Universal Passwords and Password Synchronization
Novell Cool Solutions: Feature
Posted: 13 Nov 2003
Editor's Note: You can download the current version of this Technical Brief here: IdMgrTechBrief.pdf
Novell Nsure Identity Manager, based on DirXML technology, provides a new opportunity for password synchronization within an enterprise. The password synchronization provided by Pass Sync 1.0 in DirXML allowed users to sync passwords from an Active Directory* or NT Domain environment to eDirectory. With the new capabilities provided by Universal Password in Novell eDirectory 8.7.1, passwords can be shared beyond eDirectory, through Identity Manager, with any other application that accepts having a password set.
System-Wide Password Changes
Novell Nsure Identity Manager 2.0 is registered with NMAS and accepts a password-change event regardless of the avenue by which the change enters eDirectory (LDAP, iManager, the Novell Client, etc.). Once Universal Password is enabled in your environment, password policies can be defined at different levels and then distributed to the connected systems defined through Identity Manager policies and connections.
Bi-directional Active Directory Passwords
For Active Directory and NT Domains, password synchronization takes on new meaning by becoming bi-directional. Password synchronization for these two sources, AD and NT, is now combined within the DirXML driver component of Identity Manager 2.0; bi-directional synchronization of passwords requires Universal Password and a password policy that has been defined and enabled.
Using Active Directory as an example, the driver is installed on one DC, and a password filter is installed on each of the participating DCs. The filter is distributed to the participating DCs and registered with the driver by a Control Panel applet that is installed and launched on the DC where the driver is installed. Data replicates among the DCs in the domain and eventually reaches the domain controller being monitored by the AD driver, from which it is synced with Novell eDirectory via DirXML technology. Caching mechanisms are in place at both the filter and the driver interface points in order to guarantee delivery of the password should connectivity be temporarily suspended.
When a password is changed on a participating DC, the filter captures the password, encrypts it, and notifies the driver over an RPC connection. Encryption of the password in transit is handled by Microsoft's RPC transport mechanism and is outside the control of Novell's implementation. The driver then synchronizes this password to eDirectory via the Novell DirXML driver. The driver can be configured to update the NDS password, as it does today, or, via a management console, to update the Universal Password. If Universal Password is selected, the password can then be distributed to any other application that subscribes to receiving a password via DirXML. Thus the password can flow from Active Directory to eDirectory to Lotus Notes*, and so on, through DirXML drivers, with password flow enabled and configured through Identity Manager policies.
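To make the flow in the two paragraphs above concrete, here is a small Python model (added for this article, not Novell's code) of the store-and-forward path: the filter on a participating DC caches a captured change until its RPC link to the driver is up, the driver caches until DirXML can reach eDirectory, and only a Universal Password update is fanned out to subscribing applications. The class names, the "Lotus Notes" subscriber, the user "jdoe" and the sample password are assumptions constructed for the model.

```python
from collections import deque
from types import SimpleNamespace

class Stage:
    """Store-and-forward hop (filter on a DC, or the driver): cache each password
    event until the outbound link is up, then hand it to the next hop."""
    def __init__(self, link, forward):
        self.link, self.forward, self.cache = link, forward, deque()
    def submit(self, user, enc):
        self.cache.append((user, enc))
        self.flush()
    def flush(self):
        while self.cache and self.link.up:
            self.forward(*self.cache.popleft())

class EDirectory:
    """Updates either the NDS password or the Universal Password; only the latter
    is fanned out to subscribing DirXML drivers."""
    def __init__(self, use_universal):
        self.use_universal = use_universal
        self.nds, self.universal, self.subscribers = {}, {}, {}
    def set_password(self, user, enc):
        if not self.use_universal:
            self.nds[user] = enc
            return
        self.universal[user] = enc
        for app in self.subscribers.values():
            app[user] = enc

def build(use_universal, rpc_up):
    """Wire filter -> RPC -> driver -> DirXML -> eDirectory (constructed topology)."""
    edir = EDirectory(use_universal)
    edir.subscribers["Lotus Notes"] = {}          # hypothetical subscribing application
    rpc, dirxml = SimpleNamespace(up=rpc_up), SimpleNamespace(up=True)
    driver = Stage(dirxml, edir.set_password)     # driver on the monitored DC
    filt = Stage(rpc, driver.submit)              # filter on a participating DC
    return filt, rpc, edir

def simulate(use_universal, rpc_down_at_change):
    """One password change; 'jdoe' and 's3cret' are constructed sample values."""
    filt, rpc, edir = build(use_universal, rpc_up=not rpc_down_at_change)
    # Stand-in for the encryption the brief attributes to Microsoft's RPC transport.
    filt.submit("jdoe", "enc(s3cret)")
    cached = len(filt.cache)                      # 1 if the RPC link was down, else 0
    rpc.up = True
    filt.flush()                                  # connectivity resumes, cache drains
    return {"cached": cached, "nds": edir.nds, "universal": edir.universal,
            "notes": edir.subscribers["Lotus Notes"]}
```

Running `simulate(True, True)` shows the change held in the filter cache while the RPC link is down and, once the link returns, landing in both the Universal Password store and the subscriber; `simulate(False, False)` updates only the NDS password and nothing is fanned out.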
Novell uses only published Microsoft* APIs in all connectivity with Microsoft products. Thus appropriate administrator rights must be granted to the Active Directory driver in order for it to interface with Microsoft's APIs and participate in event processing. Microsoft uses NetBIOS and WINS to communicate between domain controllers. Novell Nsure Identity Manager currently requires this configuration, as it matches our current test environments. DNS may be an alternative configuration approach; however, at this time Novell has not verified its operability with Identity Manager 2.0. Please look for a future brief or announcement regarding support for a DNS configuration. Whether or not auditing is enabled on Microsoft products has no bearing on Novell Nsure Identity Manager's ability to synchronize data with Active Directory, including passwords.
How Universal Password participates with other password management features is a further topic. When the Universal Password is updated, whether through a Novell Nsure Identity Manager 2.0 console, directly in eDirectory, or via DirXML (e.g., coming from AD as described above), the password element is delivered to DirXML, which can then send it, encrypted, to the receiving application (e.g., Active Directory).
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com