Appendix B Configuring Identity Manager and Identity Synchronization for Windows to Coexist

This appendix describes how Sun Java System Identity Synchronization for Windows 6.0 and Identity Manager 5.0 SP2 coexist in a customer deployment as part of a larger user support strategy, to facilitate native password changes on Directory Server and Active Directory.

This appendix augments the Chapter 3, Case Study: Deploying in a High-Availability Environment Over a WAN Using SSL integration of Identity Synchronization for Windows with Identity Manager, and the changes required in Identity Manager, for coexistence.

This appendix assumes that you have knowledge of the concepts of and deployment experience with Identity Manager.

This appendix covers the following topics:

• Components for Deploying Identity Manager and Identity Synchronization for Windows

• Identity Manager and Identity Synchronization for Windows Functionality

• Password Changes on Active Directory

• Password Changes on Directory Server

• Password Changes and Provisions Originating From Identity Manager Administrator Interface

• Configuring Identity Manager and Identity Synchronization for Windows

Components for Deploying Identity Manager and Identity Synchronization for Windows

This section explains the main components of the Identity Manager and Identity Synchronization for Windows deployment:

• Active Directory domains

• Separate Directory Server deployment

• Any other Identity Manager-managed resource (which does not include the previous two) for example, Oracle RDBMS

The Identity Manager Administrator Interface handles resource administration, such as system-wide password changes and user creations. All password changes between Directory Servers and Active Directory domains are synchronized using Identity Synchronization for Windows. Password changes that occur within an Active Directory Domain are synchronized to Directory Server using Identity Synchronization for Windows, and synchronized to all other Identity Manager resources using pwsync, an Identity Manager Dynamic Link Library (DLL) installed on the Primary Domain Controllers of Windows systems. All password changes originating from the Identity Manager Administrator Interface are subsequently propagated to all Identity Manager resources, except the Sun Java System Directory Server. All user creations originating from the Identity Manager Administrator Interface are propagated to all resources, including Directory Servers. See also Configuring pwsync to Not Propagate Passwords to Directory Server.

Figure B–1 Password Synchronization and User Creation in an Identity Manager and Identity Synchronization for Windows Environment

Identity Manager and Identity Synchronization for Windows Functionality

For Identity Manager and Identity Synchronization for Windows to work effectively, both must be deployed and configured to function as a single system.

Identity Synchronization for Windows functionality includes the following:

• Detection of all the password changes on Active Directory, and synchronization with Directory Server using on-demand synchronization

• Detection of all password changes on Directory Server, and synchronization with Active Directory

Identity Synchronization for Windows does not synchronize these functions:

• User creations

• User deletions

• Non-password attributes

The Identity Manager functionality, coexisting with Identity Synchronization for Windows, includes the following:

• Detection of all password changes on Active Directory using pwsync, and synchronization of the changes to all other Identity Manager-managed resources, except Directory Server resources

• Use of the Identity Manager Administrator Interface to propagate user password changes to Active Directory and all other Identity Manager-managed resources, except Directory Servers

• Use of the Identity Manager Administrator Interface to propagate new users across all Identity Manager-managed resources (including Directory Servers)

Password Changes on Active Directory

Passwords modified on Active Directory are propagated through the Identity Managerand Identity Synchronization for Windows deployment as described here.

1. The user resets the password on Active Directory by using the Change Password option in the Task Manager dialog box of Windows.

2. Identity Synchronization for Windows detects the change and sets a password invalid flag on the corresponding user entry in the Identity Synchronization for Windows-managed Directory Server.

3. The user connects to Directory Server for the password change to be complete (see Using On-Demand Password Synchronization to Obtain Clear-Text Passwords in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide).

4. Identity Manager’s pwsync DLL also detects the password change and propagates it to all other Identity Manager-managed resources, except Directory Servers.

Password Changes on Directory Server

Passwords modified on Directory Servers are propagated through the Identity Managerand Identity Synchronization for Windows deployment as described here:

1. The user changes the password on Directory Server.

2. The password change is detected by Identity Synchronization for Windows and propagated to Active Directory.

3. Identity Manager’s pwsync DLL also detects the password change and propagates it to all other Identity Manager-managed resources, except Directory Servers.

Password Changes and Provisions Originating From Identity Manager Administrator Interface

Password changes that occur through the Identity Manager Administrator Interface are propagated to all Identity Manager-managed resources, except Directory Server. When a password change is detected on Active Directory, Identity Synchronization for Windows synchronizes it with Directory Server.

User creation originating from the Identity Manager Administrator Interface is propagated to all Identity Manager-managed resources, including both Directory Server and Active Directory domains. New users will have to be linked by Identity Synchronization for Windows. For details, see Configuring pwsync to Not Propagate Passwords to Directory Server and Handling Identity Manager-Provisioned Users.

Configuring Identity Manager and Identity Synchronization for Windows

Configuring Identity Manager and Identity Synchronization for Windows can involve the following tasks:

• Setting up Identity Manager 5.0 SP2

• Setting up Identity Manager 5.0 SP1

• Configuring Identity Synchronization for Windows

Setting Up Identity Manager 5.0 SP2

Starting with Identity Manager 5.0 SP2, a new form property was introduced that prevents the Directory Server resource from being shown as a resource where passwords can be changed. Identity Manager 5.0 SP2 also introduced a new system configuration property that can be used to prevent pwsync from propagating password changes to the Directory Server resource.

Configuring the Form Property

You must ensure that Identity Manager does not propagate user password changes to Directory Server, but only to Active Directory. You must also ensure that Identity Managerrelies on Identity Synchronization for Windows to propagate the password changes to Directory Server.

To prevent a resource from being displayed in the table of resources where password changes occur, add the following form property to any form that is used for changing a user's password.

<Properties\>
   <Property name='Exclude'\>
      <list\>
         /<new class='com.waveset.object.AttributeCondition'\>
            <s\>id</s\>
            <s\>equals</s\>
            <s\>#ID#50D9481DC6C43026:3BB34:FFB73A9286:-7FC0</s\>
         </new\>/
       </list\>
   </Property\>
</Properties\>

The resource can be excluded by id (as shown in the form), by name (a string), or by type (also a string). The forms to which this property must be included are as follows:

• Change User Password Form

• Change My Password Form

• Change Password Form

• Expired Login Form

• Reset User Password Form

• Tabbed User Form

If some of these forms already include the form property, only the new attribute condition needs to be added (from the XML fragment in this procedure).

In multiple attribute condition scenarios, the forms are and'ed together (they cannot be or'ed). For example, if the Change My Password Form and Change Password Form already include an attribute condition to exclude disabled resources, and the id condition is added, a resource will only be excluded if it meets both conditions, that is, it is disabled and has the ID you entered.

If a form does not already include the Exclude property, add it by copying the full XML fragment in this procedure or add the <Property name=Exclude\>, if a <Properties\> block already exists.

Configuring pwsync to Not Propagate Passwords to Directory Server

The passwordSyncExcludeList system configuration attribute lists resources that should not be updated when the Active Directory pwsync DLL detects a password change. In an Identity Manager and Identity Synchronization for Windows environment, this attribute should include Directory Servers that are being synchronized, to prevent unwanted interaction between Identity Manager and Identity Synchronization for Windows.

1. Go to the /debug page, for example, http://applicationserverhost:port/idm/debug)

2. List objects of type Configuration

3. Add the following attributes to the system configuration file:

   <Attribute name='passwordSyncExcludeList' value='Directory Server Resource'/\>

   where Directory Server Resource is the name of the resource to be excluded during a pwsync password change. If you need to exclude more than one resource, use a comma-separated list.)

Setting Up Identity Manager 5.0 SP1

Identity Manager installations prior to 5.0 SP2 require a modification to the workflow for coexistence with Identity Synchronization for Windows. These changes facilitate propagation of updates from other Identity Manager resources to Directory Servers (provisioning) and to Active Directory (passwords and provisioning). Administrators must install the Identity Manager component pwsync on all domain controllers where password synchronization is desired with all other Identity Manager-managed resources, except Directory Server.

This workflow change will result in an error during the end-user password change. However, the change is propagated to Directory Server.

To modify the Identity Manager workflow:

1. Install pwsync on all Active Directory domain controllers.

2. Modify the Identity Manager task definition for Change User Password from either the /debug page or the Configuration Editor.

   1. Add a new activity to remove the Directory Server resources that should not have the password reset.

   2. Replace the string NAME DS RESOURCE with the names of these Directory Server resources by adding the following activity:

      <Activity id='1' name='RemoveLDAP'\> <Variable name='userObject'/\> # checkout user # <Action id='0' application='com.waveset.session.WorkflowServices'\> <Argument name='op' value='checkoutObject'/\> <Argument name='type' value='User'/\> <Argument name='name' value='$(accountId)'/\> <Argument name='authorized' value='true'/\> <Return from='object' to='userObject'/\> </Action\> <Action id='1'\> <expression\> <block\> # Get pending changes for Directory Server resource # <defvar name='resourceInfo'\> <invoke name='getResourceInfo'\> <ref\>userObject</ref\> <s\>NAME DS RESOURCE</s\> </invoke\> </defvar\>

      # Clears pending password change # <invoke name='setPassword'\> <ref\>resourceInfo</ref\> <null/\> </invoke\> # Get other pending resource changes # <defvar name='resourceInfoAttributes'\> <invoke name='getAttributes'\> <ref\>resourceInfo</ref\> </invoke\> </defvar\> # removes expire password flag # <invoke name='remove'\> <ref\>resourceInfoAttributes</ref\> <s\>expirePassword</s\> </invoke\> # Set cleared attributes for check in # <invoke name='setAttributes'\> <ref\>resourceInfo</ref\> <ref\>resourceInfoAttributes</ref\> </invoke\> </block\> </expression\> </Action\> # Check in user # <Action id='2' application='com.waveset.session.WorkflowServices'\> <Argument name='op' value='checkinObject'/\> <Argument name='object' value='$(userObject)'/\> </Action\> <Transition to='Reprovision'/\> </Activity\>

Configuring Identity Synchronization for Windows

Identity Synchronization for Windows should be configured as described in Chapter 3, Case Study: Deploying in a High-Availability Environment Over a WAN Using SSL, and not for user creations or any other attribute synchronization.

Handling Identity Manager-Provisioned Users

User creation is not the responsibility of Identity Synchronization for Windows in this deployment. Therefore, new users that are added to Directory Server using Identity Manager will not be linked to the corresponding entries in Active Directory domains, or conversely. To establish this link for new users, an administrator must periodically execute idsync resync so that password changes for the new entries are synchronized.

The frequency with which this operation is executed is the administrator’s decision and the periodic automated execution is performed using a scheduled UNIX cron job. For details, see Periodic idsync resync Operation for Primary Installation.