This section contains information that is specific to the Identity Manager Driver for eDirectory, and assumes that you are familiar with the information in Implementing Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
The driver shim continues to work as in earlier releases. In Identity Manager 2.0, new policies were added to the sample driver configuration to support Identity Manager Password Synchronization, including synchronizing Universal Password.
If you decide to enforce password policies in multiple trees, make sure that the Advanced Password Rules in the password policies are compatible in each tree, so that password synchronization can be successful.
If you enforce incompatible password policies in multiple eDirectory trees, and choose to set a password back if it does not comply (with the option ), you could encounter a loop in which each Identity Vault server tries to change a noncompliant password.
Information about password policies is in “Managing Passwords by Using Password Policies,” in the Password Management Administration Guide.
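The loop described above only arises when no single password can satisfy the Advanced Password Rules of both trees. The following added example (not part of this guide or the driver) checks two rule sets for that condition before synchronization is enabled; the rule names and the two sample policies are constructed for illustration and are not the NMAS schema.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    """Constructed subset of Advanced Password Rules (assumed field names)."""
    min_length: int
    max_length: int
    min_digits: int
    max_digits: int        # 0 means numeric characters are not allowed
    min_uppercase: int
    allow_special: bool
    min_special: int


def incompatibilities(a: PasswordRules, b: PasswordRules) -> list[str]:
    """Reasons why no password can comply with both rule sets at once.

    If either tree also sets noncompliant passwords back, each Identity
    Vault server keeps rewriting the other's value: the loop the text warns about.
    """
    problems = []
    lo, hi = max(a.min_length, b.min_length), min(a.max_length, b.max_length)
    if lo > hi:
        problems.append(f"length: must be >= {lo} in one tree but <= {hi} in the other")
    d_lo, d_hi = max(a.min_digits, b.min_digits), min(a.max_digits, b.max_digits)
    if d_lo > d_hi:
        problems.append(f"digits: must be >= {d_lo} in one tree but <= {d_hi} in the other")
    s_lo = max(a.min_special, b.min_special)
    if s_lo > 0 and not (a.allow_special and b.allow_special):
        problems.append("special characters: required by one tree, forbidden by the other")
    # Mandatory character classes must still fit within the shorter maximum length.
    if d_lo + max(a.min_uppercase, b.min_uppercase) + s_lo > hi:
        problems.append("required character classes exceed the shorter maximum length")
    return problems


def compatible(a: PasswordRules, b: PasswordRules) -> bool:
    return not incompatibilities(a, b)


# Constructed sample policies: TREE_B forbids digits that TREE_A requires.
TREE_A = PasswordRules(8, 16, min_digits=1, max_digits=16, min_uppercase=1,
                       allow_special=True, min_special=0)
TREE_B = PasswordRules(8, 12, min_digits=0, max_digits=0, min_uppercase=1,
                       allow_special=False, min_special=0)

if __name__ == "__main__":
    for p in incompatibilities(TREE_A, TREE_B):
        print("incompatible:", p)
```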
If the filter for the driver has the setting for the Public Key and Private Key attributes, the NDS® password is synchronized between trees, regardless of any other settings you have created.
If you want to synchronize passwords using Universal Password, make sure you set the filter on both eDirectory drivers to for the Public Key and Private Key attributes for all classes that you want to synchronize Universal Password.
To add Identity Manager Password Synchronization functionality to an existing driver configuration, see Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
The new policies for password synchronization are intended to support Universal Password and Distribution Password. If you are planning to synchronize only the NDS Password, these policies should not be added to the driver configuration. NDS Password is synchronized by using Public Key and Private Key attributes instead of these policies.
The Check Password Status task in iManager does not work for a connected system if the Password Policy has Universal Password enabled and does not have the setting selected for synchronizing Universal Password with NDS Password.
The Check Password Status task lets you see whether a user’s password in Identity Manager is synchronized with the password on connected systems.
If you are using the Identity Manager Driver for eDirectory, and the password policy for a user specifies in the Configuration Options tab that the NDS Password should not be updated when the Universal Password is updated, then the Check Password Status task for that user always shows that the password is not synchronized. The password status is shown as not synchronized, even if the Identity Manager Distribution Password and the Universal Password on the connected system are in fact the same.
This is because the Identity Vault check-password functionality is checking the NDS Password at this time, instead of going through NMAS™ to refer to the Universal Password.
By default, the NDS Password is updated when the Universal Password is updated in the password policy. If you select this option, Check Password Status should be accurate for the connected system.
To use the driver, you must have the Novell® Certificate Server™ running on each server that hosts the driver. You must also create a Certificate Authority (CA) for SSL encryption to work. We recommend that the certificates used for SSL be issued by the Certificate Authority from one of the trees containing the driver. If your tree does not have a Certificate Authority, create one. You can use an external Certificate Authority.
For instructions on creating CAs and configuring the Certificate Server, refer to Section 5.1, Configuring Secure Identity Manager Data Transfers.