RE: Solaris 9 authentication and access control into Active Directory
From: Myers, Mike (Mike.Myers_at_nwdc.net)
Date: Tue, 14 Sep 2004 11:16:42 -0700 To: "Ron Ogle" <firstname.lastname@example.org>, email@example.com
We have been looking at a similar project except that it needs to be cross platform (Solaris and HP-UX).
We found some limitations in the SEAM product (and to be honest, HP's product as well) in that if the user was in too many Windows group the PAC (Privilege Access Certificate?) which gets tagged onto the end of the Kerberos ticket by AD causes the ticket to exceed the size that will fit in a single UDP packet. The AD server would return an error (52/0x34) which SEAM said was "undefined" because it was at the time SEAM last pulled source from MIT but has subsequently been defined as "RESPONSE_TOO_BIG." The client is supposed to switch to TCP and redo the request, but SEAM doesn't know this and bails.
We put requests in to both vendors to fix this and neither seemed really excited to do it. Sun's response was, "It'll be in Solaris 10..."
Given that level of support, we started looking at commercial vendors and found a company called Vintela who has a pretty nice package called "Vintela Authentication Services" which is cross platform and has some other nice features (eg. a nice snap in to manage the Active Directory side of things in MMC, etc.).
I just today received notice that they've released a new version which at first glace appears to address some of our concerns when we demoed the software a few months back.
Generally the company seems very eager to please and willing to integrate changes that we asked for.
- Mike Myers, Mike.Myers <at> nwdc.net