Connected System Support for Password Synchronization

Identity Manager is always capable of accepting a password from a connected system, even if the connected system does not support providing the user's actual password from that system.

AD, NT, eDir, and NIS can accept a password from Identity Manager and also support sending the user's actual password to Identity Manager. This means they offer full support for bidirectional password synchronization.

Other systems can provide data that can be used to create passwords. To use that data, define a policy within the driver configuration on the Publisher channel. The sample driver configurations for most of the drivers show an example of this: they include a policy that provides a default password based on Surname.

Connected systems have varying abilities to accept a password from Identity Manager. Some connected systems support setting an initial password for new accounts, but not password modify events.

This section contains a list of the connected systems and what the sample driver configurations support.

The capabilities of the sample driver configurations are noted in the driver manifest. This table provides the following additional information that is not in the driver manifest:

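The following connected systems support bidirectional password synchronization.

They can provide the user's actual password on the connected system, and accept passwords from Identity Manager.

| Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (sync) Password |
|---|---|---|---|---|
| Active Directory | Yes | Yes | Yes | Yes |
| eDirectory [1] | Yes | Yes | Yes | Yes |
| NT Domain | Yes | Yes | No | Yes |
| NIS | Yes | Yes | Yes | Yes |
| SIF | Yes | Yes | No | Yes |

The following connected systems can accept passwords from Identity Manager to some degree. They can't provide a user's actual password on the connected system to Identity Manager.

Although they can't provide the user's actual password, they can be configured to create a password using a policy on the Publisher channel, based on other user data in the connected system. (The sample driver configurations demonstrate default password based on surname.)

| Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (sync) Password |
|---|---|---|---|---|
| GroupWise® | Yes | Yes | No | No [2] |
| JDBC | Yes [3] | No [4] | No | No [5] |
| LDAP | Yes [6] | Yes [6] | Yes | No |
| Notes | Yes | Yes [7] | Yes [7] | No |
| SAP User Management | Yes | Yes | No | No |

The following connected systems can't accept passwords or provide a user's password on the connected system using the sample driver configuration.

Although they can't provide the user's password to Identity Manager, they can be configured to create a password using a policy on the Publisher channel, based on other user data in the connected system. (The sample driver configurations demonstrate default password based on surname.)

| Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (sync) Password |
|---|---|---|---|---|
| Delimited Text | No [8] | No [8] | No [8] | No [8] |
| Exchange 5.5 | No | No | No | No |
| PeopleSoft 3.6 | No | No | No | No |
| PeopleSoft 4.0 | No | No | No | No |
| SAP HR | No | No | No | No |

The following connected systems are not intended to be used with password synchronization.

| Connected System Driver | Subscriber Channel: Application Can Accept Setting of Initial Password | Subscriber Channel: Application Can Accept Modification of Password | Subscriber Channel: Application Supports Check Password | Publisher Channel: Application Can Provide (sync) Password |
|---|---|---|---|---|
| Avaya* PBX | No | No | No | No |
| Entitlements Service Driver | No | No | No | No |
| LoopBack Service Driver | No | No | No | No |
| Manual Task Service Driver | No | No | No | No |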

[1] Between eDirectory trees, you can have bidirectional password synchronization for users even if Universal Password is not enabled for those users. See Scenario 1: eDirectory to eDirectory Password Synchronization Using NDS Password.

[2] GroupWise supports two authentication methods. 1) GroupWise provides its own authentication and maintains user passwords. 2) GroupWise authenticates against eDirectory using LDAP and does not maintain passwords. When using option 2, driver-synchronized passwords are ignored by GroupWise.

[3] The ability to set an initial password is available on all databases where the OS user account is distinct from the database user account, such as Oracle*, MS SQL, MySQL*, and Sybase*.

[4] The DirXML Driver for JDBC can be used to modify a password on the connected system, but that feature is not demonstrated in the sample driver configuration.

[5] Passwords can be synchronized as data when stored in a table.

[6] If the target LDAP server allows setting the userpassword attribute.

[7] The Notes driver can accept a password modification and check passwords only for the HTTPPassword field in Lotus Notes.

[8] The DirXML Driver for Delimited Text does not have features in the driver shim that directly support Password Synchronization. However, the driver can be configured to handle passwords, depending on the connected system you are synchronizing with.
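An added example (not part of the original documentation or of the sample driver configurations): a Python check that scans an exported policy for set-password actions whose value is built only from directory attributes or literal text, such as the Surname-based default password policy described above for the Publisher channel. It assumes the policy uses DirXML Script element names (do-set-dest-password, do-set-src-password, arg-string, token-attr, token-text, token-password); the sample policy, its rule descriptions, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SET_PASSWORD = {"do-set-dest-password", "do-set-src-password"}
# Leaf tokens whose value is directory data or a literal, so the result is guessable.
GUESSABLE = {"token-attr", "token-src-attr", "token-dest-attr", "token-op-attr", "token-text"}

# Constructed sample policy (assumed DirXML Script element names, not a real export).
SAMPLE_POLICY = """\
<policy>
<rule><description>Default password from Surname</description><actions>
  <do-set-dest-password><arg-string>
    <token-lower-case><token-attr name="Surname"/></token-lower-case>
  </arg-string></do-set-dest-password>
</actions></rule>
<rule><description>Fixed default password</description><actions>
  <do-set-dest-password><arg-string>
    <token-text>CONSTRUCTED-LITERAL</token-text>
  </arg-string></do-set-dest-password>
</actions></rule>
<rule><description>Pass through the application password</description><actions>
  <do-set-dest-password><arg-string>
    <token-password/>
  </arg-string></do-set-dest-password>
</actions></rule>
</policy>
"""

def find_derived_passwords(policy_xml):
    """Return (rule description, action, sources) for each password built only from guessable tokens."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        desc = (rule.findtext("description") or "").strip()
        for action in rule.iter():
            if action.tag not in SET_PASSWORD:
                continue
            arg = action.find("arg-string")
            if arg is None:
                continue
            # Wrapper tokens (case changes, etc.) add no secrecy, so judge only the leaf tokens.
            leaves = [e for e in arg.iter() if e is not arg and len(e) == 0]
            if leaves and all(e.tag in GUESSABLE for e in leaves):
                sources = [e.get("name") or "literal text" for e in leaves]
                findings.append((desc, action.tag, sources))
    return findings

if __name__ == "__main__":
    for desc, action, sources in find_derived_passwords(SAMPLE_POLICY):
        print(f"{desc}: {action} built from {', '.join(sources)}")
```

Rules it reports are candidates for review: a password derived from Surname or a fixed string can be guessed by anyone who knows the account's directory data or the policy.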