Novell Doc: Novell Identity Manager 3.5.1 Administration Guide - Prerequisites for Password Synchronization

5.3 Prerequisites for Password Synchronization

Password Synchronization depends on the following elements being in place:

5.3.1 Support for Universal Password

To accommodate password synchronization across connected systems, Identity Manager requires Universal Password. See the following:

“Deploying Universal Password” in the Password Management Administration Guide
Section 5.4.3, Preparing to Use Universal Password

5.3.2 Password Synchronization Capabilities in the Driver Manifest

The driver manifest declares whether a connected system supports the following password synchronization functions:

Publishing the user's actual password to Identity Manager
Accepting a password from Identity Manager

The manifest does not distinguish between accepting the creation of an initial password versus accepting password modifications.
Letting Identity Manager check the password on the connected system, to determine the password synchronization status of a user

NOTE:The driver manifest is written by the driver developer or the Identity Manager expert who creates the driver configuration. It is not meant to be edited by a network administrator. The driver manifest represents the true capabilities of the driver shim and configuration. Changing the manifest alone does not change functionality. To add functionality, the driver shim, connected system, or driver configuration might be enhanced.

The sample driver configurations delivered with Identity Manager contain driver manifest entries. To add them to an existing driver, see Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.

5.3.3 Using Global Configuration Values to Control Password Synchronization

Global configuration values enable you to set a constant value that you can reference in a policy. Global configuration values are sometimes called server variables, because they are held in an attribute that is per replica.

For Password Synchronization, global configuration values enable you to create settings for the flow of passwords to and from Identity Manager. Because the Identity Manager password synchronization policies in the driver configuration are written to behave differently based on your settings in the global configuration value, it's easy to change the flow of passwords without having to edit policies.

By using global configuration values, you control the following settings separately for each connected system:

Table 5-6 Settings for Connected Systems

Setting	Description
Whether Identity Manager accepts passwords from the connected system	This setting applies to a password provided by the connected system, as well as a password that could be created by Identity Manager policies in the driver configuration on the Publisher channel. If you disable this setting, both kinds of passwords are stripped out so that they don't reach Identity Manager.
Whether Identity Manager updates Universal Password directly, or updates Distribution Password directly	Identity Manager controls the entry point (that password Identity Manager updates). NMAS controls the flow of passwords between each different kind of password, based on what you have set in the NMAS password policy. To view an NMAS password policy: In iManager, select Passwords > Password Policies. Select a policy in the Password Policy List. Click Edit. Select an option from the drop-down list or tab (depending on which version of iManager you are using). See Section 5.8, “Implementing Password Synchronization” for scenarios that use these methods.
Whether NMAS password policies are enforced on passwords coming in to Identity Manager from a connected system	If these policies are enforced, noncompliant passwords coming in are not written to the Identity Manager data store.
Whether Identity Manager uses the Identity Manager password to enforce NMAS password policies on a connected system, by resetting passwords that don't comply with the policy rules	This option is dimmed in the NMAS interface if the connected system doesn't support it (as declared in the driver manifest). The password is reset only after a password operation fails on the Publisher channel.
Whether the connected system accepts passwords	This setting applies to both a password distributed by Identity Manager and a password that could be created by Identity Manager policies in the driver configuration on the Subscriber channel. If you disable this setting, both kinds of passwords are stripped out so that they don't reach the connected system. This option is dimmed in the interface if the connected system doesn't support it (as declared in the driver manifest).
Whether users are notified by e-mail when a password is not synchronized	Automatically sends e-mails to affected users.

The driver configurations delivered with Identity Manager contain driver manifest entries. To add them to an existing driver, see Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.

To edit global configuration values:

In iManager, select Passwords > Password Synchronization.
Search for a driver.

After you specify where you want to search for connected system drivers, iManager displays an overview of the password flow settings for all the connected system drivers it finds.
To view settings, click a driver name.

The Modify Driver page displays the global configuration values for Password Synchronization.

If an option on this page is dimmed, the driver manifest shows that the connected system does not support that option.
Make changes, then click OK.

NOTE:You can set global configuration values on each driver separately. Global configuration values on a driver override those on the driver set. Setting the values on a specific driver gives you more granular control. This page displays only the global configuration values that are present on the individual driver.

If you set global configuration values on the Driver Set object, those values are inherited by a driver in that driver set if the driver does not have values of its own. If a driver has no settings of its own and inherits the global configuration values from the driver set, iManager does not display them. Although iManager does not display inherited global configuration values, they are still honored by the password synchronization policies.

5.3.4 Policies Required in the Driver Configuration

Identity Manager policies on the Publisher and Subscriber channels for each driver govern the password flow, based on your settings in the global configuration variables explained above. These policies are included in the driver configurations in Identity Manager.

If you are upgrading an existing driver configuration instead of replacing it, you must add certain policies to the configuration. (See Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.) These policies must be in your driver configuration in the correct location for password synchronization to work.

Policies Required in the Publisher Command Transformation Set

The policies listed in the Password Synchronization Policy Name column must be present in the order listed. Also, they must be the last policies in the Publisher Command Transformation policy set.

Table 5-7 Policies Required in the Publisher Command Transformation Set

Location in the Driver Configuration	Password Synchronization Policy Name	What the Policy Does
Publisher Command Transformation	Password(Pub)-Default Password Policy	Adds a default password to an Add object if the Add object does not already contain a password. This policy and the Password(Sub)-Default Password Policy are the only policies that you can modify or remove. For password synchronization functionality to work properly, the other policies should be used without changes.
	Password(Pub)-Check Password GCV	Checks the GCV to determine whether you have specified that Identity Manager accepts passwords from this connected system. If not, it strips out all password elements. The name of the GCV is enable-password-publish, and the display name is Identity Manager accepts passwords from application.
	Password(Pub)-Publish Distribution Password	Transforms the <password> element to the form that allows it to update Universal Password. This policy references the following GCVs: publish-password-to-dp enforce-password-policy
	Password(Pub)-Publish NDS Password	Allows the <password> element to go through if you have specified that the NDS password should be updated. If not, it strips out the <password> element. This policy references the GCV named publish-password-to-nds.
	Password(Pub)-Add Password Payload	Puts in payload data that is passed around in the engine for purposes of e-mail notification.
	Password(Sub)-Add Password Payload	Puts in payload data that is passed around in the engine for purposes of e-mail notification.

Policies Required in the Publisher Input Transformation Policy Set

We recommend that the Password(Pub)-Sub Email Notifications policy be listed last if there are multiple policies in the Input Transformation.

Table 5-8 Policies Required in the Publisher Input Transformation Policy Set

Location in the Driver Configuration	Password Synchronization Policy Name	What the Policy Does
Publisher Input Transformation	Password(Pub)-Sub Email Notifications	If the password payload information comes through, and the status shows a problem, it sends e-mail to the user. It uses the e-mail address indicated in the Internet EMail Address attribute in eDirectory. This policy references the GCV named notify-user-on-password-dist-failure to determine whether to send notification e-mails.

Location in the Driver Configuration

Password Synchronization Policy Name

What the Policy Does

Publisher Input Transformation

Password(Pub)-Sub Email Notifications

If the password payload information comes through, and the status shows a problem, it sends e-mail to the user. It uses the e-mail address indicated in the Internet EMail Address attribute in eDirectory.

This policy references the GCV named notify-user-on-password-dist-failure to determine whether to send notification e-mails.

Policies Required in the Subscriber Command Transformation Policy Set

The policies listed in the Password Synchronization Policy Name column must be present in the order listed. Also, they must be the last policies in the Subscriber Command Transformation policy set.

Table 5-9 Policies Required in the Subscriber Command Transformation Policy Set

Location in the Driver Configuration	Password Synchronization Policy Name	What the Policy Does
Subscriber Command Transformation	Password(Sub)-Transform Distribution Password	Transforms the Universal Password to a <password> element.
	Password(Sub)-Default Password Policy	Adds a default password to an Add object if the Add object does not already contain a password. This policy and the Password(Pub)-Default Password Policy are the only policies that you can modify or remove. For password synchronization functionality to work properly, the other policies should be used without changes,.
	Password(Sub)-Check Password GCV	Checks the GCV to determine whether you have specified that the connected system accepts passwords. If not, it strips out all password elements. The name of the GCV is enable-password-subscribe, and the display name is Application accepts passwords from Identity Manager data store.
	Password(Sub)-Add Password Payload	Puts in password payload data that is passed around in the engine for purposes of e-mail notification.

Policies Required in the Subscriber Output Transformation Policy Set

We recommend that the Password(Sub)-Pub Email Notifications policy be listed last if there are multiple policies in the Output Transformation.

Table 5-10 Policies Required in the Subscriber Output Transformation Policy Set

Location in the Driver Configuration	Password Synchronization Policy Name	What the Policy Does
Subscriber Output Transformation	Password(Sub)-Pub Email Notifications	If the password payload information comes through, and the status shows a problem, it sends e-mail to the user. This policy references the GCV named notify-user-on-password-dist-failure to determine whether to send notification e-mails.

Location in the Driver Configuration

Password Synchronization Policy Name

What the Policy Does

Subscriber Output Transformation

Password(Sub)-Pub Email Notifications

If the password payload information comes through, and the status shows a problem, it sends e-mail to the user.

This policy references the GCV named notify-user-on-password-dist-failure to determine whether to send notification e-mails.

5.3.5 Filters You Install on the Connected System to Capture Passwords

For AD, NT Domain, and NIS, filters must be installed to capture the user's password.

See Section 5.9, Setting Up Password Filters.

5.3.6 NMAS Password Policies You Create for Users

Although you can use some features of Password Synchronization without Universal Password, NMAS password policies must be used to enable Universal Password for your users. The password policy also lets you specify Advanced Password Rules, and specify whether users’ existing passwords are checked for compliance with the rules.

To use Identity Manager Password Synchronization, you must understand password policies. Password policies are explained in “Managing Passwords by Using Password Policies” in the Password Management Administration Guide.

5.3.7 NMAS Login Methods

For some situations, you must have the NMAS Simple Password Login Method in place to be able to do password functions. For example, LDAP requires it.

For information about login methods, see the Novell Modular Authentication Services ( NMAS) 3.0 Administration Guide.