This section answers some frequently asked questions about PasswordSync.

Question: Can PasswordSync be implemented without a Java Messaging Service?

Answer: Yes, but doing so eliminates the advantages of using a JMS to track password change events.

To implement PasswordSync without a JMS, launch the configuration application with the -direct flag.
When the -direct flag is specified, the configuration application displays the User tab.
If you implement PasswordSync without a JMS, you do not need to create a JMS Listener adapter. Therefore, you should omit the procedures listed in Deploying PasswordSync on the Application Server. If you want to set up notifications, you may need to alter the Change User Password workflow.
If you subsequently run the configuration application without specifying the -direct flag, PasswordSync will require a JMS to be configured. Relaunch the application with the -direct flag to bypass the JMS again.
Question: Can PasswordSync be used in conjunction with other Windows password filters that are used to enforce custom password policies?

Answer: Yes, you can use PasswordSync in conjunction with other Windows password filters. It must, however, be the last password filter listed in the Notification Packages registry value.
You must use this Registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages (value of type REG_MULTI_SZ)
By default, the installer places the Identity Manager password intercept (lhpwic) at the end of the list. If you installed a custom password filter after installing PasswordSync, you must move lhpwic to the end of the Notification Packages list.
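Checking that lhpwic is still the last entry can be scripted. The following PowerShell is an added example, not part of PasswordSync or its documentation; the function name Test-PasswordSyncFilterOrder and its -Apply switch are this example's own choices, and it assumes the value lives at the registry path given above.

```powershell
# Added example (not part of the PasswordSync product or its documentation):
# checks that the Identity Manager password intercept, lhpwic, is the last
# entry in the LSA "Notification Packages" value, as the FAQ requires, and
# optionally rewrites the value with lhpwic moved to the end.
# The function name and the -Apply switch are this example's own choices.
function Test-PasswordSyncFilterOrder {
    [CmdletBinding()]
    param(
        # Name of the intercept DLL as it appears in the value (no .dll suffix)
        [string]$FilterName = 'lhpwic',
        # Rewrite the value with $FilterName moved to the end; requires elevation
        [switch]$Apply
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'Notification Packages'

    # A REG_MULTI_SZ value is returned as a string array
    $packages = @((Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName)

    # Locate the intercept (package names in the value are not case-sensitive)
    $index = -1
    for ($i = 0; $i -lt $packages.Count; $i++) {
        if ($packages[$i] -ieq $FilterName) { $index = $i }
    }

    $status =
        if ($index -lt 0)                       { 'Missing' }
        elseif ($index -eq $packages.Count - 1) { 'Last' }
        else                                    { 'NotLast' }

    # Corrected ordering: every other package in its current order, then the intercept
    $fixed = $null
    if ($index -ge 0) {
        $fixed = @($packages | Where-Object { $_ -ine $FilterName }) + $FilterName
    }

    if ($Apply -and $status -eq 'NotLast') {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value ([string[]]$fixed) -Type MultiString
        # LSA reads Notification Packages at boot, so the new order takes effect after a restart
    }

    [pscustomobject]@{
        Status    = $status
        Current   = $packages
        Corrected = $fixed
        Applied   = [bool]($Apply -and $status -eq 'NotLast')
    }
}

# Report only; add -Apply from an elevated session to reorder the value
Test-PasswordSyncFilterOrder | Format-List
```

Run it without -Apply first and compare Current with Corrected; a Status of NotLast means a filter was added after lhpwic. Because LSA loads the listed packages at startup, a reordered value only takes effect after the machine is restarted.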
You can use PasswordSync in conjunction with other Identity Manager password policies. When policies are checked on the Identity Manager server side, all resource password policies must pass in order for the password synchronization to be pushed out to other resources. Consequently, you should make the Windows native password policy as restrictive as the most restrictive password policy defined in Identity Manager.
The password intercept DLL does not enforce any password policies.
Question: Can the PasswordSync servlet be installed on a different application server than Identity Manager?

Answer: Yes. The PasswordSync servlet requires the spml.jar and idmcommon.jar files, in addition to any jar files required by the JMS application.
Question: Does the PasswordSync service send passwords over to the lh server in clear text?

Answer: Although best practice is to run PasswordSync over SSL, all sensitive data is encrypted before being sent to the Identity Manager server.

For more information, see Configure PasswordSync for SSL.
Question: Why do some password changes result in com.waveset.exception.ItemNotLocked?

Answer: If you enable PasswordSync, a password change (even one initiated from the user interface) results in a password change on the resource, which causes the resource to contact Identity Manager.

If you configure the passwordSyncThreshold workflow variable correctly, Identity Manager examines the user object and decides that it has already handled the password change. However, if the user or the administrator makes another password change for the same user at the same time, the user object could be locked.