10.6 Tips on Password Synchronization

We recommend that you use a secure connection when you are synchronizing passwords. Vulnerable connections are between the following:

You can create a secure connection by doing one or more of the following:

For password synchronization to work when the driver shim isn’t running on the domain controller, you must have SSL configured.

10.6.1 Providing Initial Passwords

If you see an error about a password not complying when a user is initially created, you need to check your password policies.

For example, perhaps you want the Active Directory driver to provide the initial password for a user when the Active Directory driver creates a User object in the Identity Vault. When a user is created, the driver shim creates the user and then sets the password.

Because adding the user and setting the password are done separately, the new user in this example receives the default password, even if only momentarily. The password is soon updated because the Active Directory driver sends it immediately after adding the user.

If the default password doesn’t comply with the eDirectory Password Policy for the user, an error is displayed. For example, if a default password that was created by using the user’s surname is too short to comply with the Password Policy, you might see a -216 error saying that the password is too short. However, the situation is soon rectified if the Active Directory driver then sends an initial password that does comply.

Regardless of the driver you are using, if you want a connected system that is creating User objects to provide the initial password, consider doing one of the following:

  • Change the policy on the Publisher channel that creates default passwords, so that default passwords conform to the Password policies (created by using the Manage Password Policies option in Password Management) that have been defined for your organization in the Identity Vault. When the initial password comes from the authoritative application, it replaces the default password.

    This option is preferable. We recommend that a default password policy exist in order to maintain a high level of security within the system.

  • Remove the policy on the Publisher channel that creates default password. In the sample configuration, this policy is provided in the Command Transformation policy set. Adding a user without a password is allowed in eDirectory. The assumption for this option is that the password for the newly created User object eventually comes through the Publisher channel, so the user object exists without a password only for a short time.

These measures are especially important if the initial password does not come with the Add event, but comes in a subsequent event. A user is added to eDirectory in two stages. The object is created in the initial Add event and then the password is set for this user. In the Create rule in the Subscriber channel, there is a suggested rule to veto if the nspmDistributionPassword operational attribute is not available. This causes the initial Add event to end with a veto, and the subsequent Modify event ends with only modify-attr attr-name="nspmDistributionPassword" attribute, which turns the Modify event into a synthetic Add event. Because the initial Add event was vetoed, the password Modify event is converted into another Add event, but this time it can complete.