When a User object is created, Identity Manager is always capable of accepting a password from a connected system, even if the connected system does not support providing the user's actual password from that system.
AD, NT, eDirectory, and NIS can accept a password from Identity Manager and also support sending the user's actual password to Identity Manager. This means they offer full support for bidirectional password synchronization.
When you define a policy within the driver configuration on the Publisher channel, other systems can provide data that can be used to create passwords. The example driver configurations for most of the drivers include an example policy that provides a default password based on Surname.
Connected systems have varying abilities to accept a password from Identity Manager. Some connected systems support setting an initial password for new accounts, but not Password Modify events.
The capabilities of the sample driver configurations are noted in the driver manifest. The following tables provide additional information that is not in the driver manifest. The tables indicate whether an application accepts an initial password for a new account and, separately, whether it can accept a modification to an existing password. The manifest indicates only that the connected system is capable of accepting a password, and doesn't show this distinction.
Drivers are grouped so that you can see which sample driver configurations have similar abilities.
The following connected systems support bidirectional password synchronization. They can provide the user's actual password on the connected system, and accept passwords from Identity Manager.
Table 5-2 Systems that Support Bidirectional Password Synchronization
1 Between Identity Vault trees, you can have bidirectional password synchronization for users even if Universal Password is not enabled for those users. See Section 5.8.2, Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults.
The following connected systems can accept passwords from Identity Manager to some degree. They can't provide a user's actual password on the connected system to Identity Manager.
Although they can't provide the user's actual password, they can be configured to create a password by using a policy on the Publisher channel, based on other user data in the connected system. (The sample driver configurations demonstrate a default password based on the surname.)
Table 5-3 Systems That Accept Passwords from Identity Manager
2 GroupWise supports two authentication methods:
GroupWise provides its own authentication and maintains user passwords.
GroupWise authenticates against eDirectory using LDAP and does not maintain passwords. When you use this option, GroupWise ignores driver-synchronized passwords.
3 The ability to set an initial password is available on all databases where the OS user account is distinct from the database user account, such as Oracle, MS SQL, MySQL, and Sybase.
4 The Identity Manager Driver for JDBC can be used to modify a password on the connected system, but that feature is not demonstrated in the sample driver configuration.
5 Passwords can be synchronized as data when stored in a table.
6 If the target LDAP server allows setting the userpassword attribute.
7 The Notes driver can accept a password modification and check passwords only for the HTTPPassword field in Lotus Notes.
The following connected systems can't accept passwords or provide a user's password on the connected system using the sample driver configuration.
Although they can't provide the user's password to Identity Manager, they can be configured to create a password by using a policy on the Publisher channel, based on other user data in the connected system. (The sample driver configurations demonstrate a default password based on surname.)
Table 5-4 Systems That Don’t Accept or Provide Passwords
8 The Identity Manager Driver for Delimited Text does not have features in the driver shim that directly support Password Synchronization. However, the driver can be configured to handle passwords, depending on the connected system you are synchronizing with.
The following connected systems are not intended to be used with password synchronization.
Table 5-5 Systems That Don’t Support Password Synchronization