Sun Identity Manager 8.1 Resources Reference

Chapter 51 Synchronizing LDAP Passwords

This chapter describes the Identity Manager product enhancements to support password synchronization from the Sun Java™ System Directory Server (formerly known as Sun ONE Directory Server and iPlanet Directory Server) to the Identity Manager system.


Directory Server allows password changes to be processed by third parties through its public plug-in API. A custom plug-in, Password Capture plug-in, was developed to capture password changes in Directory Server.

The responsibilities of the Password Capture plug-in include:

The Directory Server Retro Changelog plug-in must be installed on the directory server before the Password Capture plug-in can be implemented. The Retro Changelog plug-in records changes to the idmpasswd attribute in the changelog database after the operation is executed by the directory server core.

The LDAP resource adapter with Active Sync enabled polls the changelog database at regular intervals, parses relevant changes, and feeds these changes into Identity Manager. The LDAP adapter parses the idmpasswd attribute, decrypts the password using the shared secret, and makes the real password available to the rest of the system.

Password Capturing Process

The Password Capture plug-in is invoked by the Directory Server core each time the server is about to process an LDAP ADD or an LDAP MODIFY operation. The plug-in inspects the changes, and if there is a password change, it inserts the idmpasswd attribute/value pair, where the value is the encrypted password.

Passwords captured by the Password Capture plug-in are encrypted using a shared key. (The same shared key is used by the configured LDAP Resource Adapter to decrypt the password.)

If the change is accepted by the server, then the Retro Changelog plug-in logs the changes, including the new value for the idmpasswd attribute, into the Retro-Changelog database. The LDAP resource adapter processes the change to the idmpasswd attribute and makes the value available to other components inside Identity Manager in the form of an encrypted string.

The idmpasswd attribute does not appear in the Directory Server’s regular database when the user changes password.

Passwords in the Retro-Changelog Database

The encrypted password is recorded in the Retro-Changelog database. The Retro-Changelog plug-in can be configured to remove entries from the Retro-Changelog database periodically. The correct setting of the database trimming depends on the target environment. Trimming too frequently may not leave room for small network outages or other service disruptions, and the LDAP resource adapter may then miss changes. On the other hand, allowing the database to grow too large increases the security risk associated with keeping encrypted passwords in the database.

Note that the plug-in does not pick up hashed passwords.

Access to the contents of the Retro Changelog Database suffix (cn=changelog) should be limited. Therefore, allow read access to the LDAP resource adapter only.

Schema Changes

The idmpasswd attribute is defined as an operational attribute. Operational attributes do not require any changes to the objectclass definitions of the target entry. As a result, existing or new users in Directory Server do not need to be modified to use the password synchronization feature.

The idmpasswd attribute is defined in the schema as follows:

attributeTypes: ( idmpasswd-oid NAME 'idmpasswd' DESC 'IdM Password' SYNTAX{128} USAGE directoryOperation X-ORIGIN 'Identity Manager' )

Plug-in Log Levels

The plug-in supports the following log levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, and FINEST. SEVERE provides the least amount of detail, and FINEST provides the most detailed logging. The INFO log level is the default level.

Configuring Identity Manager for LDAP Password Synchronization

Before an LDAP adapter can be used to synchronize LDAP passwords, you must perform the following tasks:

Step 1: Configure the LDAP Resource Adapter

Use the following steps to configure the LDAP resource adapter to support password synchronization.

Procedure: Configuring the LDAP Resource Adapter to Support Password Synchronization

  1. Import the LDAP Password ActiveSync Form into Identity Manager. This form is defined in $WSHOME/sample/forms/LDAPPasswordActiveSyncForm.xml.

  2. In the Active Sync wizard for the resource, set the input form to LDAP Password ActiveSync Form.

Step 2: Enable Password Synchronization Features

To enable password synchronization in the LDAP resource adapter, Identity Manager provides a custom JSP page that allows the administrator to

The LDIF file contains 3 entries:

Use the following steps to implement these features.

Procedure: Implementing Password Synchronization Features

  1. Open the Identity Manager Configure Password Synchronization page, which is located at http://PathToIdentityManager/configure/passwordsync.jsp .

  2. Select the LDAP resource that will be used to synchronize passwords from the Resource menu.

  3. Select Enable Password Synchronization from the Action menu.

  4. Click OK. The page refreshes to display a new item in the Action menu.

  5. Select Download plug-in configuration LDIF from the Action menu.

  6. Click OK. The page refreshes to display several new options.

  7. Select a version from the Directory Server version menu.

  8. Select the resource’s operating system from the Operating System Type menu.

  9. In the Plugin Installation Directory field, enter the directory on the host where the plug-in will be installed.

  10. Click OK to generate and download the LDIF file. If necessary, you may now regenerate an encryption key.

  11. Select Regenerate encryption key from the Action menu.

  12. Click OK. The encryption parameters are updated.

    Note –

    If your Directory Server users do not have the default objectclasses (person, organizationalPerson or inetorgperson), then you must edit the LDIF file created when you selected Download plug-in configuration LDIF. You must replace the default value assigned in the idm-objectclass attribute with an objectclass implemented in your environment so that the plug-in can capture the password change.

    For example, if your users are defined with the account, posixaccount and shadowaccount objectclasses, replace the default value assigned in the idm-objectclass attribute with one or more of these classes.

    For example:

    idm-objectclass: account
    idm-objectclass: posixaccount

    Note that multivalued attributes should not be represented as comma-separated strings. Each value for the idm-objectclass that you want to match must be entered on a separate line on the LDIF configuration. Passwords are captured for entries that match any of the idm-objectclass values.

    After password synchronization is enabled, the following attributes are displayed on the Resource Specific Settings page of the resource's Active Sync wizard parameters page.

    • Enable password synchronization

    • Password encryption key

    • Password encryption salt

    Only the Enable password synchronization field may be changed on this page. The encryption attributes should only be updated using the JSP page.

Installing and Configuring the Password Capture Plug-in

Before starting the plug-in installation, make sure you completed the resource configuration. See Configuring Identity Manager for LDAP Password Synchronization for more information.

Note –

If the Directory Server instances are set up in a multi-master replicated environment, then the plug-in must be installed and configured on each master replica.

To install the Password Capture plug-in, you must perform the following general steps. See the product documentation for detailed information about performing these tasks.

Procedure: Overview of Installing the Password Capture Plug-In

  1. Upload the configuration LDIF file into the target Directory Server. You can use the LDAP command line utilities bundled with the Directory Server. For example,

    /opt/iPlanet/shared/bin/ldapmodify -p 1389 -D "cn=directory manager" -w secret -c -f /tmp/pluginconfig.ldif
  2. For Directory Server versions 5.2 P4 and earlier only, place the plug-in binary ( on the host where the Directory Server is running. In this example, /opt/SUNWidm/plugin. Make sure that the user running the directory server is able to read the plug-in library. Otherwise, the Directory Server will fail to start.

  3. Restart the Directory Server. (For example, /opt/iPlanet/slapd-examplehost/restart-slapd). The Password Capture plug-in is now loaded after Directory Server is restarted.

    Note –
    • In a multi-master replicated environment, new plug-in configuration must be generated for each installation (unless the operating system type and the plug-in installation directory are the same on each host). In this type of environment, repeat the procedure described in Step 2: Enable Password Synchronization Features on each installation.

    • Directory Server must be restarted whenever you make changes to the plug-in configuration.

    After the Password Capture plug-in is enabled, clients must have the MODIFY right to both the userPassword and the idmpasswd attributes to make password changes. Adjust the access control information settings in your directory tree accordingly. This is usually necessary if administrators other than the directory manager have the ability to update the passwords of other users.
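The following LDIF is an added example, not part of this chapter or of the Identity Manager product files, that puts the three directory settings discussed above into concrete form: the Retro-Changelog trimming interval from Passwords in the Retro-Changelog Database, the read restriction on cn=changelog, and the MODIFY (write) right on userPassword and idmpasswd required once the plug-in is enabled. The suffix dc=example,dc=com, the adapter bind DN uid=idmsync,ou=Special Users,dc=example,dc=com and the group cn=Password Administrators are constructed placeholders; nsslapd-changelogmaxage is the Directory Server attribute that bounds the age of changelog entries.

```ldif
# Added example; all DNs below are constructed placeholders for an
# environment under dc=example,dc=com.

# 1. Trim the Retro-Changelog database. Seven days leaves room for the
#    adapter to catch up after an outage while keeping encrypted passwords
#    from accumulating indefinitely; tune the value to your environment.
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-changelogmaxage
nsslapd-changelogmaxage: 7d

# 2. Grant read access on cn=changelog to the LDAP resource adapter's
#    bind identity only. ACIs are deny-by-default, so no other user gains
#    access through this entry; if a broader ACI (for example anonymous
#    read) is already present on the suffix, delete it as well.
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "IdM adapter reads changelog";
  allow (read, search, compare)
  userdn = "ldap:///uid=idmsync,ou=Special Users,dc=example,dc=com";)

# 3. Password administrators other than the directory manager need write
#    access to both attributes, because the plug-in adds idmpasswd to
#    every password change. Granting userPassword alone makes their
#    password changes fail once the plug-in is enabled.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || idmpasswd")(version 3.0;
  acl "Password admins set passwords";
  allow (write)
  groupdn = "ldap:///cn=Password Administrators,ou=Groups,dc=example,dc=com";)
```

Apply the file with the same ldapmodify invocation shown in the installation procedure, then restart the Directory Server so the plug-in configuration change takes effect.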