allows existing applications on Solaris to run unchanged.
Because Sun Microsystems, Inc. has instrumented all its system commands and utilities such as login, telnet, ps, ls, etc., to use PAM and NSS, the commands and utilities can access the NDS service in a transparent manner. Network administrators can administer all aspects of Solaris user accounts using NetWare Administrator. The administrator can enter Solaris attributes for those users who need to access Solaris systems.
NDS for Solaris also hosts NDS natively on a Solaris system. This version of NDS is fully compatible with the version of NDS on NetWare 5. Therefore, the product is capable of hosting one or more replicas of a NDS partition locally on a Solaris server.
The local replicas on a Solaris server can be administered exactly like the replicas on a NetWare server, that is, through NetWare administration tools such as NetWare Administrator and NDS Manager, from a Windows workstation. Replicas hosted on a Solaris server are indistinguishable from replicas hosted on a NetWare server.
From the perspective of the Solaris user accounts and groups, nothing has changed. All workstations and applications on Solaris will continue to function as they always did before NDS for Solaris was installed.
How NDS for Solaris Works
NDS for Solaris extends the NDS schema to include the Solaris user and group attributes. Since NDS is an organization-wide repository, Solaris accounts can be administered like any other NDS object using NetWare Administrator.
A tool is provided for easy migration to NDS of existing Solaris users in the /etc/passwd, NIS, and NIS+ databases. This helps administrators to move existing user accounts on Solaris systems to NDS. The administrator can control the NetWare semantics to be adopted for the Solaris user accounts that are migrated to NDS. The password of the user account is also migrated.
NDS for Solaris installs a Read/Write replica of NDS on the Solaris server. This local replica on the Solaris server is indistinguishable from and is administered exactly like the replicas on a NetWare server.
Each Solaris system is reconfigured to use NDS for authentication and to access user account information. A Pluggable Authentication Module (PAM) provider intercepts the system entry requests to authenticate the users and redirects them to NDS. A Name Service Switch (NSS) provider is deployed to intercept all database accesses and redirect them to NDS.
The product architecture diagram is shown in Figure 2.
Figure 2: NDS for Solaris architecture.
Deploying NDS for Solaris
This section contains a brief description of the procedure for deploying NDS for Solaris 2.0.
To deploy the product, you need to:
Run the Windows setup program
Run the Solaris Install program
Configure the product
The Windows setup program will extend the NDS schema to support Solaris accounts. The Solaris install program installs the Solaris binaries on the Solaris system. NDS for Solaris 2.0 consists of two components - the NDS User Account Management component and the NDS Server component. Before you begin the actual installation, you must decide whether you want to install one or both of the product components.
After the installations are complete, the migrate utility needs to be run to move the user data in NIS, NIS+, or files into NDS. The migrate utility will also populate NDS with Solaris client objects.
Once the migration is complete, the product is ready for use.
During the trial period, administrators could configure their Solaris systems to authenticate to both NDS and NIS. Subsequently, NIS need not be used for storing user account information. NDS can be used for all user administration and authentication purposes.
Administering Solaris User Accounts Through NDS
The Solaris user accounts, groups and hosts are viewed as objects in NDS. To administer the objects, the administrator can use the NetWare Administrator utility that is shipped with NetWare 5. Using this administration utility, the administrator can also control the access permission of individual users to specific Solaris systems.
NDS for Solaris can co-exist with NIS, NIS+, and files databases. The administrator can configure the databases in such a way that some users authenticate to NDS and others to NIS. Also, the administrator can configure the Solaris systems to authenticate to both NDS and NIS.
Some of the local system administration accounts, such as root, must continue to be stored in files. This is because these accounts will need to authenticate during times when NDS service may not be available (such as during OS installation and OS initialization).
NDS for Solaris automatically looks up the NDS context of the user who is logging in, and Solaris users don't have to remember their NDS context.
NDS Authentication for Solaris Users
Solaris 2.6 includes a framework called the Pluggable Authentication Module (PAM), which is a standard published by the Open Group. This framework isolates the applications from the specific authentication mechanisms and allows administrators to choose among the authentication mechanisms to be used by the applications. Thus, the applications themselves will remain unaffected by any change in authentication mechanism. All system entry utilities such as login, telnet, ftp, and so on, have been modified by Sun to fit into the PAM framework.
NDS for Solaris provides a pam_nds module so that the administrator can configure the applications to use NDS for authentication. After the NDS authentication is completed, the user will continue to have the same privileges and rights as are available when authenticating to NIS or files. The user will be presented the Solaris shell as usual, the user profile will be set as before, and the access rights to file and print services will remain unaltered.
The pam_nds module provides four types of services—Authentication, Account, Session and Password—to all applications. For example, through the Password service, all the current NetWare password policies for password definition, expiration, and so on, will be applicable to Solaris users also.
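The PAM and NSS redirection described in the architecture section, the coexistence rules (root and other local accounts stay in files; NDS is tried alongside NIS or files), and the four pam_nds service types above can all be checked from the two configuration files involved. The following script is an added example, not part of the original article and not code from the NDS for Solaris product. The /etc/pam.conf column layout (service, module type, control flag, module path, options) and the nsswitch.conf layout are the real Solaris 2.6 formats; the module path /usr/lib/security/pam_nds.so.1 and the "nds" source name in nsswitch.conf are assumptions used only for illustration, and the sample file contents are constructed.

```python
"""Inspect a Solaris 2.6 PAM and Name Service Switch configuration that
redirects authentication and account lookups to NDS.

Added example, not part of the original article and not code from the NDS for
Solaris product. The pam.conf and nsswitch.conf column layouts are the real
Solaris 2.6 formats; the pam_nds.so.1 module path and the "nds" nsswitch source
name are assumptions for illustration. All sample file contents are constructed.
"""

# Constructed /etc/pam.conf: NDS is tried first for login, with the local
# pam_unix module kept as the fallback so that root (stored in files) still works.
SAMPLE_PAM_CONF = """\
# service  type      flag        module path                       options
login      auth      sufficient  /usr/lib/security/pam_nds.so.1
login      auth      required    /usr/lib/security/pam_unix.so.1
login      account   required    /usr/lib/security/pam_nds.so.1
login      session   required    /usr/lib/security/pam_nds.so.1
ftp        auth      required    /usr/lib/security/pam_unix.so.1
other      auth      required    /usr/lib/security/pam_unix.so.1
other      account   required    /usr/lib/security/pam_unix.so.1
other      session   required    /usr/lib/security/pam_unix.so.1
other      password  required    /usr/lib/security/pam_nds.so.1
"""

# Constructed nsswitch.conf files: "files" first keeps root resolvable when NDS
# is unavailable; the second file has the order reversed for passwd.
NSS_GOOD = """\
passwd:   files nds
group:    files nds
hosts:    files dns
"""
NSS_BAD = """\
passwd:   nds files
group:    files nds
"""

PAM_NDS_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options)]}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, module_type, flag, path = parts[:4]
        entries.setdefault((service, module_type), []).append((flag, path, parts[4:]))
    return entries


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping [STATUS=action] words."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        databases[db.strip()] = [w for w in rest.split() if not w.startswith("[")]
    return databases


def stack_for(entries, service, module_type):
    """The module stack a service uses; Solaris falls back to the 'other' service."""
    return entries.get((service, module_type)) or entries.get(("other", module_type), [])


def pam_nds_coverage(entries, service, module="pam_nds"):
    """Which of the four pam_nds service types are active for the given service."""
    return {t: any(module in path for _, path, _ in stack_for(entries, service, t))
            for t in PAM_NDS_TYPES}


def auth_has_local_fallback(entries, service, local_module="pam_unix"):
    """True when the auth stack still includes the local module, so accounts
    kept in files (root) can log in while NDS is unreachable."""
    return any(local_module in path for _, path, _ in stack_for(entries, service, "auth"))


def local_accounts_resolvable(databases, nds_source="nds"):
    """True when passwd and group consult 'files' before the NDS source."""
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if "files" not in sources:
            return False
        if nds_source in sources and sources.index("files") > sources.index(nds_source):
            return False
    return True


if __name__ == "__main__":
    pam = parse_pam_conf(SAMPLE_PAM_CONF)
    print("login pam_nds coverage:", pam_nds_coverage(pam, "login"))
    print("login keeps local fallback:", auth_has_local_fallback(pam, "login"))
    print("good nsswitch ok:", local_accounts_resolvable(parse_nsswitch(NSS_GOOD)))
    print("bad nsswitch ok:", local_accounts_resolvable(parse_nsswitch(NSS_BAD)))
```

The order of sources in nsswitch.conf is the detail that matters for the "root must stay in files" rule: with the NDS source listed first, a lookup of root during OS initialization would wait on a directory that is not yet reachable. The `sufficient` pam_nds entry followed by a `required` pam_unix entry is one way to express the "some users authenticate to NDS and others to files" arrangement the article describes.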
Migrating Solaris User Accounts to NDS
NDS for Solaris provides easy migration of existing Solaris users in the files, NIS, and NIS+ databases to NDS. The migration tool will help administrators to move existing user accounts on Solaris systems to NDS. The administrator can control the NetWare semantics to be adopted for the Solaris user accounts that are migrated to NDS. The password is also migrated to NDS in a secure manner.
The NDS replica on the Solaris server is managed using the NetWare administration utilities, NetWare Administrator and NDS Manager. NDS objects are managed using NetWare Administrator, while replicas and partitions are managed using NDS Manager.
Once all UNIX users and groups are migrated to NDS, they can be administered like any other NDS object. NetWare Administrator can be used to create, modify and delete UNIX users in the directory. To administer the objects, the administrator has to run NWADMN32.EXE in the SYS:\PUBLIC\WIN32 directory from a Windows desktop.
Interoperability with Novell Products and Utilities
NDS for Solaris 2.0 is enabled for IP only. It interoperates with other Novell products over IP only. NDS for Solaris 2.0 can interoperate with NetWare 5 client utilities. NDS Objects can be administered as usual by NetWare Administrator and NDS Partitions can be managed using the NDS Manager utility.
NDS for Solaris 2.0 interoperates with NetWare 5. The replicas on NDS for Solaris 2.0 and NetWare 5 can synchronize over IP.
NDS for Solaris 2.0 interoperates with Z.E.N.works when both are on the same NDS tree.
NDS for Solaris interoperates with NetWare 4.11 (DS version 6.00) when all the following conditions are met:
The master replica of the root partition needs to reside on the NetWare 5 server.
If a replica of a partition resides on the NetWare 4.11 server, the master replica of this partition needs to reside on the NetWare 5 server. This is required for proper replica synchronization.
If a replica of a partition resides on the NDS for Solaris system, the master replica of this partition needs to reside on the NetWare 5 server.
NDS for Solaris 2.0 and NetWare 4.11 should not hold replicas of the same partition.
Novell recommends the following for complete interoperability:
Put the master replica of any partition on a NetWare 5 server. If a master replica is stored on a NetWare 4.11 server, the partition should not appear along any path from Root to partitions hosted on Solaris.
Design your partitions so that replicas on NetWare 4.11 or Solaris servers contain complete sub-trees. Use a NetWare 5 server to maintain connectivity between these sub-trees.
There should be no shared objects between the partitions containing only NetWare 4.11 and NDS for Solaris 2.0 servers, for external references and back-links to work.
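The four NetWare 4.11 interoperability conditions and the first placement recommendation above are mechanical enough to check before a replica is added. The following script is an added example, not NDS Manager or any other Novell tool; the server names, partition names and the data model (each partition records its parent partition, its master replica server and its replica servers) are constructed for illustration. The "complete sub-trees" and "no shared objects" recommendations are not modelled.

```python
"""Check NDS replica placement against the NetWare 4.11 interoperability
conditions and the master-replica placement recommendation above.

Added example, not a Novell tool. Server and partition names and the
parent/master/replicas data model are constructed for illustration.
"""

NW5, NW411, SOLARIS = "NetWare 5", "NetWare 4.11", "Solaris"

# Constructed servers: name -> platform
SERVERS = {"HQ-NW5": NW5, "LAB-NW5": NW5, "NY-NW411": NW411, "SF-SOL": SOLARIS}

# Constructed layout that satisfies every condition: all masters on NetWare 5,
# and NetWare 4.11 and Solaris never share a partition.
GOOD_LAYOUT = {
    "[Root]": {"parent": None, "master": "HQ-NW5", "replicas": ["HQ-NW5", "LAB-NW5"]},
    "OU=NY.O=Acme": {"parent": "[Root]", "master": "HQ-NW5", "replicas": ["HQ-NW5", "NY-NW411"]},
    "OU=SF.O=Acme": {"parent": "[Root]", "master": "HQ-NW5", "replicas": ["HQ-NW5", "SF-SOL"]},
}

# Constructed layout that breaks them: OU=NY is mastered on NetWare 4.11 and
# shared with Solaris, and the Solaris-hosted OU=SF sits beneath it.
BAD_LAYOUT = {
    "[Root]": {"parent": None, "master": "LAB-NW5", "replicas": ["LAB-NW5"]},
    "OU=NY.O=Acme": {"parent": "[Root]", "master": "NY-NW411", "replicas": ["NY-NW411", "SF-SOL"]},
    "OU=SF.OU=NY.O=Acme": {"parent": "OU=NY.O=Acme", "master": "HQ-NW5", "replicas": ["HQ-NW5", "SF-SOL"]},
}


def check_placement(servers, partitions, root="[Root]"):
    """Return a list of human-readable violations (empty when the layout is sound)."""
    problems = []
    # Condition 1: the master replica of the root partition must be on NetWare 5.
    if servers[partitions[root]["master"]] != NW5:
        problems.append("master replica of %s is not on a NetWare 5 server" % root)
    for name, part in partitions.items():
        master_type = servers[part["master"]]
        held_on = {servers[s] for s in part["replicas"]} | {master_type}
        # Conditions 2 and 3: any partition replicated to NetWare 4.11 or Solaris
        # must have its master on NetWare 5.
        legacy = held_on & {NW411, SOLARIS}
        if legacy and master_type != NW5:
            problems.append("%s is replicated to %s but its master is on %s (%s)"
                            % (name, ", ".join(sorted(legacy)), part["master"], master_type))
        # Condition 4: NetWare 4.11 and Solaris must not hold the same partition.
        if {NW411, SOLARIS} <= held_on:
            problems.append("%s has replicas on both NetWare 4.11 and Solaris" % name)
        # Recommendation: no NetWare 4.11-mastered partition on the path from
        # Root down to a partition hosted on Solaris.
        if SOLARIS in held_on:
            ancestor = part["parent"]
            while ancestor is not None:
                if servers[partitions[ancestor]["master"]] == NW411:
                    problems.append("%s is hosted on Solaris below %s, whose master is on NetWare 4.11"
                                    % (name, ancestor))
                ancestor = partitions[ancestor]["parent"]
    return problems


if __name__ == "__main__":
    for label, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(label, "->", check_placement(SERVERS, layout) or "no violations")
```

Running the script reports no violations for the first layout and three for the second: OU=NY fails the master-on-NetWare 5 rule and the shared-partition rule, and OU=SF is a Solaris-hosted partition with a NetWare 4.11-mastered partition on its path from Root.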
NDS for Solaris 2.0 has the following minimum system requirements:
SPARCstation II or above with Solaris 2.6 installed and 64 MB of RAM.
To install the NDS User Account Management (UAM) component, 4 MB of disk space is required.
To install the NDS Server, 7 MB of disk space is required. For a Solaris system that is hosting an NDS replica, 7 MB per 1,000 users is required in each replica.
To install the NDS for Solaris online documentation, 12 MB of disk space is required.
NDS tree with the master replica of the root partition on a NetWare 5 server with NDS version 7.09. The master replica of the partition into which the product will be installed must also be on a NetWare 5 server.
The NetWare 5 servers must be enabled for IP.
Windows 95/98 or Windows NT system with the corresponding Novell Client software, enabled for IP, from the Novell Client CD-ROM (version 3.01).
Administrative rights to all portions of the NDS tree that will contain user objects. For the first NDS for Solaris installation, you will need administrative rights to the root of the tree to extend the schema.
Netscape Navigator 3 or above, or Netscape Communicator for Solaris v2.6, to view the NDS for Solaris online documentation.
Frequently Asked Questions
Q. Aside from Solaris, what other platforms support NDS?
A. NDS is now available on all server platforms including: NetWare 4 and 5, Microsoft NT, IBM OS/390 (to ship in Q2), IBM AIX, and Linux.
Q. What percentage of the server market does NDS now reach?
A. Based on IDC statistics for 1998 server operating environments (12/98; Jean Bozman), NDS now reaches a potential audience of about 65% of the server market.
Q. Which version of Solaris does NDS for Solaris support?
A. NDS for Solaris supports Solaris 2.6 (SPARC version).
Q. When will NDS support Solaris 7?
A. NDS for Solaris was not thoroughly tested with Solaris 7, but it should interoperate with Sun's newest version of Solaris. NDS will be tested with—and will support—Solaris 7 in future releases.
Q. What percentage of UNIX customers use Solaris?
A. The most recent IDC report (12/98; Jean Bozman) covering server operating environments license shipments showed 51.1 percent growth for Solaris SPARC servers in 1998. In 1997 Sun shipped 92,000 Solaris SPARC servers or 12.6 percent share of the UNIX market. In 1998 Sun shipped 139,000 Solaris SPARC servers or 18.6 percent share of the UNIX market.
Q. With NDS for Solaris, how many and what type of applications can now leverage NDS?
A. There are more applications for Solaris than for any other brand of UNIX. There are over 7,000 independent ISVs developing for Solaris and over 12,000 applications that run on Solaris, according to a report in Network World on April 27, 1998.
The most popular applications in Solaris environments are mission-critical applications such as database and data mining applications, enterprise resource planning (ERP) applications, and a large number of custom applications in education, engineering, research, financial, and military environments. Any of these applications that leverage the UNIX Pluggable Authentication Module (PAM) framework APIs for login services (login, rlogin, and telnet) can now use NDS to manage access to UNIX applications on Solaris.
Q. What markets open up for Novell as a result of NDS for Solaris?
A. Solaris is a popular operating system in the enterprise space, and has a strong presence in mission-critical computing environments. With NDS for Solaris, any market that requires 24x7 uptime from both its server operating environment and directory services can benefit from NDS' stability and performance. We believe that the ISPs, telcos, and other large service providers that use NDS to manage their Solaris systems will not only benefit from the current offering, but will also benefit from other directory-enabled services that Novell will be tailoring for the Solaris market. These services include desktop management, application distribution, policy-based management, collaboration, network management, caching, authentication, single-sign on, and PKI services, and more. All of these services will be available to NDS for Solaris users this year.
Q. Is this the first version of NDS for Solaris? Why is it called version 2.0?
A. This is the first version of NDS for Solaris. It is called version 2.0 because it provides the same features and benefits as offered in the recently released NDS for NT 2.0—mainly the ability to both redirect Solaris to NDS as well as to store an NDS replica on a Solaris system. NDS for Solaris versions 1.0 and 2.0 were developed concurrently, so we decided to roll both versions into a single release.
Q. Does Novell have a partnership with Sun regarding NDS for Solaris 2.0?
A. No, Novell developed NDS for Solaris and Novell will sell it. Since Novell and Sun share many of the same customers, both companies are interested in satisfying customer needs today. Both Novell and Sun believe that open directory services supporting the LDAP standard, such as NDS, will become mission-critical.
Q. How does Sun intend to support NDS for Solaris?
A. Although NDS for Solaris is a Novell product, Sun is pleased Novell has decided to extend its directory service to their leading UNIX platform. Sun supports Novell's efforts to make Solaris more manageable and accessible. Both companies are exploring ways to work together to solve our customers' needs. At a minimum, you can expect to see information about NDS for Solaris on Sun's Web site.
Q. How much does NDS for Solaris cost?
A. NDS for Solaris 2.0 pricing is the same as pricing for NDS for NT 2.0, with two separate licensing components: a server license and a per-user connection license. Each Solaris server that stores an NDS replica requires a server license for $695. Each user license is $26. Owners of NetWare 4.x and NetWare 5 may obtain matching licenses for Solaris servers storing NDS replicas at no charge. Customers who qualify can download NDS for Solaris from the Novell Web site at http://www.novell.com/products/nds/nds4solaris/. To order or for more information, customers may contact an authorized Novell reseller or call at (888) 321-4272 in the U.S. and Canada or (801) 228-4272 worldwide.
Q. Is there an evaluation copy of NDS for Solaris 2.0 available? If so, how can I obtain it?
A. The evaluation or trial version can be downloaded from the "Free Downloads" section on the Novell home page or from the NDS for Solaris product Web site at http://www.novell.com/products/nds/nds4solaris/.
Q. Is NDS for Solaris Year 2000 ready?
A. Yes, all Novell products released since 1998 are Y2K ready. In fact, all NDS-enabled products and services are Y2K ready.
Q. Does NDS for Solaris support a pure IP solution?
A. Yes. NDS for Solaris is intended to be deployed in TCP/IP networks with a mixture of Solaris and NetWare 5 servers. In fact, this product uses the TCP/IP protocol exclusively and cannot replicate over IPX without at least one NetWare 5 server somewhere in the network.
Q. What new features will be in future versions of NDS for Solaris? When will the next version be available?
A. As with all future products, our plans may be subject to change. We cannot comment on when the next version will be available.
Q. Does NDS for Solaris compromise Solaris security?
A. NDS for Solaris does not compromise Solaris security in any way. Because everything is stored in one directory and we provide a single password, security is increased and user difficulties are decreased while working with the network. In fact, NDS for Solaris extends the security of the Solaris system. Since users in NDS have only one identity (for all platforms), if an administrator locks a user account, the user's NT, NetWare, and Solaris accounts are all locked. A single identity for users makes intruder detection and password protection powerful.
NDS for Solaris upgrades the Solaris system to use a true directory service and gives you a single user account and a single point of administration for mixed NetWare and Solaris networks. This significantly reduces the amount of time administrators spend in managing multi-platform networks. It allows administrators the flexibility of managing all Solaris users and their resources in NDS using one administration utility.
This latest step in Novell's integration strategy demonstrates Novell's commitment to support the heterogeneous networks that customers need by providing robust NDS support across platforms while making networks easier to manage.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.