See the tips in Section 5.8, Implementing Password Synchronization.
Make sure you have the Simple Password Login Method installed with NMAS.
Make sure you have a copy of the root of the tree on the servers where you need to NMAS to enforce password policies on eDirectory login methods or on passwords from connected systems being synchronized by Identity Manager.
Make sure that the users requiring password synchronization are replicated on the same server with the driver that is synchronizing the passwords. As with other driver functions, the driver can manage only the users that are in a master or read/write replica on the same server.
Make sure SSL is configured properly between the Web server and the Identity Vault.
If you see an error about a password not complying when a user is initially created, but the password is set correctly in the Identity Vault, the default password in the driver policy might not conform to the password policy that applies to that user.
The following scenario uses the Active Directory driver. However, the same issue could occur for another driver.
Providing an Initial Password: You want the Active Directory driver to provide the initial password for a user when the driver creates a new User object in the Identity Vault to match a user in Active Directory. The sample configuration for the Active Directory driver sends the initial password as a separate operation from adding the user, and the sample configuration also includes a policy that provides a default password for a user if no password is provided by Active Directory.
Because adding the user and setting the password are done separately, a new user always receives the default password, even if only momentarily. The default password is soon updated because the Active Directory driver sends the password immediately after adding the user. If the default password does not comply with the Identity Vault password policy for the user, an error is displayed.
For example, if a default password created by using the user’s surname is too short to comply with the password policy, you might see a -216 error saying the password is too short. However, the situation is soon rectified if the Active Directory driver then sends an initial password that does comply
Regardless of the driver you are using, if you want a connected system that is creating User objects to provide the initial password, consider doing one of the actions listed below. These measures are especially important if the initial password does not come with the Add event but instead comes in a subsequent event.
Change the policy on the Publisher channel that creates the default password, so that the default password conforms to the password policies that have been defined for your organization in the Identity Vault. (Select
, then select .)When the initial password comes from the authoritative application, it replaces the default password.
This option is preferable because we recommend that a default password policy exist in order to maintain a high level of security within the system.
On the Publisher channel, remove the policy that creates the default password. In the sample configuration, this policy is provided in the Command Transformation policy set. Adding a user without a password is allowed in the Identity Vault. The assumption for this option is that the password for the newly created User object eventually comes through the Publisher channel, and the User object exists without a password for only a short time.
Password policies are assigned with a tree-centric perspective. In contrast, Password Synchronization is set up per driver. Drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica.
To get the results you expect from Password Synchronization, make sure that the containers that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.
Helpful DSTrace commands: