5.8 Implementing Password Synchronization

The Password Synchronization functionality provided in Identity Manager enables you to implement several different scenarios. This section outlines basic scenarios, to help you understand how the settings in Identity Manager Password Synchronization and NMAS password policies affect the way passwords are synchronized. You can use one or more of the scenarios to meet the needs of your environment.

5.8.1 Overview of Identity Manager’s Relationship to NMAS

Utilities and NMAS

Utilities such as iManager and the Novell Client communicate with NMAS rather than directly updating a specific password. NMAS is the entity that determines which passwords are updated.

NMAS synchronizes passwords within an Identity Vault, based on your settings in NMAS password policies.

Legacy utilities that are not Universal Password-enabled update the NDS password directly, instead of communicating with NMAS and letting NMAS determine which passwords are updated. Be aware of how users and help desk administrators use legacy utilities in your environment. Because legacy utilities update the NDS password directly instead of going through NMAS, password drift (Universal Password and NDS password get out of sync) can occur if you are using Universal Password and NMAS 2.3.

For example, to ensure support of Universal Password, make sure that users upgrade to the Novell Client, and make sure that help desk users use ConsoleOne only with the latest Novell Client or NetWare release.

Figure 5-5 Using NMAS to Synchronize Passwords

Utilities go through NMAS to update passwords, except for legacy utilities which update NDS password directly

Identity Manager and NMAS

Identity Manager controls the “entry point” (updating either Universal or Distribution Password directly). NMAS controls the flow of synchronizing passwords inside the Identity Vault.

In Scenario 1, the Identity Manager Driver for eDirectory can be used to update the NDS password directly. This scenario is basically the same as the one provided in DirXML 1.x.

In Scenario 2, Scenario 3, and Scenario 4, Identity Manager is used to update either Universal Password or Distribution Password. Identity Manager goes through NMAS to make password changes. This allows NMAS to update other Identity Vault passwords as determined by NMAS password policy settings, and allows NMAS to enforce Advanced Password Rules from NMAS password policies for passwords being synchronized with connected systems. In these scenarios, the password that Identity Manager distributes to connected systems is always the Distribution Password.

The difference between Scenario 2, Scenario 3, and Scenario 4 lies in the different combinations of NMAS password policy settings and Identity Manager Password Synchronization settings for each connected system driver.

5.8.2 Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults

As in Password Synchronization 1.0, you can synchronize NDS Password between two Identity Vaults by using the eDirectory driver. This scenario does not require Universal Password to be implemented, and can be used with eDirectory 8.6.2 or later. Another name for this kind of password synchronization is synchronizing the public/private key pair.

This method should be used only to synchronize passwords from Identity Vault to Identity Vault. It does not use NMAS and therefore cannot be used to synchronize passwords to connected applications.

Advantages and Disadvantages of Scenario 1

Table 5-11 Advantages: eDirectory to eDirectory Password Synchronization Using NDS Password

Advantages

  • Simple configuration. Just include the correct attributes in the driver filter.

  • If you are deploying Identity Manager and eDirectory 8.7.3 in stages, this method can help you deploy gradually:

    • You don't need to add the new password synchronization policies to driver configurations.

    • Does not require Universal Password to be implemented in the Identity Vault.

    • Can be used with connected vaults running eDirectory 8.6.2 or later.

    • Does not require NMAS 2.3.

  • Enforces the basic password restrictions you can set for NDS Password.

Disadvantages

  • This method synchronizes passwords between Identity Vaults. Passwords cannot be synchronized to other connected systems.

  • Does not update Universal Password or Distribution Password.

  • Because this method does not use NMAS, you can't validate passwords against Advanced Password Rules in password policies for passwords coming from another Identity Vault.

  • Because this method does not use NMAS, you can't reset passwords on the connected Identity Vault if the passwords don't comply with the NMAS password policy.

  • E-mail notifications are not provided for password synchronization failures.

  • Check Password Status operations from the iManager task are not supported. (Distribution Password is required for this feature.)

The following diagram shows that, as in DirXML 1.x, the Identity Manager Driver for eDirectory can be used to synchronize the NDS password between two Identity Vaults. This scenario does not go through NMAS.

Figure 5-6 Using NDS Password to Synchronize between Two Identity Vaults

Scenario 1

Setting Up Scenario 1

To set up this kind of password synchronization, configure the driver.

Universal Password Deployment

Not necessary.

Password Policy Configuration

None.

Password Synchronization Settings

None. The settings on the Password Synchronization page for a driver have no effect on this method of synchronizing NDS Password.

Driver Configuration

Remove the Password Synchronization policies listed in Section 5.3.4, Policies Required in the Driver Configuration. Those policies are intended to support Universal Password and Distribution Password. NDS Password is synchronized by using Public Key and Private Key attributes instead of these policies.

Make sure that the driver filter for both Identity Vault drivers is synchronizing the Public Key and Private Key attributes for all object classes for which passwords should be synchronized. The following figure shows an example.

Figure 5-7 Synchronizing the Private and Public Key Attributes

Private Key and Public Key set to Synchronize in the filter

Troubleshooting Scenario 1

5.8.3 Scenario 2: Using Universal Password to Synchronize Passwords

With Identity Manager, you can synchronize a connected system password with the Universal Password in the Identity Vault.

When Universal Password is updated, the NDS Password, Distribution Password, or Simple Password can also be updated, depending on your settings in the NMAS password policy.

Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Section 5.2, Connected System Support for Password Synchronization.

Advantages and Disadvantages of Scenario 2

Table 5-12 Advantages: Synchronizing by Using Universal Password

Advantages

  • Allows synchronization of passwords to and from the Identity Vault and the connected system.

  • Allows passwords to be validated against the NMAS password policy.

  • Allows e-mail notifications for failed password operations, such as when a password coming from a connected system does not comply with the NMAS password policy.

  • Supports the Check Password Status task in iManager, if Universal Password is being synchronized with Distribution Password and if the connected system supports checking passwords.

Disadvantages

  • NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If a password coming from a connected system does not comply, an error is generated, and an e-mail notification is sent if you have specified that option.

    If you don't want password policy rules enforced, you can deselect Enable Advanced Password Rules in the NMAS password policy.

  • By design, resetting passwords in the connected system is not supported with this method, because the Distribution Password and Universal Password might not be the same, depending on your settings in the password policies.

Figure 5-8 illustrates the following flow for this scenario:

  1. Passwords come in through Identity Manager.

  2. Identity Manager goes through NMAS to directly update Universal Password.

  3. NMAS synchronizes the Universal Password with the Distribution Password and other passwords according to the NMAS password policy settings.

  4. Identity Manager retrieves the Distribution Password to distribute to connected systems that are set to accept passwords.

Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.

Figure 5-8 Using Universal Password to Synchronize Passwords

Scenario 2

Setting Up Scenario 2

To set up this kind of password synchronization:

Universal Password Deployment

Make sure your environment is ready to use Universal Password. See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.

Password Policy Configuration

Make sure that an NMAS password policy is assigned to the parts of the Identity Vault that you want to have this kind of password synchronization.

  1. In iManager, select Passwords > Password Policies.

  2. Select a policy, then click Edit.

  3. Browse to and select the object where you want password synchronization to occur.

    You can assign the policy to the entire tree structure (by browsing to and selecting the Login Policy object in the Security container), a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.

  4. In the password policy, make sure that the following are selected:

    Password Policy settings for Scenario 2
    • Enable Universal Password

    • Synchronize NDS Password when setting Universal Password

    • Synchronize Distribution Password when setting Universal Password

      Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.

  5. Complete your password policy as desired.

    NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If you don't want password policy rules enforced, deselect Enable the Advanced Password Rules.

    If you are using Advanced Password Rules, make sure they don't conflict with the password policies on any connected systems that are subscribing to passwords.

Password Synchronization Settings

  1. In iManager, select Passwords > Password Synchronization.

  2. Search for drivers for the connected systems, then select a driver.

  3. Create settings for the driver for the connected system.

    Make sure that the following are selected:

    • Identity Manager accepts passwords (Publisher Channel)

      A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This informs users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.

    • Application accepts passwords (Subscriber Channel)

      If the connected system does not support accepting passwords, the option is dimmed.

    These settings allow for bidirectional password synchronization if it is supported by the connected system.

    You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only Application accepts passwords (Subscriber Channel).

  4. Make sure that Use Distribution Password for password synchronization is not selected.

    In this scenario, Identity Manager updates the Universal Password directly. The Distribution Password is still used to distribute passwords to connected systems, but is updated from the Universal Password by NMAS instead of by Identity Manager.

  5. (Optional) Select the following if desired:

    • Notify the user of password synchronization failure via e-mail

      Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory User object to be populated.

      E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.

Driver Configuration

  1. Make sure that the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization.

    The policies must be in the correct location and the correct order in the driver configuration. For the list of policies, see Section 5.3.4, Policies Required in the Driver Configuration.

    The Identity Manager sample configurations already contain the policies. If you are upgrading an existing driver, you can add the policies by using the instructions in Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.

  2. Set the filter correctly for the nspmDistributionPassword attribute:

    • For the Publisher channel, set the driver filter to Ignore for the nspmDistributionPassword attribute for all object classes.

    • For the Subscriber channel, set the driver filter to Notify for the nspmDistributionPassword attribute for all object classes that should subscribe to password changes.

    Filter settings for nspmDistributionPassword

  3. For all objects that have Notify set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes to Ignore.

    Private Key and Public Key set to Ignore in the filter

  4. To ensure password security, make sure that you control who has rights to Identity Manager objects.

Troubleshooting Scenario 2

Also see the tips in Section 5.13, Troubleshooting Password Synchronization.

Flowchart for Scenario 2

Figure 5-9 illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to Universal Password in this scenario. NMAS decides how to handle the password based on the following:

  • Whether Universal Password is enabled in the NMAS password policy.

  • Whether Advanced Password Rules are enabled that incoming passwords must comply with.

  • What the other settings are in the password policy for synchronizing Universal Password with the other passwords.

Figure 5-9 How NMAS Handles the Password It Receives from Identity Manager

Flowchart for Scenario 2

Trouble Logging in to the Identity Vault

  • Turn on the +AUTH, +DXML, and +DVRS settings in DSTrace.

    Figure 5-10 DSTrace Commands

  • Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify that they are being passed, watch the trace screen with those options turned on.

  • Verify that the password is valid according to the rules of the password policy.

  • Check the NMAS password policy configuration and assignment. Try assigning the policy directly to a user to make sure the correct policy is being used.

  • On the Password Synchronization page for the driver, make sure that Identity Manager accepts passwords (Publisher Channel) is selected.

  • In the password policy, make sure that Synchronize Distribution Password when setting Universal Password is selected.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting cases where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Make sure the Password Synchronization Identity Manager Accepts Passwords option is selected.

  • Check the driver filter to make sure the nspmDistributionPassword attribute is set correctly, as explained in Step 2.

  • Verify that the <password> for an Add or <modify-password> element is being sent to the connected system. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.

  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section 5.3.4, Policies Required in the Driver Configuration.

  • Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

E-Mail Not Generated on Password Failure

  • Turn on the +DXML setting in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Verify that the rule to generate e-mail is selected.

  • Verify that the Identity Vault object contains the correct user e-mail address in the Internet EMail Address attribute.

  • In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured correctly. See Section 5.12, Configuring E-Mail Notification.

Error When Using Check the Object Password

The Check Password Status task in iManager causes the driver to check object password action. If you have problems, review the following:

  • If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter for the correct settings for the nspmDistributionPassword attributes. Also, make sure that the password policy has Synchronize Distribution Password when Setting Universal Password selected.

  • If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate Password Synchronization policies.

  • Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

  • Check Object Password operates from the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized.

  • Keep in mind that for the Identity Manager driver only, Check Password Status checks the NDS Password instead of the Distribution Password.

Helpful DSTrace Commands

+DXML: To view Identity Manager rule processing and potential error messages.

+DVRS: To view Identity Manager driver messages

+AUTH: To view NDS password modifications

5.8.4 Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password

In this scenario, Identity Manager updates the Distribution Password directly, and allows NMAS to determine how the other Identity Vault passwords are synchronized.

Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Section 5.2, Connected System Support for Password Synchronization.

Advantages and Disadvantages of Scenario 3

Table 5-13 Advantages: Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password

Advantages

  • Allows synchronization of passwords between the Identity Vault and connected systems.

  • Lets you choose whether or not to enforce password policies for passwords coming from connected systems.

  • You can specify that notification be sent if password synchronization fails.

  • If you are enforcing password policies, you can choose to reset a password on the connected system to the Distribution Password if the password doesn't comply.

Disadvantages

The figure in this scenario illustrates the following flow:

  1. Passwords come in through Identity Manager.

  2. Identity Manager goes through NMAS to directly update the Distribution Password.

  3. Identity Manager also uses the Distribution Password to distribute to connected systems that you have specified should accept passwords.

  4. NMAS synchronizes Universal Password with the Distribution Password, and with other passwords according to the password policy settings.

Although multiple connected systems are shown as connecting to Identity Manager in Figure 5-11, keep in mind that you individually create the settings for each connected system driver.

Figure 5-11 Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password

Scenario 3

Setting Up Scenario 3

To set up this kind of password synchronization:

Universal Password Deployment

Make sure that your environment is ready to use Universal Password. See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.

Password Policy Configuration

  1. In iManager, select Passwords > Password Policies.

  2. Make sure a password policy is assigned to the parts of the Identity Vault tree that you want to have this kind of password synchronization. You can assign it to the entire tree structure, a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.

  3. In the password policy, make sure the following are selected:

    Password Policy settings for Scenario 3
    • Enable Universal Password

    • Synchronize NDS Password when setting Universal Password

    • Synchronize Distribution Password when setting Universal Password

      Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.

  4. If you are using Advanced Password Rules, make sure that they don't conflict with the password policies on any connected systems that are subscribing to passwords.

Password Synchronization Settings

  1. In iManager, select Passwords > Password Synchronization.

  2. Search for drivers for the connected systems, then select a driver.

  3. Create settings for the driver for the connected system.

    Make sure that the following are selected:

    • Identity Manager accepts passwords (Publisher Channel)

    • Use Distribution Password for password synchronization

      A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.

    • Application accepts passwords (Subscriber Channel)

    These settings allow for bidirectional password synchronization if it is supported by the connected system.

    You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only Application accepts passwords (Subscriber Channel).

  4. Specify whether you want NMAS password policies to be enforced or ignored, using the options under Use Distribution Password for password synchronization.

  5. (Conditional) If you have specified that you want password policies to be enforced, also specify whether you want Identity Manager to reset the connected system password if it does not comply.

  6. (Optional) Select the following if desired:

    • Notify the user of password synchronization failure via e-mail

      Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory user object to be populated.

      E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.

Driver Configuration

  1. Make sure that the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization.

    The policies must be in the correct location and the correct order in the driver configuration. For the list of policies, see Section 5.3.4, Policies Required in the Driver Configuration.

    The Identity Manager sample configurations already contain the policies. If you are upgrading an existing driver, you can add the policies using the instructions in Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.

  2. Set the filter correctly for the nspmDistributionPassword attribute:

    • For the Publisher channel, set the driver filter to Ignore for the nspmDistributionPassword attribute for all object classes.

    • For the Subscriber channel, set the driver filter to Notify for the nspmDistributionPassword attribute for all object classes that should subscribe to password changes.

    Filter settings for nspmDistributionPassword

  3. For all objects that have Notify set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes in the driver filter to Ignore.

    Private Key and Public Key set to Ignore in the filter

  4. To ensure password security, make sure that you control who has rights to Identity Manager objects.
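The filter rules in steps 2 and 3 of the Scenario 2 and Scenario 3 driver configuration (nspmDistributionPassword Ignore on the Publisher channel and Notify on the Subscriber channel, with Public Key and Private Key set to Ignore wherever Notify is used), together with the Scenario 1 requirement that Public Key and Private Key be synchronized, can be checked mechanically rather than by eye. The script below is an added example, not Novell's code and not part of Identity Manager. It reads the driver filter XML (the <filter>, <filter-class> and <filter-attr> elements with publisher and subscriber values, in the form the DirXML-DriverFilter attribute stores it) and lists every deviation; the three sample filters are constructed for the example.

```python
"""Added example (not Novell's code): validate an Identity Manager driver
filter against the password-synchronization filter rules in this section.
The <filter>/<filter-class>/<filter-attr> structure and the publisher and
subscriber values (sync, notify, ignore) are the driver filter XML as stored
in the DirXML-DriverFilter attribute; the sample filters are constructed."""
import xml.etree.ElementTree as ET

PASSWORD_ATTR = "nspmDistributionPassword"
KEY_ATTRS = ("Public Key", "Private Key")


def attr_settings(filter_class):
    """Map attr-name -> (publisher, subscriber) for one <filter-class>.
    An attribute absent from the filter is not synchronized, so it is
    treated as 'ignore' on both channels."""
    return {fa.get("attr-name"): (fa.get("publisher", "ignore"), fa.get("subscriber", "ignore"))
            for fa in filter_class.findall("filter-attr")}


def check_distribution_password_filter(filter_xml):
    """Scenario 2 / Scenario 3 rules (Driver Configuration steps 2 and 3):
      - Publisher channel: nspmDistributionPassword must be 'ignore'.
      - Subscriber channel: 'notify' for classes that subscribe to password
        changes, otherwise 'ignore'.
      - Every class with nspmDistributionPassword subscriber='notify' must
        have Public Key and Private Key set to 'ignore' on both channels.
    Returns a list of (class-name, problem); an empty list means the filter
    matches the rules."""
    root = ET.fromstring(filter_xml)
    problems = []
    for fc in root.findall("filter-class"):
        cls = fc.get("class-name")
        settings = attr_settings(fc)
        pub, sub = settings.get(PASSWORD_ATTR, ("ignore", "ignore"))
        if pub != "ignore":
            problems.append((cls, f"{PASSWORD_ATTR} publisher is '{pub}', expected 'ignore'"))
        if sub == "notify":
            for key in KEY_ATTRS:
                kpub, ksub = settings.get(key, ("ignore", "ignore"))
                if (kpub, ksub) != ("ignore", "ignore"):
                    problems.append((cls, f"{key} is publisher='{kpub}' subscriber='{ksub}', "
                                          "expected 'ignore' on both channels"))
        elif sub != "ignore":
            problems.append((cls, f"{PASSWORD_ATTR} subscriber is '{sub}', expected 'notify' or 'ignore'"))
    return problems


def check_nds_password_filter(filter_xml, classes):
    """Scenario 1 rule: Public Key and Private Key must be 'sync' on both
    channels for every class whose NDS password should be synchronized."""
    root = ET.fromstring(filter_xml)
    found = {fc.get("class-name"): attr_settings(fc) for fc in root.findall("filter-class")}
    problems = []
    for cls in classes:
        settings = found.get(cls)
        if settings is None:
            problems.append((cls, "class not in filter"))
            continue
        for key in KEY_ATTRS:
            if settings.get(key) != ("sync", "sync"):
                problems.append((cls, f"{key} must be 'sync' on both channels"))
    return problems


# Constructed sample filters (not from any real driver configuration).
GOOD_DIST_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="ignore" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="ignore" subscriber="ignore"/>
    <filter-attr attr-name="Private Key" publisher="ignore" subscriber="ignore"/>
  </filter-class>
</filter>"""

BAD_DIST_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="nspmDistributionPassword" publisher="sync" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

NDS_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Public Key" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Private Key" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

if __name__ == "__main__":
    for name, xml in (("good", GOOD_DIST_FILTER), ("bad", BAD_DIST_FILTER)):
        print(name, check_distribution_password_filter(xml) or "ok")
    print("scenario 1", check_nds_password_filter(NDS_FILTER, ["User", "Group"]))
```

Run it against the filter XML exported from the driver object. An empty result for the Scenario 2/3 check means the Publisher channel will not leak the Distribution Password back to the application and the key-pair attributes will not fight with it on the Subscriber channel; the Scenario 1 check fails for any class that is missing from the filter, since no password would be synchronized for it at all.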

Troubleshooting Scenario 3

Also see the tips in Section 5.13, Troubleshooting Password Synchronization.

Flowchart for Scenario 3

Figure 5-12 illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to the Distribution Password in this scenario, and NMAS decides the following:

  • How to handle the password based on whether you have specified that incoming passwords should be validated against password policy rules (if Universal Password and Advanced Password Rules are enabled).

  • What the other settings are in the password policy for synchronizing Universal Password with the other passwords.

Figure 5-12 Password from Identity Manager is Synchronized to the Distribution Password

Flow chart about how NMAS handles passwords in Scenario 3, synching to Distribution Password

Trouble Logging in to eDirectory

  • Turn on the +AUTH, +DXML, and +DVRS settings in DSTrace.

    Figure 5-13 DSTrace commands

  • Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.

  • Verify that the password is valid according to the rules of the NMAS password policy.

  • Check the NMAS password policy configuration and assignment. Try assigning the policy directly to the user to make sure the correct policy is being used.

  • On the Password Synchronization page for the driver, make sure that Identity Manager accepts passwords (Publisher Channel) is selected.

  • In the NMAS password policy, make sure that Synchronize Distribution Password when setting Universal Password is selected.

  • In the NMAS password policy, make sure that Synchronize NDS Password when setting Universal Password is selected, if this is desired.

  • If users are logging in through the Novell Client or ConsoleOne, check the version. Legacy Novell Clients and ConsoleOne might not be able to log in to the Identity Vault if the Universal Password is not synchronized with the NDS Password.

    Versions of the Novell Client and ConsoleOne that are aware of the Universal Password are available. See the NMAS 3.0 Administration Guide.

  • Some legacy utilities authenticate by using the NDS Password, and also cannot log in to the Identity Vault if the Universal Password is not synchronized with the NDS Password. If you don't want to use the NDS Password for most users, but you have administrator or help desk users who need to authenticate with legacy utilities, try using a different password policy for help desk users so you can specify different Universal Password synchronization options for them.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing and potential errors.

  • Set the Identity Manager trace level for the driver to 3.

  • Make sure that the Identity Manager accepts passwords (Publisher Channel) option is selected in the Password Synchronization page.

  • In the password policy, make sure that Synchronize Distribution Password when setting Universal Password is selected.

    Identity Manager uses the Distribution Password to synchronize passwords to connected systems, so the Universal Password must be synchronized with the Distribution Password for this synchronization method to work.

  • Check the driver filter for the nspmDistributionPassword attribute.

  • Verify that the <password> element for an Add or a <modify-password> element has been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the options turned on as noted in the first item.

  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section 5.3.4, Policies Required in the Driver Configuration.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
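Two of the trace checks above (for Scenario 2 and for Scenario 3) ask you to confirm that a <password> on an Add or a <modify-password> event reached Identity Manager, and that the password-synchronization policies turned it into an Add or Modify attribute operation for nspmDistributionPassword. The script below is an added example, not Novell's code and not part of Identity Manager; it compares the XDS document as it entered the Publisher channel with the document after the policies ran and lists the events whose password was never converted. The XDS element shapes (<nds>, <input>, <add>, <modify>, <modify-password>, <add-attr>, <modify-attr>, event-id) are as I understand Identity Manager's published XDS format; both documents are constructed, with the trace-line prefixes already stripped so only the XML remains.

```python
"""Added example (not Novell's code): find password events in XDS documents
copied out of a driver trace and report which of them were not converted
into an nspmDistributionPassword attribute operation by the password-
synchronization policies. The XDS element names follow Identity Manager's
XDS format as I understand it; the two documents below are constructed."""
import xml.etree.ElementTree as ET

DIST_PW = "nspmDistributionPassword"
PASSWORD_OPS = ("add", "modify", "modify-password")


def password_markers(xds_xml):
    """Return {event-id: set of markers} for every add/modify/modify-password
    event in the document. Markers: 'password' (a <password> child),
    'modify-password' (the event itself), 'dist-password' (an <add-attr> or
    <modify-attr> for nspmDistributionPassword)."""
    root = ET.fromstring(xds_xml)
    markers = {}
    for op in root.iter():
        eid = op.get("event-id")
        if eid is None or op.tag not in PASSWORD_OPS:
            continue
        found = markers.setdefault(eid, set())
        if op.tag == "modify-password":
            found.add("modify-password")
        if op.find("password") is not None:
            found.add("password")
        for child in op:
            if child.tag in ("add-attr", "modify-attr") and child.get("attr-name") == DIST_PW:
                found.add("dist-password")
    return markers


def unconverted_events(published_xds, converted_xds):
    """Event ids whose password arrived on the Publisher channel but have no
    nspmDistributionPassword operation after the policies ran. These are the
    events to look at when a secondary connected system never receives the
    password."""
    before = password_markers(published_xds)
    after = password_markers(converted_xds)
    return sorted(eid for eid, found in before.items()
                  if found & {"password", "modify-password"}
                  and "dist-password" not in after.get(eid, set()))


# Constructed sample: what the application published. Values are dummies.
PUBLISHED = """<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <add class-name="User" event-id="app#1" src-dn="CN=jdoe,OU=users,O=acme">
      <add-attr attr-name="CN"><value type="string">jdoe</value></add-attr>
      <password>constructed-sample</password>
    </add>
    <modify-password class-name="User" event-id="app#2" src-dn="CN=asmith,OU=users,O=acme">
      <password>constructed-sample</password>
    </modify-password>
    <modify class-name="User" event-id="app#3" src-dn="CN=bjones,OU=users,O=acme">
      <modify-attr attr-name="Telephone Number">
        <add-value><value type="string">555-0100</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

# Constructed sample: the same events after the Publisher policies. The add
# was converted; the modify-password was not (as when the password-sync
# policies are missing or in the wrong order).
CONVERTED = """<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <add class-name="User" event-id="app#1" src-dn="CN=jdoe,OU=users,O=acme">
      <add-attr attr-name="CN"><value type="string">jdoe</value></add-attr>
      <add-attr attr-name="nspmDistributionPassword"><value type="string">constructed-sample</value></add-attr>
    </add>
    <modify-password class-name="User" event-id="app#2" src-dn="CN=asmith,OU=users,O=acme">
      <password>constructed-sample</password>
    </modify-password>
    <modify class-name="User" event-id="app#3" src-dn="CN=bjones,OU=users,O=acme">
      <modify-attr attr-name="Telephone Number">
        <add-value><value type="string">555-0100</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

if __name__ == "__main__":
    print("published:", password_markers(PUBLISHED))
    print("unconverted:", unconverted_events(PUBLISHED, CONVERTED))
```

Paste the two XDS documents from a trace captured with +DXML and +DVRS at driver trace level 3, the first as it appears entering the Publisher channel and the second after the policy set; an event listed by unconverted_events points at the policy order or filter, not at the connected system.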

E-Mail Not Generated on Password Failure

  • Turn on the +DXML setting in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Verify that the rule to generate e-mail is selected.

  • Verify that the Identity Vault object contains the correct value in the Internet EMail Address attribute.

  • In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured. See Section 5.12, Configuring E-Mail Notification.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.

Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to perform a check object password action.

  • Make sure the connected system supports checking passwords. See Section 5.2, Connected System Support for Password Synchronization.

    If the driver manifest does not indicate that the connected system supports password-check capability, this operation is not available through iManager.

  • If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter, and the Synchronize Universal to Distribution option within the password policy.

  • If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager Password Synchronization policies.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

  • Check Object Password checks the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized.

  • Keep in mind that for the Identity Vault, Check Password Status checks the NDS Password instead of the Universal Password. This means that if the user's password policy does not specify to synchronize the NDS Password with the Universal Password, the passwords are always reported as being not synchronized. In fact, the Distribution Password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS Password and the Distribution Password are synchronized with the Universal Password.

Helpful DSTrace Commands

+DXML: To view Identity Manager rule processing and potential error message.

+DVRS: To view Identity Manager driver messages.

+AUTH: To view NDS password modifications.

5.8.5 Scenario 4: Tunneling

Identity Manager enables you to synchronize passwords among connected systems while keeping the Identity Vault password separate. This is referred to as “tunneling.”

In this scenario, Identity Manager updates the Distribution Password directly. This scenario is almost the same as Section 5.8.4, Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password. The difference is that you make sure the Universal Password and the Distribution Password are not being synchronized. You do this either by not using NMAS password policies, or by using password policies with the option disabled for Synchronize Distribution Password when setting Universal Password.

Advantages and Disadvantages of Scenario 4

Table 5-14 Advantages of Tunneling

Advantages:

  • Allows synchronization of passwords among connected systems, while keeping the Identity Vault password separate.

  • The password policy does not need to have Universal Password enabled, but the environment must support Universal Password.

  • Supports the Check Password Status task in iManager, if the connected system supports it.

  • You can specify that notification be sent if password synchronization fails.

  • You can reset a connected system password that does not comply with password policy.

  • If Universal Password and Advanced Password Rules are enabled, password policies are enforced if you specify that they should be enforced, and passwords on connected systems can be reset.

Disadvantages:

  • If Universal Password or Advanced Password Rules are not enabled, password policies are not enforced, and passwords on connected systems cannot be reset.

Figure 5-14 illustrates the following flow:

  1. Passwords come in through Identity Manager.

  2. Identity Manager goes through NMAS to directly update the Distribution Password.

  3. Identity Manager also uses the Distribution Password to distribute passwords to connected systems that you have specified should accept passwords.

The key to this scenario is that in the NMAS password policy, Synchronize Distribution Password when setting Universal Password is disabled. Because the Distribution Password is not synchronized with the Universal Password, Identity Manager synchronizes passwords among connected systems without affecting passwords in the Identity Vault.

Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.

Figure 5-14 Tunneling, with Identity Manager Updating the Distribution Password

Scenario 4

Setting Up Scenario 4

To set up this kind of password synchronization, configure the following:

Universal Password Deployment

Although you don't need to have password policies with Universal Password enabled, your environment must still be using eDirectory 8.7.3, which supports Universal Password. See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.

Password Policy Configuration

Review your password policy to confirm the following:

  • Make sure Synchronize Distribution Password when setting Universal Password is not selected.

    This is the key to tunneling passwords without the Identity Vault password being affected. By not synchronizing the Universal Password with the Distribution Password, you keep the Distribution Password separate, for use only by Identity Manager for connected systems. Identity Manager acts as a conduit, distributing passwords to and from other connected systems, without affecting the Identity Vault password.

    Password Policy Settings for Scenario 4

  • Complete the other password policy settings as desired.

    The other password settings in the password policy are optional.

Troubleshooting Scenario 4

If password synchronization is set up for tunneling, the Distribution Password differs from both the Universal Password and the NDS Password; this is expected and is not a synchronization fault.

See also the tips in Section 5.13, Troubleshooting Password Synchronization.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing and potential errors.

  • Set the Identity Manager trace level for the driver to 3.

  • Make sure that the Identity Manager accepts passwords (Publisher Channel) option is selected on the Password Synchronization page.

  • In the password policy, make sure that Synchronize Distribution Password when setting Universal Password is not selected.

    Identity Manager uses the Distribution Password to synchronize passwords to connected systems. For tunneling, the Distribution Password must stay separate from the Universal Password; if this option is selected, a password published by this system also changes the Identity Vault password.

  • Make sure the driver filter has the correct settings for the nspmDistributionPassword attribute.

  • Verify that the <password> element for an Add and a <modify-password> element have been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.

  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section 5.3.4, Policies Required in the Driver Configuration.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
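As an added illustration of the conversion this checklist (and the matching item in the Scenario 3 checklist earlier) tells you to look for in DSTrace, here is a Python example that is not part of the original documentation or of the shipped Identity Manager policies. It takes a constructed XDS document containing an <add> with a <password> and a separate <modify-password>, rewrites both into attribute operations on nspmDistributionPassword, and provides two checks you can apply to a document copied out of a trace. The exact element shape the shipped policies emit (here a <modify> carrying <remove-all-values> followed by <add-value>) is an assumption; the tree name, container and event-ids in the sample are made up.

```python
import xml.etree.ElementTree as ET

DIST_PW_ATTR = "nspmDistributionPassword"

# Constructed sample input (not from a real trace): an <add> that carries a
# <password> and a separate <modify-password>, the two forms the checklist
# says must be converted. Tree name, container and event-ids are invented.
SAMPLE_INPUT = r"""<nds dtdversion="2.0">
  <input>
    <add class-name="User" src-dn="\Tree\data\users\jsmith" event-id="1">
      <add-attr attr-name="Surname"><value type="string">Smith</value></add-attr>
      <password>s3cret!</password>
    </add>
    <modify-password class-name="User" src-dn="\Tree\data\users\mjones" event-id="2">
      <password>n3wPass</password>
    </modify-password>
  </input>
</nds>"""


def convert_passwords(xds: str) -> str:
    """Rewrite <password> (inside <add>) and <modify-password> into attribute
    operations on nspmDistributionPassword and return the new document.
    The output shape is an assumption modelled on ordinary XDS attribute ops."""
    root = ET.fromstring(xds)
    parents = {child: parent for parent in root.iter() for child in parent}

    # <add> with <password> -> <add> with <add-attr attr-name="nspmDistributionPassword">
    for add in list(root.iter("add")):
        pw = add.find("password")
        if pw is None:
            continue
        add.remove(pw)
        add_attr = ET.SubElement(add, "add-attr", {"attr-name": DIST_PW_ATTR})
        ET.SubElement(add_attr, "value", {"type": "string"}).text = pw.text or ""

    # <modify-password> -> <modify> with <modify-attr attr-name="nspmDistributionPassword">
    for mp in list(root.iter("modify-password")):
        parent = parents[mp]
        idx = list(parent).index(mp)
        modify = ET.Element("modify", dict(mp.attrib))  # keep class-name, src-dn, event-id
        mod_attr = ET.SubElement(modify, "modify-attr", {"attr-name": DIST_PW_ATTR})
        ET.SubElement(mod_attr, "remove-all-values")
        add_value = ET.SubElement(mod_attr, "add-value")
        pw = mp.find("password")
        ET.SubElement(add_value, "value", {"type": "string"}).text = (
            pw.text if pw is not None else ""
        )
        parent.remove(mp)
        parent.insert(idx, modify)

    return ET.tostring(root, encoding="unicode")


def has_raw_password_elements(xds: str) -> bool:
    """True if any <password> or <modify-password> survives in the document,
    i.e. the conversion the checklist expects has not happened."""
    root = ET.fromstring(xds)
    return (root.find(".//password") is not None
            or root.find(".//modify-password") is not None)


def count_dist_password_ops(xds: str) -> int:
    """Number of add-attr/modify-attr operations targeting nspmDistributionPassword."""
    root = ET.fromstring(xds)
    return sum(
        1
        for el in root.iter()
        if el.tag in ("add-attr", "modify-attr") and el.get("attr-name") == DIST_PW_ATTR
    )


if __name__ == "__main__":
    converted = convert_passwords(SAMPLE_INPUT)
    print(converted)
    print("raw password elements left:", has_raw_password_elements(converted))
    print("nspmDistributionPassword operations:", count_dist_password_ops(converted))
```

Apply has_raw_password_elements to a document copied from the trace at the point after the password policies should have run: if it still returns True, the policies are missing or out of order, which is what the following checklist item asks you to verify. Level-3 trace output carries the password values themselves in these documents, so treat trace files as sensitive and remove them when the investigation is over.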

E-Mails Not Generated on Password Failure

  • Turn on the +DXML setting in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Verify that the rule to generate e-mail is selected.

  • Verify that the Identity Vault object contains the correct value in the Internet EMail Address attribute.

  • In the Notification Configuration task, check the SMTP server and the e-mail template. See Section 5.12, Configuring E-Mail Notification.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.

Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to perform a Check Object Password action.

  • Make sure that the connected system supports checking passwords. See Section 5.2, Connected System Support for Password Synchronization.

    This operation is not available through iManager if the driver manifest does not indicate that the connected system supports password-check capability.

  • If the Check Object Password action returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the Identity Manager attribute filter, and the Synchronize Universal to Distribution option within the password policy.

  • If the Check Object Password action returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager password synchronization policies.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

  • The Check Object Password action checks the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized.

Helpful DSTrace Commands

+DXML: To view Identity Manager rule processing and potential error messages.

+DVRS: To view Identity Manager driver messages.

+AUTH: To view NDS password modifications.

+DCLN: To view NDS DClient messages.

5.8.6 Scenario 5: Synchronizing Application Passwords to the Simple Password

This scenario is a specialized use of password synchronization features. Using Identity Manager and NMAS, you can take a password from a connected system and synchronize it directly to the Identity Vault Simple Password. If the connected system provides only hashed passwords, you can synchronize them to the Simple Password without reversing the hash. Then, other applications can authenticate to the Identity Vault by using the same clear text or hashed password through LDAP or the Novell Client, with NMAS components configured to use the Simple Password as the login method.

If the password in the connected system is in clear text, it can be published as it is from the connected system into the Identity Vault Simple Password store.

If the connected system provides only hashed passwords (MD5, SHA, SHA1, or UNIX Crypt are supported), you must publish them to the Simple Password with a prefix that indicates the kind of hash, such as {MD5}.

For another application to authenticate with the same password, you need to customize the other application to take the user's password and authenticate to the Simple Password using LDAP.

NMAS compares the password value from the application with the value in the Simple Password. If the password stored in the Simple Password is a hash value, NMAS first uses the password value from the application to create the correct type of hash value, before comparing. If the password from the application and the Simple Password are the same, NMAS authenticates the user.

In this scenario, Universal Password cannot be used.

Advantages and Disadvantages of Scenario 5

Table 5-15 Advantages of Synchronizing to the Simple Password

Advantages:

  • Lets you update the Simple Password directly.

  • Lets you synchronize a hashed password and use it to authenticate for more than one application, without reversing the hash.

Disadvantages:

  • This scenario does not allow the use of Universal Password.

  • Forgotten Password and Password Self-Service features can still be used to the extent they are supported for the NDS Password, but they do not work for the Simple Password.

  • Because the Set Universal Password task is dependent on Universal Password, the administrator cannot set a user's password in the Identity Vault by using that task.

Figure 5-15 Synchronizing to the Simple Password

Hash in Simple Password diagram

Setting Up Scenario 5

Password Policy Configuration

No password policy is required for users for this scenario. Universal Password cannot be used.

Password Synchronization Settings

For this scenario, you use Identity Manager Script to directly modify the SAS:Login Configuration attribute. This means that the Password Synchronization global configuration values (GCVs), which are set by using the Password Synchronization page in iManager, have no effect.

Driver Configuration
  1. Make sure that the SAS:Login Configuration attribute in the filter has the setting of Synchronize for both Publisher and Subscriber channels.

    Filter settings for SAS:Login Configuration

  2. Configure the driver policies to publish the password from the connected system.

  3. For hashed passwords, configure the driver policies to prepend the type of hash (if it is not already provided by the application):

    • {MD5}hashed_password

      The hash is Base64 encoded.

    • {SHA}hashed_password

      The hash is Base64 encoded.

    • {CRYPT}hashed_password

    Clear text passwords and UNIX Crypt password hashes are not Base64 encoded.

  4. To place the password into the Simple Password, configure the driver policies to modify the SAS:Login Configuration attribute.

    The following example illustrates how to use a modify-attr element within a modify operation to change the Simple Password to an MD5 hashed password (note that the attr-name value must be a fully quoted string):

    <modify-attr attr-name="SAS:Login Configuration">
        <add-value>
            <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value>
        </add-value>
    </modify-attr>

    For clear text passwords, follow this example:

    <modify-attr attr-name="SAS:Login Configuration">
        <add-value>
            <value>clearpwd</value>
        </add-value>
    </modify-attr>

    For add operations, the add-attr element would contain one of the following:

    <add-attr attr-name="SAS:Login Configuration">
        <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value>
    </add-attr>

    or

    <add-attr attr-name="SAS:Login Configuration">
        <value>clearpwd</value>
    </add-attr>
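To show the value formats from step 3 and the comparison NMAS performs (described earlier in this scenario) in working code, here is an added Python example; it is not part of the original documentation or of Identity Manager itself. It builds {MD5} and {SHA} Simple Password values from a clear-text password, emulates the verify-by-rehashing check NMAS does against a stored value, and generates the step 4 XDS fragments with ElementTree so the attribute quoting is always correct. Python's hashlib and base64 stand in for whatever the driver policy uses to produce the hash; the sample password "abc" is constructed for the example, and {CRYPT} verification depends on the optional crypt module.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

try:
    import crypt  # crypt(3) binding; deprecated in Python 3.11, removed in 3.13
except ImportError:
    crypt = None

SIMPLE_PW_ATTR = "SAS:Login Configuration"


def _digest_b64(password: str, scheme: str) -> str:
    """Base64 of the raw MD5 or SHA-1 digest; this is what follows the prefix."""
    if scheme == "MD5":
        digest = hashlib.md5(password.encode("utf-8")).digest()
    elif scheme in ("SHA", "SHA1"):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError(f"unsupported hash scheme {scheme!r}")
    return base64.b64encode(digest).decode("ascii")


def make_simple_password_value(password: str, scheme: str = "CLEAR") -> str:
    """Build the value to write into SAS:Login Configuration.

    CLEAR stores the password as is. MD5 and SHA produce the {MD5}/{SHA}
    prefixed Base64 form from step 3. Hashes the application already supplies
    in that form need no conversion and are published unchanged.
    """
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return password
    prefix = "SHA" if scheme in ("SHA", "SHA1") else scheme
    return "{" + prefix + "}" + _digest_b64(password, scheme)


def verify_simple_password(candidate: str, stored: str) -> bool:
    """Emulate the NMAS comparison described for this scenario: when the stored
    value is a hash, hash the candidate the same way, then compare. Comparisons
    are constant-time so the check does not leak timing information."""
    if not stored.startswith("{") or "}" not in stored:
        # clear-text Simple Password: direct comparison
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, body = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available; cannot verify {CRYPT} values")
        # crypt() takes the salt (and algorithm id) from the stored hash itself
        return hmac.compare_digest(crypt.crypt(candidate, body).encode(), body.encode())
    if scheme not in ("MD5", "SHA", "SHA1"):
        return False  # unknown prefix: fail closed
    return hmac.compare_digest(_digest_b64(candidate, scheme).encode(), body.encode())


def build_simple_password_op(value: str, add_operation: bool = False) -> str:
    """Return the step 4 XDS fragment (<modify-attr> or <add-attr>) as a string.
    Building it with ElementTree guarantees correct attribute quoting and escaping,
    which hand-written XML easily gets wrong."""
    if add_operation:
        op = ET.Element("add-attr", {"attr-name": SIMPLE_PW_ATTR})
        ET.SubElement(op, "value").text = value
    else:
        op = ET.Element("modify-attr", {"attr-name": SIMPLE_PW_ATTR})
        add_value = ET.SubElement(op, "add-value")
        ET.SubElement(add_value, "value").text = value
    return ET.tostring(op, encoding="unicode")


if __name__ == "__main__":
    stored = make_simple_password_value("abc", "MD5")  # constructed sample password
    print(build_simple_password_op(stored))
    print(verify_simple_password("abc", stored), verify_simple_password("abd", stored))
```

verify_simple_password is useful as a pre-flight check on the value a driver policy produced: if it does not verify against the clear-text password the application sent, the hash type prefix or the Base64 step is wrong and every LDAP bind against the Simple Password will fail. Note that MD5 and SHA-1 are unsalted here because that is the format this scenario requires; the stored values are only as strong as the application's original hashing.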