
Active Directory and NT Password Synchronization for multiple eDirectory trees

(Last modified: 21Jul2004)

This document (10086340) is provided subject to the disclaimer at the end of this document.

goal

Active Directory and NT Password Synchronization for multiple eDirectory trees

symptom

Multitree password synchronization

note

Novell® DirXML® Password Synchronization for Windows is designed to synchronize passwords between any number of Microsoft Active Directory or NT domains and a single Novell eDirectory tree. With the growing popularity of deploying multiple eDirectory trees linked by DirXML, there is a need to extend password synchronization to a collection of trees.
A typical multi-tree deployment has a corporate tree and a workforce tree, where synchronization to the Microsoft domain is driven through the workforce tree. Novell Password Synchronization for Windows is installed between the workforce tree and Active Directory.

In this scenario, a problem occurs for password synchronization when passwords are changed in the corporate tree. Users in the corporate tree are associated with the workforce tree, but there is no direct link to the Active Directory account, and there is no information in the corporate tree about the PasswordSync Agents servicing Active Directory. Because of this, the Novell Client is unable to push a password change to a PasswordSync Agent for synchronization to Active Directory.

The solution is to use the eDirectory driver to populate the corporate tree with the information needed by PasswordSync, and to install PasswordSync Agents into the corporate tree to communicate changes between the corporate tree and the participating domains.

fix

Installation instructions:

Download the file PWDSCH.EXE from Novell's web site. The file contains the schema file (PWDSYNC.SCH) needed to extend the corporate tree's schema before PasswordSync can be installed there.

Extending the Schema for Password Synchronization
PasswordSync requires the addition of three object classes to your eDirectory schema: nadPwdSync, nadPwdProvider, and nadDomain. These classes already exist in the workforce tree that is set up for password synchronization with domains. The corporate tree schema must also be extended to include them.
To extend the schema for password synchronization by using the INSTALL.DLM:
    1 Copy PWDSYNC.SCH to a network directory.
    2 Load INSTALL.DLM.
    3 Select Install Additional Schema Files.
    4 Log in to the corporate tree using an account with administrative rights, then choose the PWDSYNC.SCH schema file.
The objects necessary for password synchronization are now available for use by the DirXML drivers.
 
Configuring the eDirectory Drivers for Password Synchronization
Tree-to-tree synchronization requires a DirXML driver for each eDirectory tree. You need to configure both eDirectory drivers as explained in the following steps.
Edit the Workforce Tree's eDirectory Driver
    1 Using ConsoleOne® , log in to the workforce tree and locate the DirXML eDirectory driver.
    2 Edit the driver's subscriber filter to include the nadDomain object with attribute dc and the additional User object attribute nadLoginName:
    2a Right-click the subscriber object and click Properties.
    2b Select the DirXML tab > Filter and click Edit Filter.
    2c In the Classes column, mark nadDomain. In the Attributes column, mark dc. Click OK.
    2d Select User in the classes column and click Edit Filter.
    2e In the top right corner, mark Show All Attributes from All Classes. In the Attributes column, mark nadLoginName. Click OK.
The subscriber filter is ready for password synchronization.
Edit the Corporate Tree's eDirectory Driver
    1 Using ConsoleOne, log in to the corporate tree and locate the DirXML eDirectory driver.
    2 Edit the driver's publisher filter to include the nadDomain object with attribute dc and the additional User object attribute nadLoginName:
    2a Right-click the publisher object and click Properties.
    2b Select the DirXML tab > Filter and click Edit Filter.
    2c In the Classes column, select nadDomain. In the Attributes column, select dc. Click OK.
    2d Select User in the Classes column and click Edit Filter.
    2e In the top right corner, select Show All Attributes from All Classes. In the Attributes column, select nadLoginName. Click OK.
    3 Append a new Publisher Create rule:
    3a Open the existing Publisher Create rule.
    3b Click Append New Rule.
    3c In the description field, enter any descriptive text, such as Password Sync, then click Next.
    3d Select nadDomain from the class list and click Next.
    3e Do not match any attributes. Click Next.
    3f Click Edit Required Attributes List and select dc. Click OK.
    3g Do not enter a DN template. Click Finish.
The style sheet equivalent is as follows (the surrounding stylesheet is assumed to carry the usual identity template, so events not matched here pass through unchanged):
<!-- Adds a nadDomain object only when a dc attribute is present; without dc the add is vetoed -->
<xsl:template match="add[@class-name='nadDomain']">
  <xsl:if test="add-attr[@attr-name='dc']">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:if>
</xsl:template>
    4 Append a new Publisher Placement rule:
    4a Open the existing Publisher Placement rule.
    4b Click Append New Rule.
    4c In the description field, enter any descriptive text, such as Password Sync, then click Next.
    4d Select nadDomain from the class list and click Next.
    4e Do not match path prefixes. Click Next.
    4f Do not match attributes. Click Next.
    4g Click Append New Item to place nadDomain objects in the eDirectory driver container. With Data selected, enter the full name of the corporate tree driver followed by a slash and click OK.
For example, type
\Corporate_Tree\MyOrg\DirXML\DriverSet\eDirDriver\
    4h Click Append New Item. Deselect Data and then under the Copy section below, select Name. Click OK.
The style sheet equivalent is as follows:
<!-- Places a nadDomain add under the corporate eDirectory driver container,
     naming the object after its dc value (the domain name). Step 4h above copies
     the source object's name instead; the two agree when nadDomain objects are
     named after their dc value, as PasswordSync creates them. -->
<xsl:template match="add[@class-name='nadDomain' and add-attr[@attr-name='dc']]">
  <xsl:copy>
    <xsl:attribute name="dest-dn">
      <xsl:value-of select="concat('\Corporate_Tree\MyOrg\DirXML\DriverSet\eDirDriver\',add-attr[@attr-name='dc']/value)"/>
    </xsl:attribute>
    <!-- Copy the rest of the <add> attributes and content -->
    <xsl:apply-templates select="@*|node()"/>
  </xsl:copy>
</xsl:template>
The corporate tree's eDirectory driver is ready for password synchronization.
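The following is an added illustration, not Novell code and not part of the original document: it replays the decisions made by the subscriber/publisher filters (nadDomain with dc, User with nadLoginName), the Publisher Create rule (dc required, otherwise the add is vetoed) and the Publisher Placement rule (dest-dn under the driver container) against constructed XDS add events, using only the Python standard library. The User entries in FILTER, the Surname requirement, the tree and container names, and the sample events are assumptions standing in for whatever the existing driver configuration already carries.

```python
"""Replay DirXML filter, Create and Placement rule decisions on XDS <add> events.

Added example, not Novell code. FILTER's User entries, the Surname requirement
and the sample events below are assumptions; only nadDomain/dc, nadLoginName
and the driver container path come from the document."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Filter as configured above: class -> attributes allowed through.
# (CN and Surname for User are assumed pre-existing filter entries.)
FILTER: Dict[str, Set[str]] = {
    "nadDomain": {"dc"},
    "User": {"CN", "Surname", "nadLoginName"},
}

# Create rule: required attributes per class. nadDomain requires dc (step 3f);
# Surname for User is an assumption standing in for the existing rule.
REQUIRED: Dict[str, Set[str]] = {
    "nadDomain": {"dc"},
    "User": {"Surname"},
}

# Placement rule container from step 4g; nadDomain objects are named by dc value.
NADDOMAIN_CONTAINER = "\\Corporate_Tree\\MyOrg\\DirXML\\DriverSet\\eDirDriver\\"


def apply_filter(add: ET.Element) -> Optional[ET.Element]:
    """Drop events for classes outside the filter; strip unlisted attributes."""
    allowed = FILTER.get(add.get("class-name", ""))
    if allowed is None:
        return None
    for attr in list(add.findall("add-attr")):
        if attr.get("attr-name") not in allowed:
            add.remove(attr)
    return add


def apply_create_rule(add: ET.Element) -> Optional[ET.Element]:
    """Veto the add (return None) when a required attribute is missing."""
    present = {a.get("attr-name") for a in add.findall("add-attr")}
    missing = REQUIRED.get(add.get("class-name", ""), set()) - present
    return None if missing else add


def apply_placement_rule(add: ET.Element) -> ET.Element:
    """Place nadDomain objects under the driver container, named after dc."""
    if add.get("class-name") == "nadDomain":
        dc = add.find("add-attr[@attr-name='dc']/value").text
        add.set("dest-dn", NADDOMAIN_CONTAINER + dc)
    return add


def process_event(xds: str) -> Optional[ET.Element]:
    """Run one XDS document through filter -> create rule -> placement rule."""
    add = ET.fromstring(xds).find(".//add")
    for stage in (apply_filter, apply_create_rule):
        add = stage(add)
        if add is None:
            return None
    return apply_placement_rule(add)


def attr_names(add: ET.Element) -> List[str]:
    return [a.get("attr-name") for a in add.findall("add-attr")]


# Constructed sample events (not captured from a real driver).
DOMAIN_ADD = """<nds dtdversion="1.1"><input>
  <add class-name="nadDomain" src-dn="\\Workforce_Tree\\MyOrg\\ACME">
    <add-attr attr-name="dc"><value>ACME</value></add-attr>
  </add></input></nds>"""
DOMAIN_ADD_NO_DC = """<nds dtdversion="1.1"><input>
  <add class-name="nadDomain" src-dn="\\Workforce_Tree\\MyOrg\\ACME"/>
  </input></nds>"""
USER_ADD = """<nds dtdversion="1.1"><input>
  <add class-name="User" src-dn="\\Workforce_Tree\\MyOrg\\Users\\jdoe">
    <add-attr attr-name="Surname"><value>Doe</value></add-attr>
    <add-attr attr-name="Telephone Number"><value>555-0100</value></add-attr>
    <add-attr attr-name="nadLoginName"><value>jdoe</value></add-attr>
  </add></input></nds>"""
GROUP_ADD = """<nds dtdversion="1.1"><input>
  <add class-name="Group" src-dn="\\Workforce_Tree\\MyOrg\\Staff"/>
  </input></nds>"""

if __name__ == "__main__":
    for label, xds in [("domain", DOMAIN_ADD), ("domain without dc", DOMAIN_ADD_NO_DC),
                       ("user", USER_ADD), ("group", GROUP_ADD)]:
        result = process_event(xds)
        if result is None:
            print(f"{label}: filtered out or vetoed")
        else:
            print(f"{label}: attrs={attr_names(result)} dest-dn={result.get('dest-dn')}")
```

Running the module shows the four outcomes the rules produce: the domain add lands under the driver container as eDirDriver\ACME, the domain add without dc is vetoed rather than created half-configured, the user add keeps nadLoginName and loses the attribute the filter does not list, and the group add never leaves the driver. A vetoed nadDomain is the symptom to look for when the corporate tree ends up with users carrying nadLoginName but no matching domain object.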

Migrating PasswordSync Data
After the corporate tree can accept PasswordSync data for users participating in password synchronization, force an update of those User objects from the workforce tree. The same migration also copies the workforce tree's nadDomain objects into the corporate tree.
To migrate PasswordSync data from the workforce tree to the corporate tree:
    1 In ConsoleOne, right-click the DirXML-Driver Set object holding the workforce tree's eDirectory driver.
    2 Click Properties > DirXML-Drivers.
    3 Select the eDirectory driver.
    4 Click Migrate from NDS > click Add.
    5 Select nadDomain and click OK.
    6 Select users and click OK.
The corporate tree is updated with information necessary for the PasswordSync service to run.
 
Installing PasswordSync into the Corporate Tree
You need to install a PasswordSync Agent to direct password communication between your corporate tree and Active Directory Domains.
The PasswordSync Agent should be installed on a computer running Windows 2000 or Windows NT4 SP6. This computer should not be hosting an agent already.
NOTE: This computer does not have to be hosting eDirectory, but must at least have a Novell Client and connectivity to both the Active Directory domains and the corporate tree between which passwords will be synchronized.
To install PasswordSync:
    1 Log in to eDirectory as Administrator or equivalent.
    2 Log in to the local Windows computer as Administrator or equivalent.
    3 Run Install\Setup.exe and continue through the Welcome screen.
    4 Select the components you want to install and click Next.
You can install the Password Synchronization Service, the PasswordSync Snap-in for ConsoleOne, or both.
The snap-in can be installed on the same computer where the agent is installed, or on any computer that is convenient for administrative access.
NOTE: If you select only the snap-in, files are copied and the installation program finishes.
    5 Confirm your selections by clicking Next.
    6 In the PasswordSync Setup dialog box, select a domain and select the eDirectory DirXML driver.
NOTE: If you type the name of an NT 4 domain rather than browse to it, you must enter the name in uppercase. This requirement is for NT 4 domain names only; Active Directory domain names are not required to be uppercase.
You must enter a domain name; entering an IP address will not work. If the domain is in another tree/forest, the computer on which the PasswordSync Agent is being installed must be configured with the address of a WINS server in the target tree/forest.
    7 Enter the name for the new PasswordSync object and the context where it should be placed.
The default object name is the name of the server where you are installing PasswordSync, followed by -pwdsync.
 
The default context is that of the container holding the DirXML DriverSet object.
    8 Select the container for which PasswordSync will be assigned as a trustee.
The PasswordSync Agent needs the rights to manage passwords in eDirectory and to read the DirXML drivers that control the domains being synchronized. The installation program lets you select a container high enough in the tree to span all objects that the agent needs to access.
If you want to make narrower rights assignments (the container-level assignment made by the installer grants more than the agent strictly needs), use ConsoleOne to add the agent's eDirectory object as a trustee with the following rights:

Object                                                    Attribute                      Rights
User objects participating in password synchronization    Password Expiration Interval   Compare, Read
User objects participating in password synchronization    Password Management            Compare, Read, Write
User objects participating in password synchronization    Password Expiration Time       Write
nadDomain objects                                         Server                         Compare, Read
Server object holding the PwdSync index                   Index Definition               Compare, Read
(by default, the server where DirXML is installed)

    9 Install a password filter by selecting domain controllers from those listed and clicking Add.
IMPORTANT: Even though Password Filters may have been installed on the domain controllers when the PasswordSync Agent was installed in the workforce tree, the Password Filters must be installed again from the PasswordSync Agent in the corporate tree, because configuration information is written to eDirectory during this process.
Because any domain controller can process a password change request, a filter must be installed on each Active Directory Domain Controller and each NT Primary Domain Controller. You should also install a filter on each NT Backup Domain Controller that could be promoted to a Primary Domain Controller. A domain controller without a filter will accept password changes that are never synchronized.
If you have several domain controllers, Novell recommends that you install filters on a few controllers at a time. This minimizes the impact of rebooting many domain controllers at once and expedites your initial installation. Remote domain controllers are rebooted automatically when installation is complete. You must reboot the local domain controller manually after installation is complete.
    10 Click Finish.
PasswordSync installation is complete.

Validating Password Synchronization
After PasswordSync is set up, check to make sure that a password change in your corporate tree is synchronized to Active Directory.
    1 From the Novell Client, clear all NetWare connections except the connection to your corporate tree.
    1a Right-click the red N icon in the system tray and then click NetWare Connections.
    1b Select all trees other than the corporate tree and click Detach.
    2 Clear all domain connections.
    2a At the command prompt, type
net session
    2b For each session in the list, type
net session \\computer-name /DELETE
    3 Change the password from the Novell Client.
    4 Verify that you can log in to Active Directory.
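Step 4 can be scripted so the check does not depend on an interactive logon. The following is an added example, not part of this Novell document or product: it performs an LDAP simple bind against a domain controller with the user's new password using only the Python standard library, and decodes the Active Directory sub-error that comes back when the bind is refused. The host name, account and password in the usage comment are assumptions, and the sample responses are constructed for offline testing, not captured from a real domain controller.

```python
"""LDAP simple bind check for a synchronized password (added example, not Novell
code). Host/account/password below are assumptions; sample responses are
constructed, not captured traffic."""
import re
import socket
import ssl
from typing import Tuple

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (or ENUMERATED when tag=0x0A)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))

def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
       version 3, name, authentication simple [0] password } }"""
    op = tlv(0x60, ber_int(3) + tlv(0x04, name.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one BER element; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)                 # messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)                # resultCode (ENUMERATED)
    _, _, pos = read_tlv(op, pos)              # matchedDN
    _, diag, _ = read_tlv(op, pos)             # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", errors="replace")

# Sub-error codes Active Directory appends as "data NNN" to invalidCredentials.
AD_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "532": "password expired",
    "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def explain(code: int, diag: str) -> str:
    """Turn the bind result into the answer the validation step asks for."""
    if code == 0:
        return "bind succeeded: the domain controller accepted the password"
    if code == 49:
        m = re.search(r"data ([0-9a-f]+)", diag)
        detail = AD_DATA_CODES.get(m.group(1), "unknown sub-error") if m else "no AD detail"
        return f"invalidCredentials (49): {detail}"
    return f"bind failed with LDAP resultCode {code}: {diag}"

def sample_response(code: int, diag: str) -> bytes:
    """Constructed BindResponse for offline testing (not captured traffic)."""
    op = tlv(0x61, ber_int(code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode()))
    return tlv(0x30, ber_int(1) + op)

def check_ad_login(host: str, upn: str, password: str, use_tls: bool = True) -> str:
    """Bind as upn with password; LDAPS (636) keeps the password off the wire in clear."""
    if not password:
        # An empty password is an anonymous bind and succeeds: it proves nothing.
        raise ValueError("refusing to bind with an empty password")
    sock = socket.create_connection((host, 636 if use_tls else 389), timeout=5)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, upn, password))
        resp = sock.recv(4096)                 # a BindResponse fits in one read
    return explain(*parse_bind_response(resp))

if __name__ == "__main__":
    print(explain(*parse_bind_response(sample_response(
        49, "80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 773, v2580"))))
    # Against a real domain controller (assumed names):
    # print(check_ad_login("dc1.acme.example", "jdoe@acme.example", "NewP@ssw0rd"))
```

Bind with the user's UPN (user@domain) so no DN lookup is needed. A result of data 773 means the synchronized password was accepted but the account carries "User must change password at next logon"; data 532 means the AD-side password has expired. Both are account-state problems, not synchronization failures, and only data 52e indicates that the password did not reach the domain. Use LDAPS or run the check on a trusted network segment, since a simple bind sends the new password to the domain controller.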


disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10086340
  • Solution ID: NOVL91988
  • Creation Date: 20Aug2003
  • Modified Date: 21Jul2004
  • Product: NetIQ eDirectory
