Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Setting Up Identity Manager 5.0 SP2

Starting with Identity Manager 5.0 SP2, a new form property was introduced that prevents the Directory Server resource from being shown as a resource where passwords can be changed. Identity Manager 5.0 SP2 also introduced a new system configuration property that can be used to prevent pwsync from propagating password changes to the Directory Server resource.

Configuring the Form Property

You must ensure that Identity Manager does not propagate user password changes to Directory Server, but only to Active Directory. You must also ensure that Identity Managerrelies on Identity Synchronization for Windows to propagate the password changes to Directory Server.

To prevent a resource from being displayed in the table of resources where password changes occur, add the following form property to any form that is used for changing a user's password.

   <Property name='Exclude'\>
         /<new class='com.waveset.object.AttributeCondition'\>

The resource can be excluded by id (as shown in the form), by name (a string), or by type (also a string). The forms to which this property must be included are as follows:

If some of these forms already include the form property, only the new attribute condition needs to be added (from the XML fragment in this procedure).

Note –

In multiple attribute condition scenarios, the forms are and'ed together (they cannot be or'ed). For example, if the Change My Password Form and Change Password Form already include an attribute condition to exclude disabled resources, and the id condition is added, a resource will only be excluded if it meets both conditions, that is, it is disabled and has the ID you entered.

If a form does not already include the Exclude property, add it by copying the full XML fragment in this procedure or add the <Property name=Exclude\>, if a <Properties\> block already exists.

Configuring pwsync to Not Propagate Passwords to Directory Server

The passwordSyncExcludeList system configuration attribute lists resources that should not be updated when the Active Directory pwsync DLL detects a password change. In an Identity Manager and Identity Synchronization for Windows environment, this attribute should include Directory Servers that are being synchronized, to prevent unwanted interaction between Identity Manager and Identity Synchronization for Windows.

  1. Go to the /debug page, for example, http://applicationserverhost:port/idm/debug)

  2. List objects of type Configuration

  3. Add the following attributes to the system configuration file:

    <Attribute name='passwordSyncExcludeList' value='Directory Server Resource'/\>

    where Directory Server Resource is the name of the resource to be excluded during a pwsync password change. If you need to exclude more than one resource, use a comma-separated list.)