2.3 Installing and Configuring Password Synchronization

Password synchronization on the Publisher channel works only with the Sun Java System Directory. To enable it, install a plug-in in the directory and configure the driver to accept password changes from that plug-in. The plug-ins ship on the Identity Manager DVD or download image: on Linux* they are in the linux/setup/utilities/sun_password_plugins directory, and on Windows* in nt\dirxml\utilities\sun_password_plugins.

These directories contain the Novell® Identity Manager Password plug-in for Sun Java System Directory for several platforms. The plug-in can be used to synchronize user passwords from Sun Java System Directory to the Novell Identity Manager Identity Vault via the Identity Manager distribution password.

IMPORTANT: Only passwords that are set or modified after the plug-in is installed can be synchronized.

The plug-in is a post-operation plug-in. Sun Java System Directory notifies the plug-in whenever a password is set or changed. The plug-in then encrypts the password by using the Advanced Encryption Standard (AES) and stores the encrypted password on the novellDistPassword attribute. The LDAP driver can then synchronize the encrypted password to Novell Identity Manager. The LDAP driver decrypts the password and uses it to set the Identity Manager distribution password.
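The encrypt-on-write, decrypt-on-read exchange described above, as an added Go example that is not part of Novell's plug-in or driver code. The plug-in's actual key derivation, AES mode and attribute encoding are not documented on this page; SHA-256 of the shared password, AES-GCM and base64 are assumptions chosen for the illustration, and the password values are constructed. The mismatch case shows why the nsslapd-pluginarg0 value on the directory (Step 3) and the driver's encryption password (Step 6) must be identical: with different values the driver cannot recover the password at all, and with an authenticated mode it fails cleanly instead of setting a garbage distribution password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// deriveKey turns the shared password (nsslapd-pluginarg0 on the plug-in side,
// pub-password-encryption-key on the driver side) into a 256-bit AES key.
// The real plug-in's derivation is not documented on this page; hashing the
// password with SHA-256 is an assumption made for this example only.
func deriveKey(sharedPassword string) []byte {
	sum := sha256.Sum256([]byte(sharedPassword))
	return sum[:]
}

// pluginEncrypt models the post-operation plug-in: it encrypts the user's new
// password with AES (AES-GCM assumed here) and returns the value that would be
// written to the novellDistPassword attribute, base64-encoded so that it can
// travel as an ordinary LDAP attribute value through the changelog.
func pluginEncrypt(sharedPassword, userPassword string) (string, error) {
	block, err := aes.NewCipher(deriveKey(sharedPassword))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Layout stored in the attribute: nonce || ciphertext || GCM tag.
	sealed := gcm.Seal(nonce, nonce, []byte(userPassword), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// driverDecrypt models the LDAP driver's Publisher channel: it reads the
// novellDistPassword value and recovers the clear-text password so that the
// driver can set the Identity Manager distribution password. A wrong shared
// password (or a tampered attribute value) fails the GCM tag check.
func driverDecrypt(sharedPassword, attrValue string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(attrValue)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(deriveKey(sharedPassword))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("novellDistPassword value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (mismatched encryption password or corrupted value): %w", err)
	}
	return string(plain), nil
}

func main() {
	// Constructed sample values; nothing here comes from a real deployment.
	const shared = "example-shared-secret"
	attr, _ := pluginEncrypt(shared, "NewUserPassw0rd!")
	fmt.Println("novellDistPassword:", attr)

	pw, err := driverDecrypt(shared, attr)
	fmt.Println("driver with matching password:", pw, err)

	_, err = driverDecrypt("different-secret", attr)
	fmt.Println("driver with mismatched password:", err)
}
```

Because the plug-in only encrypts passwords that change after it is installed (see the IMPORTANT note above), nothing in this flow back-fills existing users; the attribute simply does not exist for them until their next password change.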

Several versions of the Novell Identity Manager Password plug-in exist. You can install these versions in your Sun Java System Directory on Windows, Linux, Solaris* SPARC*, or AIX*.

NOTE: The plug-in has been tested only on certain versions of the following platforms:

  • Windows XP Professional

  • Red Hat* 7.2

  • Solaris 8 64-bit

  • AIX 5.1

  1. Locate the correct plug-in binary file.

    The plug-in binary files are stored in directories representing the supported platforms.

    For example, if your Sun directory runs on AIX, look in the AIX directory. The plug-in filename is novl-idm-pswd.so on all platforms except Windows, where the filename is novl-idm-pswd.dll.

  2. Copy the binary plug-in file to the lib directory in your Sun Java System Directory installation location.

    For example, on Windows the default installation location for Sun Java System Directory is C:\Program Files\Sun\MPS and inside that directory is a lib directory. Put novl-idm-pswd.dll in the lib directory.

    On other platforms, the default installation location is often /var/Sun/mps. You need to locate the Sun Java System Directory installation location on your system, and put the plug-in file inside the lib directory.

    NOTE: On Solaris SPARC computers, the Sun Java System Directory installation includes two versions of most libraries: a 32-bit version and a 64-bit version. By default, the 32-bit version is found at /var/Sun/mps/lib. The 64-bit version is found at /var/Sun/mps/lib/64.

    Both a 32-bit and a 64-bit version of the plug-in are provided. Copy both versions to their respective locations on your Solaris installation. At runtime, the Sun Java System Directory determines which version is the appropriate version to load.

  3. Locate and edit the novl-idm-pswd.ldif file.

    The .ldif file contains plug-in configuration information that you apply to the directory. It also contains two schema definitions:

    • One definition is for the novellDistPassword attribute that stores the encrypted password.

    • The other definition is for the novellDistPasswordUser auxiliary class that is applied to your users to allow the use of the novellDistPassword attribute.

    As a convenience, the .ldif file also contains an instruction to turn on the Retro Changelog Plugin, which most customers want turned on to enable Publisher channel operations with the Identity Manager LDAP driver. If you know that the changelog is already enabled, or if you don't want to enable the changelog, you can remove the Retro Changelog Plugin section from the .ldif file.

    Most users need to edit only two items in the .ldif file:

    • The nsslapd-pluginPath attribute

    • The nsslapd-pluginarg0 attribute

    Ensure that the value of nsslapd-pluginPath is the path where you installed the plug-in. For example, if you installed the plug-in in the /var/Sun/mps/lib directory, the value should be /var/Sun/mps/lib/novl-idm-pswd.so. Set the value of nsslapd-pluginarg0 to a password that will be used to generate an AES key used to encrypt user passwords. This must match the password used in Step 6.

    NOTE: Solaris users should set the value of nsslapd-pluginPath to the path of the 32-bit version of the plug-in, even if the operating system is 64-bit. (See Step 2.) At runtime, the directory determines whether to load the 32-bit or the 64-bit version of the plug-in.

  4. Apply the novl-idm-pswd.ldif file to the Sun directory.

    To complete this step, you need to know the configuration administrator's DN and password. Typically, the DN will be "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot". However, the password will vary. You also need to know the LDAP port used by your Sun directory.

    The ldapmodify command line utility that was installed with your Sun Java System Directory can be used to apply the .ldif file. Use a command similar to the following:

    ldapmodify -h localhost -p 389 -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w password -f novl-idm-pswd.ldif

  5. Restart Sun Java System Directory so that your changes take effect and the plug-in starts.

    For troubleshooting, note any errors that might appear on the console.

  6. Install and configure the LDAP driver for Identity Manager.

    If you are installing from Identity Manager version 3.0.5 or later, and are using the supplied example configuration template for the LDAP driver, a section at the end of the Publisher Settings enables you to configure the driver to synchronize passwords found in a Sun directory.

    IMPORTANT: Use the same encryption password (used to generate an AES key) for both the LDAP driver configuration and the Novell Identity Manager Password plug-in on Sun Java System Directory.

    If you are upgrading an existing driver and can't use the sample configuration template provided with Identity Manager 3.0.5 or later, you can add the appropriate Publisher settings yourself. See Section 2.3.1, Manually Adding Publisher Settings.
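Steps 3 and 4 above are normally done by hand with a text editor and ldapmodify. The following Go example, added here and not part of the Identity Manager distribution, shows the two edits and the pre-flight checks worth running before the file is applied: it unfolds LDIF continuation lines, sets nsslapd-pluginPath and nsslapd-pluginarg0, and then verifies that the path ends in the platform's plug-in filename (novl-idm-pswd.so, or novl-idm-pswd.dll on Windows), that on Solaris it points at the 32-bit lib directory rather than lib/64, and that the encryption password has not been left at a placeholder. The LDIF entry in the block is a constructed stand-in for the shipped novl-idm-pswd.ldif; its DN, objectClass values and placeholder values are invented for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// samplePluginLdif is a constructed stand-in for the plug-in entry inside
// novl-idm-pswd.ldif. The DN and placeholder values are invented; only the
// attribute names nsslapd-pluginPath and nsslapd-pluginarg0 come from the text.
const samplePluginLdif = `dn: cn=Novell IDM Password Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsSlapdPlugin
cn: Novell IDM Password Plugin
nsslapd-pluginPath: /path/to/novl-idm-pswd.so
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: CHANGE_ME
`

// unfoldLdif joins LDIF continuation lines (a leading single space) back onto
// the attribute line they belong to, so each element is one "attr: value".
func unfoldLdif(ldif string) []string {
	var out []string
	for _, raw := range strings.Split(strings.TrimRight(ldif, "\n"), "\n") {
		if strings.HasPrefix(raw, " ") && len(out) > 0 {
			out[len(out)-1] += raw[1:]
			continue
		}
		out = append(out, raw)
	}
	return out
}

// ldifValue returns the value of the first attribute named attr
// (attribute names are case-insensitive in LDAP). Base64 "::" values are
// returned undecoded; the plug-in settings are plain strings.
func ldifValue(ldif, attr string) (string, bool) {
	for _, line := range unfoldLdif(ldif) {
		name, value, ok := strings.Cut(line, ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), attr) {
			return strings.TrimSpace(value), true
		}
	}
	return "", false
}

// setLdifAttr replaces the value of the first attribute named attr and returns
// the rewritten LDIF. An absent attribute is an error rather than a silent add,
// because the shipped file already carries both settings we intend to edit.
func setLdifAttr(ldif, attr, value string) (string, error) {
	lines := unfoldLdif(ldif)
	for i, line := range lines {
		name, _, ok := strings.Cut(line, ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), attr) {
			lines[i] = attr + ": " + value
			return strings.Join(lines, "\n") + "\n", nil
		}
	}
	return "", fmt.Errorf("attribute %s not found in LDIF", attr)
}

// checkPluginConfig applies the checks implied by Steps 1 to 3 before the
// file is handed to ldapmodify. platform is one of linux, solaris, aix, windows.
func checkPluginConfig(ldif, platform string) error {
	p, ok := ldifValue(ldif, "nsslapd-pluginPath")
	if !ok || p == "" {
		return errors.New("nsslapd-pluginPath is missing")
	}
	want := "novl-idm-pswd.so"
	if platform == "windows" {
		want = "novl-idm-pswd.dll"
	}
	slashed := strings.ReplaceAll(p, `\`, "/") // normalise Windows paths
	if path.Base(slashed) != want {
		return fmt.Errorf("nsslapd-pluginPath %q should end in %s on %s", p, want, platform)
	}
	if platform == "solaris" && strings.HasSuffix(path.Dir(slashed), "/lib/64") {
		return errors.New("on Solaris, nsslapd-pluginPath must point at the 32-bit plug-in (lib, not lib/64)")
	}
	arg0, ok := ldifValue(ldif, "nsslapd-pluginarg0")
	if !ok || arg0 == "" || arg0 == "CHANGE_ME" {
		return errors.New("nsslapd-pluginarg0 must be set to the encryption password shared with the LDAP driver")
	}
	return nil
}

func main() {
	ldif := samplePluginLdif
	fmt.Println("before edit:", checkPluginConfig(ldif, "linux"))
	ldif, _ = setLdifAttr(ldif, "nsslapd-pluginPath", "/var/Sun/mps/lib/novl-idm-pswd.so")
	ldif, _ = setLdifAttr(ldif, "nsslapd-pluginarg0", "example-shared-secret") // constructed value
	fmt.Println("after edit:", checkPluginConfig(ldif, "linux"))
	fmt.Print(ldif)
}
```

The placeholder check is the one that matters most: the value of nsslapd-pluginarg0 is the secret from which both the plug-in and the driver derive the AES key, so a file applied with the placeholder still in place means every synchronized password is protected by a known value.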

2.3.1 Manually Adding Publisher Settings

  1. In iManager, select Edit XML.

  2. Copy the following XML and paste it at the end of your Publisher settings, but still within the definitions element.

    <group>
        <definition display-name="Use Sun Password Plugin"
                    name="useSunPluginGroup" type="enum">
            <description>Specify Yes if you have installed and
            configured the Novell Identity Manager Password Plugin on
            Sun Java System Directory and want to use it to
            synchronize to the Identity Manager distribution
            password.</description>
            <enum-choice display-name="Yes">yes</enum-choice>
            <enum-choice display-name="No">no</enum-choice>
            <value>yes</value>
        </definition>
        <subordinates active-value="yes">
            <definition display-name="Password Publishing Encryption Password"
                        name="pub-password-encryption-key" type="string">
                <description>Enter the same password configured on the
                Novell Identity Manager Password Plugin on the Sun
                Java System Directory. This password will be used to
                generate a key that will decrypt the passwords.
                </description>
                <value>enter encrypt password</value>
            </definition>
        </subordinates>
    </group>