Novell Identity Manager can be used not only to synchronize user and group accounts but also to synchronize passwords.
In this AppNote I will explain how to set up password synchronization between Novell eDirectory and Microsoft AD. I assume that you have a fully functional IDM connection between eDirectory and AD. See the following AppNote for instructions on how to set up Active Directory with IDM, in order to get users synchronized between eDirectory and AD:
To use PasswordSync with Identity Manager, you need to complete these tasks:
- Install/configure PasswordSync on the Domain Controller
- Import/config the driver into the existing Active Directory Driver set
- Configure Universal Passwords in your eDirectory
Installing PasswordSync on the Domain Controller
- Open the Control Panel on the AD server.
- Click Identity Manager PassSync.
- Click "Yes" to the first question.
- In the upcoming window, select "ad.local" if it's there; otherwise, add your own domain and click "Filters."
This screen now appears:
Figure 3 - Selecting a password filter
You will see your own Domain Controller, but the status is still "Not Installed." To change this:
- Select your domain (in my case, "ad.local") and click Add. Now the Password Sync will be enabled on your domain, and the Remote Loader is ready for password synchronization.
- As the status screen indicates, reboot the server.
- Go back to "Identity Manager PassSync" in your Control Panel, and you will see that the status has changed to Running. Now you know you did everything OK.
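The status change to Running after the reboot reflects the way Windows loads password filters: LSA reads them from the "Notification Packages" registry value at boot. The following PowerShell check is an added example, not part of the AppNote or of PassSync; it lists every filter registered on the Domain Controller so you can confirm the PassSync entry is present and spot anything you did not install. It assumes the PassSync installer registers its filter there (the AppNote does not name the DLL, so nothing is hard-coded).

```powershell
# Added example (not from the AppNote): list the LSA password-filter DLLs registered on this
# Domain Controller. Windows loads them from "Notification Packages" at boot, which is why the
# PassSync status only changes to "Running" after the reboot.
# Assumption: the PassSync installer registers its filter here; the DLL name is not hard-coded.
function Get-RegisteredPasswordFilter {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $names  = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $names) {
        # Entries are bare names without extension; LSA looks for the DLL in System32.
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $present = Test-Path $dll
        [pscustomobject]@{
            Name      = $name
            Path      = $dll
            Present   = $present
            Signature = if ($present) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
        }
    }
}

# Run as an administrator on the Domain Controller after the reboot.
# Every listed filter should be Present; an entry you do not recognise deserves a look,
# because any DLL named here is handed every password change on the domain.
Get-RegisteredPasswordFilter | Format-Table -AutoSize
```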
Importing/Configuring the Driver into the Existing Active Directory Driver Set
Now you need to configure the Metadirectory server for password synchronization.
- Open iManager and go to Identity Manager Utilities in the left menu.
- Select Import Driver.
- In the "In an existing driver set?" box, browse to and select the driver you created (in my case, "idm.servers.sddu.").
- Click Next.
- In the default imported drivers shown, scroll down and select "Password Synchronization 2.0 Policies."
- Click Next.
- In this screen, make sure you select the Existing Driver: "Active Directory." The Connected system should be Active Directory.
- Click Next.
- In the next screen, click Next and accept the default setting to update everything about the driver.
When the driver is updated, this screen appears:
- Click "Finish with Overview" and start the Active Directory Driver, if it has not started by itself.
Now the Active Directory Driver on the Metadirectory server is ready to synchronize the passwords between eDirectory and AD.
Configuring Universal Passwords in eDirectory
Novell Universal Password provides more options on password requirements, and it's easy to configure. Note that when you use Universal Password, there are some requirements you should be aware of. See the following URL and make sure you understand all it says before you continue:
http://www.novell.com/documentation/idm/admin/data/bnzqodn.html
OK, let's enable Universal Password with iManager.
- Open iManager and select Passwords from the left menu.
You'll see one Password policy in the list - the Identity Manager Policy - so you need to create a new one.
- Click New.
The following screen appears:
- Give your policy a name and check the box to create the default settings.
- Click Next.
You will see a list of password policy settings the Default policy has set.
- Click Finish to continue.
Now when you go back to the Password link in the left menu, you see the newly created policy in the list.
- Select the policy and click Edit. You will be assigning the policy to the users.
- In the Default policy configuration screen, leave all the settings as they are and click the Policy Assignment tab.
- Select the OU to which the Universal Password policy should apply.
Important: If you select an OU, the OU must be the Partition Root! If it is not, only the users directly under the OU will get the password policy. If the OU is the Partition Root, all objects under it, including those in the OUs below it, will be affected.
- Click Apply to accept and save the settings.
Testing the Password Synchronization
- From ConsoleOne, change a user's password (I changed the password of user "twan.techniek.users.sddu").
- Go back to iManager, and under the Password button in the left menu select "Check Password Status".
- In the screen that appears, select a user that is associated with the Universal Password Policy (in my case, "twan.techniek.users.sddu").
- Click OK.
Notice that the password is synchronized with the Identity Driver.
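"Check Password Status" confirms the eDirectory side; the real test is whether AD now accepts the new password. The following PowerShell script is an added example, not from the AppNote or from Novell, that asks the domain to validate the user's credentials from a domain-joined Windows host. The domain name and the AD logon name (sAMAccountName) are placeholders you replace with your own values.

```powershell
# Added example (not from the AppNote): confirm end-to-end that the password set in ConsoleOne
# now works against Active Directory by asking the domain to validate the credentials.
# Assumptions: run on a domain-joined Windows host that can reach the DC; 'ad.local' and 'twan'
# are placeholders for your own domain and the AD logon name of the test user.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AdPasswordSync {
    param(
        [Parameter(Mandatory)] [string] $Domain,          # e.g. 'ad.local'
        [Parameter(Mandatory)] [string] $SamAccountName,  # AD logon name of the test user
        [Parameter(Mandatory)] [securestring] $Password
    )
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $Domain
    try {
        # Expose the plaintext only for the duration of the call, then wipe it.
        $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        try {
            return $ctx.ValidateCredentials($SamAccountName, $plain)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
            $plain = $null
        }
    } finally {
        $ctx.Dispose()
    }
}

# Prompt for the password you just set in ConsoleOne so it never lands in the shell history.
$pw = Read-Host -Prompt 'Password set in ConsoleOne' -AsSecureString
if (Test-AdPasswordSync -Domain 'ad.local' -SamAccountName 'twan' -Password $pw) {
    'Password accepted by AD: synchronization worked.'
} else {
    'Password rejected: give the driver a moment, then check the PassSync status and the Remote Loader trace.'
}
```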
Conclusion
You have successfully set up and configured password synchronization between eDirectory and AD. You should now be able to log in to AD with your user (such as "twan.techniek.users.sddu") with the password you just changed in ConsoleOne.
When this is successfully done, you have a working Identity Manager Driver that also synchronizes passwords from eDirectory to Active Directory.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.