Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Setting Up Identity Manager 5.0 SP2 and Later

Identity Manager 5.0 SP2 introduced a new form property that prevents the Directory Server resource from being shown as a resource where passwords can be changed. Identity Manager 5.0 SP2 also introduced a new system configuration property that can be used to prevent pwsync from reflecting password changes to the Directory Server resource.

Configuring the Form Property

To ensure that Identity Manager does not propagate user password changes to Directory Server but instead only propagates them to Active Directory, and then relies on Identity Synchronization for Windows to propagate them to Directory Server, the following form property can be added to any form used for changing a user's password. This will prevent a resource from being displayed in the table of resources where password changes occur.


<Properties>
   <Property name='Exclude'>
      <list>
         <new class='com.waveset.object.AttributeCondition'>
            <s>id</s>
            <s>equals</s>
            <s>#ID#50D9481DC6C43026:3BB34:FFB73A9286:-7FC0</s>
         </new>
      </list>
   </Property>
</Properties>

The resource can be excluded by id (as shown in the fragment above), by name (a string), or by type (also a string). The forms in which this property must be included are:


Note –

Some of the forms above already include the form property. In such scenarios, only the new attribute condition needs to be added from the XML fragment above.

When a form carries more than one attribute condition, the conditions are AND'ed together (they cannot be OR'ed). For example, if the Change My Password form and the Change Password form already include an attribute condition that excludes disabled resources, and the condition above is added, a resource is excluded only if it meets both conditions, that is, it is disabled and it has the ID you entered.

If a form does not already include the Exclude property, add it either by copying the full XML fragment above or, if a <Properties> block already exists in the form, by adding only the <Property name='Exclude'> element inside that block.


Configuring pwsync to Not Propagate Passwords to Directory Server

The passwordSyncExcludeList System Configuration attribute lists the resources that must not be updated when the Active Directory pwsync plugin detects a password change. In a combined Identity Manager and Identity Synchronization for Windows environment, this attribute should list every Directory Server that is being synchronized, so that Identity Manager and Identity Synchronization for Windows do not both attempt to apply the same password change. To add the attribute to the System Configuration object, open the /debug page (for example, http://applicationserverhost:port/idm/debug), list objects of type Configuration, and edit the System Configuration to include the following:

<Attribute name='passwordSyncExcludeList' value='Directory Server Resource'/>

where Directory Server Resource is the name of the resource to be excluded during a pwsync password change. (If there is more than one resource to exclude, use a comma-separated list.)
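Both settings described in this chapter (the Exclude form property and the passwordSyncExcludeList system attribute) are easy to get subtly wrong: an id typed into the wrong form, or a synchronized Directory Server resource left out of the comma-separated list, silently re-enables the duplicate password propagation the chapter is trying to prevent. The following script is an added example, not part of the Sun documentation or the Identity Manager product, that audits exported form and System Configuration XML for exactly these two points. It assumes only the element shapes shown on this page (the Properties/Property/list/new structure and the Attribute element); the enclosing Form, Configuration, Extension and Object elements in the constructed samples are placeholders for the product's real object layout, and the "disabled equals true" condition is a constructed stand-in for a pre-existing attribute condition.

```python
"""Audit helpers for the Exclude form property and the passwordSyncExcludeList
System Configuration attribute. Added example; assumptions are noted inline."""
import xml.etree.ElementTree as ET

# Constructed sample: a password-change form that already excludes disabled
# resources (placeholder condition) and has the id condition from the page
# AND'ed to it, as the chapter describes.
FORM_XML = """
<Form name='Change My Password'>
  <Properties>
    <Property name='Exclude'>
      <list>
        <new class='com.waveset.object.AttributeCondition'>
          <s>disabled</s><s>equals</s><s>true</s>
        </new>
        <new class='com.waveset.object.AttributeCondition'>
          <s>id</s><s>equals</s><s>#ID#50D9481DC6C43026:3BB34:FFB73A9286:-7FC0</s>
        </new>
      </list>
    </Property>
  </Properties>
</Form>
"""

# Constructed sample: a System Configuration carrying the attribute from the
# page. The Configuration/Extension/Object wrapper is a placeholder layout.
SYSCONFIG_XML = """
<Configuration name='System Configuration'>
  <Extension>
    <Object>
      <Attribute name='passwordSyncExcludeList' value='Directory Server Resource'/>
    </Object>
  </Extension>
</Configuration>
"""

COND_PATH = (".//Property[@name='Exclude']/list/"
             "new[@class='com.waveset.object.AttributeCondition']")
EXCLUDE_ATTR_PATH = ".//Attribute[@name='passwordSyncExcludeList']"


def exclude_conditions(form_xml):
    """Return every AttributeCondition under the Exclude property as
    (attribute, operator, value) tuples, in document order."""
    root = ET.fromstring(form_xml)
    conds = []
    for new in root.findall(COND_PATH):
        parts = [(s.text or "").strip() for s in new.findall("s")]
        if len(parts) == 3:
            conds.append(tuple(parts))
    return conds


def excludes_resource_id(form_xml, resource_id):
    """True if the form has an 'id equals <resource_id>' condition. Because
    conditions are AND'ed, a resource is hidden only if every other
    condition on the form also holds for it."""
    return ("id", "equals", resource_id) in exclude_conditions(form_xml)


def _split_list(value):
    # Assumption: entries are comma-separated; surrounding whitespace ignored.
    return [n.strip() for n in value.split(",") if n.strip()]


def pwsync_exclude_list(sysconfig_xml):
    """Resource names currently listed in passwordSyncExcludeList."""
    attr = ET.fromstring(sysconfig_xml).find(EXCLUDE_ATTR_PATH)
    return [] if attr is None else _split_list(attr.get("value", ""))


def missing_pwsync_excludes(sysconfig_xml, synced_resources):
    """Synchronized Directory Server resources that pwsync would still update."""
    listed = set(pwsync_exclude_list(sysconfig_xml))
    return [r for r in synced_resources if r not in listed]


def with_pwsync_excludes(sysconfig_xml, names):
    """Return the configuration XML with the given resource names merged into
    passwordSyncExcludeList (created if absent, duplicates dropped)."""
    root = ET.fromstring(sysconfig_xml)
    attr = root.find(EXCLUDE_ATTR_PATH)
    if attr is None:
        # Placeholder choice of parent: the first Object element, else the root.
        parent = root.find(".//Object")
        attr = ET.SubElement(parent if parent is not None else root, "Attribute",
                             name="passwordSyncExcludeList", value="")
    current = _split_list(attr.get("value", ""))
    for name in names:
        if name not in current:
            current.append(name)
    attr.set("value", ",".join(current))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    rid = "#ID#50D9481DC6C43026:3BB34:FFB73A9286:-7FC0"
    print("form excludes resource id:", excludes_resource_id(FORM_XML, rid))
    print("not yet excluded from pwsync:",
          missing_pwsync_excludes(SYSCONFIG_XML, ["Directory Server Resource", "DS Replica"]))
    print(with_pwsync_excludes(SYSCONFIG_XML, ["DS Replica"]))
```

The serializer emits double-quoted attributes where the page uses single quotes; both are valid XML and Identity Manager's parser accepts either. Run the audit against the exported form and configuration objects from the /debug page before and after the edit, and treat a non-empty result from missing_pwsync_excludes as a configuration defect to fix, not a warning to suppress.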