Novell Home

Keeping the Forest in Synch

Novell Cool Solutions: Tip

Digg This - Slashdot This

Posted: 12 Aug 2004
 

Novell® DirXML® Password Synchronization for Windows is designed to synchronize passwords between any number of Microsoft Active Directory or NT domains and a single Novell eDirectoryTM tree. With the growing popularity of deploying multiple eDirectory trees using DirXML, there is a need to expand password synchronization to a collection of trees. You can find all the details in TID 10086340.

Scenario and Solution

A typical multi-tree deployment has a corporate tree and a workforce tree where synchronization to the Microsoft domain is driven through the workforce tree. Novell Password Synchronization for Windows is installed between the workforce tree and Active Directory.

In this scenario, a problem occurs for password synchronization when passwords are changed in the corporate tree. Users in the corporate tree are associated with the workforce tree but there is no direct link to the Active Directory account, and there is no information in the corporate tree about PasswordSync Agents servicing Active Directory. Because of this, the Novell ClientTM is unable to push a password change to a PasswordSync Agent for synchronization to Active Directory.

The solution is to use the eDirectory driver to populate the corporate tree with the information needed by PasswordSync, and to install PasswordSync Agents into the corporate tree to communicate changes between the corporate tree and participating domains.

Installation

Download the file PWDSCH.EXE from Novell's web site. The file contains the schema files that will allow you to extend the schema for the corporate to install PasswordSync.

Extending the Schema for Password Synchronization

PasswordSync requires the addition of three objects in your eDirectory schema: nadPwdSync, nadPwdProvider, and nadDomain. These objects already exist in the workforce tree that is set up for password synchronization with domains. The corporate tree schema must also be extended to include these objects.

To extend the schema for password synchronization by using the INSTALL.DLM:

  1. Copy PWDSYNC.SCH to a network directory.
  2. Load INSTALL.DLM.
  3. Select Install Additional Schema Files.
  4. Log in to the corporate tree using an account with administrative rights, then choose the PWDSYNC.SCH schema file.

The objects necessary for password synchronization are now available for use by the DirXML drivers.

Configuring the eDirectory Drivers for Password Synchronization

Tree-to-tree synchronization requires a DirXML driver for each eDirectory tree. You need to configure both eDirectory drivers as explained in the steps outlined in the next two sections.

Editing the Workforce Tree's eDirectory Driver
  1. Using ConsoleOne®, log in to the workforce tree and locate the DirXML eDirectory driver.
  2. Edit the driver's subscriber filter to include the nadDomain object with attribute dc and the additional User object attribute nadLoginName, as explained in the following steps.
  3. Right-click the subscriber object and click Properties.
  4. Select the DirXML tab > Filter and click Edit Filter.
  5. In the Classes column, mark nadDomain. In the Attributes column, mark dc. Click OK.
  6. Select User in the classes column and click Edit Filter.
  7. In the top right corner, mark Show All Attributes from All Classes. In the Attributes column, mark nadLoginName. Click OK.

The subscriber filter is ready for password synchronization.

Editing the Corporate Tree's eDirectory Driver

In this task, you will edit the driver's publisher filter to include the nadDomain object with attribute dc and the additional User object attribute nadLoginName.

  1. Using ConsoleOne, log in to the corporate tree and locate the DirXML eDirectory driver.
  2. Right-click the publisher object and click Properties.
  3. Select the DirXML tab > Filter and click Edit Filter.
  4. In the Classes column, select nadDomain. In the Attributes column, select dc. Click OK.
  5. Select User in the Classes column and click Edit Filter.
  6. In the top right corner, select Show All Attributes from All Classes.
  7. In the Attributes column, select nadLoginName and click OK.

Appending a new Publisher Create Rule

  1. Open the existing Publisher Create rule.
  2. Click Append New Rule.
  3. In the description field, enter any descriptive text, such as Password Sync, and click Next.
  4. Select nadDomain from the class list and click Next.
  5. Do not match any attributes. Click Next.
  6. Click Edit Required Attributes List and select dc. Click OK.
  7. Do not enter a DN template. Click Finish.

The style sheet equivalent is as follows:

<!-- Adds a nadDomain object when a dc attr is available -->
   <xsl:template match="add[@class-name='nadDomain']".>
    <xsl:if test="add-attr[@attr-name='dc'] ">
      <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
      </xsl:copy>
    </xsl:if>
  </xsl:template>

Appending a New Publisher Placement Rule

  1. Open the existing Publisher Placement rule.
  2. Click Append New Rule.
  3. In the description field, enter any descriptive text, such as Password Sync, then click Next.
  4. Select nadDomain from the class list and click Next.
  5. Do not match path prefixes. Click Next.
  6. Do not match attributes. Click Next.
  7. Click Append New Item to place nadDomain objects in the eDirectory driver container. With Data selected, enter the full name of the corporate tree driver followed by a slash and click OK.

For example, type

\Corporate_Tree\MyOrg\DirXML\DriverSet\eDirDriver\

Click Append New Item. Deselect Data and then under the Copy section below, select Name. Click OK.

The style sheet equivalent is as follows:

<xsl:template match="add[@class-name='nadDomain' and add-attr[@attr-name='dc']]">
   <xsl:copy>
     <xsl:attribute name="dest-dn">
       <xsl:value-of
select="concat('\Corporate_Tree\MyOrg\DirXML\DriverSet\eDirDriver\',add-attr[@attr-name='dc']/value)"/>
     </xsl:attribute>
     <!-- Copy the rest of the <add> attributes and content -->
     <xsl:apply-templates select="@*|node()"/>
   </xsl:copy>
</xsl:template>

The corporate tree's eDirectory driver is ready for password synchronization.

Migrating PasswordSync Data

After the corporate tree can accept PasswordSync data for users participating in password synchronization, you should force an update of these user objects from the workforce tree that is participating in password synchronization. You should add the workforce tree's nadDomain objects to the corporate tree.

To migrate PasswordSync data from the workforce tree to the corporate tree:

  1. In ConsoleOne, right-click the DirXML-Driver Set object holding the workforce tree's eDirectory driver.
  2. Click Properties > DirXML-Drivers.
  3. Select the eDirectory driver.
  4. Click Migrate from NDS and click Add.
  5. Select nadDomain and click OK.
  6. Select users and click OK.

The corporate tree is updated with information necessary for the PasswordSync service to run.

Installing PasswordSync into the Corporate Tree

You need to install a PasswordSync Agent to direct password communication between your corporate tree and Active Directory Domains. The PasswordSync Agent should be installed on a computer running Windows 2000 or Windows NT4 SP6. This computer should not be hosting an agent already. NOTE: This computer does not have to be hosting eDirectory, but must at least have a Novell Client and connectivity to both the Active Directory domains and the corporate tree between which passwords will be synchronized.

To install PasswordSync:

  1. Log in to eDirectory as Administrator or equivalent.
  2. Log in to the local Windows computer as Administrator or equivalent.
  3. Run Install\Setup.exe and continue through the Welcome screen.
  4. Select the components you want to install and click Next.
  5. You can install the the Password Synchronization Service, the PasswordSync Snap-in for ConsoleOne, or both. The snap-in can be installed on the same computer where the agent is installed, or on any computer that is convenient for administrative access. NOTE: If you select only the snap-in, files are copied and the installation program finishes.

  6. Confirm your selections by clicking Next.
  7. In the PasswordSync Setup dialog box, select a domain and select the eDirectory DirXML driver.
  8. NOTE: If you type the name of an NT 4 domain rather than browse to it, you must enter the name in uppercase. This requirement is for NT 4 domain names only; Active Directory domain names are not required to be uppercase. You must enter a domain name. Entering an IP address will not work. If the domain is in another tree/ forest the computer on which the Password Sync Agent is being installed must be configured with the address of a WINS server in the target tree/forest.

  9. Enter the name for the new PasswordSync object and the context where it should be placed.
  10. The default object name is the name of the server where you are installing PasswordSync, followed by -pwdsync.

    The default context is that of the container holding the DirXML DriverSet object.

  11. Select the container for which PasswordSync will be assigned as a trustee.
  12. The PasswordSync Agent needs the rights to manage passwords in eDirectory and to read the DirXML drivers that control the domains being synchronized. The installation program lets you select a container high enough in the tree to span all objects that the agent needs to access.

    If you want to make narrower rights assignments, see TID 10086340 on how to use ConsoleOne to add the agent's eDirectory object as a trustee with rights.

  13. Install a password filter by selecting domain contollers from those listed and click Add.
  14. IMPORTANT: Even though Password Filters may have been installed on the domain controllers when the PasswordSync Agent was installed in the workforce tree, the Password Filters must be installed again from the PasswordSync Agent in the corporate tree because configuration information is written to eDirectory during this process.

    Because any domain controller can process a password change request, a filter must be installed on each Active Directory Domain Controller and each NT Primary Domain Controller. You should also install a filter on each NT Backup Domain Controller that could be promoted to a Primary Domain Controller.

    If you have several domain controllers, Novell recommends that you install filters on a few controllers at a time. This will minimize the impact of rebooting many domain controllers at once and will expedite your initial installation. Remote domain controllers will be rebooted automatically when installation is complete. You must reboot the local domain controller manually after installation is complete.

  15. Click Finish.

PasswordSync installation is complete.

Validating Password Synchronization

After PasswordSync is set up, check to make sure that a password change in your corporate tree is synchronized to Active Directory. From the Novell Client, clear all NetWare connections except the connection to your corporate tree, as follows:

  1. Right-click the red N icon in the system tray and then click NetWare Connections.
  2. Select all trees other than the corporate tree and click Detach.

Clear all domain connections, as follows:

  1. At the command prompt, enter net session.
  2. For each session in the list, type net session \\computer-name /DELETE

Then change the password from the Novell Client and verify that you can log in to Active Directory.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell