IDM Password Synch with eDirectory and AD
Novell Cool Solutions: AppNote
By Dave Simons
Posted: 17 Jan 2007
Novell Identity Manager can be used not only to synchronize user and group accounts but also to synchronize passwords.
In this AppNote I will explain how to set up password synchronization between Novell eDirectory and Microsoft AD. I assume that you have a fully functional IDM connection between eDirectory and AD. See the following AppNote for instructions on how to set up Active Directory with IDM, in order to get users synchronized between eDirectory and AD:
To use PasswordSync with Identity Manager, you need to complete these tasks:
- Install/configure PasswordSync on the Domain Controller
- Import/config the driver into the existing Active Directory Driver set
- Configure Universal Passwords in your eDirectory
Installing PasswordSync on the Domain Controller
1. Open the Control Panel on the AD server.
2. Click Identity Manager PassSync.
3. Click "Yes" to the first question.
Figure 1 - Selecting the machine with the DirXML driver
4. In the upcoming window, select "ad.local" if it's there; otherwise, add your own domain and click "Filters."
Figure 2 - Selecting the AD domain
This screen now appears:
Figure 3 - Selecting a password filter
You will see your own Domain Controller, but the status is still "Not Installed." To change this:
5. Select your domain (in my case, "ad.local") and click Add. Now the Password Sync will be enabled on your domain, and the Remote Loader is ready for password synchronization.
6. As the status screen indicates, reboot the server.
7. Go back again to "Identity Manager PassSync" in your control panel, and you will see the status is changed to Running. Now you know you did everything OK.
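The PassSync applet reports "Running" once the filter is in place, but it is worth confirming the same thing from the command line on the Domain Controller. The following PowerShell script is an added example and not part of this AppNote or of Novell's tools: it lists the password-filter DLLs registered with LSA (every DLL in that list is loaded by LSASS and handed each new password, so the list should contain only what you expect), checks that the PassSync filter is among them and is signed, and shows the state of the Remote Loader service. The DLL name in `$FilterDll` is a placeholder you must replace with the filter name as it appears in your own Notification Packages list, and the service display name is matched by wildcard because the AppNote does not give it.

```powershell
# Added example (not from the AppNote): verify PassSync filter registration on the DC.
# Assumptions: $FilterDll is a placeholder for the Novell password filter's name as
# listed in Notification Packages (entries are stored without the .dll extension);
# the Remote Loader service display name is assumed to contain "Remote Loader".
$FilterDll = 'YOUR_PASSWORD_FILTER_DLL'   # placeholder - replace with your filter's name

$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Notification Packages'
$packages = @($lsa.'Notification Packages')

"LSA Notification Packages (each of these DLLs is loaded by LSASS and receives new passwords):"
$packages | ForEach-Object { "  $_" }

if ($packages -contains $FilterDll) {
    "OK: $FilterDll is registered as a password filter"
} else {
    "MISSING: $FilterDll is not in Notification Packages - repeat step 5 and reboot the DC"
}

# Every registered filter should exist in System32 and carry a valid signature;
# a missing file or an unsigned entry is something to investigate before going on.
foreach ($dll in $packages) {
    $path = Join-Path $env:SystemRoot "System32\$dll.dll"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        "  {0,-24} {1}" -f $dll, $sig.Status
    } else {
        "  {0,-24} FILE NOT FOUND" -f $dll
    }
}

# The Remote Loader forwards password events to the Metadirectory server and runs
# as a Windows service; it should show Status = Running after the reboot in step 6.
Get-Service | Where-Object { $_.DisplayName -like '*Remote Loader*' } |
    Select-Object DisplayName, Status
```

Run the script in an elevated PowerShell session on the Domain Controller after step 7. If the filter is listed but the Remote Loader service is not running, password changes are captured but never forwarded, which is the same symptom you would see later in the "Check Password Status" test.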
Importing/Configuring the Driver into the Existing Active Directory Driver Set
Now you need to configure the Metadirectory server for password synchronization.
1. Open iManager and go to Identity Manager Utilities in the left menu.
2. Select Import Driver.
3. In the "In an existing driver set?" box, browse to and select the driver you created (in my case, "idm.servers.sddu.").
Figure 4 - Import Drivers wizard in iManager
4. Click Next.
5. In the default imported drivers shown, scroll down and select "Password Synchronization 2.0 Policies."
Figure 5 - Selecting password synchronization policies
6. Click Next.
7. In this screen, make sure you select the Existing Driver: "Active Directory." The Connected system should be Active Directory.
Figure 6 - Choosing the AD driver to update
8. Click Next.
9. In the next screen, click Next and accept the default setting to update everything about the driver.
Figure 7 - Driver settings
When the driver is updated, this screen appears:
Figure 8 - Import Drivers Summary
10. Click "Finish with Overview" and start the Active Directory Driver, if it has not started by itself.
Now the Active Directory Driver on the Metadirectory server is ready to synchronize the passwords between eDirectory and AD.
Configuring Universal Passwords in eDirectory
Novell Universal Password provides more options on password requirements, and it's easy to configure. Note that when you use Universal Password, there are some requirements you should be aware of. See the following URL and make sure you understand all it says before you continue:
OK, let's enable Universal Password with iManager.
1. Open iManager and select Passwords from the left menu.
Figure 9 - iManager Password Policies
You'll see one Password policy in the list - the Identity Manager Policy - so you need to create a new one.
2. Click New.
The following screen appears:
Figure 10 - Naming the Password Policy
3. Give your policy a name and check the box to create the default settings.
4. Click Next.
You will see a list of password policy settings the Default policy has set.
Figure 11 - Password Policy Summary
5. Click Finish to continue.
Now when you go back to the Password link in the left menu, you see the newly created policy in the list.
Figure 12 - Password Policy List
6. Select the policy and click Edit. You will be assigning the policy to the users.
7. In the Default policy configuration screen, leave all the settings as they are and click the Policy Assignment tab.
8. Select the OU to which the Universal Password policy should be assigned.
Figure 13 - Selecting the OU
Important: If you assign the policy to an OU, that OU must be a partition root! If it is not, only the users directly under the OU receive the password policy. If the OU is a partition root, all objects beneath it, including those in the OUs below it, are affected.
9. Click Apply to accept and save the settings.
Testing the Password Synchronization
1. From ConsoleOne, change a user's password (I changed the password of user "twan.techniek.users.sddu").
2. Go back to iManager, and under the Password button in the left menu select "Check Password Status".
3. In the screen that appears, select a user that is associated with the Universal Password Policy (in my case, "twan.techniek.users.sddu").
Figure 14 - Check Password Status, select user
4. Click OK.
Notice that the password is synchronized with the Identity Driver.
Figure 15 - Synchronized status
You have successfully set up and configured password synchronization between eDirectory and AD. You should now be able to log in to AD with your user (such as "twan.techniek.users.sddu") with the password you just changed in ConsoleOne.
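Rather than logging in interactively to prove that the new password reached AD, you can validate the credentials against the domain from any domain-joined machine. The following PowerShell script is an added example and not part of this AppNote: it uses the .NET `PrincipalContext.ValidateCredentials` call to attempt a bind as the user with the password you just set in ConsoleOne, and, when the RSAT Active Directory module is present, shows the account's `PasswordLastSet` timestamp, which should be later than your ConsoleOne change if synchronization worked. The domain name matches the AppNote; the sAMAccountName `twan` is an assumption about how the eDirectory user "twan.techniek.users.sddu" is named in AD, so adjust it to your own user.

```powershell
# Added example (not from the AppNote): confirm that the password changed in
# eDirectory has arrived in AD, without an interactive logon.
# Assumptions: 'ad.local' is the domain from the AppNote; 'twan' is a placeholder
# sAMAccountName; the ActiveDirectory module (RSAT) is optional.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$Domain   = 'ad.local'
$UserName = 'twan'   # placeholder - the AD account matching your eDirectory user

# Prompt for the password so it never sits in the script or in shell history.
$secure = Read-Host -Prompt "New password for $UserName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
$ok  = $ctx.ValidateCredentials($UserName, $plain)
$plain = $null   # discard the plaintext as soon as the bind has been attempted

if ($ok) {
    "OK: $UserName authenticates to $Domain with the new password"
} else {
    "NOT SYNCHRONIZED: bind failed - check that PassSync shows Running on the DC and that the user has the Universal Password policy"
}

# PasswordLastSet records when AD last stored a new password for the account;
# a timestamp after your ConsoleOne change confirms the eDirectory -> AD path.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -Identity $UserName -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}
```

Note that a failed `ValidateCredentials` call counts as a bad logon attempt against the account's lockout threshold, so repeat the check only after giving the driver time to process the change rather than in a tight loop.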
When this is successfully done, you have a working Identity Manager Driver that also synchronizes Passwords from eDirectory to Active Directory.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com