9.5 Securing Connected Systems

Keep in mind that the connected systems that you are synchronizing data to might store or transport that data in a compromising manner.

Secure the systems with which you exchange passwords. For example, LDAP, NIS, and Windows each have security concerns that you must consider before enabling password synchronization with those systems.

Many software vendors provide specific security guidelines that you should follow for their products.

9.5.1 Password Generation

Identity Manager 3.5 includes a pre-defined password generation job for the Job Scheduler. The password generation job generates random passwords for a group of User objects in eDirectory, either periodically or on demand. This functionality is designed primarily to support products like Novell Certificate Login, but can also be used in other situations.

Invoking the password generation job initializes NMAS with the password policy, and the following occurs for each object in the specified job scope:

  1. NMAS generates a random password consistent with the password policy specified in the job. Password policies are stored in nspmPasswordPolicy objects. Typically, each connected system has its own policy object. These policy objects can be stored in DirXML-Driver and DirXML-DriverSet objects.

  2. Each generated password is submitted, one at a time, to the containing driver’s subscriber channel.

    If the object has a non-disabled association for the driver, then a <generated-password> event is submitted to the subscriber channel event queue (cache) of the driver.

    If the object has no association for the driver and the option to submit events for non-associated objects is selected, then a <generated-password> event is submitted to the subscriber channel event queue (cache) of the driver.

  3. It is up to the subscriber channel policies to handle the generated passwords. Job Scheduler is only responsible for generating the passwords and handing them off to the subscriber channel.
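The following Python sketch is an added illustration of steps 1 and 2 above; it is not Novell's code and does not use the real NMAS or DirXML APIs. The PasswordPolicy fields, the association state strings, the event dictionary keys and the sample DNs are all assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

SPECIALS = "!@#$%^&*"

@dataclass
class PasswordPolicy:
    # Assumed subset of what an nspmPasswordPolicy object expresses (illustrative names, not the schema).
    min_length: int = 12
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True

@dataclass
class User:
    dn: str
    # Assumed association state for the driver: "processed", "disabled", or None when no association exists.
    association: Optional[str]

# Constructed sample job scope (not real directory data).
SAMPLE_USERS = [User("cn=alice,ou=users,o=acme", "processed"),
                User("cn=bob,ou=users,o=acme", "disabled"),
                User("cn=carol,ou=users,o=acme", None)]

def policy_ok(pw: str, policy: PasswordPolicy) -> bool:
    """Check a candidate against the policy; the job must never hand a non-compliant value to a driver."""
    checks = [len(pw) >= policy.min_length,
              not policy.require_upper or any(c.isupper() for c in pw),
              not policy.require_digit or any(c.isdigit() for c in pw),
              not policy.require_special or any(c in SPECIALS for c in pw)]
    return all(checks)

def generate_password(policy: PasswordPolicy) -> str:
    """Step 1: rejection-sample from a CSPRNG (secrets, never random) until the policy is satisfied."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if policy_ok(candidate, policy):
            return candidate

def run_job(users: List[User], policy: PasswordPolicy, submit_non_associated: bool = False) -> List[dict]:
    """Step 2: decide per object whether a <generated-password> event is queued for the driver."""
    events = []
    for user in users:
        if user.association == "disabled":
            continue  # a disabled association is never submitted
        if user.association is None and not submit_non_associated:
            continue  # no association and the non-associated option is off
        events.append({"src-dn": user.dn, "password": generate_password(policy)})
    return events
```

The returned list stands in for the subscriber channel cache; what happens to each entry from there is, as step 3 says, the subscriber channel policies' responsibility.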