Global Telco wants to achieve the following:
Users’ passwords for Windows systems must be synchronized with their Directory Server passwords.
Users must be able to change passwords using the native mechanisms of either system: the Change Password option in the Task Manager dialog box on Windows systems, and a web-based portal for Directory Server.
Identity Synchronization for Windows supports capturing native password changes in Directory Server and Active Directory. Users can continue to change passwords as they always have.
Passwords can be set in Directory Server by passing a pre-hashed password value. However, Identity Synchronization for Windows cannot synchronize passwords from Directory Server to Windows if the password is pre-hashed. Even in installations without Identity Synchronization for Windows, avoid using a pre-hashed password value because it circumvents password policy and password history.
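Because a pre-hashed userPassword value both bypasses password policy and history and blocks synchronization to Windows, it is worth catching such writes early. The following added example (not part of the Identity Synchronization for Windows documentation) scans an LDIF change export for userPassword values that carry a storage-scheme prefix such as {SSHA}; the LDIF content and DNs are constructed for illustration.

```python
"""Flag pre-hashed userPassword values in an LDIF change export (added example)."""
import base64
import re

# Directory Server storage-scheme prefix, e.g. {SSHA}, {SHA}, {CRYPT}.
# A value with such a prefix was supplied already hashed by the caller.
SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")

# Constructed sample: two pre-hashed writes (one base64-encoded) and one
# plaintext write that Directory Server will hash and policy-check itself.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}c2FsdHNhbHRzYWx0c2FsdA==
-

dn: uid=asmith,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: correct-horse-battery
-

dn: uid=bjones,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NIQX1hYmNkZWY=
-
"""


def iter_ldif_records(text):
    """Yield (dn, [(attr, value), ...]) per LDIF record.
    Handles folded continuation lines and base64 ('::') values."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # folded continuation line
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    for lines in records:
        dn, attrs = None, []
        for line in lines:
            if line.startswith("-"):         # modify-record separator
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):        # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        yield dn, attrs


def find_prehashed_passwords(ldif_text):
    """Return [(dn, scheme_prefix)] for every pre-hashed userPassword value."""
    findings = []
    for dn, attrs in iter_ldif_records(ldif_text):
        for name, value in attrs:
            match = SCHEME_PREFIX.match(value)
            if name.lower() == "userpassword" and match:
                findings.append((dn, match.group(0)))
    return findings


if __name__ == "__main__":
    for dn, scheme in find_prehashed_passwords(SAMPLE_LDIF):
        print(f"pre-hashed password ({scheme}) written for {dn}; will not sync to Windows")
```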
Existing Identity Manager functionality must be retained and continue to support users on Active Directory and Directory Server.
Identity Synchronization for Windows requires the users’ Directory Server accounts to be explicitly linked to their Windows accounts. This linking is done automatically when Identity Synchronization for Windows is configured to synchronize the creation of new users. However, because Identity Manager is provisioning both Active Directory and Directory Server accounts, Identity Synchronization for Windows will not synchronize new users. Global Telco must therefore either run the idsync resync command periodically to link newly created users, or configure Identity Manager to set the necessary linking attributes when it creates a new Directory Server entry.
Support must be added for propagating native password changes made in Directory Server to all systems managed by Identity Manager.
Identity Manager already supports synchronizing Active Directory password changes to many other systems, and Identity Synchronization for Windows can synchronize password changes from Directory Server to Active Directory. Integrating Identity Manager with Identity Synchronization for Windows therefore propagates a password change made in Directory Server to any system that Identity Manager supports.
High availability for failover redundancy of all services is required in the European office.
Identity Synchronization for Windows is robust: once all components are running, it synchronizes data without losing changes. By default, it provides some high availability options, such as failover to a secondary Directory Server and performing on-demand password synchronization against any Active Directory domain controller. It also includes a Watchdog that restarts failed processes.
However, if the machine that runs Identity Synchronization for Windows Core or Connector experiences a hardware failure, Identity Synchronization for Windows will not synchronize users until it is reinstalled on different hardware.
This case study addresses Global Telco's HA requirement by installing a completely separate instance of Identity Synchronization for Windows at the European office.
All communication must use SSL and trusted certificates where possible.
Identity Synchronization for Windows supports SSL communication for all over-the-wire communication. By default, it does not require trusted certificates for SSL communication between connectors and directory sources, but it can be configured to require trusted certificates.