Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

To Demonstrate That User Changes Flow to the Reciprocal Environment

Both Windows and the LDAP store (if so configured) use a one-way hash when storing passwords. This configuration prevents true replication of password data between the two systems, but does not prevent the password synchronization.

For an environment that is participating in bidirectional password synchronization, any existing user’s entry being tracked in both environments must be in one of the following states:

Note –

This situation can lead to a very tedious process as you might have to examine every user entry.

If you created a user called George Washington on a Solaris system that operates as a PAM client, and then use the idsync resync command to push the entry to Windows, you can verify that Identity Synchronization for Windows has also created the entry on Windows as explained in the following procedure.

ProcedureTo Verify Entries on Windows

  1. From the Windows Start menu, go to Control Panel -> Administrative Tools -> Active Directory User and Computers.

  2. When the Active Directory User and Computers window is displayed, go the Active Directory Users pane (on the left) and click Users.

    Verifying entities
  3. Right-click the George Washington entry, and choose Properties.

    When the George Washington Properties dialog box is displayed, look at the Account options section. It shows that the User Must Change Password at Next Logon check box is selected, which means that George Washington will be required to change his password the next time that he logs in.

    Displaying properties for the selected entity
  4. Log in as George Washington.

    Windows is correctly tracking the entry because the log-in attempt displays the Logon Message dialog box stating, “Your password has expired and must be changed.”

  5. Click OK to close the Logon Message dialog box and to display the Change Password dialog box to provide a new password.

  6. Type and confirm a new password, but do not provide a value for the Old Password field.

    This is first time the user has logged in (since being created over protocol), so supplying an old password value will cause an error message and Windows will ask you to enter the new password again.

  7. Click OK to save the new password and close the Change Password dialog box.

    If Windows accepts the new password, a message is displayed stating that the new password has been accepted.

    At this point, the George Washington entry has moved from where the Windows entry is stale and the LDAP store is current to where Windows is current and the LDAP store entry is stale.

    George Washington's entry will maintain this condition until the next time that it binds to the LDAP store. At that time, the entry will move to where the entry is current on both Windows and the LDAP store.