Novell is now a part of Micro Focus

DirXML PasswordSync for NT/Windows 2000

Novell Cool Solutions: Feature
By Olivier Bourumeau

Digg This - Slashdot This

Posted: 30 Jul 2002

Executive Summary

This document is meant to be a reference for the DirXML PasswordSync for Windows NT/2000 solution. It from data collected internally or based on field experience.

Password Synchronization Overview

DirXML Password Synchronization allows passwords to be securely, consistently, and automatically shared across Novell eDirectory, Microsoft NT domains, and Microsoft Active Directory.

With PasswordSync, a user can log in to each of these systems using a single password. Administrators can manage passwords in one place. Anytime a password is changed in one of these environments it will be updated in all of them.

Design considerations

In order to capture the user password change the DirXML PasswordSync solution needs to be implemented in eDirectory where users authenticate.

The PasswordSync solution requires a DirXML NT driver to be associated with the Domain object created in eDirectory during the installation (for more detail see PasswordSync documentation at

How DirXML PasswordSync works

Conceptually, PasswordSync can be seen as a service that sits between systems communicating password change notifications among the systems.

The figure below illustrates PasswordSync communication. A PasswordSync Agent accepts change notifications from a group of Novell Clients, a group of NT domains with a trust relationship, and a group of Active Directory domains. The arrows represent authenticated and encrypted channels to safeguard the password.

The PasswordSync service detects password changes in a security domain using a password filter. Changes are forwarded to a PasswordSync Agent that updates the other domains.

The PasswordSync Agent runs as a service on NT 4 or Windows 2000 computers. You can install the agent on as many computers as necessary to achieve the domain coverage and redundancy you need.

The PasswordSync Filter for NT domains and Active Directory run on a domain controller. It serves two purposes: maintaining a list of PasswordSync Agents that need updated information and routing change notification to those agents.

From an NT client stand point

Microsoft clients forward password change requests to a domain controller for processing. The PasswordSync Filter intercepts the password before it is encrypted and notifies an agent of the change. Because any Active Directory Domain Controller or any NT Primary Domain Controller can process a password change request, a filter must be installed on each domain controller.

PasswordSync installs Windows domain filters remotely to ease the setup burden. The domain filters for NT and Active Directory are managed solely by PasswordSync Agents. They do not read eDirectory and they do not have any dependency on the Novell Client.

From Novell client 32

In this section we will use an example based on real life experience. This can be different depending upon the context in which the solution has to be deployed.

Users authenticate in an eDirectory Tree (workforce) as well as in the local workstation (using the Dynamic Local User pushed by a ZENworks policy). Users are changing the password from the client by pressing CTRL+ALT+DEL and selecting change password.

When a change password request is issued from the client the following process occurs:

  • The client 32 queries the User object for the nadLoginName attribute that holds the DN of the domain that he is a member of. Action 1 in Figure 2
  • Then the client 32 requests the DN of the password sync object servicing that domain. The domain object holds this information. Action 2 in Figure 2
  • Next the client 32 queries the password sync object that holds the name of the server hosting the PasswordSync agent. Action 3 in Figure 2
  • The client then forward the password change request to the PasswordSync agent. Action 4 in Error! Reference source not found.
  • The PasswordSync agent sends the password change request to all registered Password filters (one on every DC). Action 5 in Figure 2
  • Finally the password filters update the local SAM (NT Domain) with the new password. Action 6 in Figure 2

Note: The processes described above apply as well when the password is changed by the admin using ConsoleOne. ConsoleOne uses some Novell client's API call when a password change is requested. Therefore the above process will apply on the specific user that the admin changes the password. Of course if a password needs to be changed from ConsoleOne it should be perform from the Workforce Tree, as it is the only eDirectory that has the PasswordSync solution installed.

The filter for eDirectory runs on the Novell Client. Unlike Microsoft clients, the Novell Client does not forward the password itself to other network resources. The PasswordSync Filter for eDirectory is an update to the Novell Client that will transmit the password securely to the PasswordSync service for processing. Once the client is updated, passwords can be synchronized whether changes are made by the user at a workstation or by an administrator through tools such as Novell ConsoleOne. PasswordSync will not catch password changes made through a client that does not have the latest version of the Novell Client software installed. Novell ZENworks or login scripts can be used to reduce the burden of updating Novell Clients.

Comments and tips from the field

From Holger Dopp:
Password Sync in the current release is only suitable in a NT/W2K environment, where NO MetaDirectory or eProvisioning solution is involved.
If you have multiple systems that need to have the same password, you must provide a central password set utility/servlet/etc. to get the password and set it directly to the connected systems.

From Olivier Bourumeau
If you want the password to be sync'ed from let say a web password management tool you will need to implement the C API calls that the Novell client does in this web base password change solution. This could be a NPS gadget password change enhancement.

You can download the PasswordSync API here

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates