The Password Synchronization functionality provided in Identity Manager enables you to implement several different scenarios. This section outlines basic scenarios, to help you understand how the settings in Identity Manager Password Synchronization and NMAS password policies affect the way passwords are synchronized. You can use one or more of the scenarios to meet the needs of your environment.
Section 5.8.1, Overview of Identity Manager’s Relationship to NMAS
Section 5.8.2, Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults
Section 5.8.3, Scenario 2: Using Universal Password to Synchronize Passwords
Scenario 5: Synchronizing Application Passwords to the Simple Password
Utilities such as iManager and the Novell Client communicate with NMAS rather than directly updating a specific password. NMAS is the entity that determines which passwords are updated.
NMAS synchronizes passwords within an Identity Vault, based on your settings in NMAS password policies.
Legacy utilities that are not Universal Password-enabled update the NDS password directly, instead of communicating with NMAS and letting NMAS determine which passwords are updated. Be aware of how users and help desk administrators use legacy utilities in your environment. Because legacy utilities update the NDS password directly instead of going through NMAS, password drift (Universal Password and NDS password get out of sync) can occur if you are using Universal Password and NMAS 2.3.
For example, to ensure support of Universal Password, make sure that users upgrade to the Novell Client, and make sure that help desk users use ConsoleOne only with the latest Novell Client or NetWare release.
Figure 5-5 Using NMAS to Synchronize Passwords
Identity Manager controls the “entry point” (updating either Universal or Distribution Password directly). NMAS controls the flow of synchronizing passwords inside the Identity Vault.
In Scenario 1, the Identity Manager Driver for eDirectory can be used to update the NDS password directly. This scenario is basically the same as the one provided in DirXML 1.x.
In Scenario 2, Scenario 3, and Scenario 4, Identity Manager is used to update either Universal Password or Distribution Password. Identity Manager goes through NMAS to make password changes. This allows NMAS to update other Identity Vault passwords as determined by NMAS password policy settings, and allows NMAS to enforce Advanced Password Rules from NMAS password policies for passwords being synchronized with connected systems. In these scenarios, the password that Identity Manager distributes to connected systems is always the Distribution Password.
The difference between Scenario 2, Scenario 3, and Scenario 4 lies in the different combinations of NMAS password policy settings and Identity Manager Password Synchronization settings for each connected system driver.
As in Password Synchronization 1.0, you can synchronize NDS Password between two Identity Vaults by using the eDirectory driver. This scenario does not require Universal Password to be implemented, and can be used with eDirectory 8.6.2 or later. Another name for this kind of password synchronization is synchronizing the public/private key pair.
This method should be used only to synchronize passwords from Identity Vault to Identity Vault. It does not use NMAS and therefore cannot be used to synchronize passwords to connected applications.
Table 5-11 Advantages: eDirectory to eDirectory Password Synchronization Using NDS Password
The following diagram shows that, as in DirXML 1.x, the Identity Manager Driver for eDirectory can be used to synchronize the NDS password between two Identity Vaults. This scenario does not go through NMAS.
Figure 5-6 Using NDS Password to Synchronize between Two Identity Vaults
To set up this kind of password synchronization, configure the driver.
Not necessary.
None.
None. The settings on the Password Synchronization page for a driver have no effect on this method of synchronizing NDS Password.
Remove the Password Synchronization policies listed in Section 5.3.4, Policies Required in the Driver Configuration. Those policies are intended to support Universal Password and Distribution Password. NDS Password is synchronized by using Public Key and Private Key attributes instead of these policies.
Make sure that the driver filter for both Identity Vault drivers is synchronizing the Public Key and Private Key attributes for all object classes for which passwords should be synchronized. The following figure shows an example.
Figure 5-7 Synchronizing the Private and Public Key Attributes
Turn on the DSTrace option.
Check the driver Filter to make sure the Public Key and Private Key attributes are being synchronized, not ignored.
See also the tips in Section 5.13, Troubleshooting Password Synchronization.
With Identity Manager, you can synchronize a connected system password with the Universal Password in the Identity Vault.
When Universal Password is updated, the NDS Password, Distribution Password, or Simple Password can also be updated, depending on your settings in the NMAS password policy.
Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Section 5.2, Connected System Support for Password Synchronization.
Table 5-12 Advantages: Synchronizing by Using Universal Password
Figure 5-8 illustrates the following flow for this scenario:
Passwords come in through Identity Manager.
Identity Manager goes through NMAS to directly update Universal Password.
NMAS synchronizes the Universal Password with the Distribution Password and other passwords according to the NMAS password policy settings.
Identity Manager retrieves the Distribution Password to distribute to connected systems that are set to accept passwords.
Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.
Figure 5-8 Using Universal Password to Synchronize Passwords
To set up this kind of password synchronization:
Make sure your environment is ready to use Universal Password. See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.
Make sure that an NMAS password policy is assigned to the parts of the Identity Vault that you want to have this kind of password synchronization.
In iManager, select
> .Select a policy, then click
.Browse to and select the object where you want password synchronization to occur.
You can assign the policy to the entire tree structure (by browsing to and selecting the Login Policy object in the Security container), a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.
In the password policy, make sure that the following are selected:
Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.
Complete your password policy as desired.
NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If you don't want password policy rules enforced, deselect
.If you are using Advanced Password Rules, make sure they don't conflict with the password policies on any connected systems that are subscribing to passwords.
In iManager, select
> .Search for drivers for the connected systems, then select a driver.
Create settings for the driver for the connected system.
Make sure that the following are selected:
A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in a the driver configuration using a policy.
If the connected system does not support accepting passwords, the option is dimmed.
These settings allow for bidirectional password synchronization if it is supported by the connected system.
You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only
.Make sure that
is not selected.In this scenario, Identity Manager updates the Universal Password directly. The Distribution Password is still used to distribute passwords to connected systems, but is updated from the Universal Password by NMAS instead of by Identity Manager.
(Optional) Select the following if desired:
Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory User object to be populated.
E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.
Make sure that the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization.
The policies must be in the correct location and the correct order in the driver configuration. For the list of policies, see Section 5.3.4, Policies Required in the Driver Configuration.
The Identity Manager sample configurations already contain the policies. If you are upgrading an existing driver, you can add the policies by using the instructions in Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.
Set the filter correctly for nspmDistributionPassword attribute:
For the Publisher channel, set the driver filter to
attribute for all object classes.For the Subscriber channel, set the driver filter to
attribute for all object classes that should subscribe to password changes.For all objects that have
set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes to .To ensure password security, make sure that you control who has rights to Identity Manager objects.
Also see the tips in Section 5.13, Troubleshooting Password Synchronization.
Figure 5-9 illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to Universal Password in this scenario. NMAS decides how to handle the password based on the following:
Whether Universal Password is enabled in the NMAS password policy.
Whether Advanced Password Rules are enabled that incoming passwords must comply with.
What the other settings are in the password policy for synchronizing Universal Password with the other passwords.
Figure 5-9 How NMAS Handles the Password It Receives from Identity Manager
Turn on the
, , and settings in DSTrace.Figure 5-10 DSTrace Commands
Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify that they are being passed, watch the trace screen with those options turned on.
Verify that the password is valid according to the rules of the password policy.
Check the NMAS password policy configuration and assignment. Try assigning the policy directly to a user to make sure the correct policy is being used.
On the Password Synchronization page for the driver, make sure that
is selected.In the password policy, make sure that
is selected.This section is for troubleshooting cases where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.
Turn on the
L and settings in DSTrace to see Identity Manager rule processingSet the Identity Manager trace level for the driver to
.Make sure the Password Synchronization
option is selected.Check the driver filter to make sure the nspmDistributionPassword attribute is set correctly, as explained in Step 2.
Verify that the <password> for an Add or <modify-password> element is being sent to the connected system. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first items.
Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section 5.3.4, Policies Required in the Driver Configuration.
Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
Turn on the
setting in DSTrace to see Identity Manager rule processing.Set the Identity Manager trace level for the driver to
.Verify that the rule to generate e-mail is selected.
Verify that the Identity Vault object contains the correct user e-mail address in the Internet EMail Address attribute.
In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured correctly. See Section 5.12, Configuring E-Mail Notification.
The Check Password Status task in iManager causes the driver to check object password action. If you have problems, review the following:
If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter for the correct settings for the nspmDistributionPassword attributes. Also, make sure that the password policy has
selected.If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate Password Synchronization policies.
Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
Check Object Password operates from the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized.
Keep in mind that for the Identity Manager driver only, Check Password Status is checking the NDS Password instead of the Distribution Password.
: To view Identity Manager rule processing and potential error message
: To view Identity Manager driver messages
: To view NDS password modifications
In this scenario, Identity Manager updates the Distribution Password directly, and allows NMAS to determine how the other Identity Vault passwords are synchronized.
Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Section 5.2, Connected System Support for Password Synchronization.
Table 5-13 Advantages: Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password
The figure in this scenario illustrates the following flow:
Passwords come in through Identity Manager.
Identity Manager goes through NMAS to directly update Distribution Password
Identity Manager also uses the Distribution Password to distribute to connected systems that you have specified should accept passwords
NMAS synchronizes Universal Password with the Distribution Password, and with other passwords according to the password policy settings.
Although multiple connected systems are shown as connecting to Identity Manager in Figure 5-11, keep in mind that you individually create the settings for each connected system driver.
Figure 5-11 Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password
To set up this kind of password synchronization:
Make sure that your environment is ready to use Universal Password. See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.
In iManager, select
> .Make sure a password policy is assigned to the parts of the Identity Vault tree that you want to have this kind of password synchronization. You can assign it to the entire tree structure, a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.
In the password policy, make sure the following are selected:
S
Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.
If you are using Advanced Password Rules, make sure that they don't conflict with the password policies on any connected systems that are subscribing to passwords.
In iManager, select
> .Search for drivers for the connected systems, then select a driver.
Create settings for the driver for the connected system.
Make sure that the following are selected:
A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.
These settings allow for bidirectional password synchronization if it is supported by the connected system.
You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only
.Specify whether you want NMAS password policies to be enforced or ignored, using the options under
.(Conditional) If you have specified that you want password policies to be enforced, also specify whether you want Identity Manager to reset the connected system password if it does not comply.
(Optional) Select the following if desired:
Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory user object to be populated.
E-mail notifications are noninvasive. They do not affect the processing of the XML document that triggered the email. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.
Make sure that the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization.
The policies must be in the correct location and the correct order in the driver configuration. For the list of policies, see Section 5.3.4, Policies Required in the Driver Configuration.
The Identity Manager sample configurations already contain the policies. If you are upgrading an existing driver, you can add the policies using the instructions in Section 5.7, Upgrading Existing Driver Configurations to Support Password Synchronization.
Set the filter correctly for nspmDistributionPassword attribute:
For the Publisher channel, set the driver filter to
for the nspmDistributionPassword attribute for all object classes.For the Subscriber channel, set the driver filter to
for the nspmDistribution Password attribute for all object classes that should subscribe to password changes.For all objects that have
set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes in the driver filter to .To ensure password security, make sure that you control who has rights to Identity Manager objects.
Also see the tips in Section 5.13, Troubleshooting Password Synchronization.
Figure 5-12 illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to the Distribution Password in this scenario, and NMAS decides the following:
How to handle the password based on whether you have specified that incoming passwords should be validated against password policy rules (if Universal Password and Advanced Password Rules are enabled).
What the other settings are in the password policy for synchronizing Universal Password with the other passwords.
Figure 5-12 Password from Identity Manager is Synchronized to the Distribution Password
Turn on the
, , and settings in DSTraceFigure 5-13 DSTrace commands
Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify, watch the DSTtrace screen or file with the trace options turned on as noted in the first item.
Verify that the password is valid according to the rules of the NMAS password policy.
Check the NMAS password policy configuration and assignment. Try assigning the policy directly to the user to make sure the correct policy is being used.
On the Password Synchronization page for the driver, make sure that
is selected.In the NMAS password policy, make sure that
is selected.In the NMAS password policy, make sure that
is selected, if this is desired.If users are logging in through the Novell Client or ConsoleOne, check the version. Legacy Novell Clients and ConsoleOne might not be able to log in to the Identity Vault if the Universal Password is not synchronized with the NDS Password.
Versions of the Novell Client and ConsoleOne that are aware of the Universal Password are available. See the NMAS 3.0 Administration Guide.
Some legacy utilities authenticate by using the NDS Password, and also cannot log in to the Identity Vault if the Universal Password is not synchronized with the NDS Password. If you don't want to use the NDS Password for most users, but you have administrator or help desk users who need to authenticate with legacy utilities, try using a different password policy for help desk users so you can specify different Universal Password synchronization options for them.
This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.
Turn on the
and settings in DSTrace to see Identity Manager rule processing and potential errorsSet the Identity Manager trace level for the driver to
.Make sure that the
option is selected in the Password Synchronization page.In the password policy, make sure that
is not selected.Identity Manager uses the Distribution Password to synchronize passwords to connected systems. Universal Password must be synchronized with the Distribution Password for this synchronization method.
Check the driver filter for the nspmDistributionPassword attribute.
Verify that the <password> element for an Add or a <modify-password> element has been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the options turned on as noted in the first item.
Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section 5.3.4, Policies Required in the Driver Configuration.
Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
Turn on the
setting in DSTrace to see Identity Manager rule processingSet the Identity Manager trace level for the driver to
.Verify that the rule to generate e-mail is selected.
Verify that the Identity Vault object contains the correct value in the Internet EMail Address attribute.
In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured. See Section 5.12, Configuring E-Mail Notification.
E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.
The Check Password Status task in iManager causes the driver to perform a check object password action.
Make sure the connected system supports checking passwords. See Section 5.2, Connected System Support for Password Synchronization.
If the driver manifest does not indicate that the connected system supports password-check capability, this operation is not available through iManager.
If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter, and the
option within the password policy.If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager Password Synchronization policies.
Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
checks the Distribution Password. If the Distribution Password is not being updated, might not report that passwords are synchronized
Keep in mind that for the Identity Vault,
checks the NDS Password instead of the Universal Password. This means that if the user's password policy does not specify to synchronize the NDS Password with the Universal Password, the passwords are always reported as being not synchronized. In fact, the Distribution Password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS Password and the Distribution Password are synchronized with the Universal Password.: To view Identity Manager rule processing and potential error message.
: To view Identity Manager driver messages.
To view NDS password modifications.
Identity Manager enables you to synchronize passwords among connected systems while keeping the Identity Vault password separate. This is referred to as “tunneling.”
In this scenario, Identity Manager updates the Distribution Password directly. This scenario is almost the same as Section 5.8.4, Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password. The difference is that you make sure the Universal Password and the Distribution Password are not being synchronized. You do this either by not using NMAS password policies, or by using password policies with the option disabled for .
Table 5-14 Advantages of Tunneling
Figure 5-14 illustrates the following flow:
Passwords come in through Identity Manager.
Identity Manager goes through NMAS to directly update the Distribution Password.
Identity Manager also uses the Distribution Password to distribute passwords to connected systems that you have specified should accept passwords.
The key to this scenario is that in the NMAS password policy,
is disabled. Because the Distribution Password is not synchronized with the Universal Password, Identity Manager synchronizes passwords among connected systems without affecting passwords in the Identity Vault.Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.
Figure 5-14 Tunneling, with Identity Manager Updating the Distribution Password
To set up this kind of password synchronization, configure the following:
Although you don't need to have password policies with Universal Password enabled, your environment must still must be using eDirectory 8.7.3, which supports Universal Password. See Section 5.4, Preparing to Use Identity Manager Password Synchronization and Universal Password.
Review your password policy to confirm the following:
Make sure
is not selected.This is the key to tunneling passwords without the Identity Vault password being affected. By not synchronizing the Universal Password with the Distribution Password, you keep the Distribution Password separate, for use only by Identity Manager for connected systems. Identity Manager acts as a conduit, distributing passwords to and from other connected systems, without affecting the Identity Vault password.
Complete the other password policy settings as desired.
The other password settings in the password policy are optional.
Use the same settings as Password Synchronization Settings in Section 5.8.4, Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password.
Use the same settings as Driver Configuration in Section 5.8.4, Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password.
If password synchronization is set up for tunneling, the Distribution Password is different than the Universal Password and the NDS Password.
See also the tips in Section 5.13, Troubleshooting Password Synchronization.
This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.
Turn on the
L and + settings in DSTrace to see Identity Manager rule processing and potential errors.Set the Identity Manager trace level for the driver to
.Make sure that the
option is selected on the Password Synchronization page.In the password policy, make sure that
is not selected.Identity Manager uses the Distribution Password to synchronize passwords to connected systems. The Universal Password must be synchronized with the Distribution Password for this synchronization method.
Make sure the driver filter has the correct settings for the nspmDistributionPassword attribute.
Verify that the <password> element for an Add and a <modify-password> element have been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.
Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section 5.3.4, Policies Required in the Driver Configuration.
Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
Turn on the
setting in DSTrace to see Identity Manager rule processing.Set the Identity Manager trace level for driver to
.Verify that the rule to generate e-mail is selected.
Verify that the Identity Vault object contains the correct value in the Internet EMail Address attribute.
In the Notification Configuration task, check the SMTP server and the e-mail template. See Section 5.12, Configuring E-Mail Notification.
E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.
The Check Password Status task in iManager causes the driver to be perform a Check Object Password action.
Make sure that the connected system supports checking passwords. See Section 5.2, Connected System Support for Password Synchronization.
This operation is not available through iManager if the driver manifest does not indicate that the connected system supports password-check capability.
If the Check Object Password action returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the Identity Manager attribute filter, and the
option within the password policy.If the Check Object Password action returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager password synchronization policies.
Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
The Check Object Password action checks the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized
: To view Identity Manager rule processing and potential error messages.
: To view Identity Manager driver messages.
: To view NDS password modifications.
: To view NDS DCLient messages.
This scenario is a specialized use of password synchronization features. Using Identity Manager and NMAS, you can take a password from a connected system and synchronize it directly to the Identity Vault Simple Password. If the connected system provides only hashed passwords, you can synchronize them to the Simple Password without reversing the hash. Then, other applications can authenticate to the Identity Vault by using the same clear text or hashed password through LDAP or the Novell Client, with NMAS components configured to use the Simple Password as the login method.
If the password in the connected system is in clear text, it can be published as it is from the connected system into the Identity Vault Simple Password store.
If the connected system provides only hashed passwords (MD5, SHA, SHA1,or UNIX Crypt are supported), you must publish them to the Simple Password with an indication of the kind of hash, such as {MD5}.
For another application to authenticate with the same password, you need to customize the other application to take the user's password and authenticate to the Simple Password using LDAP.
NMAS compares the password value from the application with the value in the Simple Password. If the password stored in the Simple Password is a hash value, NMAS first uses the password value from the application to create the correct type of hash value, before comparing. If the password from the application and the Simple Password are the same, NMAS authenticates the user.
In this scenario, Universal Password cannot be used.
Table 5-15 Advantages of Synchronizing to the NDS Password
Figure 5-15 Synchronizing to the NDS Password
No password policy is required for users for this scenario. Universal Password cannot be used.
For this scenario, you use Identity Manager Script to directly modify the SAS:Login Configuration attribute. This means that the Password Synchronization global configuration values (GCVs), which are set by using the Password Synchronization page in iManager, have no effect.
Make sure that the SAS:Login Configuration attribute in the filter has the setting of
for both Publisher and Subscriber channels.Configure the driver policies to publish the password from the connected system.
For hashed passwords, configure the driver policies to prepend the type of hash (if it is not already provided by the application):
{MD5}hashed_password
This password is Base64 encoded.
{SHA}hashed_password
This password is Base64 encoded.
{CRYPT}hashed_password
Clear text passwords and Unix Crypt password hashes are not Base64 encoded.
To place the password into the Simple Password, configure the driver policies to modify the SAS:Login Configuration attribute.
The following example illustrates how to use a modify-attr element within a modify operation to change the Simple Password to an MD5 hashed password:
<modify-attr attr-name="SAS:Login Configuration> <add-value> <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value> </add-value> </modify-attr>
For clear text passwords, follow this example.
<modify-attr attr-name="SAS:Login Configuration> <add-value> <value>clearpwd</value> </add-value> </modify-attr>
For add operations, the add-attr element would contain one of the following:
<add-attr attr-name="SAS:Login Configuration> <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value> </add-attr>
or
<add-attr attr-name="SAS:Login Configuration> <value>clearpwd</value> </add-attr>