Prerequisites for Password Synchronization

Password Synchronization depends on the following elements being in place:


Support for Universal Password

See Preparing to Use Universal Password.


Password Synchronization Capabilities Declared in the Driver Manifest

The driver manifest declares whether a connected system supports the following password synchronization functions:

NOTE:  The driver manifest is written by the driver developer, or the Identity Manager expert who creates the driver configuration. It is not meant to be edited by a network administrator. It represents the true capabilities of the driver shim and configuration, so changing the manifest alone does not change functionality. To add functionality, the driver shim, connected system, or driver configuration would need to be enhanced.

The driver configurations delivered with Identity Manager contain driver manifest entries. To add them to an existing driver, see Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.


Password Synchronization Settings You Create Using Global Configuration Values

New in Identity Manager are global configuration values, which let you set a constant value that you can reference in a policy. (They are sometimes called server variables, because they are held in an attribute that is per replica.)

For Password Synchronization, they allow you to create settings for the flow of passwords to and from Identity Manager.

Because the password synchronization policies in the driver configuration are written to behave differently based on your settings in the global configuration values, it's easy to change the flow of passwords without having to edit policies.

You control the following settings for each connected system separately, using global configuration values. Note that in the interface, Identity Manager is referred to as DirXML.

The Password Synchronization task in iManager (Password Management > Password Synchronization) is where you should edit these GCVs. This graphical interface lets you specify how you want passwords to flow among connected systems and Identity Manager.

After you specify where you want to search for connected system drivers, the interface displays an overview of the password flow settings for all the connected system drivers it finds. Here's an example of the overview page:


Figure: List of connected systems showing whether password flow is enabled to DirXML and to the connected systems

On this page, you can click a driver name to drill down and see all the settings you control.

The following figure shows the page that appears. This is the graphical interface for setting the global configuration values for Password Synchronization.


Figure: List of global configuration values for password sync

If an option on this page is dimmed, it is because the driver manifest shows that the connected system does not support it.

NOTE:  This interface lets you set global configuration values on each driver separately. Global configuration values on a driver override those on the driver set, and setting them on a specific driver gives you more granular control. This page can display only the global configuration values that are present on the individual driver.

Global configuration values can be set on the driver set object, and can be inherited by a driver in that driver set if the driver does not have values of its own. If a driver has no settings of its own and instead inherits the global configuration values from the driver set, this interface does not display them. Although this interface does not display inherited global configuration values, they are still honored by the password synchronization policies.


Policies Required in the Driver Configuration

Policies on the Publisher and Subscriber Channels for each driver govern the password flow, based on your settings in the global configuration values explained above.

These policies are included in the driver configurations in Identity Manager.

If you are upgrading an existing driver configuration instead of replacing it, you must add these policies to the configuration. (See Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.)

These policies must be in your driver configuration in the correct location for password synchronization to work.

The following list gives, for each location in the driver configuration, the name of each Password Synchronization policy and what the policy does.

Location: Publisher Command Transformation

  These policies must be present in this order, and they must be the last policies in the Publisher Command Transformation policy set.

  Policy: Password(Pub)-Default Password Policy

    Adds a default password to an add object if the add does not already contain a password.

    This policy and the Password(Sub)-Default Password Policy are the only policies that you can modify or remove. The others should be used without changes, in order for password synchronization functionality to work properly.

  Policy: Password(Pub)-Check Password GCV

    Checks the GCV to determine whether you have specified that Identity Manager accepts passwords from this connected system. If not, it strips out all password elements.

    The name of the GCV is enable-password-publish, and the display name is "DirXML accepts passwords from application."

  Policy: Password(Pub)-Publish Distribution Password

    Transforms the <password> element to the form that allows it to update Universal Password.

    This policy references the following GCVs: publish-password-to-dp, and enforce-password-policy.

  Policy: Password(Pub)-Publish NDS Password

    Allows the <password> element to go through if you have specified that the NDS password should be updated. If not, it strips out the <password> element.

    This policy references the GCV named publish-password-to-nds.

  Policy: Password(Pub)-Add Password Payload

    Puts in payload data that is passed around in the engine for purposes of e-mail notification.

Location: Publisher Input Transformation

  We recommend that this policy be listed last if there are multiple policies in the Input Transformation.

  Policy: Password(Pub)-Sub Email Notifications

    If the payload information comes through, and the status shows a problem, it sends e-mail to the user. It sends the mail to the user's e-mail address indicated in the Internet EMail Address attribute in eDirectory.

    This policy references the GCV named notify-user-on-password-dist-failure to determine whether to send notification e-mails.

Location: Subscriber Command Transformation

  These policies must be present in this order, and they must be the last policies in the Subscriber Command Transformation policy set.

  Policy: Password(Sub)-Transform Distribution Password

    Transforms the Universal Password to a <password> element.

  Policy: Password(Sub)-Default Password Policy

    Adds a default password to an add object if the add does not already contain a password.

    This policy and the Password(Pub)-Default Password Policy are the only policies that you can modify or remove. The others should be used without changes, in order for password synchronization functionality to work properly.

  Policy: Password(Sub)-Check Password GCV

    Checks the GCV to determine whether you have specified that the connected system accepts passwords. If not, it strips out all password elements.

    The name of the GCV is enable-password-subscribe, and the display name is "Application accepts passwords from DirXML data store."

  Policy: Password(Sub)-Add Password Payload

    Puts in payload data that is passed around in the engine for purposes of e-mail notification.

Location: Subscriber Output Transformation

  We recommend that this policy be listed last if there are multiple policies in the Output Transformation.

  Policy: Password(Sub)-Pub Email Notifications

    If the payload information comes through, and the status shows a problem, it sends e-mail to the user.

    This policy references the GCV named notify-user-on-password-dist-failure to determine whether to send notification e-mails.
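As an added example (not from the Identity Manager documentation or its driver configurations), the following Python simulates the Publisher Command Transformation password policies above, together with the driver/driver-set GCV inheritance described earlier: it reads a constructed XDS-style add command, supplies a default password, and strips password elements when the enable-password-publish or publish-password-to-nds GCV is not true. The XDS document, the default password value and the function names are assumptions; the Publish Distribution Password transform and the e-mail payload are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed XDS-style add command with no password (an assumed document shape).
SAMPLE_ADD = ('<nds><input><add class-name="User" src-dn="jdoe">'
              '<add-attr attr-name="Surname"><value>Doe</value></add-attr>'
              '</add></input></nds>')

def resolve_gcv(name, driver_gcvs, driver_set_gcvs, default="false"):
    """A GCV set on the driver overrides the driver set; otherwise it is inherited."""
    if name in driver_gcvs:
        return driver_gcvs[name]
    return driver_set_gcvs.get(name, default)

def strip_password_elements(root):
    """Remove every <password> child anywhere in the document; return how many."""
    removed = 0
    for parent in list(root.iter()):
        for pw in parent.findall("password"):
            parent.remove(pw)
            removed += 1
    return removed

def apply_publisher_password_policies(xds, driver_gcvs, driver_set_gcvs,
                                      default_password="Assumed-Default-1"):
    """Run the Publisher Command Transformation password policies in table order.

    Returns the transformed XDS string and a log of what each policy did."""
    root = ET.fromstring(xds)
    log = []

    def enabled(name):
        return resolve_gcv(name, driver_gcvs, driver_set_gcvs) == "true"

    # Password(Pub)-Default Password Policy: supply a password if the add has none.
    for add in root.iter("add"):
        if add.find("password") is None:
            ET.SubElement(add, "password").text = default_password
            log.append("default password added")
    # Password(Pub)-Check Password GCV: if DirXML does not accept passwords from
    # this application, strip all password elements; nothing is left to publish.
    if not enabled("enable-password-publish"):
        log.append(f"enable-password-publish=false: stripped {strip_password_elements(root)}")
        return ET.tostring(root, encoding="unicode"), log
    # Password(Pub)-Publish NDS Password: let <password> through only if the
    # NDS password is to be updated.
    if not enabled("publish-password-to-nds"):
        log.append(f"publish-password-to-nds=false: stripped {strip_password_elements(root)}")
    return ET.tostring(root, encoding="unicode"), log
```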


Filters You Install on the Connected System to Capture Passwords

For AD, NT Domain, and NIS, filters must be installed to capture the user's password.

See Setting Up Password Filters.


Password Policies You Create for Your Users

Password Policies must be used to enable Universal Password for your users (although you can use some features of Password Synchronization without Universal Password). The Password Policy also lets you specify Advanced Password Rules, and specify whether users' existing passwords are checked for compliance with the rules.

You must understand Password Policies to use Identity Manager Password Synchronization.

Password Policies are explained in Managing Passwords by Using Password Policies.


NMAS Login Methods

In some situations, you must have the NMAS Simple Password Login Method in place for password functionality to work. For example, LDAP requires it.

For information about login methods, see the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide.