Implementing Password Sync When Tree and Domain Have the Same Name

Novell Cool Solutions: Feature
By Armando A. Perez

Posted: 14 Feb 2003
 

The Background:

We are using DirXML to sync user data between our production AD (Domain name is PROD) and eDirectory (tree name is PROD) environment, with eDirectory being the authoritative source for user account information. We would also like to use the Password Sync option of DirXML to sync passwords between AD and eDirectory.

Our desktop environment consists of W2K workstations with the latest Novell Client (4.83, SP1). About 90% of these workstations are NOT members of the PROD domain. There are about 50 users of the domain, with about 150 workstations being part of the domain.

Our environment also includes ZENworks for Desktops, v3.2 with DLU enabled. DLU is enabled for non-domain users.

For future capability, we have implemented a separate DirXML "master NDS tree", titled PROD-MASTER that will be used as the "hub" for sharing DirXML data with other systems. Originally, the Master tree would have communicated with the PROD tree but NOT the PROD domain. The Master tree will also be used to allow LDAP authentication with our UNIX servers.

The Problem:

The current version of Novell's Password Sync requires that the domain name be different from the NDS tree name. As noted above, our domain and tree share the name PROD, so we cannot implement the Password Sync option without changing either the domain name or the NDS tree name.

Neither option is desirable: our NT environment is used for applications, while our NDS environment is used for file, print, application (ZENworks), and e-mail (GroupWise) services. Changing either name would require extensive planning and testing and a long implementation period.

The Solution:

By implementing the AD DirXML driver and Password Sync Option on the PROD domain and PROD-MASTER tree, we fulfill the requirement of having unique domain and NDS tree names.

By using either a password-changing web interface or MMC (Microsoft Management Console) to change the password of a user's DOMAIN account, the Password Sync filter detects the change and updates both the DOMAIN password and the PROD-MASTER user's password.

Once the password is changed on the PROD-MASTER tree, specialized DirXML filters/coding propagate the user's CN and the public and private keys associated with the user back into the PROD production tree. These keys are what NDS uses to authenticate users to the network.

What changes?

Since the initial design of the AD DirXML driver, we have been planning to create a one-to-one relationship between the current NDS user objects and the DOMAIN/AD accounts. So, each current NDS user will need to have a corresponding DOMAIN/AD account as well. However, about 95% of our users will never use their domain account. All of our domain accounts are stored in one OU in AD.

When a PROD NDS user password needs to be reset, the reset will need to be done via one of the following:

  1. Microsoft Management Console on the PROD Domain/AD
  2. ConsoleONE attached to the PROD-MASTER tree from a computer that is a member of the domain (with the user having password reset rights in both the AD/Domain and NDS environments)
  3. Web-Based utility that resets the AD/Domain and/or NDS accounts

Please note that GroupWise password resets must still be done via ConsoleONE on the PROD tree. GroupWise passwords are different from NDS passwords. The procedures used today to change GroupWise passwords will still be used.

If the user's password is reset on the PROD tree via ConsoleONE, the password will not propagate to the PROD domain, since no Password Sync filter/drivers are installed on the PROD tree. It will, however, propagate to the PROD-MASTER tree (the filters are properly set up on the DirXML eDirectory publisher and subscriber channels, using SSL).

One advantage in changing the password via MMC or a web-based AD password changer is that the user need not be aware of their context within the corresponding NDS environment. Since DirXML associations exist between the AD and the NDS accounts, passwords are reset on the correct NDS/AD accounts (we don't allow duplicate CN names to exist in any of our AD or NDS OUs).

Also, for complete coverage with regards to password changes, ALL user computers MUST have the latest Novell Client.

Password Change Scenarios:

Each scenario below lists the result and any change in procedure.

  1. Scenario: Password is changed by the user (with Novell Client installed) and the computer is NOT a member of the domain.
     Result: By default, the password is changed in the PROD tree and on the local workstation; then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD-MASTER tree. The PROD domain does NOT get updated.
     Change in Procedure: None. Not having the domain password in sync with the PROD tree is not a factor, since the user does not log into the PROD domain. However, if the computer does become a member of the domain, a password reset will need to be done.

  2. Scenario: Password is changed by the user (with Novell Client installed) and the computer IS a member of the domain.
     Result: By default, the password is changed in the PROD tree and the PROD domain. Then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD-MASTER tree. Because the PROD domain password changes, the Password Sync filter also changes the password on the PROD-MASTER tree.
     Change in Procedure: None. All resources (PROD tree and domain, as well as the PROD-MASTER tree) are changed.

  3. Scenario: Password for an NDS account is changed by an admin using ConsoleONE on the PROD tree (non-active domain user). The admin computer may or may not be a member of the domain.
     Result: By default, the password is changed in the PROD tree and on the local workstation (via ZEN's DLU); then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD-MASTER tree. The PROD domain does NOT get updated.
     Change in Procedure: None. Not having the domain password in sync with the PROD tree is not a factor, since the user does not log into the PROD domain even though they have a corresponding domain account. However, if the computer does become a member of the domain, a password reset will need to be done.

  4. Scenario: Password for an NDS account is changed by an admin using ConsoleONE on the PROD tree (active domain user, and the user's computer is a member of the domain). The admin computer may or may not be a member of the domain.
     Result: By default, the password is changed in the PROD tree and then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD-MASTER tree. The PROD domain does NOT get updated.
     Change in Procedure: The password needs to be reset on the domain account via MMC or another tool. Under this scenario the passwords will NOT be in sync, leaving the user with different passwords for the PROD tree and the domain.

  5. Scenario: Password for a PROD domain account is changed by an admin using MMC (non-active domain user).
     Result: The password is changed in AD and the Password Sync filter changes the password on the PROD-MASTER tree. Then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD tree. Users are allowed to log into their local workstation (and its password is changed as well) because of ZEN's DLU.
     Change in Procedure: None. All resources (PROD tree and domain, as well as the PROD-MASTER tree) are changed.

  6. Scenario: Password for a PROD domain account is changed by an admin using MMC (active domain user, and the user's computer is a member of the domain).
     Result: The password is changed in AD and the Password Sync filter changes the password on the PROD-MASTER tree. Then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD tree.
     Change in Procedure: None. All resources (PROD tree and domain, as well as the PROD-MASTER tree) are changed.

  7. Scenario: Password for a PROD domain account is changed by an admin using a web-based tool (non-active domain user).
     Result: The password is changed in AD and the Password Sync filter changes the password on the PROD-MASTER tree. Then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD tree. Users are allowed to log into their local workstation (and its password is changed as well) because of ZEN's DLU.
     Change in Procedure: None. All resources (PROD tree and domain, as well as the PROD-MASTER tree) are changed.

  8. Scenario: Password for a PROD domain account is changed by an admin using a web-based tool (active domain user, and the user's computer is a member of the domain).
     Result: The password is changed in AD and the Password Sync filter changes the password on the PROD-MASTER tree. Then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD tree. Users are allowed to log into their local workstation (and its password is changed as well) because of ZEN's DLU.
     Change in Procedure: None. All resources (PROD tree and domain, as well as the PROD-MASTER tree) are changed.

  9. Scenario: Password for a PROD domain account is changed from a domain member computer with only the "Client for Microsoft Networks" installed (active domain user, the user's computer is a member of the domain, and no Novell Client is installed).
     Result: The password is changed in AD and the Password Sync filter changes the password on the PROD-MASTER tree. Then, via the DirXML eDirectory driver, the public and private keys are propagated to the PROD tree. Users are allowed to log into their local workstation (and its password is changed as well) because of ZEN's DLU.
     Change in Procedure: None. All resources (PROD tree and domain, as well as the PROD-MASTER tree) are changed.
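The scenario table can be checked against the sync paths the article describes with a small model of the topology. This is an added example, not Novell's code or part of the original article; the store labels AD, MASTER and PROD, the tool labels, and the function names are my own, and out_of_sync() returns the stores left holding the old password after a change.

```python
"""Added example (not Novell's code): a model of the password sync topology
this article describes. Store and tool names below are my own labels."""

# One-way sync paths from the article: (source, target, mechanism). The
# eDirectory driver between PROD-MASTER and PROD runs on both the publisher
# and subscriber channels, so it appears twice. There is deliberately no
# path from PROD to AD: the PROD tree has no Password Sync filter installed.
SYNC_PATHS = [
    ("AD", "MASTER", "Password Sync filter"),
    ("MASTER", "PROD", "DirXML eDirectory driver (public/private keys)"),
    ("PROD", "MASTER", "DirXML eDirectory driver (public/private keys)"),
]
ALL_STORES = frozenset({"AD", "MASTER", "PROD"})


def direct_writes(tool, workstation_in_domain=False):
    """Stores written directly by each change method named in the article."""
    if tool == "novell_client":
        # The Novell Client writes the PROD tree, and the domain only when
        # the workstation is a domain member.
        return {"PROD", "AD"} if workstation_in_domain else {"PROD"}
    if tool == "consoleone_prod":
        return {"PROD"}
    if tool in ("mmc", "web_ad_tool", "ms_client_only"):
        return {"AD"}
    raise ValueError(f"unknown tool: {tool}")


def propagate(initial):
    """Transitive closure over SYNC_PATHS from the directly written stores.
    Returns (updated stores, hops taken as (src, dst, mechanism))."""
    updated, hops = set(initial), []
    changed = True
    while changed:
        changed = False
        for src, dst, how in SYNC_PATHS:
            if src in updated and dst not in updated:
                updated.add(dst)
                hops.append((src, dst, how))
                changed = True
    return updated, hops


def out_of_sync(tool, workstation_in_domain=False):
    """Stores still holding the OLD password after a change made with `tool`."""
    updated, _ = propagate(direct_writes(tool, workstation_in_domain))
    return ALL_STORES - updated
```

Running out_of_sync("consoleone_prod") reproduces scenario 4: only AD is left stale, which is why that row is the one requiring a manual domain reset.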
