Synchronizing the AuthPassword Attribute

The UNIX passwords of users can be stored in the AuthPassword attribute in Novell eDirectory. AuthPassword is a multivalued attribute that can store the MD5 and CRYPT hashes of a user's password. For the NIS Driver to update a user's AuthPassword attribute, the PAM module must be installed and configured to capture any password change by the user. The NIS Driver must obtain the password in clear text so that it can generate both the MD5 and CRYPT hashes and update the AuthPassword attribute. Hence, the AuthPassword attribute is updated only during a password change operation, not during a user add operation.

In a multi-platform scenario, where some machines use the MD5 form of the password and others use the CRYPT form, ensure that the correct hash mode is specified during import. If the password is changed on one of the machines, the AuthPassword attribute is updated with both the MD5 and CRYPT hashes. These changes are then synchronized to the rest of the machines through the NIS Driver, which picks the correct hash and sets it on each target machine.

It is recommended that the AuthPassword sync option not be turned on when Universal Password is set up. However, when the AuthPassword sync option is turned on and Universal Password is set up, the following occurs:

To enable AuthPassword synchronization to eDirectory:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the icon for the driver.

    A page opens where you can edit various driver parameters.

  5. Under Driver Parameters, click Edit XML to add the following line in the <driver-options> tag:

    <sync-AuthPass display-name="Synch AuthPassword">yes</sync-AuthPass>

    If you want to disable this feature, specify No instead of Yes in the above line.

  6. Click OK.

IMPORTANT: When you change the universal password of a user through iManager, the universal password is set in UNIX for that user. However, if the AuthPassword attribute synch option is turned on, the AuthPassword value is not updated with the new password. This is updated only when the password is changed in UNIX.

When you change the universal password of a user through iManager, the distribution password is set in UNIX for that user. However, even though the AuthPassword attribute synch option is turned on, the AuthPassword value is not updated with the new password. This is updated only when the password is changed in UNIX as mentioned above.
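
A check for the setting added in step 5, as an added example that is not part of the original documentation: it reads a driver's parameter XML (as copied from the Edit XML view) and reports whether sync-AuthPass is on, which is the state to review when Universal Password is also set up. Only the `<driver-options>` and `<sync-AuthPass>` names come from this page; the sample documents, the `polling-interval` option and the driver names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Only <driver-options> and <sync-AuthPass> are taken
# from the page; <polling-interval> and the driver names are hypothetical.
SAMPLES = {
    "nis-driver-a": """
<driver-options>
  <polling-interval display-name="Polling interval">60</polling-interval>
  <sync-AuthPass display-name="Synch AuthPassword">yes</sync-AuthPass>
</driver-options>""",
    "nis-driver-b": """
<driver-options>
  <sync-AuthPass display-name="Synch AuthPassword">No</sync-AuthPass>
</driver-options>""",
    "nis-driver-c": "<driver-options/>",
}


def authpass_sync_state(xml_text):
    """Return 'enabled', 'disabled', 'absent' or 'invalid' for sync-AuthPass."""
    root = ET.fromstring(xml_text)
    # iter() includes the root itself, so this works whether <driver-options>
    # is the document root or nested inside a larger export.
    values = [
        (el.text or "").strip().lower()
        for options in root.iter("driver-options")
        for el in options.iter("sync-AuthPass")
    ]
    if not values:
        return "absent"
    if any(v not in ("yes", "no") for v in values):
        return "invalid"  # empty or mistyped value: needs a manual look
    # Conflicting duplicates are reported as enabled, the state to review.
    return "enabled" if "yes" in values else "disabled"


def drivers_needing_review(configs):
    """Names of drivers whose AuthPassword sync is on or cannot be determined."""
    return sorted(
        name for name, xml_text in configs.items()
        if authpass_sync_state(xml_text) in ("enabled", "invalid")
    )


if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(f"{name}: sync-AuthPass {authpass_sync_state(xml_text)}")
    print("review:", drivers_needing_review(SAMPLES))
```

The value is compared case-insensitively because the page writes it as `yes` in the XML line and as Yes/No in the text.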