Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide

Synchronizing Passwords With Active Directory

The default password policy on Windows 2000 was changed on Windows 2003 to enforce strict passwords by default.

Identity Synchronization for Windows services must occasionally create entries that do not have passwords, for example, during a resync -c from Directory Server to Active Directory. Consequently, if password policies are enabled on Active Directory (on Windows 2000 or 2003) or on Directory Server, user creation errors can result.

Although you do not have to disable password policies on Active Directory or Directory Server, you need to understand the issues associated with enforcing their password policies.

The following installation information is important if you will be synchronizing passwords with Active Directory on Windows 2003 Server Standard or Enterprise Edition:

Enforcing Password Policies

This section explains how the password policies for Active Directory on Windows 2000, Windows 2003 Server, and Sun Java System Directory Server can affect synchronization results.

If you create users on Active Directory (or Directory Server) that meet the required password policies for that topology, the users may be created and synchronized properly between the two systems. If you have password policies enabled on both directory sources, the passwords must meet the policies of both directory sources or the synchronized user creations will fail.

This section discusses the following:

Directory Server Password Policies

If you create users in Active Directory with passwords that violate the Directory Server password policy, those users will be created and synchronized in Directory Server, but the entries will be created without a password. The password will not be set until the new user logs in to Directory Server, which triggers on-demand password synchronization. At this time the login will fail because the password violates the Directory Server password policy.

To recover from this situation, do one of the following:

Active Directory Password Policies

If you create users in Active Directory that do not match the Active Directory password policy, those users will be created in Directory Server.

Creating Accounts Without Passwords

In certain circumstances, such as resynchronization, Identity Synchronization for Windows must create accounts without passwords.

Directory Server

When Identity Synchronization for Windows creates entries in Directory Server without a password, it sets the userpassword attribute to {PSWSYNC}*INVALID*PASSWORD*. The user will not be able to log in to Directory Server until you reset the password. One exception is when you run resync with the -i NEW_USERS or NEW_LINKED_USERS option. In this case, resync will invalidate the new user’s password, triggering on-demand password synchronization the next time the user logs in.

Active Directory

When Identity Synchronization for Windows creates entries in Active Directory without a password, it sets the user’s password to a randomly chosen, strong password that meets Active Directory password policies. In this case, a warning message is logged, and the user will not be able to log in to Active Directory until you reset the password.

The following tables show some scenarios that you might encounter as you work with Identity Synchronization for Windows.

This section describes how password policies affect synchronization and resynchronization.

These tables do not attempt to describe all possible configuration scenarios because system configurations differ. Use this information as a guideline to help ensure that passwords will remain synchronized.

Table 2–3 How Password Policies Affect Synchronization Behavior

Scenario 

Results 

User Originally Created In

User Meets Password Policy In

User Created In

 

Directory Server

Active Directory

Directory Server

Active Directory

Comments

Active Directory 

Yes 

Yes 

Yes 

Yes 

 
 

Yes 

No 

Yes (see Comments)

No 

User will be created in Directory Server. However, if deletions are synchronized from Active Directory to Directory Server, this user will be deleted immediately. 

See Active Directory Password Policies information.

 

No 

Yes 

Yes

Yes 

See Active Directory Password Policies information.

 

No 

No 

Yes (see Comments)

No 

Users will be created in Directory Server. However, if deletions are synchronized from Active Directory to Directory Server, this user will be deleted immediately. 

See Active Directory Password Policies information.

Directory Server 

Yes 

Yes 

Yes 

Yes 

 
 

Yes 

No 

Yes 

No 

 
 

No 

Yes 

No 

No 

 
 

No 

No 

No 

No 

 

Table 2–4 How Password Policies Affect Resynchronization Behavior

Scenario 

Result

Resync Command

User Meets Password Policy In

 

Directory Server

Active Directory

resync -c -o Sun

N/A 

Yes 

User will be created in Active Directory but will not be able to log in. 

See Creating Accounts Without Passwords.

 

N/A 

No 

User will be created in Active Directory but will not be able to log in. 

See Creating Accounts Without Passwords.

resync -c -i NEW_USERS | NEW_LINKED_USERS

Yes 

N/A 

User will be created in Directory Server, and the user's passwords will be set when the user first logs in. 

See Creating Accounts Without Passwords.

 

No 

N/A 

User will be created in Directory Server but cannot log in because the password violates the Directory Server password policy. 

See Creating Accounts Without Passwords.

resync -c

Yes 

N/A 

User will be created in Directory Server but cannot log in until a new password value is set in Active Directory or Directory Server. 

See Creating Accounts Without Passwords.

 

No 

N/A 

User will be created in Directory Server but cannot log in until a new password value is set in Active Directory or Directory Server. 

See Creating Accounts Without Passwords.

Example Password Policies

This section states example password policies for Active Directory and Directory Server.

Directory Server Password Policies

Active Directory Password Policies

Error Messages

Check the central logger audit.log file on the Core system for the following error message:


Unable to update password on DS due to password policy during 
on-demand synchronization:

WARNING 125 CNN100 hostname "DS Plugin (SUBC100):
unable to update password of entry ’cn=John Doe,ou=people,o=sun’,
reason: possible conflict with local password policy"

Note –

For more information about password policies for Windows 2003, see http://technet.microsoft.com/en-us/library/cc782657(WS.10).aspx

For more information about password policies for Sun Java System Directory Server , see Chapter 7, Directory Server Password Policy, in Sun Directory Server Enterprise Edition 7.0 Administration Guide.