Synchronizing Passwords with Active Directory
The default password policy on Windows 2000 was changed on Windows 2003 to enforce strict passwords by default.
Identity Synchronization for Windows services must occasionally create entries that do not have passwords (for example, during a resync -c from Directory Server to Active Directory). Consequently, if you have password policies enabled on Active Directory (on Windows 2000 or 2003) or on Directory Server, user creation errors can result.
Although you do not have to disable password policies on Active Directory or Directory Server, you should understand the issues associated with enforcing password policies on the different systems.
The following installation information is important if you will be synchronizing passwords with Active Directory on Windows 2003 Server Standard or Enterprise Edition:
-
If you are installing on Windows, you can install the Active Directory Connector on Solaris, Linux, or Windows.
Note –Active Directory Connectors will work with Active Directory on both Windows 2000 and Windows 2003 Server.
-
You use the same procedures to create directory sources, global catalogs, and Synchronization User Lists for Windows 2003 Server that you used for Active Directory on Windows 2000.
-
On Windows 2003 Server, the default password policy enforces strict passwords, which is not the default password policy on Windows 2000.
Enforcing Password Policies
This section explains how the password policies for Active Directory on Windows 2003 Server, Windows 2000, and Sun Java System Directory Server 6.0 can affect synchronization results.
The information is organized as follows:
Overview
If you create users on Active Directory (or Directory Server) that meet the required password policies for that system, the users may be created and synchronized properly between the two systems. If you have password policies enabled on both systems, the passwords must meet the policies of both systems or the synchronized user creations will fail.
-
If you enable the password policy features on Active Directory, you should enable a similarly configured or matched password policy on Directory Server.
-
If you cannot create a consistent password policy on both Active Directory and Directory Server, you should enable password policies on the side that you consider the authoritative source for passwords and user creations. However, there are some cases in which user creations will not work as expected because of certain password policy configurations.
Important Notes
The following sections provide important information about password policies:
Directory Server Password Policies
If you create users in Active Directory with passwords that violate the Directory Server password policy, those users will be created and synchronized in Directory Server, but the entries will be created without a password. The password will not be set until the new user logs into Directory Server, which triggers on-demand password synchronization. At this time the login will fail because the password violates the Directory Server password policy.
There are several ways to recover from this situation:
-
Force the user to change their password the next time they log on to Active Directory
-
Change the user password on Active Directory, and be sure the new password meets Directory Server password policy requirements
You may want to review whether the password policy set on Active Directory and on Directory Server are equivalent (or as similar as possible).
Active Directory Password Policies
If you create users on Active Directory that do not match the Active Directory password policy, those users will be created on Directory Server.
-
Active Directory actually creates users “temporarily” and then deletes the entries if the password does not meet the password policy requirements. Consequently, the Active Directory Connector sees this temporary ADD and creates users on the Directory Server side. The users will not have a password in Directory Server, so no one will be able to log in as the user. In addition, these entries will not be linked to a valid entry in Active Directory. If deletions are synchronized from Active Directory to Directory Server, then the temporarily created users will be deleted automatically.
-
Users are created without a password on Directory Server. Directory Server does not enforce the password policy for user creations unless the entries contain a password.
There are several ways to recover from this situation. The preferred method is to synchronize deletions from Active Directory to Directory Server. Alternatively, you can remove the user from Directory Server and then add them to Active Directory with a valid password for the Active Directory password policies. This method ensures that the users are created on Directory Server and linked properly. Users on Directory Server will have their password invalidated when they log into Active Directory for the first time and change their passwords.
-
If you do not delete the user from Directory Server, and then try to add the Active Directory user again with a new password, the ADD to Directory Server will fail because the user already exists on Directory Server. The entries will not be linked together and you will have to run a idsync resync command to link the two separate accounts.
-
If you run the idsync resync command, you must be sure to reset the passwords for the accounts on Active Directory that were linked to entries on Directory Server. Resetting the passwords invalidates those passwords on Directory Server, which then forces on-demand synchronization to update the Directory Server password the next time the user authenticates to Directory Server with their new Active Directory password.
Creating Accounts Without Passwords
In certain circumstances, such as resynchronization, Identity Synchronization for Windows must create accounts without passwords.
Directory Server
WhenIdentity Synchronization for Windows creates entries in the Directory Server, without a password, it sets the userpassword attribute to {PSWSYNC}*INVALID*PASSWORD*. The user will not be able to log into Directory Server until you reset the password. One exception to this is when you run resync with the -i NEW_USERS or NEW_LINKED_USERS option. In this case, resync will invalidate the new user’s password triggering on-demand password synchronization the next time the user logs in.
Active Directory
When Identity Synchronization for Windows creates entries in the Active Directory, without a password, it sets the user’s password to a randomly chosen, strong password that meets Active Directory password policy requirements. In this case, a warning message is logged and the user will not be able to log into Active Directory until you reset the password.
The following tables describe some different scenarios you might encounter as you work with Identity Synchronization for Windows:
This section describes how password policies affect synchronization and resynchronization.
Use this information as a guideline to help ensure that passwords will remain synchronized. (These tables do not attempt to describe all possible configuration scenarios because system configurations differ.)
Table 4–3 How Password Policies Affect Synchronization Behavior|
Scenario |
Results |
||||
|---|---|---|---|---|---|
|
User Originally Created In |
User Meets Password Policy In |
User Created In |
|||
|
Directory Server |
Active Directory |
Directory Server |
Active Directory |
Comments |
|
|
Active Directory |
Yes |
Yes |
Yes |
Yes | |
|
Yes |
No |
Yes (see Comments) |
No |
Users will be created in Directory Server. However, if deletes are synchronized from Active Directory to Directory Server then this user will be deleted immediately. See Active Directory Password Policies information. |
|
|
No |
Yes |
Yes |
Yes |
See Important Notes for more information. |
|
|
No |
No |
Yes (see Comments) |
No |
Users are created in Directory Server. However, if deletes are synchronized from Active Directory to Directory Server then this user will be deleted immediately. See Active Directory Password Policies information. |
|
|
Directory Server |
Yes |
Yes |
Yes |
Yes | |
|
Yes |
No |
Yes |
No | ||
|
No |
Yes |
No |
No | ||
|
No |
No |
No |
No | ||
Table 4–4 How Password Policies Affect Resynchronization Behavior
|
Scenario |
Result |
||
|---|---|---|---|
|
Resync Command |
User Meets Password Policy In |
||
|
Directory Server |
Active Directory |
||
|
resync -c -o Sun |
N/A |
Yes |
User will be created in Active Directory but will not be able to log in. |
|
N/A |
No |
User will be created in Active Directory but will not be able to log in. |
|
|
resync -c -i NEW_USERS | NEW_LINKED_USERS |
Yes |
N/A |
User will be created in Directory Server and their password will be set when the user first logs in. |
|
No |
N/A |
User will be created in Directory Server but they cannot log in because their password violates the Directory Server password policy. See Important Notes and Creating Accounts Without Passwords more information. |
|
|
resync -c |
Yes |
N/A |
User will be created in Directory Server but they cannot log on until a new password value is set in Active Directory or Directory Server. |
|
No |
N/A |
User will be created in Directory Server but they cannot log on until a new password value is set in Active Directory or Directory Server. |
|
Example Password Policies
This section describes different scenarios for Active Directory and Directory Server password policy examples using the following specifications:
For Active Directory:
-
Enforce Password History: 20 days
-
Max Password Age: 30 days
-
Min Password Age: 0 days
-
Min Password Length: 7 characters
-
Passwords must meet complexity requirements: Enabled
For Directory Server:
-
User must change password after reset
-
User May Change Password
-
Keep 20 passwords in history
-
Password expires in 30 days
-
Send warning 5 days before password expires
-
Check password syntax: Password min length is 7 characters
Error Messages
Check the central logger audit.log file on the Core system for the following error message:
Unable to update password on DS due to password policy during on-demand synchronization: |
WARNING 125 CNN100 hostname "DS Plugin (SUBC100): unable to update password of entry ’cn=John Doe,ou=people,o=sun’, reason: possible conflict with local password policy" |
Note –
For more information about password policies for Windows 2003, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/
For more information about Directory Server password policies, see Chapter 7, Directory Server Password Policy, in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide
- © 2010, Oracle Corporation and/or its affiliates