| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide |
Part I Installing Identity Synchronization for Windows
Preparing the Directory Server
Installing Connectors and Configuring Directory Server Plug-In
Attributes and Attribute Mapping
Parameterized Attribute Default Values
Synchronizing Passwords With Active Directory
Directory Server Password Policies
Active Directory Password Policies
Configuring Windows for SSL Operation
Installation and Configuration Decisions
Connector Installation and Configuring the Directory Server Plug-In
Using the Command-Line Utilities
6. Synchronizing Existing Users and User Groups
9. Understanding Audit and Error Files
Part II Identity Synchronization for Windows Appendixes
A. Using the Identity Synchronization for Windows Command Line Utilities
B. Identity Synchronization for Windows LinkUsers XML Document Sample
C. Running Identity Synchronization for Windows Services as Non-Root on Solaris
D. Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows
E. Identity Synchronization for Windows Installation Notes for Replicated Environments
The default password policy on Windows 2000 was changed on Windows 2003 to enforce strict passwords by default.
Identity Synchronization for Windows services must occasionally create entries that do not have passwords, for example, during a resync -c from Directory Server to Active Directory. Consequently, if password policies are enabled on Active Directory (on Windows 2000 or 2003) or on Directory Server, user creation errors can result.
Although you do not have to disable password policies on Active Directory or Directory Server, you need to understand the issues associated with enforcing their password policies.
The following installation information is important if you will be synchronizing passwords with Active Directory on Windows 2003 Server Standard or Enterprise Edition:
If you are installing on Windows, you can install the Active Directory Connector on the Solaris OS, Red Hat Linux, or Windows.
Note - Active Directory Connectors will work with Active Directory on both Windows 2000 and Windows 2003 Server.
You use the same procedures to create directory sources, global catalogs, and Synchronization User Lists for Windows 2003 Server that you used for Active Directory on Windows 2000.
On Windows 2003 Server, the default password policy enforces strict passwords, which is not the default password policy on Windows 2000.
This section explains how the password policies for Active Directory on Windows 2000, Windows 2003 Server, and Sun Java System Directory Server can affect synchronization results.
If you create users on Active Directory (or Directory Server) that meet the required password policies for that topology, the users may be created and synchronized properly between the two systems. If you have password policies enabled on both directory sources, the passwords must meet the policies of both directory sources or the synchronized user creations will fail.
If you enable the password policy features on Active Directory, you should enable a similarly configured or matched password policy on Directory Server.
If you cannot create a consistent password policy in both Active Directory and Directory Server, you should enable password policies in the directory source that you consider to be the authoritative source for passwords and user creations. However, user creations will not work as expected in some cases because of certain password policy configurations.
Note - Identity Synchronization for Windows does not synchronize password expiration.
This section discusses the following:
If you create users in Active Directory with passwords that violate the Directory Server password policy, those users will be created and synchronized in Directory Server, but the entries will be created without a password. The password will not be set until the new user logs in to Directory Server, which triggers on-demand password synchronization. At this time the login will fail because the password violates the Directory Server password policy.
To recover from this situation, do one of the following:
Force users to change their password the next time they log in to Active Directory.
Change the user password in Active Directory, making sure that the new password meets Directory Server password policy requirements.
If you create users in Active Directory that do not match the Active Directory password policy, those users will be created in Directory Server.
Active Directory actually creates users “temporarily” and then deletes the entries if the password does not meet the password policy requirements. Consequently, the Active Directory Connector sees this temporary ADD and creates users in Directory Server. The users will not have a password in Directory Server, so no one will be able to log in as those users. In addition, these entries will not be linked to a valid entry in Active Directory. If deletions are synchronized from Active Directory to Directory Server, the temporarily created users will be deleted automatically.
Users are created without a password in Directory Server. Directory Server does not enforce the password policy for user creations unless the entries contain a password.
The preferred method from recovering this situation is to synchronize deletions from Active Directory to Directory Server. Alternatively, you can remove the users from Directory Server and then add them to Active Directory with a password that follows Active Directory password policies. This method ensures that the users are created in Directory Server and are properly linked. Directory Server users will have their password invalidated when they log in to Active Directory for the first time and change it.
If you do not delete the user from Directory Server, and then try to add the Active Directory user again with a new password, the ADD to Directory Server will fail because the user already exists in Directory Server. The entries will not be linked, and you will have to run the idsync resync command to link the two separate accounts.
If you run the idsync resync command, you must reset the passwords for the accounts in Active Directory that were linked to entries in Directory Server. Resetting the passwords invalidates those passwords in Directory Server, which then forces on-demand synchronization to update the Directory Server passwords the next time users authenticate to Directory Server with their new Active Directory password.
In certain circumstances, such as resynchronization, Identity Synchronization for Windows must create accounts without passwords.
When Identity Synchronization for Windows creates entries in Directory Server without a password, it sets the userpassword attribute to {PSWSYNC}*INVALID*PASSWORD*. The user will not be able to log in to Directory Server until you reset the password. One exception is when you run resync with the -i NEW_USERS or NEW_LINKED_USERS option. In this case, resync will invalidate the new user’s password, triggering on-demand password synchronization the next time the user logs in.
When Identity Synchronization for Windows creates entries in Active Directory without a password, it sets the user’s password to a randomly chosen, strong password that meets Active Directory password policies. In this case, a warning message is logged, and the user will not be able to log in to Active Directory until you reset the password.
The following tables show some scenarios that you might encounter as you work with Identity Synchronization for Windows.
This section describes how password policies affect synchronization and resynchronization.
These tables do not attempt to describe all possible configuration scenarios because system configurations differ. Use this information as a guideline to help ensure that passwords will remain synchronized.
Table 2-3 How Password Policies Affect Synchronization Behavior
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Table 2-4 How Password Policies Affect Resynchronization Behavior
| ||||||||||||||||||||||||||||||||||
This section states example password policies for Active Directory and Directory Server.
User must change password after reset
User may change password
Keep 20 passwords in history
Password expires in 30 days
Send warning 5 days before password expires
Check password syntax: Password minimum length is 7 characters
Enforce Password History: 20 days
Maximum Password Age: 30 days
Minimum Password Age: 0 days
Minimum Password Length: 7 characters
Passwords must meet complexity requirements: Enabled
Check the central logger audit.log file on the Core system for the following error message:
Unable to update password on DS due to password policy during on-demand synchronization:
WARNING 125 CNN100 hostname "DS Plugin (SUBC100): unable to update password of entry ’cn=John Doe,ou=people,o=sun’, reason: possible conflict with local password policy"
Note - For more information about password policies for Windows 2003, see http://technet.microsoft.com/en-us/library/cc782657(WS.10).aspx
For more information about password policies for Sun Java System Directory Server , see Chapter 7, Directory Server Password Policy, in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
|