Overview

Identity Manager introduces bidirectional password synchronization, by taking advantage of Universal Password and connected system support for publishing or subscribing to passwords.

As with other attributes for a user account, you can choose your authoritative data sources.


Overview of Passwords

eDirectory has several passwords that are used for different purposes. In previous versions of eDirectory and DirXML, connected systems could update only the NDS password, and it was a one-way synchronization.

Universal Password, introduced in eDirectory 8.7.1, is a reversible password that can be synchronized with the other eDirectory passwords if desired. Universal Password is protected by four layers of encryption.

NMAS controls the relationship between Universal Password and the other eDirectory passwords, such as whether Universal Password is kept synchronized with NDS Password, Simple Password, or Distribution Password. NMAS intercepts incoming requests to change passwords and handles them according to your settings in Password Policies (with the exception of some legacy methods, see Planning Login and Change Password Methods for your Users). For an example of the Password Policy interface where you control the relationship between eDirectory passwords, see the figure in Enabling Universal Password.

Identity Manager controls the relationship between eDirectory passwords and connected system passwords. To do this, it uses the Distribution Password, which is the password in eDirectory that you can provide to connected systems. Like Universal Password, Distribution Password is protected by four layers of encryption, and is reversible.

In the Password Policy you can specify whether the Distribution Password should be the same as the Universal Password (the setting is "Synchronize Distribution Password when setting Universal Password"). If the Distribution Password is the same as the Universal Password, and you choose to use bidirectional Password Synchronization with connected systems, keep in mind that you are using Identity Manager to extract the Universal Password from eDirectory and send it to other connected systems. You need to secure the transport of the password, as well as the connected systems it will be stored on. (See Handling Sensitive Information.) If the Distribution Password is not the same as the Universal Password (because you disable the setting in the Password Policy), you can "tunnel" passwords among connected systems using the Distribution Password, without using or affecting the Universal Password or NDS Password.

For more information on the various eDirectory passwords, see the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide. For examples of different ways of using password synchronization with Identity Manager, see Implementing Password Synchronization.


Comparison of Password Synchronization 1.0 and Identity Manager Password Synchronization

Each row below compares Password Synchronization 1.0 with Password Synchronization in Identity Manager 2.

Product delivery
  Password Synchronization 1.0: A product separate from DirXML.
  Identity Manager 2: Included with Identity Manager, not sold separately.

Platforms
  Password Synchronization 1.0:
    • Active Directory
    • NT Domain
    • eDirectory
  Identity Manager 2: Full bidirectional password synchronization is supported on these platforms:
    • Active Directory
    • eDirectory
    • NIS
    • NT Domain
  These connected systems support publishing user passwords to Identity Manager. Because Universal Password (and Distribution Password) is reversible, Identity Manager can distribute passwords to connected systems.
  Any connected system that supports the Subscriber password element can subscribe to passwords from Identity Manager.
  See "Connected System Support for Password Synchronization" in the Novell Nsure Identity Manager 2.0.1 Administration Guide.

Password used in eDirectory
  Password Synchronization 1.0: NDS® Password (non-reversible).
  Identity Manager 2: Universal Password (reversible), or Distribution Password (also reversible). The NDS password can also be kept synchronized, if desired. For example scenarios, see "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2.0.1 Administration Guide.

Main functionality for Windows connected systems
  Password Synchronization 1.0: To send passwords to DirXML so the eDirectory password is synchronized with the Windows password. Because the NDS password is not reversible, passwords were not sent back to NT or AD.
  Identity Manager 2: To provide bidirectional password synchronization. Because Universal Password (and Distribution Password) is reversible, passwords can be synchronized in both directions.

LDAP changes
  Password Synchronization 1.0: Not supported.
  Identity Manager 2: Supported.

Novell Client™
  Password Synchronization 1.0: Required.
  Identity Manager 2: Not required.

nadLoginName attribute
  Password Synchronization 1.0: Used for keeping passwords updated.
  Identity Manager 2: Not used.

Component that contains the password synchronization functionality
  Password Synchronization 1.0: The DirXML driver contained the functionality for updating nadLoginName.
  Identity Manager 2: Policies in the driver configuration provide the password synchronization functionality. The driver simply carries out the tasks given by the DirXML engine, which come from logic in the policies. The driver manifest, global configuration values, and driver filter settings must also support password synchronization. These are included in the sample driver configurations, or can be added to an existing driver. See Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.

Agents
  Password Synchronization 1.0: A separate piece of software.
  Identity Manager 2: No agents are installed; instead, the functionality is now part of the driver.


What is Bidirectional Password Synchronization?

Bidirectional password synchronization is the combination of Identity Manager accepting passwords from the connected systems you specify, and distributing passwords to the connected systems you specify.

The ability to have bidirectional password synchronization with a particular connected system depends on what the connected system supports.

Some connected systems can accept new and modified passwords from Identity Manager, and can also provide the user's actual password to Identity Manager. These connected systems are the ones that support bidirectional password synchronization with Identity Manager. They are the following:

  • Active Directory
  • eDirectory
  • NIS
  • NT Domain

For these connected systems, the user can change a password in one of the systems and have that password synchronized to the other systems through Identity Manager. However, if you are using Advanced Password Rules in your Password Policies, it's best to have users make password changes in the iManager self-service console. This is the best place for password changes because it lists all the rules that the user's password must comply with.

Other connected systems can't provide the user's actual password, so they can't support full bidirectional password synchronization. But they can provide data that can be used to create passwords and send them to Identity Manager, by defining policies within the driver configuration.

Several other systems can accept passwords from Identity Manager, including setting an initial password for a new user, modifying a password, or both.

See Connected System Support for Password Synchronization.


Features of Identity Manager Password Synchronization

To explain the features offered by Identity Manager Password Synchronization, we can divide the subject of bidirectional password synchronization into the two directions: passwords sent from connected systems and accepted by Identity Manager, and passwords distributed by Identity Manager and accepted by connected systems.

The following sections explain the password synchronization features of Identity Manager:


Identity Manager Can Accept Passwords from Connected Systems

As in previous versions of DirXML®, any connected system can publish a password to the identity vault.

You can specify which connected system applications Identity Manager will accept passwords from. You can even choose whether Identity Manager updates the password for users in the same eDirectory tree where Identity Manager is running, or whether Identity Manager simply acts as a conduit or "tunnel," synchronizing passwords only between connected systems. This means that it is possible to keep the eDirectory password separate from the password that Identity Manager distributes to connected systems, if desired.

Some connected systems (AD, other eDirectory trees, NT, and NIS) can provide the user's actual password, which means that when a user changes a password on a connected system, the change can be synchronized to Identity Manager and back out to other connected systems.

Other connected systems don't support providing the user's actual password, but you can configure them to provide a password to Identity Manager that is manufactured in a style sheet, such as an initial password based on last name or employee ID.


Identity Manager Can Distribute Passwords to Connected Systems

Identity Manager Password Synchronization introduces the ability to distribute a common password to connected systems.

In previous versions of DirXML, a driver could send passwords to DirXML from a user account on a connected system, and the password could be used to update the corresponding user in eDirectory. But because the NDS® password in eDirectory is non-reversible, you couldn't push a password out from the central Identity Manager identity vault to multiple connected systems. You could obtain the eDirectory password only by capturing the password before it was stored in eDirectory, such as through the Novell Client™.

The new Universal Password provided by eDirectory 8.7.3 is reversible, so it can be distributed.

Identity Manager can accept a password from a connected system, and because Universal Password is reversible, Identity Manager can distribute the password from the identity vault to connected systems that support setting initial passwords for new accounts and modifying passwords.

Regardless of where the password comes from, Identity Manager uses the Distribution Password as the repository from which it distributes passwords to connected systems. The Distribution Password, like the Universal Password, lets you enforce Password Policies.

For information about using Universal Password and Distribution Password when synchronizing passwords, see Implementing Password Synchronization.

As with other attributes of a user, you can decide which systems are authoritative sources for passwords, and Identity Manager will distribute the passwords from the authoritative source to the other connected systems.

You can set up bidirectional password synchronization among connected systems that support it.


Identity Manager Can Enforce Password Policies, in the Data Store and on Connected Systems

By making calls to NMAS™, Identity Manager lets you enforce Password Policies on incoming passwords. If the password being published from a connected system to Identity Manager does not comply, you can specify that Identity Manager does not accept the password into the identity vault. This also means that passwords that don't comply with your policies are not distributed to other connected systems.

In addition, Identity Manager lets you enforce Password Policies on connected systems. If the password being published to Identity Manager does not comply, you can specify that Identity Manager not only does not accept the password for distribution, but actually resets the noncompliant password on the connected system using the current Distribution Password in the identity vault.

For example, if you want to require passwords to include at least one numeric character, but the connected system does not itself have the ability to enforce such a policy, you can specify that Identity Manager resets passwords from the connected system that don't comply.
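The publish, accept and distribute flow described under What is Bidirectional Password Synchronization? and the policy enforcement, reset, notification and status-check behaviour described in this section, simulated end to end. This is an added example written for this page, not Novell code and not an Identity Manager or NMAS API: the classes PasswordPolicy, ConnectedSystem and IdentityVault, the tunnel_only switch (standing in for the choice between updating the eDirectory password and acting only as a conduit), the policy rules (standing in for Advanced Password Rules) and all user names and password values are constructed.

```python
"""Simulation of Identity Manager password synchronization (added example, not Novell code)."""
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Constructed stand-in for the Advanced Password Rules of an NMAS Password Policy."""
    min_length: int = 8
    require_digit: bool = True
    forbidden: tuple = ()          # e.g. the company name

    def violations(self, password):
        found = []
        if len(password) < self.min_length:
            found.append("shorter than %d characters" % self.min_length)
        if self.require_digit and not any(c.isdigit() for c in password):
            found.append("no numeric character")
        if password.lower() in self.forbidden:
            found.append("forbidden value")
        return found


@dataclass
class ConnectedSystem:
    name: str
    publishes: bool                # can provide the user's actual password (AD, eDirectory, NIS, NT Domain)
    subscribes: bool               # supports the Subscriber password element
    enforce_policy: bool = False   # reset noncompliant passwords on this system
    passwords: dict = field(default_factory=dict)   # user -> password currently held on this system


class IdentityVault:
    def __init__(self, policy, systems, tunnel_only=False):
        self.policy = policy
        self.systems = systems
        self.tunnel_only = tunnel_only   # True: use Distribution Password only, leave Universal Password untouched
        self.universal = {}              # Universal Password per user
        self.distribution = {}           # Distribution Password per user: the repository IDM distributes from
        self.notifications = []          # (user, system, message) e-mails that would be sent

    def publish_password(self, user, password, source):
        """A user changed a password on `source`; its driver publishes the change to Identity Manager."""
        source.passwords[user] = password            # the connected system already holds the new value
        if not source.publishes:
            return "ignored"
        problems = self.policy.violations(password)
        if problems:
            # NMAS rejects the password, so it is neither stored nor distributed; the user is notified.
            self.notifications.append((user, source.name,
                                       "password change not synchronized: " + "; ".join(problems)))
            if source.enforce_policy and user in self.distribution:
                # Enforcement on the connected system: reset it to the current Distribution Password.
                source.passwords[user] = self.distribution[user]
            return "rejected"
        self.distribution[user] = password
        if not self.tunnel_only:
            self.universal[user] = password
        for system in self.systems:                  # distribute to every subscriber except the source
            if system.subscribes and system is not source:
                system.passwords[user] = password
        return "accepted"

    def sync_status(self, user):
        """Check-password-status: does each connected system hold the current Distribution Password?"""
        return {s.name: s.passwords.get(user) == self.distribution.get(user) for s in self.systems}


def run_scenario():
    """Constructed scenario: one compliant change, then two attempts to use the company name."""
    policy = PasswordPolicy(min_length=8, require_digit=True, forbidden=("acme",))
    ad = ConnectedSystem("Active Directory", publishes=True, subscribes=True)
    nt = ConnectedSystem("NT Domain", publishes=True, subscribes=True, enforce_policy=True)
    app = ConnectedSystem("Subscribe-only application", publishes=False, subscribes=True)
    vault = IdentityVault(policy, [ad, nt, app])
    vault.publish_password("jsmith", "Winter2004x", ad)   # compliant: accepted and distributed
    vault.publish_password("jsmith", "acme", nt)          # rejected; NT Domain is reset to the Distribution Password
    vault.publish_password("jsmith", "acme", ad)          # rejected; AD is not enforced, so it drifts
    return vault, ad, nt, app


def run_tunnel_scenario():
    """Same flow with tunnelling: Distribution Password is set, Universal Password is never touched."""
    policy = PasswordPolicy(min_length=8, require_digit=True, forbidden=("acme",))
    ad = ConnectedSystem("Active Directory", publishes=True, subscribes=True)
    app = ConnectedSystem("Subscribe-only application", publishes=False, subscribes=True)
    vault = IdentityVault(policy, [ad, app], tunnel_only=True)
    vault.publish_password("jsmith", "Winter2004x", ad)
    return vault


if __name__ == "__main__":
    vault, ad, nt, app = run_scenario()
    print("status:", vault.sync_status("jsmith"))
    for note in vault.notifications:
        print("notify:", note)
```

The drift left on Active Directory in the first scenario (rejected password kept on the connected system because enforcement was not switched on for it) is exactly what the check-password-status query described later in this chapter surfaces; the NT Domain system, with enforcement on, ends up back at the Distribution Password.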

If you are using Advanced Password Rules and are using Identity Manager Password Synchronization, to help ensure that passwords are synchronized successfully we recommend that you research the password policies for all the connected systems to make sure the Advanced Password Rules in the eDirectory Password Policy are compatible.

Keep in mind that you must make sure that the users who are assigned Password Policies match with the users you want to participate in Password Synchronization for connected systems.

Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, and drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica. To get the results you expect from Password Synchronization, make sure the containers that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and subcontainers are assigned the Password Policy.
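A small check for the mismatch this paragraph warns about: users a driver on a given server can manage (master or read/write replica) but who have no Universal Password policy, and users who have a policy but are not in a replica the server's drivers can manage. This is an added example, not Novell code and not an eDirectory API; the DN strings, the replica table, the policy assignments and the helper names are all constructed.

```python
"""Replica/policy coverage check for Password Synchronization (added example, not Novell code)."""


def is_under(dn, container):
    """True if `dn` is `container` itself or lies anywhere beneath it."""
    return dn == container or dn.endswith("," + container)


def driver_manages(dn, replicas):
    """A driver on this server can manage only users in a master or read/write replica."""
    return any(is_under(dn, c) for c, kind in replicas.items() if kind in ("master", "read/write"))


def has_policy(dn, policy_containers):
    """A Password Policy assigned to a container covers that container and all its subcontainers."""
    return any(is_under(dn, c) for c in policy_containers)


def coverage_gaps(users, replicas, policy_containers):
    """Return (managed here but without a policy, covered by a policy but not managed here)."""
    no_policy = [u for u in users
                 if driver_manages(u, replicas) and not has_policy(u, policy_containers)]
    not_managed = [u for u in users
                   if has_policy(u, policy_containers) and not driver_manages(u, replicas)]
    return no_policy, not_managed


# Constructed sample data for one server running Password Synchronization drivers.
REPLICAS = {
    "ou=sales,o=example": "master",
    "ou=eng,o=example": "read-only",          # drivers here cannot manage these users
    "ou=contractors,o=example": "read/write",
}
# Containers with a Password Policy (Universal Password enabled) assigned.
POLICY_CONTAINERS = ["ou=sales,o=example", "ou=eng,o=example"]
USERS = [
    "cn=asmith,ou=sales,o=example",
    "cn=bjones,ou=eng,o=example",
    "cn=cwang,ou=contractors,o=example",
    "cn=dlee,ou=hq,o=example",
]

if __name__ == "__main__":
    no_policy, not_managed = coverage_gaps(USERS, REPLICAS, POLICY_CONTAINERS)
    print("managed by this server, no Universal Password policy:", no_policy)
    print("policy assigned, not in a master/read-write replica here:", not_managed)
```

In the sample data the contractors container is replicated read/write but has no policy, so its users will be synchronized without Universal Password policy enforcement, while the engineering container has a policy but only a read-only replica on this server, so its users are not managed by these drivers at all; assigning the policy at the partition root, as the text suggests, closes the first gap.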

For information about how Password Policies are assigned to users, see Assigning Password Policies to Users.


Identity Manager Offers Several Scenarios for Synchronizing Passwords

As with other object attributes, Identity Manager lets you decide which systems should be authoritative sources for passwords. Identity Manager gives you flexibility in deciding how you want passwords to flow.

Much of the new functionality of Identity Manager Password Synchronization relies on Universal Password, the new reversible password functionality provided by eDirectory.

However, there are scenarios that don't require you to deploy Universal Password.

Identity Manager Password Synchronization also relies on the Distribution Password, which is the repository from which Identity Manager distributes passwords to connected systems. Like Universal Password, a policy can be enforced on the Distribution Password.

For a basic list of the ways you can implement password synchronization, see Implementing Password Synchronization. These scenarios can be combined to meet the needs of your environment.


Identity Manager Can Sync Passwords on Windows without the Novell Client

A Novell Client is no longer required for password synchronization with Active Directory and NT Domain.


Identity Manager Can Notify Users of Password Synchronization Failures

The previous section, Identity Manager Can Enforce Password Policies, in the Data Store and on Connected Systems, explains that Identity Manager can enforce Password Policies by not accepting passwords that don't comply from connected systems.

Using the new e-mail notification feature, you can specify that Identity Manager notifies the user when a password change they made was not successful.

For example, suppose you have set Identity Manager to not accept an incoming password from NT Domain if it doesn't comply with your Password Policy, and you have enabled e-mail notification. One rule in your Password Policy says that the company name can't be used as a password, and a user changes the password on the NT Domain connected system to be the company name. In this case, NMAS would not accept the password, and Identity Manager would send an e-mail message to the user stating that the password change was not synchronized.

You must set up the e-mail server and templates before you can use this feature. You can customize the text of the messages that Identity Manager sends, and you can customize the notification to send a copy to the administrator. For more information, see Configuring E-Mail Notification.


Identity Manager Can Check the Password Synchronization Status for a User

Identity Manager lets you query connected systems to check the password synchronization status for a user. If the connected system supports the check password feature, you can see whether passwords are synchronizing successfully.

For how to check passwords, see Checking the Password Synchronization Status for a User.

For a list of which systems support checking passwords, see Connected System Support for Password Synchronization.


Diagrams of Password Synchronization Flow

Here's an overview of connected systems publishing passwords to Identity Manager.


Diagram of password publishing to DirXML

Here's an overview of Identity Manager distributing passwords to connected systems.


Diagram of DirXML distributing passwords to connected systems