5.7 Upgrading Existing Driver Configurations to Support Password Synchronization

This section explains how to add support for Identity Manager Password Synchronization to existing driver configurations, instead of replacing your existing driver configurations with the Identity Manager sample configurations.

You add support to each driver that you want to participate in password synchronization. You do this by importing an “overlay” configuration file to add the policies, driver manifest, and the GCVs, all at once.

After adding the policies, driver manifest, and GCVs, you must also add the nspmDistributionPassword attribute to the driver filter.

IMPORTANT: If you are upgrading an Identity Manager Driver for AD or NT Domain, and that driver is being used with Password Synchronization 1.0, follow the upgrade instructions in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain, at Identity Manager Drivers.

The policies added in this procedure are for supporting Password Synchronization by using Universal Password and Distribution Password. If you are using the Identity Manager driver to synchronize only the NDS Password, you should not use the policies in the Identity Manager driver configuration. NDS Password is synchronized by using Public Key and Private Key attributes instead of these policies, as described in Section 5.8.2, Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults.

Prerequisites

5.7.1 Step 1: Convert the Driver to Identity Manager 3.0.1 Format

  1. Make sure that your environment is ready to use Universal Password.

    See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.

    If you are using DirXML® 1.1a, see Section 2.3, Upgrading a Driver Configuration from DirXML 1.1a to Identity Manager Format.

  2. In iManager, click Identity Manager Utilities > Import Drivers.

  3. Select the driver set where your existing driver resides, then click Next.

  4. In the list of driver configurations that appears, scroll to Additional Policies, then select only Password Synchronization 2.0 Policies.

  5. Click Next.

  6. In the Existing drivers drop-down list, select your existing driver to update.

  7. In the Connected System drop-down list, select the connected system type.

    If the driver name doesn’t appear in the drop-down list, select Other Systems.

    Based on the type of driver, the Import Driver Wizard makes entries in the driver manifest that indicate the capabilities of the driver configuration and the connected system:

    • Whether the connected system can provide passwords to Identity Manager.

      This refers to the user's actual password on the connected system, not to a password that can be created using a style sheet. Only AD, eDirectory, and NIS can do this.

    • Whether the connected system can accept passwords from Identity Manager.

    • Whether the connected system can check a password to see if it matches the password in Identity Manager.

    Correct entries in the driver manifest are required for Password Synchronization policies to work. The driver manifest indicates the combined ability of the connected system, the Identity Manager driver shim, and the driver configuration policies, and usually should not be edited by the network administrator.

  8. Click Next.

  9. If you don’t have driver manifest or GCV values that you want to save, select Update everything about that driver.

    This option gives you the driver manifest, global configuration values (GCVs), and Identity Manager policies necessary for password synchronization.

    The driver manifest and GCVs overwrite any values that already exist. Because these kinds of driver parameters were new in Identity Manager 2, a DirXML 1.x driver should have no existing values to be overwritten.

    The password synchronization policies don't overwrite any existing policy objects. They are simply added to the Driver object.

    NOTE: If you do have driver manifest or GCV values that you want to save, select Update only selected policies in that driver, and select the check boxes for all the policies. This option imports the password policies but does not change the driver manifest or GCVs. You need to manually paste in any additional values.

  10. Click Next, then click Finish to complete the wizard.

    At this point, the new policies have been created as policy objects under the Driver object, but are not yet part of the driver configuration. To link them in, you must manually insert each of them at the right point in the driver configuration on the Subscriber and Publisher channels.

5.7.2 Step 2: Add to the Driver Configuration

For a list of the policies you add, and where to insert them, see Section 5.3.4, Policies Required in the Driver Configuration.

Insert each of the new policies into the correct place on your existing driver configuration.

If the policy set has multiple policies, make sure these Identity Manager password synchronization policies are listed last.

Repeat the following steps for each policy.

  1. Select Identity Manager > Identity Manager Overview, then search for the driver set that contains the driver you are updating.

  2. Click the driver that you just updated (for example, AvayaPBX).

  3. Click the icon (for example, Command Transformation Policies on the Publisher channel) for the place where you need to add one of the new policies.

  4. Click Insert to add the new policy.

  5. Click Use an existing policy, browse for the new policy object, then click OK.

  6. If you have more than one policy in the list for any of the new policies, use the up and down arrow buttons to move the new policies to the correct location in the list.

    Make sure that the policies are in the order listed in Section 5.3.4, Policies Required in the Driver Configuration.

5.7.3 Step 3: Change Filter Settings

  1. For the object classes that you want to synchronize passwords for (such as User), make sure that the nspmDistributionPassword attribute is in the filter and has the following settings:

    • For the Publisher channel, set the filter to Ignore for the nspmDistributionPassword attribute.

    • For the Subscriber channel, set the filter to Notify for the nspmDistributionPassword attribute.

    Filter settings for nspmDistributionPassword

    To view the attribute, you might have to scroll to and select the class (for example, User), then scroll through the attributes.

    If the nspmDistributionPassword attribute isn’t listed:

    1. Make sure that the class is selected, then click Add Attribute.

    2. Scroll to and select nspmDistributionPassword, then click OK.

  2. For all objects that have Notify set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes to Ignore.

    Private Key and Public Key set to Ignore in the filter

  3. For each driver that you want to upgrade to participate in password synchronization, repeat Step 2 (in “Converting the Driver to Identity Manager 3.0.1 Format”) through Step 2 in this section (“Change Filter Settings”).

    At this point, the driver has the new driver shim, Identity Manager format, and the other elements that are necessary in the driver configuration to support password synchronization: driver manifest, GCVs, password synchronization policies, and filter settings.

  4. Check the individual driver implementation guides for any additional steps or information on setting up Identity Manager Password Synchronization. See Identity Manager Drivers.

  5. Turn on Universal Password for users by creating password policies with Universal Password enabled.

    See “Creating Password Policies” in the Password Management Administration Guide. If you previously used Universal Password with NetWare 6.5, some extra steps are described in “(NetWare 6.5 only) Re-Creating Universal Password Assignments” in the Password Management Administration Guide.

    We recommend that you assign password policies as high in the tree as possible.

    The Configuration Options page has options for how you want NMAS to keep the different kinds of passwords synchronized. The default settings should work for most implementations. For more information, see the online help for that page.

    For scenarios on using Password Synchronization, and how password policies fit in, see Section 5.8, Implementing Password Synchronization.

    NMAS password policies are assigned with a tree-centric perspective. In contrast, Password Synchronization is set up per driver. Drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica.

    To get the results you expect from Password Synchronization, make sure that the containers in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.
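As an added check that is not part of this guide or of the Identity Manager product, the following Python script reads a driver filter in its XML form (the `<filter>`/`<filter-class>`/`<filter-attr>` structure of Identity Manager filter objects is assumed here) and reports every class that does not have the settings from Step 1 and Step 2 of “Change Filter Settings” above. The sample filter is constructed for the example; it contains one correct class and two that would let a password or key flow the wrong way.

```python
import xml.etree.ElementTree as ET

# Constructed sample filter in Identity Manager <filter> XML form.
# User is set up correctly; Group lacks nspmDistributionPassword;
# Organization has Notify on the Publisher channel and leaves Public Key syncing.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="ignore" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="ignore" subscriber="ignore"/>
    <filter-attr attr-name="Private Key" publisher="ignore" subscriber="ignore"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Organization" publisher="sync" subscriber="sync">
    <filter-attr attr-name="nspmDistributionPassword" publisher="notify" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

PASSWORD_ATTR = "nspmDistributionPassword"
KEY_ATTRS = ("Public Key", "Private Key")


def check_filter(filter_xml, classes):
    """Return findings for each class that is expected to synchronize passwords."""
    root = ET.fromstring(filter_xml)
    findings = []
    for cls in classes:
        fc = root.find(f"./filter-class[@class-name='{cls}']")
        if fc is None:
            findings.append(f"{cls}: class not in filter")
            continue
        attrs = {fa.get("attr-name"): fa for fa in fc.findall("filter-attr")}
        pw = attrs.get(PASSWORD_ATTR)
        if pw is None:
            findings.append(f"{cls}: {PASSWORD_ATTR} missing from filter")
            continue
        # Step 1: Publisher channel Ignore, Subscriber channel Notify.
        if pw.get("publisher") != "ignore":
            findings.append(f"{cls}: {PASSWORD_ATTR} publisher must be ignore")
        if pw.get("subscriber") != "notify":
            findings.append(f"{cls}: {PASSWORD_ATTR} subscriber must be notify")
        # Step 2: with Notify set, Public Key and Private Key must be Ignore on both
        # channels. An attribute absent from the filter does not flow, so it passes.
        for key in KEY_ATTRS:
            ka = attrs.get(key)
            for channel in ("publisher", "subscriber"):
                if ka is not None and ka.get(channel) != "ignore":
                    findings.append(f"{cls}: {key} {channel} must be ignore")
    return findings
```

Run it against a filter exported from the Driver object before turning the driver on; an empty list for every password-synchronizing class is the expected result.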

5.7.4 Step 4: Setting Up Password Synchronization Flow

Make sure that your password flow is set the way you want it for each connected system.

  1. In iManager, select Passwords > Password Synchronization.

  2. Search a tree or container for the drivers for connected systems that you want to manage.

  3. View the current settings for password flow by selecting a driver.

    This page lists the global configuration values (GCVs). Change them by selecting options.

    Identity Manager controls the entry point (which password Identity Manager updates). NMAS controls the flow of passwords between each different kind of password, based on the options you set in Configuration Options. (Step 3 displays the Configuration Options page.) If you select Use Distribution Password for password synchronization, Identity Manager uses Distribution Password directly. If you deselect this option, Identity Manager uses Universal Password directly.

    For information (including illustrations) on these options, see Section 5.8, Implementing Password Synchronization. Also see the online help.

  4. Test password synchronization.

    Confirm that the Identity Manager password is distributed to the systems you specified.

    Confirm that the connected systems you specified are publishing passwords to Identity Manager.

    For troubleshooting tips, see Section 5.8, Implementing Password Synchronization.