Before an LDAP adapter can be used to synchronize LDAP passwords, you must perform the following tasks:
Configure the LDAP resource adapter.
Enable the password synchronization features.
Use the following steps to configure the LDAP resource adapter to support password synchronization.
Import the LDAP Password ActiveSync Form into Identity Manager. This form is defined in $WSHOME/sample/forms/LDAPPasswordActiveSyncForm.xml.
In the Active Sync wizard for the resource, set the input form to LDAP Password ActiveSync Form.
Enable password synchronization in any LDAP resource adapter
Generate a configuration LDIF file (required for the installation of the Password Capture plug-in)
Re-generate the password encryption key and salt, if desired. This is an optional feature.
The LDIF file contains three entries:
Schema change. Updates the Directory Server schema to allow the use of the idmpasswd operational attribute.
Plug-in definition. Registers the plug-in with the Directory Server and enables it.
Plug-in configuration. Provides the basic configuration of the plug-in. For example, the obfuscated password encryption key is stored in this configuration entry.
Use the following steps to implement these features.
Open the Identity Manager Configure Password Synchronization page, which is located at http://PathToIdentityManager/configure/passwordsync.jsp .
Select the LDAP resource that will be used to synchronize passwords from the Resource menu.
Select Enable Password Synchronization from the Action menu.
Click OK. The page refreshes to display a new item in the Action menu.
Select Download plug-in configuration LDIF from the Action menu.
Click OK. The page refreshes to display several new options.
Select a version from the Directory Server version menu.
Select the resource’s operating system from the Operating System Type menu.
In the Plugin Installation Directory field, enter the directory on the host where the plug-in will be installed.
Click OK to generate and download the LDIF file. If necessary, you may now regenerate an encryption key.
Select Regenerate encryption key from the Action menu.
Click OK. The encryption parameters are updated.
If your Directory Server users do not have the default objectclasses (person, organizationalPerson or inetorgperson), then you must edit the LDIF file created when you selected Download plug-in configuration LDIF. You must replace the default value assigned in the idm-objectclass attribute with an objectclass implemented in your environment so that the plug-in can capture the password change.
For example, if your users are defined with the account, posixaccount and shadowaccount objectclasses, replace the default value assigned in the idm-objectclass attribute with one or more of these classes.
idm-objectclass: account
idm-objectclass: posixaccount
Note that multivalued attributes should not be represented as comma-separated strings. Each value for the idm-objectclass that you want to match must be entered on a separate line on the LDIF configuration. Passwords are captured for entries that match any of the idm-objectclass values.
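As an added example (not part of the product documentation or the plug-in itself), the following Python check parses the plug-in configuration entry, flags idm-objectclass values that were written as a comma-separated string, rewrites them one value per line, and applies the any-match rule described above. The DN and objectClass lines in the sample entry are constructed placeholders; only the idm-objectclass attribute is the one the page describes.

```python
import re
from typing import Dict, List

# Constructed sample of the plug-in configuration entry. The DN and the two
# objectClass lines are placeholders, not the real generated LDIF. The
# idm-objectclass values here were wrongly written as one comma-separated string.
SAMPLE_LDIF = """dn: cn=PLACEHOLDER-plugin-config,cn=PLACEHOLDER
objectClass: top
objectClass: extensibleObject
idm-objectclass: account, posixaccount
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values; folds continuation lines."""
    attrs: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\n ", "", text)  # LDIF continuation lines begin with a space
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_idm_objectclass(attrs: Dict[str, List[str]]) -> List[str]:
    """Return a warning for each value that cannot match a single objectclass name."""
    return [f"comma-separated value {v!r}: use one idm-objectclass line per class"
            for v in attrs.get("idm-objectclass", []) if "," in v]


def normalize_idm_objectclass(attrs: Dict[str, List[str]]) -> List[str]:
    """Split any comma-separated idm-objectclass values into separate values."""
    fixed: List[str] = []
    for value in attrs.get("idm-objectclass", []):
        fixed.extend(p.strip().lower() for p in value.split(",") if p.strip())
    return fixed


def render_idm_objectclass(values: List[str]) -> str:
    """Emit the attribute the way the LDIF expects it: one line per value."""
    return "\n".join(f"idm-objectclass: {v}" for v in values)


def password_captured(entry_objectclasses: List[str], idm_objectclasses: List[str]) -> bool:
    """The plug-in captures a password change when the entry has ANY configured class."""
    return not {c.lower() for c in entry_objectclasses}.isdisjoint(idm_objectclasses)
```

Running the check on the sample shows why the comma-separated form is a silent failure: the single value "account, posixaccount" matches no real objectclass, so no passwords would be captured until it is split into two lines.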
After password synchronization is enabled, the following attributes are displayed under Resource Specific Settings on the resource's Active Sync wizard parameters page:
Enable password synchronization
Password encryption key
Password encryption salt
Only the Enable password synchronization field may be changed on this page. The encryption attributes should only be updated from the Configure Password Synchronization JSP page (passwordsync.jsp).