Implementing Password Synchronization

The Password Synchronization functionality provided in Identity Manager allows you to implement several different scenarios. This section outlines some basic scenarios, to help you understand how the settings in Password Synchronization and Password Policies affect the way passwords are synchronized. You can use one or more of the scenarios to meet the needs of your environment.

In this section:


Overview of Identity Manager Relationship to NMAS

In this section:


Utilities and NMAS

The latest utilities such as iManager and the Novell Client communicate with NMAS rather than directly updating a specific password, and NMAS is the entity that determines which passwords are updated.

NMAS synchronizes passwords within eDirectory, based on your settings in Password Policies.

Legacy utilities that are not Universal Password-enabled update the NDS password directly, instead of communicating with NMAS and letting NMAS determine which passwords are updated. Be aware of how legacy utilities are used in your environment by users and help desk administrators; they can cause "password drift" (Universal Password and NDS password getting out of sync) if you are using Universal Password and NMAS 2.3, because legacy utilities update the NDS password directly instead of going through NMAS. For example, you should make sure users upgrade the Novell Client, and make sure that help desk users use ConsoleOne only with the latest Novell Client or NetWare release to ensure support of Universal Password.


Utilities go through NMAS to update passwords, except for legacy utilities which update NDS password directly


Identity Manager and NMAS

Identity Manager controls the "entry point" (updating either Universal or Distribution Password directly). NMAS controls the flow of synchronizing passwords inside eDirectory.

In Scenario 1, the DirXML Driver for eDirectory can be used to update the NDS password directly. This scenario is basically the same as the one provided in DirXML 1.x.

In Scenario 2, Scenario 3, and Scenario 4, described later in the section, Identity Manager is used to update either Universal Password or Distribution Password, and Identity Manager goes through NMAS to make password changes. This allows NMAS to update other eDirectory passwords as determined by Password Policy settings, and allows NMAS to enforce Advanced Password Rules from Password Policies for passwords being synchronized with connected systems. In these scenarios, the password that Identity Manager distributes to connected systems is always the Distribution Password. The difference between the scenarios lies in the different combinations of NMAS Password Policy settings, and Identity Manager Password Synchronization settings for each connected system driver.


Scenario 1: eDirectory to eDirectory Password Synchronization Using NDS Password

As in Password Synchronization 1.0, you can synchronize NDS Password between two eDirectory trees using the eDirectory driver. This scenario does not require Universal Password to be implemented, and can be used with eDirectory 8.6.2 or later. Another name for this kind of password synchronization is synchronizing the public/private key pair.

This method should only be used to synchronize passwords from eDirectory to eDirectory. It does not use NMAS and therefore cannot be used to synchronize passwords to connected applications.

In this section:


Advantages and Disadvantages of Scenario 1

Advantages Disadvantages

Simple configuration. Just include the correct attributes in the driver filter.

If you are deploying Identity Manager 2 and eDirectory 8.7.3 in stages, this method can help you deploy gradually.

  • You don't need to add the new password synchronization policies to driver configurations.
  • Does not require Universal Password to be implemented in the Identity Manager 2 tree.
  • Can be used with connected trees running eDirectory 8.6.2 or later.
  • Does not require NMAS 2.3.

Enforces the basic password restrictions you can set for NDS Password.

This method synchronizes passwords between eDirectory trees. Passwords cannot be synchronized to other connected systems.

Does not update Universal Password or Distribution Password.

Because this method does not use NMAS, you can't validate passwords against Advanced Password Rules in Password Policies for passwords coming from another tree.

Because this method does not use NMAS, you can't reset passwords on the connected eDirectory tree if they don't comply with Password Policy.

E-mail notifications are not provided for password synchronization failures.

Check Password Status operations from the iManager task are not supported (Distribution Password is required for this feature).


Scenario 1 Diagram

The diagram shows that, as in DirXML 1.x, the DirXML Driver for eDirectory can be used to synchronize the NDS password between two eDirectory trees. This scenario does not go through NMAS.


Scenario 1


Setting Up Scenario 1

To set up this kind of password synchronization:


Universal Password Deployment

Not necessary.


Password Policy Configuration

None.


Password Synchronization Settings

None. The settings on the Password Synchronization page for a driver have no effect on this method of synchronizing NDS Password.


Driver Configuration

Remove the Password Synchronization policies listed in Policies Required in the Driver Configuration. Those policies are intended to support Universal Password and Distribution Password. NDS Password is synchronized using Public Key and Private Key attributes instead of these policies.

Make sure that the Filter for both eDirectory drivers is synchronizing the Public Key and Private Key attributes for all object classes for which passwords should be synchronized. The following figure shows an example.


Private Key and Public Key set to Synchronize in the filter


Troubleshooting Scenario 1

  • Turn on the DXML Dstrace option.
  • Check the driver Filter to make sure the Public Key and Private Key attributes are being synchronized, not ignored.
  • See also the tips in Troubleshooting Password Synchronization.


Scenario 2: Synchronizing Universal Password

With Identity Manager, you can synchronize a connected system password with the Universal Password in eDirectory.

When Universal Password is updated, the NDS Password, Distribution Password, or Simple Password can also be updated, depending on your settings in the Password Policy.

Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Connected System Support for Password Synchronization.

In this section:


Advantages and Disadvantages of Scenario 2

Advantages Disadvantages

Allows synchronization of passwords to and from eDirectory and the connected system.

Allows passwords to be validated against the NMAS Password Policy.

Allows e-mail notifications for failed password operations, such as when a password coming from a connected system does not comply with Password .

Supports the Check Password Status task in iManager, if Universal Password is being synchronized with Distribution Password and if the connected system supports checking passwords.

NMAS enforces the Advanced Password Rules in your Password Policies, if you have the rules enabled. If a password coming from a connected system does not comply, an error is generated, and an e-mail notification is sent if you have specified that option.

If you don't want Password Policy rules enforced, you can uncheck Enable Advanced Password Rules in the Password Policy.

By design, resetting passwords in the connected system is not supported with this method because the Distribution Password and Universal passwords might not be the same, depending on your settings in the Password Policies.


Scenario 2 Diagram

The digram shows that in this scenario, passwords come in through Identity Manager, which goes through NMAS to directly update Universal Password. Then, NMAS synchronizes the Universal Password with the Distribution Password and other passwords according to the Password Policy settings. Finally, Identity Manager retrieves the Distribution Password to distribute to connected systems that are set to accept passwords.

Although multiple connected systems are shown as connecting to Identity Manager in this digram, keep in mind that you individually create the settings for each connected system driver.


Scenario 2


Setting Up Scenario 2

To set up this kind of password synchronization:


Universal Password Deployment

Make sure your environment is ready to use Universal Password. See Preparing to Use Identity Manager Password Synchronization and Universal Password.


Password Policy Configuration

In Password Management > Manage Password Policies, do the following:

  1. Make sure a Password Policy is assigned to the parts of the eDirectory tree that you want to have this kind of password synchronization. You can assign it to the whole tree (using Login Policy object), a partition root container, a container, or a specific user. We recommend that you assign Password Policies as high in the tree as possible to simplify management.

  2. In the Password Policy, make sure the following are selected:

    • Enable Universal Password
    • Synchronize NDS Password when Setting Universal Password
    • Synchronize Distribution Password when Setting Universal Password

      Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be checked to allow bidirectional password synchronization.


    Password Policy settings for Scenario 2
  3. Complete your Password Policy as desired.

    NMAS enforces the Advanced Password Rules in your Password Policies, if you have the rules enabled. If you don't want Password Policy rules enforced, deselect Enable Advanced Password Rules.

  4. If you are using Advanced Password Rules, make sure they don't conflict with the password policies on any connected systems that are subscribing to passwords.


Password Synchronization Settings

In Password Management > Password Synchronization, create these settings for the driver for the connected system:

  1. Make sure the following are selected:

    • DirXML Accepts Passwords (Publisher Channel)

      A message is displayed on the page if the driver manifest does not contain a "password-publish" capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in a the driver confguration using a policy.

    • Application Accepts Passwords (Subscriber Channel)

      If the connected system does not support accepting passwords, the option is dimmed.


    Password Sync settings for Scenario 2

    These settings allow for bidirectional password synchronization if it is supported by the connected system.

    You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only Application Accepts Passwords (Subscriber Channel).

  2. Make sure the following is not checked:

    • Use Distribution Password for Password Synchronization

    In this scenario, Identity Manager updates the Universal Password directly. The Distribution Password is still used to distribute passwords to connected systems, but is updated from the Universal Password by NMAS instead of by Identity Manager.

  3. (Optional) Select the following if desired:

    • Notify the User of Password Synchronization Failure via E-mail

      Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory user object to be populated.

      E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail, and if they fail they are not retried unless the operation itself is retried.

      However, debug messages for e-mail notifications are written to the trace file.


Driver Configuration
  1. Make sure the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization. The policies must be in the correct location and the correct order in the driver configuration. For the list of policies, see Policies Required in the Driver Configuration.

    The Identity Manager sample configurations already contain the policies. If you are upgrading an existing driver, you can add the policies using the instructions in Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.

  2. Set the filter correctly for nspmDistributionPassword attribute:

    • For the Publisher channel, set the Filter to Ignore for the nspmDistributionPassword attribute for all object classes.
    • For the Subscriber channel, set the Filter to Notify for the nspmDistribution Password attribute for all object classes that should subscribe to password changes.

    Filter settings for nspmDistributionPassword
  3. Ignore both the Public Key and Private Key attributes in the driver filter for all objects that have Notify set for the nspmDistributionPassword attribute.


    Private Key and Public Key set to Ignore in the filter
  4. To ensure password security, make sure you control who has rights to Identity Manager objects.


Troubleshooting Scenario 2

In this section:

See also the tips in Troubleshooting Password Synchronization.


Flowchart for Scenario 2

The following flowchart shows how NMAS handles the password it receives from Identity Manager. The password is synchronized to Universal Password in this scenario, and NMAS decides how to handle the password based on whether Universal Password is enabled in the Password Policy, whether Advanced Password Rules are enabled that incoming passwords must comply with, and what the other settings are in the Password Policy for synchronizing Universal Password with the other passwords.


Flowchart for Scenario 2

Trouble Logging in to eDirectory
  • Turn on the +AUTH, +DCLN, +DXML, and +DVRS settings in DSTrace
  • Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify that they are being passed, watch the trace screen with those options turned on.
  • Verify that the password is valid according to the rules of the Password Policy.
  • Check NMAS Password Policy configuration and assignment. Try assigning the policy directly to user make sure the correct policy is being used.
  • On the Password Synchronization page for the driver, make sure "DirXML Accepts Passwords" is selected.
  • In the Password Policy, make sure Synchronize Distribution Password when Setting Universal Password is selected.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting cases where this connected system is publishing passwords to Identity Manager, and another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing
  • Set the DirXML trace level for the driver to 3.
  • Make sure the Password Synchronization "DirXML Accepts Passwords" option is selected.
  • Check the driver filter to make sure the nspmDistributionPassword attribute is set correctly, as explained in Step 2.
  • Verify that the <password> for an add or <modify-password> element is being sent to the connected system. To verify, watch the DSTRACE screen or file with the trace options turned on as noted in the first items.
  • Verify that the driver configuration includes the DirXML script password policies in the correct location and correct order, as described in Policies Required in the Driver Configuration.
  • Compare the Password Policy in eDirectory with any password policies enforced by the connected system, to make sure they are compatible.

E-Mail Not Generated on Password Failure
  • Turn on the +DXML setting in DSTrace to see DirXML rule processing
  • Set the DirXML trace level for the driver to 3.
  • Verify that the rule to generate e-mail is selected.
  • Verify that the eDirectory object contains the correct user e-mail address in the Internet EMail Address attribute.
  • In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured correctly. See Configuring E-Mail Notification.

Error When Using Check the Object Password

The Check Password Status task in iManager causes the driver to be given a check object password action to perform. If you have problems, review the following:

  • If the Check Object Password returns -603, the eDirectory object does not contain an nspmDistributionPassword attribute. Check the driver filter for the correct settings for the nspmDistributionPassword attributes, and make sure the Password Policy has Synchronize Distribution Password when Setting Universal Password selected.
  • If the Check Object Password returns "Not Synchronized," verify that the driver configuration contains the appropriate Password Synchronization policies.
  • Compare the Password Policy in eDirectory with any password policies enforced by the connected system, to make sure they are compatible.
  • Check Object Password operates from the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized.
  • Keep in mind that for the eDirectory driver only, Check Password Status is checking the NDS Password instead of the Distribution Password.

Helpful DSTrace Commands

+DXML: To view DirXML rule processing and potential error message

+DVRS: To view DirXML driver messages

+AUTH: To view NDS password modifications

+DCLN: To view NDS DClient messages


Scenario 3: Synchronizing eDirectory and Connected Systems with Identity Manager Updating the Distribution Password

In this method, Identity Manager updates the Distribution Password directly, and allows NMAS to determine how the other eDirectory passwords are synchronized.

Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Connected System Support for Password Synchronization.

In this section:


Advantages and Disadvantages of Scenario 3

Advantages Disadvantages

Allows synchronization of passwords between eDirectory and connected systems.

Lets you choose whether or not to enforce Password Policies for passwords coming from connected systems.

You can specify that notification be sent if password synchronization fails.

If you are enforcing Password Policies, you can choose to reset a password on the connected system to the Distribution Password if the password doesn't comply.

 


Scenario 3 Diagram

The diagram shows that in this scenario, passwords come in through Identity Manager, which goes through NMAS to directly update Distribution Password. Identity Manager also uses the Distribution Password to distribute to connected systems that you have specified should accept passwords. NMAS synchronizes Universal Password with the Distribution Password, and with other passwords according to the Password Policy settings.

Although multiple connected systems are shown as connecting to Identity Manager in this diagram, keep in mind that you individually create the settings for each connected system driver.


Scenario 3


Setting Up Scenario 3

To set up this kind of password synchronization:


Universal Password Deployment

Make sure your environment is ready to use Universal Password. See Preparing to Use Identity Manager Password Synchronization and Universal Password.


Password Policy Configuration

In Password Management > Manage Password Policies, do the following:

  1. Make sure a Password Policy is assigned to the parts of the eDirectory tree that you want to have this kind of password synchronization. You can assign it to the whole tree, a partition root container, a container, or a specific user. We recommend that you assign Password Policies as high in the tree as possible to simplify management.

  2. In the Password Policy, make sure the following are selected:

    • Enable Universal Password
    • Synchronize NDS Password When Setting Universal Password
    • Synchronize Distribution Password When Setting Universal Password

      Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.


    Password Policy settings for Scenario 3
  3. If you are using Advanced Password Rules, make sure they don't conflict with the password policies on any connected systems that are subscribing to passwords.


Password Synchronization Settings

In Password Management > Password Synchronization, use these settings:

  1. Make sure the following are selected:

    • DirXML Accepts Passwords (Publisher Channel)
      • Use Distribution Password for Password Synchronization

      A message is displayed on the page if the driver manifest does not contain a "password-publish" capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.

    • Application accepts passwords (Subscriber Channel)

    Pass Sync settings for Scenario 3

    These settings allow for bidirectional password synchronization if it is supported by the connected system.

    You can adjust the settings to match your business policies for the authoritative source for password. For example, if a connected system should subscribe to passwords but not publish, select only Application Accepts Passwords (Subscriber Channel).

  2. Specify whether you want Password Policies to be enforced or ignored, using the options under Use Distribution Password for password synchronization.

  3. (Conditional) If you have specified that you want Password Policies to be enforced, also specify whether you want Identity Manager to reset the connected system password if it does not comply.

  4. (Optional) Select the following if desired:

    • Notify the User of Password Synchronization Failure via E-mail

      Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory user object to be populated.

      E-mail notifications are noninvasive. They do not affect the processing of the XML document that triggered the email and if they fail they are not retried unless the operation itself is retried.

      However, debug messages for e-mail notifications are written to the trace file.


Driver Configuration
  1. Make sure the required DirXML script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization. The policies must be in the correct location and the correct order in the driver configuration. For the list of policies, see Policies Required in the Driver Configuration.

    The Identity Manager sample configurations already contain the policies. If you are upgrading an existing driver, you can add the policies using the instructions in Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.

  2. Set the filter correctly for nspmDistributionPassword attribute:

    • For the Publisher channel, set the driver filter to Ignore for the nspmDistributionPassword attribute for all object classes.
    • For the Subscriber channel, set the driver filter to Notify for the nspmDistribution Password attribute for all object classes that should subscribe to password changes.

    Filter settings for nspmDistributionPassword
  3. Ignore both the Public Key and Private Key attributes in the driver filter for all objects that have Notify set for the nspmDistributionPassword attribute.


    Private Key and Public Key set to Ignore in the filter
  4. To ensure password security, make sure you control who has rights to DirXML objects.


Troubleshooting Scenario 3

In this section:

See also the tips in Troubleshooting Password Synchronization.


Flowchart for Scenario 3

The following flowchart shows how NMAS handles the password it receives from Identity Manager. The password is synchronized to the Distribution Password in this scenario, and NMAS decides how to handle the password based on whether you have specified that incoming passwords should be validated against Password Policy rules (if Universal Password and Advanced Password Rules are enabled), and what the other settings are in the Password Policy for synchronizing Universal Password with the other passwords.


Flow chart about how NMAS handles passwords in Scenario 3, synching to Distribution Password

Trouble Logging in to eDirectory
  • Turn on the +AUTH, +DCLN, +DXML, and +DVRS settings in DSTrace
  • Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify, watch the DSTRACE screen or file with the trace options turned on as noted in the first item.
  • Verify that the password is valid according to the rules of the Password Policy.
  • Check Password Policy configuration and assignment. Try assigning the policy directly to the user to make sure the correct policy is being used.
  • On the Password Synchronization page for the driver, make sure that DirXML Accepts Passwords (Publisher Channel) is selected.
  • In the Password Policy, make sure that Synchronize Distribution Password when Setting Universal Password is selected.
  • In the Password Policy, make sure that Synchronize NDS Password when Setting Universal Password is selected, if this is desired.
  • If users are logging in through the Novell Client or ConsoleOne, check the version. Legacy Novell Clients and ConsoleOne might not be able to log in to eDirectory if the Universal Password is not synchronized with the NDS Password.

    Versions of the Novell Client and ConsoleOne are available that are aware of the Universal Password. See the NMAS 2.3 Administration Guide.

  • Some legacy utilities authenticate using the NDS Password, and also cannot log in to eDirectory if the Universal Password is not synchronized with the NDS Password. If you don't want to use the NDS Password for most users, but you have administrator or help desk users who need to authenticate with legacy utilities, try using a different Password Policy for help desk users so you can specify different Universal Password synchronization options for them.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, and another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings to see DirXML rule processing and potential errors
  • Set the DirXML trace level for driver to 3.
  • Make sure that the DirXML Accepts Passwords (Publisher Channel) option is selected in the Password Synchronization page.
  • In the Password Policy, make sure that Synchronize Distribution Password when Setting Universal Password is selected.

    Identity Manager uses the Distribution Password to synchronize passwords to connected systems. Universal Password must be synchronized with the Distribution Password for this synchronization method.

  • Check the driver filter for the nspmDistributionPassword attribute.
  • Verify that the <password> element for an add or a <modify-password> element have been converted to add and modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTRACE screen or file with the options turned on as noted in the first item.
  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Policies Required in the Driver Configuration.
  • Compare the Password Policy in eDirectory with any password policies enforced by the connected system, to make sure they are compatible.

E-Mail Not Generated on Password Failure
  • Turn on the +DXML setting in DSTrace to see DirXML rule processing
  • Set the DirXML trace level for the driver to 3.
  • Verify that the rule to generate e-mail is selected.
  • Verify that the eDirectory object contains the correct value in the Internet EMail Address attribute.
  • In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured. See Configuring E-Mail Notification.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail, and if they fail they are not retried unless the operation itself is retried.

However, debug messages for e-mail notifications are written to the trace file.


Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to be given a check object password action to perform.

  • Make sure the connected system supports checking passwords. See Connected System Support for Password Synchronization.

    This operation is not available through iManager if the driver manifest does not indicate that the connected system supports password-check capability.

  • If the Check Object Password returns -603, the eDirectory object does not contain an nspmDistributionPassword attribute. Check the driver filter, and the "Synchronize Universal to Distribution" option within the Password Policy.
  • If the Check Object Password returns "Not Synchronized", verify that the driver configuration contains the appropriate Identity Manager Password Synchronization policies.
  • Compare the Password Policy in eDirectory with any password policies enforced by the connected system, to make sure they are compatible.
  • Check Object Password checks the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized
  • Keep in mind that for eDirectory, the Check Password Status checks the NDS Password instead of the Universal Password. This means that if the user's Password Policy does not specify to synchronize the NDS Password with the Universal Password, the passwords are always reported as being not synchronized. In fact, the Distribution Password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS Password and the Distribution Password are synchronized with the Universal Password.

Helpful DSTrace Commands

+DXML: To view DirXML rule processing and potential error message.

+DVRS: To view DirXML driver messages

+AUTH: To view NDS password modifications

+DCLN: To view NDS DCLient messages


Scenario 4: Tunneling --- Synchronizing Connected Systems but not eDirectory, with Identity Manager Updating the Distribution Password

Identity Manager allows you to synchronize passwords among connected sytems while keeping the eDirectory password separate. In this documentation, this is referred to as "tunneling."

In this method, Identity Manager updates the Distribution Password directly. This method is almost the same as the previous one, Scenario 3: Synchronizing eDirectory and Connected Systems with Identity Manager Updating the Distribution Password. The difference is that you make sure the Universal Password and the Distribution Password are not being synchronized. You do this either by not using Password Policies, or by using Password Policies with the option disabled for Synchronize Distribution Password When Setting Universal Password.

In this section:


Advantages and Disadvantages of Scenario 4

Advantages Disadvantages

Allows synchronization of passwords among connected systems, while keeping eDirectory password separate.

Password Policies are not required.

If you are using a Password Policy, the policy does not need to have Universal Password enabled. However, the environment must support Universal Password.

Supports the Check Password Status task in iManager, if the connected system supports it.

You can specify that notification be sent if password synchronization fails.

You can reset a connected system password that does not comply with Password Policy.

If Universal Password and Advanced Password Rules are enabled, Password Policies are enforced if you specify that they should be enforced, and passwords on connected systems can be reset.

If Universal Password or Advanced Password Rules are not enabled, Password Policies are not enforced, and passwords on connected systems cannot be reset.


Scenario 4 Diagram

The diagram shows that in this scenario, passwords come in through Identity Manager, which goes through NMAS to directly update the Distribution Password. Identity Manager also uses the Distribution Password to distribute to connected systems that you have specified should accept passwords.

The key to this scenario is that in the Password Policy, the setting is disabled for Synchronize Universal Password with Distribution Password. Because the Distribution Password is not synchronized with the Universal Password, Identity Manager synchronizes passwords among connected systems without affecting passwords in eDirectory.

Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.


Scenario 4


Setting Up Scenario 4

To set up this kind of password synchronization:


Universal Password Deployment

Although you don't need to have Password Policies with Universal Password enabled, your environment must still must be using eDirectory 8.7.3, which supports Universal Password. See Preparing to Use Identity Manager Password Synchronization and Universal Password.


Password Policy Configuration

No Password Policy is required for eDirectory users for this method.

However, if you use a Password Policy, you must do the following:

  1. Make sure the following is not checked:

    • Synchronize Distribution Password when Setting Universal Password

      This is the key to tunneling passwords without the eDirectory password being affected. By not synchronizing the Universal Password with the Distribution Password, you keep the Distribution Password separate, for use only by Identity Manager for connected systems. Identity Manager acts as a conduit, distributing passwords to and from other connected systems, without affecting the eDirectory password.


    Password Policy Settings for Scenario 4
  2. Complete the other Password Policy settings as desired.

    The other password settings in the Password Policy are up to you.


Troubleshooting Scenario 4

If password synchronization is set up for tunneling, the Distribution Password is different than the Universal Password and the NDS Password.

In this section:

See also the tips in Troubleshooting Password Synchronization.


Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, and another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see DirXML rule processing and potential errors
  • Set the DirXML trace level for the driver to 3.
  • Make sure that the DirXML Accepts Passwords (Publisher Channel) option is selected on the Password Synchronization page.
  • In the Password Policy, make sure that "Synchronize Distribution Password When Setting Universal Password" is selected.

    Identity Manager uses the Distribution Password to synchronize passwords to connected systems. The Universal Password must be synchronized with the Distribution Password for this synchronization method.

  • Make sure the driver filter has the correct settings for the nspmDistributionPassword attribute.
  • Verify that the <password> element for an add or a <modify-password> element have been converted to add and modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTRACE screen or file with the trace options turned on as noted in the first item.
  • Verify that the driver configuration includes the DirXML script password policies in the correct location and correct order, as described in Policies Required in the Driver Configuration.
  • Compare the Password Policy in eDirectory with any password policies enforced by the connected system, to make sure they are compatible.

E-Mails Not Generated on Password Failure
  • Turn on the +DXML setting in DSTrace to see DirXML rule processing
  • Set the DirXML trace level for driver to 3.
  • Verify that the rule to generate e-mail is selected.
  • Verify that the eDirectory object contains the correct value in the Internet EMail Address attribute.
  • In Notification Configuration task, check the SMTP server and the e-mail template. See Configuring E-Mail Notification.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail, and if they fail they will not be retried unless the operation itself is retried.

However, debug messages for e-mail notifications are written to the trace file.


Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to be given a Check Object Password action to perform.

  • Make sure the connected system supports checking passwords. See Connected System Support for Password Synchronization.

    This operation is not available through iManager if the driver manifest does not indicate that the connected system supports password-check capability.

  • If the Check Object Password returns -603, the eDirectory object does not contain an nspmDistributionPassword attribute. Check the DirXML attribute filter, and the Synchronize Universal to Distribution option within the Password Policy.
  • If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate DirXML password synchronization policies.
  • Compare the Password Policy in eDirectory with any password policies enforced by the connected system, to make sure they are compatible.
  • Check Object Password checks the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized

Helpful DSTrace Commands

+DXML: To view DirXML rule processing and potential error messages.

+DVRS: To view DirXML driver messages

+AUTH: To view NDS password modifications

+DCLN: To view NDS DCLient messages


Scenario 5: Synchronizing Application Passwords to the Simple Password

This scenario is a specialized use of password synchronization features. Using Identity Manager and NMAS, you can take a password from a connected system and synchronize it directly to the eDirectory Simple Password. If the connected system provides only hashed passwords, you can synchronize them to the Simple Password without reversing the hash. Then, other applications can authenticate to eDirectory using the same clear text or hashed password through LDAP or the Novell Client, with NMAS components configured to use the Simple Password as the login method.

If the password in the connected system is in clear text, it can be published as it is from the connected system into the eDirectory Simple Password store.

If the connected system provides only hashed passwords (MD5, SHA, or UNIX crypt are supported), you must publish them to the Simple Password with an indication of the kind of hash, such as {MD5}.

For another application to authenticate with the same password, you need to customize the other application to take the user's password and authenticate to the Simple Password using LDAP.

NMAS compares the password value from the application with the value in the Simple Password. If the password stored in the Simple Password is a hash value, NMAS first uses the password value from the application to create the correct type of hash value, before comparing. If the password from the application and the Simple Password are the same, NMAS authenticates the user.

In this scenario, Universal Password cannot be used.

In this section:


Advantages and Disadvantages

Advantages Disadvantages
  • Lets you update the Simple Password directly.
  • Lets you synchronize a hashed password and use it to authenticate for more than one application, without reversing the hash.
  • This scenario does not allow the use of Universal Password.
  • Forgotten Password and Password Self-Service features can still be used to the extent they are supported for the NDS Password, but they do not work for the Simple Password.
  • Because the Password Management > Set Universal Password task is dependent on Universal Password, the Administrator cannot set a user's password in eDirectory using that task.


Scenario 5 Diagram


Hash in Simple Password diagram


Setting Up Scenario 5


Password Policy Configuration

No Password Policy is required for users for this scenario. Universal Password cannot be used.


Password Synchronization Settings

For this scenario, you use DirXML Script to directly modify the SAS:Login Configuration attribute. This means that the Password Synchronization global configuration values (GCVs), which are set using the Password Management > Password Synchronization task in iManager, have no effect.


Driver Configuration
  1. Make sure the filter has the setting of Sync for both Publisher and Subscriber channels for the SAS:Login Configuration attribute.


    Filter settings for SAS:Login Configuration
  2. Configure the driver policies to publish the password from the connected system.

  3. For hashed passwords, configure the driver policies to prepend the type of hash (if it is not already provided by the application):

    • {MD5}hashed_password

      This password is Base 64 encoded.

    • {SHA}hashed_password

      This password is Base 64 encoded.

    • {CRYPT}hashed_password

    Clear text passwords and Unix Crypt password hashes are not Base64 encoded.

  4. To place the password into the Simple Password, configure the driver policies to modify the SAS:Login Configuration attribute.

    For example, this is how you would use a modify-attr element within a modify operation to change the Simple Password to an MD5 hashed password.

    <modify-attr attr-name="SAS:Login Configuration> 
    <add-value>
    <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value>
    </add-value>
    </modify-attr>

    For clear text passwords, follow this example.

    <modify-attr attr-name="SAS:Login Configuration> 
    <add-value>
    <value>clearpwd</value>
    </add-value>
    </modify-attr>

    For add operations, the add-attr element would contain one of the following:

    <add-attr attr-name="SAS:Login Configuration> 
    <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value>
    </add-attr>

    or

    <add-attr attr-name="SAS:Login Configuration> 
    <value>clearpwd</value>
    </add-attr>