Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 


Synchronizing LDAP Passwords

This chapter describes the Identity Manager product enhancements to support password synchronization from the Sun Java™ System Directory Server (formerly known as Sun ONE Directory Server and iPlanet Directory Server) to the Identity Manager system.


Directory Server allows password changes to be processed by third parties through its public plugin API. A custom plugin, the Password Capture plugin, was developed to capture password changes in Directory Server.

The responsibilities of the Password Capture plugin include:

The Directory Server Retro Changelog plugin must be installed on the directory server before the Password Capture plugin can be implemented. The Retro Changelog plugin records changes to the idmpasswd attribute in the changelog database after the operation is executed by the Directory Server core.

The LDAP resource adapter with Active Sync enabled polls the changelog database at regular intervals, parses relevant changes, and feeds these changes into Identity Manager. The LDAP adapter parses the idmpasswd attribute, decrypts the password using the shared secret, and makes the real password available to the rest of the system.

Password Capturing Process

The Password Capture plugin is invoked by the Directory Server core each time the server is about to process an LDAP ADD or an LDAP MODIFY operation. The plugin inspects the changes, and if there is a password change, it inserts the idmpasswd attribute/value pair, where the value is the encrypted password.

Passwords captured by the Password Capture plugin are encrypted using a shared key. (The same shared key is used by the configured LDAP resource adapter to decrypt the password.)

If the change is accepted by the server, then the Retro Changelog plugin logs the changes, including the new value for the idmpasswd attribute, into the Retro-Changelog database. The LDAP resource adapter processes the change to the idmpasswd attribute and makes the value available to other components inside Identity Manager in the form of an encrypted string.

The idmpasswd attribute does not appear in the Directory Server's regular database when the user changes password.

Passwords in the Retro-Changelog Database

The encrypted password is recorded in the Retro-Changelog database. The Retro Changelog plugin can be configured to remove entries from the Retro Changelog database periodically. The correct trimming setting depends on the target environment. If trimming is too frequent, a short network outage or other service disruption can cause the LDAP resource adapter to miss changes. On the other hand, allowing the database to grow too large increases the security risk associated with keeping encrypted passwords in the database.
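To make the polling step concrete, the following is an added Python example (not Identity Manager code) that parses Retro Changelog entries the way the adapter would, extracts the idmpasswd ciphertext from each ADD or MODIFY, and flags a gap between the last processed change number and the oldest entry still present, which is how over-aggressive trimming shows up. The changelog entries and the idmpasswd ciphertext are constructed; the adapter's real state handling and decryption are not reproduced.

```python
import base64

def b64(s): return base64.b64encode(s.encode()).decode()  # LDIF 'attr:: base64' form
# Constructed sample of what the adapter reads from cn=changelog: entry 6 was already
# trimmed, 7 is an ordinary mail change, 8 is a captured password change (placeholder).
MAIL_CHANGE = "replace: mail\nmail: jdoe@example.com\n-\n"
PWD_CHANGE = "replace: userPassword\nuserPassword: {SSHA}c29tZWhhc2g=\n-\nreplace: idmpasswd\nidmpasswd: ENCRYPTED-PLACEHOLDER\n-\n"
SAMPLE_CHANGELOG = "\n".join([
    "dn: changenumber=7,cn=changelog", "changenumber: 7", "changetype: modify",
    "targetdn: uid=jdoe,ou=People,dc=example,dc=com", "changes:: " + b64(MAIL_CHANGE),
    "",
    "dn: changenumber=8,cn=changelog", "changenumber: 8", "changetype: modify",
    "targetdn: uid=jdoe,ou=People,dc=example,dc=com", "changes:: " + b64(PWD_CHANGE),
])

def parse_ldif_entries(text):
    """Split LDIF into entries (attr -> list of values), decoding ':: ' base64 values."""
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def extract_idmpasswd(changes):
    """Return the idmpasswd ciphertext from a 'changes' blob, or None if absent."""
    for line in changes.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "idmpasswd":
            return value.strip()
    return None

def poll_changelog(ldif_text, last_change_number):
    """One poll: returns (captured [(targetdn, ciphertext)], new high-water mark, gap).
    gap means the oldest entry is past last_change_number + 1: trimming outran polling."""
    entries = sorted((e for e in parse_ldif_entries(ldif_text) if "changenumber" in e),
                     key=lambda e: int(e["changenumber"][0]))
    numbers = [int(e["changenumber"][0]) for e in entries]
    gap = bool(numbers) and numbers[0] > last_change_number + 1
    captured = []
    for e, n in zip(entries, numbers):
        if n > last_change_number and e["changetype"][0] in ("add", "modify"):
            cipher = extract_idmpasswd(e.get("changes", [""])[0])
            if cipher:  # only entries the Password Capture plugin touched
                captured.append((e["targetdn"][0], cipher))
    return captured, (numbers[-1] if numbers else last_change_number), gap
```

A real adapter would persist the returned high-water mark between polls and alert when gap is True, since a gap means password changes may have been trimmed before they were read.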

Access to the contents of the Retro Changelog database suffix (cn=changelog) should be limited. It is therefore recommended that read access be granted only to the LDAP resource adapter.

Schema Changes

The idmpasswd attribute is defined as an operational attribute. Operational attributes do not require any changes to the objectclass definitions of the target entry. As a result, existing or new users in Directory Server do not need to be modified to use the password synchronization feature.

The idmpasswd attribute is defined in the schema as follows:

attributeTypes: ( idmpasswd-oid NAME 'idmpasswd' DESC 'IdM Password' SYNTAX{128} USAGE directoryOperation X-ORIGIN 'Identity Manager' )

Configuring Identity Manager for LDAP Password Synchronization

Before an LDAP adapter can be used to synchronize LDAP passwords, you must perform the following tasks:

Step 1: Configure the LDAP Resource Adapter

Use the following steps to configure the LDAP resource adapter to support password synchronization.

  1. Import the LDAP Password ActiveSync Form into Identity Manager. This form is defined in $WSHOME/sample/forms/LDAPPasswordActiveSyncForm.xml.
  2. In the Active Sync wizard for the resource, set the input form to LDAP Password ActiveSync Form.

Step 2: Enable Password Synchronization Features

To enable password synchronization in the LDAP resource adapter, Identity Manager provides a custom JSP page that allows the administrator to

The LDIF file contains 3 entries:

Use the following steps to implement these features.

  1. Open the Identity Manager Configure Password Synchronization page, which is located at http://PathToIdentityManager/configure/passwordsync.jsp.
  2. Select the LDAP resource that will be used to synchronize passwords from the Resource menu.
  3. Select Enable Password Synchronization from the Action menu.
  4. Click OK. The page refreshes to display a new item in the Action menu.
  5. Select Download plugin configuration LDIF from the Action menu.
  6. Click OK. The page refreshes to display several new options.
  7. Select the resource’s operating system from the Operating System Type menu.
  8. In the Plugin Installation Directory field, enter the directory on the host where the plugin will be installed.
  9. Click OK to generate and download the LDIF file. If necessary, you may now regenerate an encryption key.
  10. Select Regenerate encryption key from the Action menu.
  11. Click OK. The encryption parameters are updated.

After password synchronization is enabled, the following attributes are displayed on the Resource Specific Settings page of the Active Sync wizard for the resource.

Only the Enable password synchronization field should be editable. The encryption attributes should only be updated using the JSP page.

Installing the Password Capture Plugin

Before starting the plugin installation, make sure that you have completed the resource configuration. See Configuring Identity Manager for LDAP Password Synchronization for more information.

Note  If the Directory Server instances are set up in a multi-master replicated environment, then the plugin must be installed on each master replica. For example, iPlanet Directory Server 5.1 allows up to two master replicas, while Sun ONE Directory Server 5.2 and later allows four master replicas to be defined.

To install the Password Capture plugin, you must perform the following general steps. See the product documentation for detailed information about performing these tasks.

  1. Upload the configuration LDIF file into the target Directory Server. You can use the LDAP command line utilities bundled with the Directory Server. For example:

     /opt/iPlanet/shared/bin/ldapmodify -p 1389 -D "cn=directory manager" -w secret -c -f /tmp/pluginconfig.ldif

  2. Place the plugin binary on the host where the Directory Server is running (in this example, /opt/SUNWidm/plugin). Make sure that the user running the Directory Server is able to read the plugin library. Otherwise, the Directory Server will fail to start.
  3. Restart the Directory Server (for example, /opt/iPlanet/slapd-examplehost/restart-slapd). The Password Capture plugin is now loaded after the Directory Server restarts.

Note  In a multi-master replicated environment, new plugin configuration must be generated for each installation (unless the operating system type and the plugin installation directory are the same on each host). In this type of environment, repeat the procedure described in Step 2: Enable Password Synchronization Features on each installation.


Copyright 2006 Sun Microsystems, Inc. All rights reserved.