Sun Identity Manager 8.1 Resources Reference

Configuring Identity Manager for LDAP Password Synchronization

Before an LDAP adapter can be used to synchronize LDAP passwords, you must perform the following tasks:

Step 1: Configure the LDAP Resource Adapter

Use the following steps to configure the LDAP resource adapter to support password synchronization.

Procedure: Configuring the LDAP Resource Adapter to Support Password Synchronization

  1. Import the LDAP Password ActiveSync Form into Identity Manager. This form is defined in $WSHOME/sample/forms/LDAPPasswordActiveSyncForm.xml.

  2. In the Active Sync wizard for the resource, set the input form to LDAP Password ActiveSync Form.

Step 2: Enable Password Synchronization Features

To enable password synchronization in the LDAP resource adapter, Identity Manager provides a custom JSP page that allows the administrator to

The LDIF file contains 3 entries:

Use the following steps to implement these features.

Procedure: Implementing Password Synchronization Features

  1. Open the Identity Manager Configure Password Synchronization page, which is located at http://PathToIdentityManager/configure/passwordsync.jsp.

  2. Select the LDAP resource that will be used to synchronize passwords from the Resource menu.

  3. Select Enable Password Synchronization from the Action menu.

  4. Click OK. The page refreshes to display a new item in the Action menu.

  5. Select Download plug-in configuration LDIF from the Action menu.

  6. Click OK. The page refreshes to display several new options.

  7. Select a version from the Directory Server version menu.

  8. Select the resource’s operating system from the Operating System Type menu.

  9. In the Plugin Installation Directory field, enter the directory on the host where the plug-in will be installed.

  10. Click OK to generate and download the LDIF file. If necessary, you may now regenerate an encryption key.

  11. Select Regenerate encryption key from the Action menu.

  12. Click OK. The encryption parameters are updated.

    Note –

    If your Directory Server users do not have the default objectclasses (person, organizationalPerson or inetorgperson), then you must edit the LDIF file created when you selected Download plug-in configuration LDIF. You must replace the default value assigned in the idm-objectclass attribute with an objectclass implemented in your environment so that the plug-in can capture the password change.

    For example, if your users are defined with the account, posixaccount and shadowaccount objectclasses, replace the default value assigned in the idm-objectclass attribute with one or more of these classes.

    For example:

        idm-objectclass: account
        idm-objectclass: posixaccount

    Note that multivalued attributes should not be represented as comma-separated strings. Each value for the idm-objectclass that you want to match must be entered on a separate line on the LDIF configuration. Passwords are captured for entries that match any of the idm-objectclass values.

    After password synchronization is enabled, the following attributes are displayed on the Resource Specific Settings page of the resource's Active Sync wizard.

    • Enable password synchronization

    • Password encryption key

    • Password encryption salt

    Only the Enable password synchronization field may be changed on this page. The encryption attributes should only be updated using the JSP page.
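The following is an added example, not part of the Sun documentation or the Identity Manager product, that checks an edited plug-in configuration LDIF against the rule in the note above: idm-objectclass must carry one value per line (never a comma-separated string), and a password change is captured for an entry whose objectClass matches any of those values. The LDIF sample and its dn are constructed for illustration; only the idm-objectclass attribute comes from the page.

```python
# Constructed sample of an edited plug-in configuration entry. The dn is an
# assumption; the idm-objectclass lines follow the example in the note above.
SAMPLE_LDIF = """\
dn: cn=idm-passwordsync-config
idm-objectclass: account
idm-objectclass: posixaccount
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name: [values]}.
    Keeps every occurrence of an attribute (LDIF attributes may be multivalued)
    and unfolds continuation lines, which in LDIF start with a single space.
    Base64 values ("attr:: ...") are not needed here and are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_idm_objectclass(attrs):
    """Return a list of configuration problems for idm-objectclass.
    A comma inside a value means the administrator wrote a comma-separated
    string instead of one idm-objectclass line per objectclass."""
    problems = []
    values = attrs.get("idm-objectclass", [])
    if not values:
        problems.append("no idm-objectclass value: the plug-in will match no entries")
    for v in values:
        if "," in v:
            problems.append("comma-separated value %r: use one idm-objectclass line per class" % v)
    return problems

def password_captured(attrs, entry_objectclasses):
    """True if the plug-in would capture a password change for an entry with the
    given objectClass values. Matching is on any configured value; objectclass
    names are compared case-insensitively, as LDAP treats them."""
    wanted = {v.lower() for v in attrs.get("idm-objectclass", []) if "," not in v}
    return any(oc.lower() in wanted for oc in entry_objectclasses)
```

Run check_idm_objectclass on the downloaded LDIF after editing it, and password_captured against the objectClass list of a representative user entry, before installing the plug-in.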