Changing Passwords: LDAP, Identity Manager, and Active Directory
Novell Cool Solutions: Tip
Posted: 26 Jan 2005
Changing passwords? Easy. Changing passwords from an LDAP client? Um, easy, I guess. Replicating password changes through Active Directory? Hmmm ... A few of our Forum experts lend their thoughts on these questions recently posed by a reader ...
Reader: "Can an LDAP client modify the NDS password? We are planning on implementing the DirXML starter pack to synchronize two trees. One tree is going to be used for authentication to the DMZ from the Internet, using a 3rd-party appliance. The question I have been asked is this: if the user's NDS password has expired, can it be changed from the 3rd-party appliance and replicated to the other tree? I have the passwords syncing via DirXML currently, so it is just a matter of determining if the password can be changed with the LDAP client. (And the 3rd-party appliance having the capabilities as well, which I am looking into)."
Expert 1: Check out the following documents:
This deals with changing passwords after objects have been bulk imported into eDirectory, or where a user does not have sufficient rights to change passwords. The LDAP Server returns the error message - "insufficient access".
There is sample code here to help you change and set passwords using LDAP Java beans.
Expert 2: Assuming you are using NLDAP to change the eDir (RSA keypair) password, then DirXML (Identity Manager) will sync the changed RSA keypair to the other tree. This will work fine. If you were doing other kinds of password synchronization, such as with Active Directory, it would not be able to sync the changed password to the MAD driver. That's because it doesn't have the password to work with, it only has the RSA keypair. Things get more interesting when you involve Universal Password and IDM2.
Reader: "If AD were in the mix with DirXML (which could happen in the very near future), and if the password were changed in NDS, wouldn't it get replicated out to AD? The LDAP client would change the password in the DMZ tree, then DirXML would replicate this change to the production tree, and then the production tree would replicate this change to the AD. Is that correct?"
Expert 2: No. NLDAP will change the RSA public key and private key in the DMZ tree. DirXML will then sync the RSA public key and private key to the production tree. But note that there is no "password" in this case, so there's nothing left to send to the MAD (or any other) database as a password change.
The "password sync" part of DirXML is in two parts. First, there is a "password filter" that gets installed on your Domain Controllers (all) that will snag the clear text of the password from the Windows password change and sync it to eDir's RSA private/public key pair. Second, there is a Client32 hook that will snag the eDirectory password change prior to the RSA encryption and will send it over to an agent that can then use it to set the Windows password. Other password changes, such as LDAP, do not fall into either of these categories.
Now, if you go with Identity Manager 2, they have added significant functionality to the password syncing abilities. Server-side changes (NLDAP, etc.) are caught and synced, via the Universal and Distribution password stuff. You'll need to read up on Universal password and its configuration to take advantage of that.
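The LDAP-side change the thread is about, as an added example (this is not code from the tip, from Novell, or the Java bean sample Expert 1 refers to): a Python script that binds to the eDirectory LDAP server as the user over LDAPS, replaces that user's own userPassword, and maps the LDAP result code onto the outcomes discussed above, in particular the "insufficient access" case (result code 50). The live call assumes the third-party ldap3 library; the host name and DN are hypothetical. The LDIF builder and the result-code diagnosis are pure functions and run without a server; the LDIF can be fed to a stock ldapmodify if you prefer a command-line client.

```python
"""Self-service eDirectory password change over LDAP, with result diagnosis.

Added example, not part of the original tip. Assumptions: the third-party
`ldap3` library is installed for the live call (imported lazily so the pure
helpers below work without it); host and DN values are hypothetical.
"""
import base64
import ssl

# LDAP result codes from RFC 4511, section 4.1.9, that matter for a self-service change.
RESULT_NAMES = {
    0: "success",
    19: "constraintViolation",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def ldif_value(attr: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding when RFC 2849 requires it.

    A value is only SAFE if it is ASCII, contains no NUL/CR/LF, does not start
    with space, ':' or '<', and does not end with a space. Anything else uses
    the '::' form, so passwords with odd characters survive the round trip.
    """
    safe = (
        value.isascii()
        and not any(c in value for c in "\x00\r\n")
        and value[:1] not in (" ", ":", "<")
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def build_password_ldif(dn: str, new_password: str) -> str:
    """LDIF change record (for `ldapmodify`) replacing userPassword on one entry."""
    lines = [
        ldif_value("dn", dn),
        "changetype: modify",
        "replace: userPassword",
        ldif_value("userPassword", new_password),
        "-",  # closes the mod-spec, required by the RFC 2849 grammar
    ]
    return "\n".join(lines) + "\n"


def diagnose(code: int) -> str:
    """Map an LDAP result code to what it means for the password-change path."""
    hints = {
        0: ("userPassword replaced; per the thread, DirXML syncs the changed eDir "
            "credential to the other tree, but an AD driver still sees no clear text "
            "unless Universal Password (IDM2) is in play"),
        19: "new value rejected by a constraint; check the tree's password rules",
        49: "bind as the user failed, so the modify never ran; verify the current password",
        50: ("bind succeeded but the user cannot write its own userPassword; grant the "
             "right (the bulk-import case Expert 1 describes)"),
        53: ("server refused the operation; check password policy and whether the LDAP "
             "server requires TLS for password operations"),
    }
    name = RESULT_NAMES.get(code, f"resultCode {code}")
    return f"{name}: {hints.get(code, 'see RFC 4511 section 4.1.9')}"


def change_own_password(host: str, dn: str, current: str, new: str, port: int = 636) -> int:
    """Bind as `dn` over LDAPS and replace its userPassword. Returns the LDAP result code."""
    import ldap3  # third-party, assumed; lazy so the pure helpers need no install

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)  # never send a password over an unverified channel
    server = ldap3.Server(host, port=port, use_ssl=True, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=dn, password=current, raise_exceptions=False)
    if not conn.bind():
        return conn.result["result"]  # typically 49: nothing further is possible
    try:
        conn.modify(dn, {"userPassword": [(ldap3.MODIFY_REPLACE, [new])]})
        return conn.result["result"]
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Constructed values: hypothetical DN and password, no server needed for this part.
    dn = "cn=jdoe,ou=users,o=acme"
    print(build_password_ldif(dn, "Tr0ub4dor&3"), end="")
    for code in (0, 49, 50, 53):
        print(diagnose(code))
    # Live use (hypothetical host):
    # print(diagnose(change_own_password("ldap.acme.example", dn, "OldPass1", "Tr0ub4dor&3")))
```

Run the live call as the user, not as admin: the point of the test is whether that user can change its own password, which is exactly what Expert 1's "insufficient access" case breaks.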
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com