Novell® Identity Manager 3.6.1
Password Management Guide
AUTHORIZED DOCUMENTATION
www.novell.com
novdocx (en) 13 May 2009

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the International Trade Services (http://www.novell.com/company/policies/trade_services) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 7
1 Overview 9
1.1 Universal Password and Distribution Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2 Password Synchronization Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3 Password Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.4 Password Policy Enforcement Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.5 Password Policy Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.6 Password Synchronization Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.7 Password Self-Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2 Password Management Checklist 13
2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Synchronizing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Password Self-Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3 Connected System Support for Password Synchronization 15
3.1 Systems That Support Bidirectional Password Synchronization . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Systems That Accept Passwords from Identity Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.3 Systems That Don’t Accept or Provide Passwords By Default . . . . . . . . . . . . . . . . . . . . . . . . 16
3.4 Systems That Don’t Support Password Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4 Configuring Password Flow 19
4.1 Verifying Password Synchronization Settings in iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 Verifying Password Synchronization Settings in Designer. . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5 Configuring E-Mail Notification 25
5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2 Setting Up the SMTP Server to Send E-Mail Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.3 Setting Up E-Mail Templates for Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.4 Providing SMTP Authentication Information in Driver Policies. . . . . . . . . . . . . . . . . . . . . . . . . 28
5.5 Adding Your Own Replacement Tags to E-Mail Notification Templates . . . . . . . . . . . . . . . . . 30
5.5.1 Adding Replacement Tags to Password Synchronization E-Mail Notification Templates . . . . . 30
5.5.2 Adding Replacement Tags to Forgotten Password E-Mail Notification Templates . . 36
5.6 Sending E-Mail Notifications to the Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.7 Localizing E-Mail Notification Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
6 Checking the Password Synchronization Status for a User 39
7 Troubleshooting Password Synchronization 41
A Password Synchronization Scenarios 43
A.1 Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults . . . . . . . . . . . 43
A.1.1 Advantages and Disadvantages of Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
A.1.2 Setting Up Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
A.1.3 Troubleshooting Scenario 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
A.2 Scenario 2: Using Universal Password to Synchronize Passwords. . . . . . . . . . . . . . . . . . . . . 45
A.2.1 Advantages and Disadvantages of Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
A.2.2 Setting Up Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
A.2.3 Troubleshooting Scenario 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
A.3 Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password . . . . . 55
A.3.1 Advantages and Disadvantages of Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.3.2 Setting Up Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.3.3 Troubleshooting Scenario 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
A.4 Scenario 4: Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
A.4.1 Advantages and Disadvantages of Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
A.4.2 Setting Up Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
A.4.3 Troubleshooting Scenario 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
A.5 Scenario 5: Synchronizing Application Passwords to the Simple Password . . . . . . . . . . . . . . 68
A.5.1 Advantages and Disadvantages of Scenario 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
A.5.2 Setting Up Scenario 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
B Driver Configuration Policies 73
B.1 Policies Required in the Publisher Command Transformation Set . . . . . . . . . . . . . . . . . . . . . 73
B.2 Policies Required in the Publisher Input Transformation Policy Set . . . . . . . . . . . . . . . . . . . . 75
B.3 Policies Required in the Subscriber Command Transformation Policy Set . . . . . . . . . . . . . . . 75
B.4 Policies Required in the Subscriber Output Transformation Policy Set . . . . . . . . . . . . . . . . . . 76

About This Guide

This guide provides information about managing passwords through Identity Manager. The guide is organized as follows:
Chapter 1, “Overview,” on page 9
Chapter 2, “Password Management Checklist,” on page 13
Chapter 3, “Connected System Support for Password Synchronization,” on page 15
Chapter 4, “Configuring Password Flow,” on page 19
Chapter 5, “Configuring E-Mail Notification,” on page 25
Chapter 6, “Checking the Password Synchronization Status for a User,” on page 39
Chapter 7, “Troubleshooting Password Synchronization,” on page 41
Appendix A, “Password Synchronization Scenarios,” on page 43
Appendix B, “Driver Configuration Policies,” on page 73
Audience
This guide is intended for administrators, consultants, and network engineers who require a high-level introduction to Identity Manager business solutions, technologies, and tools.
Documentation Updates
For the most recent version of this document, see the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/index.html).
Additional Documentation
For additional Identity Manager documentation, see the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/index.html).
Documentation Conventions
In Novell® documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
1 Overview

Identity Manager helps you manage user passwords across multiple accounts. You can synchronize passwords among systems, allow users to change their passwords, and enable users to recover from forgotten passwords.
In the following diagram, the Identity Manager system is configured to synchronize passwords for users who have Active Directory* and iPlanet* accounts. In addition, password self-service is enabled through the Identity Manager User Application so that users can change their passwords and, if necessary, recover from forgotten passwords.
Figure 1-1 Password Management with Identity Manager [diagram; labeled components: Metadirectory Server with Metadirectory Engine, Drivers, Password Policies, Password Sync, and Entitlements; Identity Vault (LDAP); Active Directory Server on a Domain Controller or Member Server with Remote Loader; iPlanet Server; User Application Server with Password Self-service]
Identity Manager provides synchronization of passwords between the Identity Vault and connected systems. It also supports password self-service, which is the ability for users to change their own passwords and recover from forgotten passwords.
The following sections introduce you to the concepts you need to understand to successfully implement password synchronization and password self-service:
Section 1.1, “Universal Password and Distribution Password,” on page 10
Section 1.2, “Password Synchronization Flow,” on page 10
Section 1.3, “Password Policy Enforcement,” on page 11
Section 1.4, “Password Policy Enforcement Notifications,” on page 11
Section 1.5, “Password Policy Assignments,” on page 11
Section 1.6, “Password Synchronization Status,” on page 12
Section 1.7, “Password Self-Service,” on page 12

1.1 Universal Password and Distribution Password

Identity Manager requires Universal Password for both password synchronization and password self-service. Universal Password synchronizes the various passwords (Universal, NDS®, Simple, and Distribution) stored in the Identity Vault and provides password policies that define the rules for creating and replacing passwords in the Identity Vault.
Universal Password is explained in detail in the Novell Password Management 3.2 Administration Guide (http://www.novell.com/documentation/password_management32).
To control password synchronization between the Identity Vault and connected systems, Identity Manager uses the Distribution password. When a password is received from a connected system, it is stored as the Distribution password. When a password is sent to a connected system, the Distribution password is sent.
You can choose to synchronize the Distribution and Universal passwords or not synchronize them. If you synchronize the passwords, your Identity Vault passwords and connected system passwords will be the same. If you don’t synchronize the passwords, your Identity Vault passwords will be different than your connected system passwords; in essence, you are “tunneling” passwords among connected systems without affecting the passwords (Universal, NDS, or Simple) in your Identity Vault.

1.2 Password Synchronization Flow

Identity Manager supports the following levels of password synchronization:
Bidirectional: Identity Manager accepts passwords from a connected system and distributes passwords to the connected system. Users can change their passwords in the connected system or in the Identity Vault.
Some connected systems can’t provide the user’s actual password, which means they don’t support full bidirectional password synchronization. However, they can provide data (first name, last name, and so forth) that the connected system’s driver policies use to create an initial password. After the initial password is created from connected system data, no more password information is sent from the connected system. Passwords flow only from the Identity Vault to the connected system.
To the connected system: Identity Manager distributes passwords from the Identity Vault to the connected system only.
To the Identity Vault: Identity Manager distributes passwords from the connected system to the Identity Vault only.
The connected system determines the level of support for password synchronization. Some systems, such as Microsoft Active Directory and Novell eDirectory™, support bidirectional synchronization. Other systems support synchronization in one direction only. See Chapter 3, “Connected System Support for Password Synchronization,” on page 15 for details.

1.3 Password Policy Enforcement

Identity Manager can enforce password policies on incoming passwords from connected systems and on passwords set or changed through the User Application password self-service. If the new password does not comply, you can specify that Identity Manager not accept the password. This also means that passwords that don't comply with your policies are not distributed to other connected systems.
In addition, Identity Manager can enforce password policies on connected systems. If the password being published to the Identity Vault does not comply with rules in a policy, you can specify that Identity Manager not only does not accept the password for distribution, but actually resets the noncompliant password on the connected system by using the current Distribution password in the Identity Vault.
For example, you want to require passwords to include at least one numeric character. However, the connected system does not have the ability to enforce such a policy. You specify that Identity Manager resets passwords that flow from the connected system but do not comply with rules in the policy.

1.4 Password Policy Enforcement Notifications

Identity Manager enables you to automatically notify users via e-mail when a password change was not successful.
For example, you set Identity Manager to not accept incoming passwords from Active Directory when they don’t comply with your password policy. One policy rule specifies that the company name can’t be used as a password. A user changes his or her Active Directory password to include the company name. Identity Manager rejects the password and sends the user an e-mail message stating that the password change was not synchronized.
The User Application password self-service console lets you display the password policy rules so that users know how to create a compliant password. However, if you allow users to change their password through a connected system, the connected system is not able to display the policy.
If you want to avoid notifications caused by non-compliant passwords, you should require users to change the password only in the User Application, or at least make sure that the policy rules are well publicized.
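The following Python model is an added illustration of the enforcement and notification behaviour described in Sections 1.3 and 1.4; it is not Novell's policy code. The rule set (minimum length, a required numeric character, a forbidden company-name substring), the user record, the connected-system record, and the e-mail text are all constructed assumptions. A noncompliant password arriving on the Publisher channel is rejected, the connected system is reset to the vault's current Distribution password, and the user is queued a notification; a compliant one becomes the new Distribution password.

```python
"""Model of Identity Manager enforcing a password policy on a password
published from a connected system (Sections 1.3 and 1.4).
Constructed illustration; it is not Novell's policy code, and the rule set,
user record and connected-system record are all assumptions."""
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_numeric: bool = True                 # "at least one numeric character"
    forbidden_substrings: tuple = ("Novell",)    # e.g. the company name
    reset_noncompliant: bool = True              # reset the connected system on rejection


@dataclass
class VaultUser:
    name: str
    email: str
    distribution_password: str                   # current Distribution password in the vault
    notifications: list = field(default_factory=list)


def check_policy(password: str, policy: PasswordPolicy) -> list:
    """Return the list of rule violations (an empty list means compliant)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"must be at least {policy.min_length} characters long")
    if policy.require_numeric and not any(c.isdigit() for c in password):
        violations.append("must contain at least one numeric character")
    for s in policy.forbidden_substrings:
        if s.lower() in password.lower():
            violations.append(f"must not contain '{s}'")
    return violations


def publish_password(user: VaultUser, incoming: str, policy: PasswordPolicy,
                     connected_system: dict) -> dict:
    """Handle a password arriving on the Publisher channel.

    Compliant: store it as the Distribution password, from which it can be
    distributed to other connected systems.
    Noncompliant: reject it, optionally reset the connected system back to the
    current Distribution password, and queue an e-mail to the user.
    """
    violations = check_policy(incoming, policy)
    if not violations:
        user.distribution_password = incoming
        return {"accepted": True, "reset": False, "violations": []}

    result = {"accepted": False, "reset": False, "violations": violations}
    if policy.reset_noncompliant:
        # Push the vault's current Distribution password back to the connected system.
        connected_system["password"] = user.distribution_password
        result["reset"] = True
    user.notifications.append(
        f"To: {user.email}\r\nSubject: Password change not synchronized\r\n\r\n"
        f"Your password change was not synchronized because the new password "
        f"{'; '.join(violations)}.")
    return result


if __name__ == "__main__":
    policy = PasswordPolicy()
    user = VaultUser("jsmith", "jsmith@example.com", "Old1Pass!")
    ad_account = {"password": "Novell2009"}   # constructed: user just changed this in AD
    print(publish_password(user, ad_account["password"], policy, ad_account))
    print(user.notifications[0])
```

The reset branch is the behaviour Section 1.3 describes for systems that cannot enforce the policy themselves; the notification text is what Section 1.4 recommends publicizing so users are not surprised by it.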

1.5 Password Policy Assignments

Password policies are assigned with a tree-centric perspective, meaning that you assign them to the Identity Vault containers that hold the users to whom you want the policies applied. In contrast, password synchronization is set up per driver. Drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica on the server.
To get the results you expect from password synchronization, make sure that the user containers that have password policies required by a driver for password synchronization are in a master or read/write replica on the driver’s server. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.

1.6 Password Synchronization Status

Identity Manager enables you to query connected systems to check a user’s password synchronization status. If the connected system supports the check password feature, you can find out whether passwords are synchronizing successfully.
For information on how to check passwords, see “Checking the Password Synchronization Status for a User” on page 39.
For a list of which systems support checking passwords, see “Connected System Support for Password Synchronization” on page 15.

1.7 Password Self-Service

Password self-service is provided through the Identity Manager User Application. The User Application Identity Self-Service lets users manage their passwords, including resetting and recovering from forgotten passwords.
Identity Manager also includes a Client Login Extension that can be used with the Novell Client and the Microsoft login GINA to facilitate password self-service. When users click the Forgot Password link in their client login, the Client Login Extension launches a restricted browser to access the User Application Identity Self-Service feature. For more information about the Client Login Extension, see the Identity Manager 3.6.1 Client Login Extension Guide.

2 Password Management Checklist

The following sections provide checklists for setting up password synchronization and password self-service. The prerequisites apply to both scenarios.
Section 2.1, “Prerequisites,” on page 13
Section 2.2, “Synchronizing Passwords,” on page 13
Section 2.3, “Password Self-Service,” on page 14

2.1 Prerequisites

The following prerequisites must be met before starting the tasks in Section 2.2, “Synchronizing Passwords,” on page 13 or Section 2.3, “Password Self-Service,” on page 14.
Make sure you have a functioning Identity Manager system in place. To do so, complete the tasks in the “Basic Identity Manager System Checklist” found in the Identity Manager 3.6.1 Installation Guide.
Make sure you have reviewed Chapter 1, “Overview,” on page 9 and understand the concepts associated with password synchronization and password self-service.
Deploy Universal Password. Universal Password coordinates the different types of Identity Vault passwords (simple, NDS®, enhanced), enables synchronization of the passwords with connected systems, and supports password self-service.
For information about deploying Universal Password, see “Deploying Universal Password” (http://www.novell.com/documentation/password_management32/pwm_administration/index.html?page=/documentation/password_management32/pwm_administration/data/allq21t.html) in the Novell Password Management 3.2 Administration Guide.

2.2 Synchronizing Passwords

Complete the following tasks to set up password synchronization between the Identity Vault and a connected system. Repeat the tasks for each connected system with which you want to synchronize passwords.
Verify that the driver supports password synchronization. For a list of supported drivers, see Chapter 3, “Connected System Support for Password Synchronization,” on page 15.
Make sure the driver is already installed and works with the connected system (except for password synchronization). For instructions, refer to the driver’s Implementation Guide on the Identity Manager 3.6.1 Drivers documentation site (http://www.novell.com/documentation/idm36drivers).
(Conditional) If you are using the Active Directory* driver, install the password filters required to synchronize passwords. For instructions, see “Setting Up Password Synchronization Filters” in the Identity Manager 3.6.1 Driver for Active Directory Implementation Guide.
(Conditional) If you are using the Linux and UNIX driver, install the password filters required to synchronize passwords. For instructions, see “Installing the PAM or LAM Module” (http://www.novell.com/documentation/idm36drivers/bi_impl_nx/data/b3xfnmq.html) in the Identity Manager 3.6.1 Driver for Linux and UNIX Implementation Guide.
Create a password policy that defines your business criteria for creating and replacing passwords. Assign the policy to the Identity Vault containers that hold the users to whom you want the policy applied. You can have more than one password policy if needed. For instructions, see “Managing Passwords by Using Password Policies” (http://www.novell.com/documentation/password_management32/pwm_administration/data/ampxjj0.html) in the Novell Password Management 3.2 Administration Guide.
Make sure the driver’s password synchronization settings support the correct flow of passwords between the Identity Vault and the connected system. For instructions, see Chapter 4, “Configuring Password Flow,” on page 19.
Set up e-mail notification so that users receive messages if their passwords are not successfully synchronized. For instructions, see Chapter 5, “Configuring E-Mail Notification,” on page 25.

2.3 Password Self-Service

Complete the following tasks to set up password self-service.
Install the User Application by following the installation checklist. For instructions, see “Installation Checklist” (http://www.novell.com/documentation/idmrbpm361/install/data/bf8up4w.html) in the Identity Manager Roles Based Provisioning Module 3.6.1 User Application Installation Guide.
(Conditional) By default, password self-service is available only within your firewall. If you want to make it available outside your firewall, you must set up a separate forgotten-password management IDMPedMgt.WAR file and deploy it. For more information, see “Configuring Forgotten Password Self-Service” (http://www.novell.com/documentation/idmrbpm36/agpro/data/b8q7ezv.html) in the Identity Manager Roles Based Provisioning Module User Application Administration Guide.
Set up the password self-service features (challenge response, forgotten password, password hints, and so forth). For instructions, see “Password Management Configuration” (http://www.novell.com/documentation/idmrbpm361/agpro/data/b6mixux.html) in the Identity Manager Roles Based Provisioning Module User Application Administration Guide.
(Conditional) If you want to use the Client Login Extension to facilitate password self-service through the Novell Client™ and Microsoft* login GINA, see the Identity Manager 3.6.1 Client Login Extension Guide.
3 Connected System Support for Password Synchronization

The level of support for password synchronization varies depending on the connected system. The following sections provide support information:
Section 3.1, “Systems That Support Bidirectional Password Synchronization,” on page 15
Section 3.2, “Systems That Accept Passwords from Identity Manager,” on page 15
Section 3.3, “Systems That Don’t Accept or Provide Passwords By Default,” on page 16
Section 3.4, “Systems That Don’t Support Password Synchronization,” on page 17

3.1 Systems That Support Bidirectional Password Synchronization

The following connected systems support bidirectional password synchronization. Bidirectional synchronization means that the connected system can provide the user’s actual password to Identity Manager and can accept password changes from Identity Manager. This allows the password to be changed in either the Identity Vault or the connected system and then synchronized as needed.
Table 3-1 Systems that Support Bidirectional Password Synchronization

Columns:
(a) Subscriber Channel: Application Can Accept Setting of Initial Password
(b) Subscriber Channel: Application Can Accept Modification of Password
(c) Subscriber Channel: Application Supports Check Password
(d) Publisher Channel: Application Can Provide (Sync) Password

Connected System Driver | (a) | (b) | (c) | (d)
Active Directory        | Yes | Yes | Yes | Yes
eDirectory™ (1)         | Yes | Yes | Yes | Yes
Linux and UNIX (NIS)    | Yes | Yes | Yes | Yes

(1) Between Identity Vault trees, you can have bidirectional password synchronization for users even if Universal Password is not enabled for those users. See Section A.1, “Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults,” on page 43.

3.2 Systems That Accept Passwords from Identity Manager

The following connected systems can accept passwords from Identity Manager to some degree but cannot provide a user’s actual password to Identity Manager.
Although they can’t provide the user’s actual password, they can be configured to create a password in the Identity Vault by using a policy on the Publisher channel. The password would be based on other user data in the connected system. The basic driver configurations provided for the connected systems include a default password based on the surname.
Table 3-2 Systems That Accept Passwords from Identity Manager

Columns:
(a) Subscriber Channel: Application Can Accept Setting of Initial Password
(b) Subscriber Channel: Application Can Accept Modification of Password
(c) Subscriber Channel: Application Supports Check Password
(d) Publisher Channel: Application Can Provide (Sync) Password

Connected System Driver | (a)     | (b)     | (c)     | (d)
GroupWise® (1)          | Yes     | Yes     | No      | No
JDBC                    | Yes (2) | No (3)  | No      | No (4)
LDAP                    | Yes (5) | Yes (5) | Yes     | No
Lotus Notes*            | Yes     | Yes (6) | Yes (6) | No
SAP* User Management    | Yes     | Yes     | No      | No

(1) GroupWise supports two authentication methods: GroupWise provides its own authentication and maintains user passwords, or GroupWise authenticates against eDirectory by using LDAP and does not maintain passwords. When you use the LDAP option, GroupWise ignores driver-synchronized passwords.
(2) The ability to set an initial password is available on all databases where the OS user account is distinct from the database user account, such as Oracle*, MS SQL, MySQL*, and Sybase*.
(3) The Identity Manager Driver for JDBC* can be used to modify a password on the connected system, but that feature is not demonstrated in the sample driver configuration.
(4) Passwords can be synchronized as data when stored in a table.
(5) If the target LDAP server allows setting the userpassword attribute.
(6) The Notes driver can accept a password modification and check passwords only for the HTTPPassword field in Lotus Notes.

3.3 Systems That Don’t Accept or Provide Passwords By Default

The following connected systems can’t accept passwords from Identity Manager or provide a user’s password to Identity Manager when using the basic driver configuration.
Although they can’t provide the user’s actual password, they can be configured to create a password in the Identity Vault by using a policy on the Publisher channel. The password would be based on other user data in the connected system. The basic driver configurations provided for the connected systems include a default password based on the surname.
Table 3-3 Systems That Don’t Accept or Provide Passwords

Columns:
(a) Subscriber Channel: Application Can Accept Setting of Initial Password
(b) Subscriber Channel: Application Can Accept Modification of Password
(c) Subscriber Channel: Application Supports Check Password
(d) Publisher Channel: Application Can Provide (Sync) Password

Connected System Driver | (a) | (b) | (c) | (d)
Delimited Text (1)      | No  | No  | No  | No
PeopleSoft 5.2          | No  | No  | No  | No
SAP HR                  | No  | No  | No  | No

(1) The Identity Manager Driver for Delimited Text does not have features in the driver shim that directly support Password Synchronization. However, the driver can be configured to handle passwords, depending on the connected system you are synchronizing with.

3.4 Systems That Don’t Support Password Synchronization

The following connected systems are not intended to participate in password synchronization.
Table 3-4 Systems That Don’t Support Password Synchronization

Columns:
(a) Subscriber Channel: Application Can Accept Setting of Initial Password
(b) Subscriber Channel: Application Can Accept Modification of Password
(c) Subscriber Channel: Application Supports Check Password
(d) Publisher Channel: Application Can Provide (Sync) Password

Connected System Driver | (a) | (b) | (c) | (d)
Avaya* PBX              | No  | No  | No  | No
Entitlements Service    | No  | No  | No  | No
LoopBack Service        | No  | No  | No  | No
Manual Task Service     | No  | No  | No  | No
Null Service            | No  | No  | No  | No
WorkOrder               | No  | No  | No  | No

4 Configuring Password Flow

To ensure that passwords flow between the Identity Vault and the connected system the way you expect them to, you should verify the password synchronization settings for the connected system’s driver are configured properly.
Section 4.1, “Verifying Password Synchronization Settings in iManager,” on page 19
Section 4.2, “Verifying Password Synchronization Settings in Designer,” on page 21

4.1 Verifying Password Synchronization Settings in iManager

1 In iManager, open the properties page for the driver whose password settings you want to check:
1a Click to display the Identity Manager Administration page.
1b In the Administration list, click Identity Manager Overview.
1c On the Driver Sets tab, locate the driver set that contains the driver whose settings you want to check. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.
1d Click the driver set to open the Driver Set Overview page.
1e Click the driver to display the Driver Overview page.
1f Click the upper right corner of the driver to display the Actions menu, then click Edit properties.
2 On the properties page, click the Server Variables tab to display the Password Synchronization page.
The settings that are enabled and disabled vary depending on the driver. Only those settings for features supported by the driver are available (not dimmed).
3 Verify that the settings are configured properly.
Identity Manager accepts passwords (Publisher Channel): If this option is enabled, Identity Manager allows passwords to flow from the connected system into the Identity Vault. Disabling this option means that no <password> elements are allowed to flow to Identity Manager. They are stripped out of the XML by a password synchronization policy on the Publisher channel.
This setting applies to user passwords that are provided by the connected system itself, and password values that are created by a policy on the Publisher channel.
If this option is enabled but the Distribution Password option below it is disabled, a <password> value coming from the connected system is written directly to the Universal password in the Identity Vault. If the user’s password policy does not enable Universal Password, the password is written to the NDS password.
Use Distribution Password for password synchronization: This setting is available only if the Identity Manager accepts passwords (Publisher Channel) setting is enabled.
If this option is enabled, a password value coming from the connected system is written to the Distribution password. The Distribution password is reversible, which means that it can be retrieved from the Identity Vault data store for password synchronization. It is used by Identity Manager for bidirectional password synchronization with connected systems. For Identity Manager to distribute passwords from this system to other systems, this option must be enabled.
Accept password only if it complies with user’s Password Policy: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.
If this option is selected, Identity Manager does not write a password from this connected system to the Distribution password in the Identity Vault or publish it to connected systems unless the password complies with the user’s password policy.
If a password does not comply, enable the Reset the user’s password to the Distribution Password setting to reset the user’s password on the connected system. This allows you to enforce the password policy on the connected system as well as in your Identity Vault. If you do not select this option, user passwords can become out-of-sync on connected systems. However, you need to consider the connected system’s password policies when deciding whether to use this option. Some connected systems might not allow the reset because they don't allow you to repeat passwords.
By using the Notify the user of password synchronization failure via e-mail setting, you can inform users when a password fails to be set or reset. Notification is especially helpful for this option. If the user changes to a password that is allowed by the connected system but rejected by Identity Manager because of the password policy, the user won't know that the password has been reset until the user receives a notification or tries to log in to the connected system with the old password.
Always accept password; ignore Password Policies: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.
If you select this option, Identity Manager does not enforce the user’s password policy for this connected system. Identity Manager writes the password from this connected system to the Distribution password in the Identity Vault and distributes it to other connected systems regardless of password policy compliance.
Application accepts passwords (Subscriber Channel): If you enable this option, the driver sends passwords from the Identity Vault to this connected system. This also means that if a user changes the password on a different connected system that is publishing passwords to the Distribution password in the Identity Vault, the password is changed on this connected system.
By default, the Distribution password is the same as the Universal password in the Identity Vault, so changes to the Universal password made in the Identity Vault are also sent to the connected system.
Notify the user of password synchronization failure via e-mail: If you enable this option, e-mail is sent to the user if a password is not synchronized, set, or reset. The e-mail that is sent to the user is based on an e-mail template. This template is provided by the Password Synchronization application. However, for the template to work, you must customize it and specify an e-mail server to send the notification messages. For instructions, see Chapter 5, “Configuring E-Mail Notification,” on page 25.
4 When you are finished, click OK to save your changes.
The settings are saved as Global Configuration Values. You can view them on the Identity Manager > Global Config Values page.

4.2 Verifying Password Synchronization Settings in Designer

1 In Designer, open your project.
2 In the Modeler, right-click the icon for the driver whose settings you want to check, then click Password Synchronization to display the Password Synchronization Options dialog box.
The settings that are enabled and disabled vary depending on the driver. Only those settings for features supported by the driver are available (not dimmed).
3 Verify that the settings are configured properly.
Identity Manager accepts passwords (Publisher Channel): If this option is enabled, Identity Manager allows passwords to flow from the connected system into the Identity Vault. Disabling this option means that no <password> elements are allowed to flow to Identity Manager. They are stripped out of the XML by a password synchronization policy on the Publisher channel.
This setting applies to user passwords that are provided by the connected system itself, and password values that are created by a policy on the Publisher channel.
If this option is enabled but the Distribution Password option below it is disabled, a <password> value coming from the connected system is written directly to the Universal password in the Identity Vault. If the user’s password policy does not enable Universal Password, the password is written to the NDS password.
Use Distribution Password for password synchronization: This setting is available only if the Identity Manager accepts passwords (Publisher Channel) setting is enabled.
If this option is enabled, a password value coming from the connected system is written to the Distribution password. The Distribution password is reversible, which means that it can be retrieved from the Identity Vault data store for password synchronization. It is used by Identity Manager for bidirectional password synchronization with connected systems. For Identity Manager to distribute passwords from this system to other systems, this option must be enabled.
Accept password only if it complies with user’s Password Policy: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.
If this option is selected, Identity Manager does not write a password from this connected system to the Distribution password in the Identity Vault or publish it to connected systems unless the password complies with the user’s password policy.
If a password does not comply, enable the Reset the user’s password to the Distribution Password setting to reset the user’s password on the connected system. This allows you to enforce the password policy on the connected system as well as in your Identity Vault. If you do not select this option, user passwords can become out-of-sync on connected systems. However, you need to consider the connected system’s password policies when deciding whether to use this option. Some connected systems might not allow the reset because they don't allow you to repeat passwords.
By using the Notify the user of password synchronization failure via e-mail setting, you can inform users when a password fails to be set or reset. Notification is especially helpful for this option. If the user changes to a password that is allowed by the connected system but rejected by Identity Manager because of the password policy, the user won't know that the password has been reset until the user receives a notification or tries to log in to the connected system with the old password.
Always accept password; ignore Password Policies: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.
If you select this option, Identity Manager does not enforce the user’s password policy for this connected system. Identity Manager writes the password from this connected system to the Distribution password in the Identity Vault and distributes it to other connected systems regardless of password policy compliance.
The application accepts passwords (Subscriber Channel): If you enable this option, the driver sends passwords from the Identity Vault to this connected system. This also means that if a user changes the password on a different connected system that is publishing passwords to the Distribution password in the Identity Vault, the password is changed on this connected system.
By default, the Distribution password is the same as the Universal password in the Identity Vault, so changes to the Universal password made in the Identity Vault are also sent to the connected system.
Notify the user of password synchronization failure via e-mail: If you enable this option, e-mail is sent to the user if a password is not synchronized, set, or reset. The e-mail that is sent to the user is based on an e-mail template. This template is provided by the Password Synchronization application. However, for the template to work, you must customize it and specify an e-mail server to send the notification messages. For instructions, see Chapter 5, “Configuring E-Mail Notification,” on page 25.
4 When you are finished, click OK to save your changes.
The settings are saved as Global Configuration Values. You can view them on the Identity Manager > Global Config Values page.
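To make the gating between these options concrete, the following is an added Python model of the Publisher-channel decisions described in Sections 4.1 and 4.2. It is not Identity Manager code: the setting names, the outcome labels and the XDS-style sample event are assumptions constructed for the illustration, not the product's real Global Configuration Value names or its policy XML. One function returns where an incoming password is written under a given combination of settings, and a second removes <password> elements from a constructed event the way the guide says the Publisher-channel policy does when Identity Manager does not accept passwords.

```python
"""Model of the Publisher-channel password routing described in Sections 4.1 and 4.2.

Added illustration, not Identity Manager code: the setting names, the sample XML event
and the outcome labels are assumptions chosen to mirror the options the guide describes.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass
class PasswordSyncSettings:
    """One driver's Password Synchronization settings (modelled names, not real GCVs)."""
    accepts_passwords_publisher: bool = True   # "Identity Manager accepts passwords (Publisher Channel)"
    use_distribution_password: bool = True     # "Use Distribution Password for password synchronization"
    accept_only_if_compliant: bool = True      # True: "Accept password only if it complies"; False: "Always accept"
    reset_on_noncompliance: bool = False       # "Reset the user's password to the Distribution Password"
    universal_password_enabled: bool = True    # assumed to come from the user's password policy


def route_publisher_password(settings: PasswordSyncSettings, complies_with_policy: bool) -> str:
    """Return where a password arriving from the connected system ends up.

    Outcomes: 'stripped' (never reaches Identity Manager), 'universal', 'nds',
    'distribution', 'rejected' (not stored or distributed) or
    'reset-connected-system' (rejected, and the connected system is reset to the
    Distribution password).
    """
    if not settings.accepts_passwords_publisher:
        # The Publisher-channel policy removes <password> elements; nothing is written.
        return "stripped"
    if not settings.use_distribution_password:
        # Written straight to Universal Password, or to the NDS password when the
        # user's policy does not enable Universal Password.
        return "universal" if settings.universal_password_enabled else "nds"
    if settings.accept_only_if_compliant and not complies_with_policy:
        # Policy enforcement: a non-compliant password is neither stored nor distributed.
        return "reset-connected-system" if settings.reset_on_noncompliance else "rejected"
    # The Distribution password is reversible, so the value can be synchronized onward.
    return "distribution"


# Constructed Publisher-channel event (assumed XDS-like shape) carrying one <password>.
SAMPLE_EVENT = """<nds dtdversion="3.5">
  <input>
    <modify class-name="User" src-dn="\\CN=jsmith">
      <modify-attr attr-name="Surname">
        <add-value><value>Smith</value></add-value>
      </modify-attr>
      <password>NotARealPassw0rd</password>
    </modify>
  </input>
</nds>"""


def strip_password_elements(xml_text: str) -> tuple:
    """Remove every <password> element, as the Publisher-channel policy does when
    'Identity Manager accepts passwords' is disabled. Returns (cleaned XML, count removed)."""
    root = ET.fromstring(xml_text)
    # Collect first, then remove, so the tree is not mutated while it is being walked.
    doomed = [(parent, child)
              for parent in root.iter()
              for child in list(parent)
              if child.tag == "password"]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)


if __name__ == "__main__":
    locked_down = PasswordSyncSettings(accepts_passwords_publisher=False)
    print(route_publisher_password(locked_down, complies_with_policy=True))   # stripped
    cleaned, count = strip_password_elements(SAMPLE_EVENT)
    print(count, cleaned)
```

The two combinations worth re-checking after any change are the ones that widen what the Identity Vault accepts: "Always accept password" lets a value that fails the Vault's policy be stored in the Distribution password and pushed to every other connected system, and disabling "Use Distribution Password" writes the incoming value straight to Universal Password (or the NDS password) with no policy check at all.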