Password Synchronization

This section contains information that is specified to the DirXML Driver for eDirectory, and assumes that you are familiar with the information in "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2 Administration Guide.

• The driver shim works the same way, but new policies have been added to the sample driver configuration to support Identity Manager Password Synchronization, including synchronizing Universal Password.
• If you are using the driver to connect to eDirectory 8.6.2, you can synchronize only the NDS Password, as in previous releases.

  If you are using the driver to connect to eDirectory 8.7.3, you have more options to choose from, including synchronizing Universal Password.

  See the description of the different scenarios in "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2 Administration Guide.

• If you decide to enforce Password Policy in multiple trees, make sure the Advanced Password Rules in the Password Policies are compatible in each tree, so that password synchronization can be successful.

  If you enforce incompatible Password Policies in multiple eDirectory trees, and choose to set a password back if it does not comply (with the option "If password does not comply, enforce Password Policy on the connected system by resetting user's password to the Distribution Password"), you could encounter a loop in which each eDirectory server tries to change a noncompliant password.

  Information about Password Policies is in "Managing Passwords Using Password Policies" in the Novell Nsure Identity Manager 2 Administration Guide.

• If the filter for the driver has the setting Synchronize for the Public Key and Private Key attributes, the NDS Password is synchronized between trees regardless of any other settings you have created.

  If you want to synchronize passwords using Universal Password, make sure you set the filter on both eDirectory drivers to Ignore for the Public Key and Private Key attributes for all classes that you want to synchronize Universal Password.

• The Check Password Status task in iManager does not work for an eDirectory connected system if the Password Policy has Universal Password enabled and does not have the setting checked for synchronizing Universal Password with NDS Password.

  The Check Password Status task lets you see whether a user's password in Identity Manager is synchronized with the password on connected systems.

  If you are using the DirXML Driver for eDirectory, and the Password Policy for a user specifies in the Configuration Options tab that the NDS Password should not be updated when the Universal Password is updated, then the Check Password Status task for that user will always show that the password is not synchronized. The password status will be shown as not synchronized, even if the Identity Manager Distribution Password and the Universal Password on the eDirectory connected system are in fact the same.

  This is because the eDirectory check password functionality is checking the NDS Password at this time, instead of going through NMAS to refer to the Universal Password.

  If you select the option to update the NDS Password when the Universal Password is updated in the Password Policy (this is the setting by default), then Check Password Status should be accurate for the eDirectory connected system.