2.2 Installing the Identity Manager Plug-Ins for Password Synchronization with Sun Java System Directory

The LDAP driver supports password synchronization on the Subscriber channel, meaning that you can send passwords from the Identity Vault to any connected LDAP directory.

Password synchronization on the Publisher channel (LDAP directory to Identity Vault) is supported with Sun Java System Directory version 5.2 and Sun Java System Directory Server Enterprise Edition version 6.3.x, and requires you to install an Identity Manager plug-in in the Sun Java System Directory.

The following sections provide information to help you use the plug-in:

2.2.1 How the Plug-In Works

The plug-in is a post-operation plug-in. Sun Java System Directory notifies the plug-in whenever a password is set or changed. The plug-in then encrypts the password by using the Advanced Encryption Standard (AES) and stores the encrypted password on the novellDistPassword attribute. The LDAP driver can then synchronize the encrypted password to Novell Identity Manager. The LDAP driver decrypts the password and uses it to set the Identity Manager distribution password.

IMPORTANT: Only passwords that are set or modified after the plug-in is installed can be synchronized.

2.2.2 Where to Find the Plug-In

The plug-in is located on the Identity Manager 4.0 DVD and on the Identity Manager 4.0 CD for the Windows, Linux, Solaris, and AIX platforms.

Table 2-1 Plug-In Location

DVD or CD: Identity Manager 4.0 DVD
  Location:
    • windows\setup\utilities\sun_password_plugins\win32\novl-idm-pswd.dll
    • linux/setup/utilities/sun_password_plugins/linux/novl-idm-pswd.so
    • solaris/setup/utilities/sun_password_plugins/solaris_sparc/32/novl-idm-pswd.so for 32-bit
    • aix/setup/utilities/sun_password_plugins/solaris_sparc/64/novl-idm-pswd.so for 64-bit
  Filename:
    • Windows: novl-idm-pswd.dll
    • Linux: novl-idm-pswd.so
    • Solaris (32 and 64-bit): novl-idm-pswd.so
    • AIX: novl-idm-pswd.so

DVD or CD: Identity Manager 4.0 CD - Windows
  Location: windows/setup/utilities/sun_password_plugins/win32/novl-idm-pswd.dll
  Filename: Windows: novl-idm-pswd.dll

DVD or CD: Identity Manager 4.0 CD - Linux
  Location: linux/setup/utilities/sun_password_plugins/linux/novl-idm-pswd.so
  Filename: Linux: novl-idm-pswd.so

DVD or CD: Identity Manager 4.0 CD - Solaris
  Location:
    • solaris/setup/utilities/sun_password_plugins/solaris_sparc/32/novl-idm-pswd.so for 32-bit
    • solaris/setup/utilities/sun_password_plugins/solaris_sparc/64/novl-idm-pswd.so for 64-bit
  Filename: Solaris: novl-idm-pswd.so

DVD or CD: Identity Manager 4.0 CD - AIX
  Location: aix/setup/utilities/sun_password_plugins/aix/novl-idm-pswd.so
  Filename: AIX: novl-idm-pswd.so

2.2.3 Installing the Plug-In

  1. Copy the plug-in file (novl-idm-pswd.dll on Windows, novl-idm-pswd.so on Linux, Solaris, and AIX) to the lib directory in your Sun Java System Directory installation location.

    The installation location differs between Sun Java System Directory 5.2 and Sun Java System Directory Server Enterprise Edition 6.3.x.

    For Sun Java System Directory 5.2

    On Windows, the default installation location is the lib directory within C:\Program Files\Sun\MPS.

    On other platforms, the installation location is often /var/Sun/mps. Find the installation location on your system and put the plug-in file inside the lib directory.

    On Solaris SPARC computers, plug-ins are available in two versions: a 32-bit version and a 64-bit version.

    By default, the 32-bit version is found at /var/Sun/mps/lib. The 64-bit version is found at /var/Sun/mps/lib/64.

    Copy both versions to their respective locations on your Solaris installation. At runtime, the Sun Java System Directory 5.2 loads the appropriate version.

    For Sun Java System Directory Server Enterprise Edition 6.3.x

    On Windows and other platforms, the installation location is often sunDSEE-installation-path/ds6. Find the installation location on your system, and put the plug-in file inside the lib directory under it.

    On Solaris SPARC computers, the 32-bit version is found at sunDSEE-installation-path/ds6/lib. The 64-bit version is found at sunDSEE-installation-path/ds6/lib/64.

    Copy both versions to their respective locations on your Solaris installation. At runtime, the Sun Java System Directory Server Enterprise Edition 6.3.x loads the appropriate version.

  2. Locate and edit the novl-idm-pswd.ldif or novl-idm-pswd-win32.ldif file. The file is located in the sun_password_plugins directory on your CD or DVD image.

    The .ldif file contains plug-in configuration information that you apply to the directory. It also contains two schema definitions:

    • One definition is for the novellDistPassword attribute that stores the encrypted password.

    • The other definition is for the novellDistPasswordUser auxiliary class that is applied to your users to allow the use of the novellDistPassword attribute.

    As a convenience, the .ldif file also contains an instruction to turn on the Retro Changelog Plugin, which most customers want turned on to enable Publisher channel operations with the Identity Manager LDAP driver. If you know that the changelog is already enabled, or if you don't want to enable the changelog, you can remove the Retro Changelog Plugin section from the .ldif file.

    Most users need to edit only two items in the .ldif file:

    • The nsslapd-pluginPath attribute

    • The nsslapd-pluginarg0 attribute

    Ensure that the value of nsslapd-pluginPath is the path where you installed the plug-in. Set the value of nsslapd-pluginarg0 to a password that will be used to generate an AES key used to encrypt user passwords. When you create the LDAP driver, you will configure the driver with this same encryption password.

    Solaris users should set the value of nsslapd-pluginPath to the path of the 32-bit version of the plug-in, even if the operating system is 64-bit. At runtime, the directory determines whether to load the 32-bit or the 64-bit version of the plug-in.

  3. Apply the novl-idm-pswd.ldif or novl-idm-pswd-win32.ldif file to the Sun directory.

    To complete this step, you need to know the configuration administrator's DN and password. Typically, the DN is "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"; the password varies by installation. You also need to know the LDAP port used by your Sun directory.

    The ldapmodify command line utility that was installed with your Sun Java System Directory can be used to apply the .ldif file. Use a command similar to the following:

    ldapmodify -h localhost -p 389 -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w password -f novl-idm-pswd.ldif

  4. Restart Sun Java System Directory so that your changes take effect and the plug-in starts.

    For troubleshooting, note any errors that might appear on the console.
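Step 2 above changes only two attributes of the .ldif file and optionally removes the Retro Changelog Plugin section. The following Python helper, added here as an illustration and not part of Identity Manager or the Sun directory tooling, performs exactly that edit on a constructed stand-in for novl-idm-pswd.ldif (the plug-in entry DN it uses is hypothetical, since the real file's contents are not reproduced in this guide):

```python
import re

# Constructed stand-in for novl-idm-pswd.ldif; the plug-in entry DN is hypothetical.
SAMPLE_LDIF = """\
dn: cn=Novell IDM Password Plugin,cn=plugins,cn=config
nsslapd-pluginPath: /var/Sun/mps/lib/novl-idm-pswd.so
nsslapd-pluginarg0: changeme

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
"""

def _unfold(text):
    # LDIF folds long values onto continuation lines that begin with a space.
    return re.sub(r"\n ", "", text)

def attr_values(ldif_text, attr):
    """Return every value of attr (attribute name compared case-insensitively)."""
    vals = []
    for line in _unfold(ldif_text).split("\n"):
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            vals.append(val.strip())
    return vals

def configure_plugin_ldif(ldif_text, plugin_path, key_password, keep_changelog=True):
    """Set nsslapd-pluginPath and nsslapd-pluginarg0 in every entry that carries
    them; drop the Retro Changelog Plugin entry when keep_changelog is False."""
    if not key_password:
        raise ValueError("nsslapd-pluginarg0 seeds the AES key and must not be empty")
    out = []
    # Entries are separated by blank lines; skip empty fragments.
    for entry in re.split(r"\n\s*\n", _unfold(ldif_text).strip()):
        lines = entry.split("\n")
        if not lines[0].strip():
            continue
        if not keep_changelog and lines[0].lower().startswith("dn: cn=retro changelog plugin"):
            continue
        for i, line in enumerate(lines):
            attr = line.partition(":")[0].strip().lower()
            if attr == "nsslapd-pluginpath":
                lines[i] = f"nsslapd-pluginPath: {plugin_path}"
            elif attr == "nsslapd-pluginarg0":
                lines[i] = f"nsslapd-pluginarg0: {key_password}"
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"
```

Because the edited file carries the AES seed password in clear text, write it with owner-only permissions and remove it once ldapmodify has applied it.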