5.1 Overview

Identity Manager provides bidirectional password synchronization by taking advantage of Universal Password and of connected system support for publishing or subscribing to passwords.

As with other attributes for a user account, you can choose your authoritative data sources.

5.1.1 Overview of Passwords

NDS® passwords, Simple passwords, Distribution passwords, and Universal passwords are used for different purposes. In previous versions of eDirectory™ and Identity Manager, connected systems could update only the NDS password, in a one-way synchronization.

Identity Manager uses Universal Password, which is a reversible password that can be synchronized with the other Identity Vault passwords. Universal Password was introduced in eDirectory 8.7.1, and is protected by three layers of encryption.

NMAS™ controls the relationship between Universal Password and the other Identity Vault passwords. For example, NMAS controls whether Universal Password is kept synchronized with NDS Password, Simple Password, or Distribution Password. NMAS intercepts incoming requests to change passwords and handles them according to settings in NMAS password policies.

Identity Manager uses the Distribution Password to control password synchronization between the Identity Vault and connected systems. Identity Manager implements certain password synchronization features using the Distribution Password, including bidirectional password synchronization policies between the Identity Vault and connected systems, password tunneling, and password check status on connected systems.

Like Universal Password, Distribution Password is protected by three layers of encryption, and is reversible.

In the NMAS password policy, you can specify whether the Distribution Password should be the same as the Universal Password. (The setting is Synchronize Distribution Password when setting Universal Password.) If the Distribution Password is the same as the Universal Password, and you choose to use bidirectional Password Synchronization with connected systems, keep in mind that you are using Identity Manager to extract the Universal Password from eDirectory and send it to other connected systems. You need to secure the transport of the password, as well as the connected systems it will be stored on. (See Section 7.0, Security: Best Practices.)

If the Distribution Password is not the same as the Universal Password (because you disable the setting in the NMAS password policy), you can “tunnel” passwords among connected systems that use the Distribution Password, without using or affecting the Universal Password or NDS Password. Keep in mind that tunneling synchronizes passwords among connected systems only. If enabled, tunneling does not set the Identity Vault/Universal password.

For more information on the various eDirectory passwords, see the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide. For examples of different ways of using password synchronization with Identity Manager, see Section 5.8, Implementing Password Synchronization.

5.1.2 What is Bidirectional Password Synchronization?

Bidirectional password synchronization is the combination of Identity Manager accepting passwords from the connected systems you specify, and distributing passwords to the connected systems you specify.

The ability to have bidirectional password synchronization with a particular connected system depends on what the connected system supports.

Some connected systems can accept new and modified passwords from Identity Manager, and can also provide the user's actual password to Identity Manager. These connected systems are the ones that support bidirectional password synchronization with Identity Manager:

  • Active Directory

  • Novell® eDirectory

  • Network Information Services (NIS)

  • NT Domain

For these connected systems, the user can change a password in one of the systems and have that password synchronized to the other systems through Identity Manager. However, if you are using Advanced Password Rules in your NMAS password policies, it's best to have users make password changes in the User Application self-service console. This is the best place for password changes because it lists all the rules that the user's password must comply with.

Because other connected systems can't provide the user's actual password, they can't support full bidirectional password synchronization. However, they can provide data that can be used to create passwords and send them to Identity Manager, by defining policies within the driver configuration.

Several other systems can accept passwords from Identity Manager, including setting an initial password for a new user, modifying a password, or both. See Section 5.2, Connected System Support for Password Synchronization.

5.1.3 Comparison of Password Synchronization 1.0 and Identity Manager Password Synchronization

Table 5-1 Comparison: Password Synchronization 1.0 and Identity Manager Password Synchronization

Each row of the table is listed below, with the entry for Password Synchronization 1.0 followed by the entry for Password Synchronization with Identity Manager 2 and 3.

Product delivery

  Password Synchronization 1.0: A product separate from Identity Manager.

  Password Synchronization with Identity Manager 2 and 3: Included with Identity Manager, not sold separately.

Platforms

  Password Synchronization 1.0:

    • Active Directory

    • NT Domain

    • eDirectory

  Password Synchronization with Identity Manager 2 and 3: Full bidirectional password synchronization is supported on these platforms:

    • Active Directory

    • eDirectory

    • NIS

    • NT Domain

  These connected systems support publishing user passwords to Identity Manager. Because Universal Password and Distribution Password are reversible, Identity Manager can distribute passwords to connected systems.

  Any connected system that supports the Subscriber password element can subscribe to passwords from Identity Manager.

  See Section 5.2, Connected System Support for Password Synchronization.

Password used in an Identity Vault

  Password Synchronization 1.0: NDS Password (non-reversible)

  Password Synchronization with Identity Manager 2 and 3: Universal Password (reversible), or Distribution Password (also reversible). The NDS password can also be kept synchronized, if desired. For example scenarios, see Section 5.8, Implementing Password Synchronization.

Main functionality for Windows connected systems

  Password Synchronization 1.0: To send passwords to Identity Manager so the Identity Vault password is synchronized with the Windows password. Because the NDS password is not reversible, passwords were not sent back to NT or AD.

  Password Synchronization with Identity Manager 2 and 3: To provide bidirectional password synchronization. Because Universal Password and Distribution Password are reversible, passwords can be synchronized in both directions.

LDAP changes

  Password Synchronization 1.0: Not supported.

  Password Synchronization with Identity Manager 2 and 3: Supported.

Novell® Client™

  Password Synchronization 1.0: Required.

  Password Synchronization with Identity Manager 2 and 3: Not required.

nadLoginName attribute

  Password Synchronization 1.0: Used for keeping passwords updated.

  Password Synchronization with Identity Manager 2 and 3: Not used.

The component that contains the password synchronization functionality

  Password Synchronization 1.0: The Identity Manager driver contained the functionality for updating nadLoginName.

  Password Synchronization with Identity Manager 2 and 3: Identity Manager policies in the driver configuration provide the password synchronization functionality. The driver simply carries out the tasks given by the metadirectory engine, which come from logic in the policies. The driver manifest, global configuration values, and driver filter settings must also support password synchronization. These are included in the sample driver configurations, or can be added to an existing driver. See Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.

Agents

  Password Synchronization 1.0: A separate piece of software.

  Password Synchronization with Identity Manager 2 and 3: No agents are installed; instead, the functionality is now part of the driver.

5.1.4 Features of Identity Manager Password Synchronization

Identity Manager Password Synchronization is bidirectional. Passwords can be sent from connected systems and accepted by Identity Manager, and passwords can be distributed by Identity Manager and accepted by connected systems.

Accepting Passwords from Connected Systems

As in previous versions of DirXML® and Identity Manager, any connected system can publish a password to the Identity Vault.

You can specify which connected system applications Identity Manager accepts passwords from. You can even choose whether Identity Manager updates the password for users in the same Identity Vault where Identity Manager is running, or whether Identity Manager simply acts as a conduit or “tunnel,” synchronizing passwords only between connected systems. This means that it is possible to keep the Identity Vault password separate from the password that Identity Manager distributes to connected systems, if desired.

Some connected systems (AD, other Identity Vaults, NT, and NIS) can provide the user's actual password, which means that when a user changes a password on a connected system, the change can be synchronized to Identity Manager and back out to other connected systems.

Other connected systems don't support providing the user's actual password, but you can configure them to provide to Identity Manager a password that is manufactured in a style sheet, such as an initial password based on last name or employee ID.

Distributing Passwords to Connected Systems

Identity Manager Password Synchronization can distribute a common password to connected systems.

In previous versions of Identity Manager, a driver could send passwords to Identity Manager from a user account on a connected system, and the password could be used to update the corresponding user in eDirectory. But because the NDS password in eDirectory is non-reversible, you couldn't push a password out from the central Identity Manager Identity Vault to multiple connected systems. You could obtain the eDirectory password only by capturing the password before it was stored in eDirectory, such as through the Novell Client.

The Universal Password provided by eDirectory 8.7.3 is reversible. It can be distributed.

Identity Manager can accept a password from a connected system. Because Universal Password is reversible, Identity Manager can distribute the password from the Identity Vault to connected systems that support setting initial passwords for new accounts and modifying a password.

Regardless of where the password comes from, Identity Manager uses the Distribution Password as the repository from which it distributes passwords to connected systems. The Distribution Password, like the Universal Password, lets you enforce password policies.

For information about using Universal Password and Distribution Password when synchronizing passwords, see Implementing Password Synchronization.

As with other attributes of a user, you can decide which systems are authoritative sources for passwords. Identity Manager distributes the passwords from the authoritative source to the other connected systems.

You can set up bidirectional password synchronization among connected systems that support it.

Enforcing Password Policies in the Data Store and on Connected Systems

By making calls to NMAS, Identity Manager can enforce password policies on incoming passwords. If the password being published from a connected system to Identity Manager does not comply, you can specify that Identity Manager not accept the password into the Identity Vault. This also means that passwords that don't comply with your policies are not distributed to other connected systems.

In addition, Identity Manager can enforce password policies on connected systems. If the password being published to Identity Manager does not comply with rules in a policy, you can specify that Identity Manager not only does not accept the password for distribution, but actually resets the noncompliant password on the connected system by using the current Distribution Password in the Identity Vault.

For example, suppose you want to require passwords to include at least one numeric character, but the connected system cannot itself enforce such a policy. You specify that Identity Manager resets passwords that flow from the connected system but do not comply with the rules in the policy.

If you are using Advanced Password Rules and Identity Manager Password Synchronization, we recommend that you research the password policies for all the connected systems to make sure that the Advanced Password Rules in the eDirectory password policy are compatible. This research helps ensure that passwords are synchronized successfully.

Keep in mind that the users who are assigned NMAS password policies must match the users you want to participate in Password Synchronization for connected systems.

NMAS password policies are assigned with a tree-centric perspective. In contrast, Password Synchronization is set up per driver. Also, drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica. To get the results you expect from Password Synchronization, make sure the containers that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.

For information about how NMAS password policies are assigned to users, see “Assigning Password Policies to Users” in the Password Management Administration Guide.

Scenarios for Synchronizing Passwords

Identity Manager enables you to specify which systems should be authoritative sources for passwords. Also, you decide how you want passwords to flow.

Much of the functionality of Identity Manager Password Synchronization relies on Universal Password, the reversible password functionality provided by the Identity Vault. However, some scenarios don't require you to deploy Universal Password.

Identity Manager Password Synchronization also relies on the Distribution Password. As with Universal Password, a policy can be enforced on the Distribution Password.

For basic ways that you can implement password synchronization, see Implementing Password Synchronization. You can combine these scenarios to meet the needs of your environment.

Synchronizing Passwords on Windows without the Novell Client

A Novell Client is no longer required for password synchronization with Active Directory and NT Domain.

Notifying Users of Password Synchronization Failures

The Enforcing Password Policies in the Data Store and on Connected Systems section explains that Identity Manager can enforce password policies by not accepting (from connected systems) passwords that don't comply.

Using the e-mail notification feature, you can specify that Identity Manager notify the user when a password change that the user made was not successful.

Scenario. You have set Identity Manager to not accept an incoming password from NT Domain if it doesn't comply with your password policy. You have enabled e-mail notification. One rule in your NMAS password policy specifies that the company name can't be used as a password. A user changes the password on the NT Domain connected system to be the company name. NMAS does not accept the password, and Identity Manager sends an e-mail message to the user stating that the password change was not synchronized.

Before you can use this feature, you must set up the e-mail server and templates. You can customize the following:

  • The text of the messages that Identity Manager sends

  • The notification, so that a copy is also sent to the administrator

For more information, see Configuring E-Mail Notification.
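The publish-side decisions described in the policy enforcement and notification sections above, as a simplified model added here for illustration. It is not Identity Manager code: the Settings fields, the publish function, the company name Acme and the sample passwords are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Settings:                          # hypothetical names for the choices the text describes
    enforce_policy: bool = True          # do not accept non-compliant incoming passwords
    reset_noncompliant: bool = False     # reset the source system from the Distribution Password
    notify_user: bool = False            # e-mail the user when a change is not synchronized
    update_vault_password: bool = True   # False models tunneling: Universal Password untouched

@dataclass
class Vault:                             # toy stand-in for one user's Identity Vault passwords
    universal_pw: str
    distribution_pw: str

def complies(pw: str, company: str = "Acme") -> bool:
    """Constructed policy: at least one numeric character, and not the company name."""
    return any(c.isdigit() for c in pw) and pw.lower() != company.lower()

def publish(vault: Vault, source: str, new_pw: str, connected: list, s: Settings) -> list:
    """Handle a password published by `source`; return the resulting actions.

    Actions carry system names only, never the password value, so they are safe to log.
    """
    actions = []
    if s.enforce_policy and not complies(new_pw):
        actions.append("reject")                 # not accepted, so never distributed
        if s.reset_noncompliant:
            actions.append(f"reset:{source}")    # source gets the current Distribution Password
        if s.notify_user:
            actions.append("email:user")
        return actions
    vault.distribution_pw = new_pw               # repository used for distribution
    if s.update_vault_password:
        vault.universal_pw = new_pw
    actions += [f"set:{name}" for name in connected if name != source]
    return actions

if __name__ == "__main__":
    systems = ["NT Domain", "Active Directory", "NIS"]
    v = Vault("Old1pass", "Old1pass")
    # The e-mail scenario above: company name used as the password on NT Domain.
    print(publish(v, "NT Domain", "Acme", systems, Settings(notify_user=True)))
    # Tunneling: only the Distribution Password and the other systems change.
    print(publish(v, "Active Directory", "Winter2024x", systems,
                  Settings(update_vault_password=False)))
```

With update_vault_password left at True, every accepted password from a connected system also becomes the Universal Password, which is the case where transport and connected-system storage need the most protection.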

Checking the Password Synchronization Status for a User

Identity Manager enables you to query connected systems to check a user’s password synchronization status. If the connected system supports the check password feature, you can find out whether passwords are synchronizing successfully.

For information on how to check passwords, see Checking the Password Synchronization Status for a User.

For a list of which systems support checking passwords, see Connected System Support for Password Synchronization.

5.1.5 Overview Illustrations of Password Synchronization Flow

The following figure describes how connected systems publish passwords to Identity Manager.

Figure 5-1 How Connected Systems Publish Passwords to Identity Manager.

Diagram of password publishing to Identity Manager

The following figure describes how Identity Manager distributes passwords to connected systems.

Figure 5-2 How Identity Manager Distributes Passwords to Connected Systems

Diagram of Identity Manager distributing passwords to connected systems

5.1.6 How Figures Display

This documentation frequently uses figures in procedures to illustrate options in iManager. How the options actually display on your desktop depends on your browser.

For example, Internet Explorer displays iManager options by using tabs.

Figure 5-3 Tabs in iManager

However, the Firefox browser displays iManager options by using a drop-down list.

Figure 5-4 A Drop-Down List in iManager

In this documentation, figures are displayed as they appear in the Firefox browser.