5.2 Connected System Support for Password Synchronization

When a User object is created, Identity Manager is always capable of accepting a password from a connected system, even if the connected system does not support providing the user's actual password from that system.

AD, NT, eDirectory, and NIS can accept a password from Identity Manager and also support sending the user's actual password to Identity Manager. This means they offer full support for bidirectional password synchronization.

When you define a policy within the driver configuration on the Publisher channel, other systems can provide data that can be used to create passwords. The example driver configurations for most of the drivers include an example policy that provides a default password based on Surname.

Connected systems have varying abilities to accept a password from Identity Manager. Some connected systems support setting an initial password for new accounts, but not Password Modify events.

The capabilities of the sample driver configurations are noted in the driver manifest. The following tables provide additional information that is not in the driver manifest: they indicate whether an application accepts an initial password for a new account, as distinct from whether it can accept a modification to an existing password. The manifest indicates only that the connected system is capable of accepting a password and does not show this distinction.

Drivers are grouped so that you can see which sample driver configurations have similar abilities.

5.2.1 Systems That Support Bidirectional Password Synchronization

The following connected systems support bidirectional password synchronization. They can provide the user's actual password on the connected system, and accept passwords from Identity Manager.

Table 5-2 Systems that Support Bidirectional Password Synchronization

Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (Sync) Password
------------------------|-----|-----|-----|-----
Active Directory        | Yes | Yes | Yes | Yes
eDirectory (1)          | Yes | Yes | Yes | Yes
NT Domain               | Yes | Yes | No  | Yes
NIS                     | Yes | Yes | Yes | Yes
SIF                     | Yes | Yes | No  | Yes

(1) Between Identity Vault trees, you can have bidirectional password synchronization for users even if Universal Password is not enabled for those users. See Section 5.8.2, Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults.

5.2.2 Systems That Accept Passwords from Identity Manager

The following connected systems can accept passwords from Identity Manager to some degree. They can't provide a user's actual password on the connected system to Identity Manager.

Although they can't provide the user's actual password, they can be configured to create a password by using a policy on the Publisher channel, based on other user data in the connected system. (The sample driver configurations demonstrate a default password based on the surname.)

Table 5-3 Systems That Accept Passwords from Identity Manager

Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (Sync) Password
------------------------|---------|---------|---------|--------
GroupWise               | Yes     | Yes     | No      | No (2)
JDBC                    | Yes (3) | No (4)  | No      | No (5)
LDAP                    | Yes (6) | Yes (6) | Yes     | No
Notes                   | Yes     | Yes (7) | Yes (7) | No
SAP User Management     | Yes     | Yes     | No      | No

(2) GroupWise supports two authentication methods:

  • GroupWise provides its own authentication and maintains user passwords.

  • GroupWise authenticates against eDirectory using LDAP and does not maintain passwords.

    When you use this option, GroupWise ignores driver-synchronized passwords.

(3) The ability to set an initial password is available on all databases where the OS user account is distinct from the database user account, such as Oracle*, MS SQL, MySQL*, and Sybase*.

(4) The Identity Manager Driver for JDBC can be used to modify a password on the connected system, but that feature is not demonstrated in the sample driver configuration.

(5) Passwords can be synchronized as data when they are stored in a table.

(6) Only if the target LDAP server allows setting the userpassword attribute.

(7) The Notes driver can accept a password modification and check passwords only for the HTTPPassword field in Lotus Notes.

5.2.3 Systems That Don’t Accept or Provide Passwords

The following connected systems can't accept passwords or provide a user's password on the connected system using the sample driver configuration.

Although they can't provide the user's password to Identity Manager, they can be configured to create a password by using a policy on the Publisher channel, based on other user data in the connected system. (The sample driver configurations demonstrate a default password based on surname.)
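The Publisher channel creation rule that Section 5.2 and the two preceding paragraphs describe, written out as an added example in DirXML Script (not copied from any shipped driver configuration): it sets the Identity Vault password from the Surname attribute on a User add event, but only when the connected system supplied no password of its own, so a real password from a system in Table 5-2 is never overwritten. Element names follow the DirXML Script policy language; check them against the policy DTD of your Identity Manager version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Publisher channel creation rule that supplies a default
     password when the connected system did not send one with the add event.
     Not taken from a shipped sample driver configuration. -->
<policy>
  <rule>
    <description>Default password is Surname when none is provided</description>
    <conditions>
      <and>
        <!-- Only User objects being created through the Publisher channel -->
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <!-- Surname must be present in the add event to build a value from it -->
        <if-op-attr name="Surname" op="available"/>
        <!-- Do not replace a real password the connected system supplied
             (AD, NT Domain, eDirectory, NIS and SIF can provide one) -->
        <if-password op="not-available"/>
      </and>
    </conditions>
    <actions>
      <!-- Set the destination (Identity Vault) password from the Surname value
           carried in the current operation -->
      <do-set-dest-password>
        <arg-string>
          <token-op-attr name="Surname"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
</policy>
```

A surname-derived value is a placeholder, not a secret, since the surname is readable directory data; apply a password policy that requires the user to change it at first login.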

Table 5-4 Systems That Don’t Accept or Provide Passwords

Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (Sync) Password
------------------------|--------|--------|--------|-------
Delimited Text          | No (8) | No (8) | No (8) | No (8)
Exchange 5.5            | No     | No     | No     | No
PeopleSoft 3.6          | No     | No     | No     | No
PeopleSoft 4.0          | No     | No     | No     | No
SAP HR                  | No     | No     | No     | No

(8) The Identity Manager Driver for Delimited Text does not have features in the driver shim that directly support Password Synchronization. However, the driver can be configured to handle passwords, depending on the connected system you are synchronizing with.

5.2.4 Systems That Don’t Support Password Synchronization

The following connected systems are not intended to be used with password synchronization.

Table 5-5 Systems That Don’t Support Password Synchronization

Connected System Driver         | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (Sync) Password
--------------------------------|----|----|----|----
Avaya* PBX                      | No | No | No | No
Entitlements Service Driver     | No | No | No | No
GenericLoopBack Service Driver  | No | No | No | No
Manual Task Service Driver      | No | No | No | No