2.2 Installing the Identity Manager Plug-Ins for Password Synchronization with Sun Java System Directory

The LDAP driver supports password synchronization on the Subscriber channel, meaning that you can send passwords from the Identity Vault to any connected LDAP directory.

Password synchronization on the Publisher channel (LDAP directory to Identity Vault) is supported only with Sun Java System Directory Server Enterprise Edition version 6.3.x. It requires you to install an Identity Manager plug-in to the Sun Java System Directory.

The following sections provide information to help you use the plug-in:

2.2.1 How the Plug-In Works

The plug-in is a post-operation plug-in. Sun Java System Directory notifies the plug-in whenever a password is set or changed. The plug-in then encrypts the password by using the Advanced Encryption Standard (AES) and stores the encrypted password on the novellDistPassword attribute. The LDAP driver can then synchronize the encrypted password to NetIQ Identity Manager. The LDAP driver decrypts the password and uses it to set the Identity Manager distribution password.

IMPORTANT: Only passwords that are set or modified after the plug-in is installed can be synchronized.

2.2.2 Where to Find the Plug-In

The plug-in is located in the Identity Manager ISO image for the Windows and Linux platforms.

Table 2-1 Plug-In Location

ISO                               Location                                                           Filename
Identity_Manager_4.7_Windows.iso  products\IDM\windows\setup\utilities\sun_password_plugins\win32\   novl-idm-pswd.dll
Identity_Manager_4.7_Linux.iso    /mnt/IDM/utilities/sun_password_plugins/linux/                     novl-idm-pswd.so

2.2.3 Installing the Plug-In

  1. Locate the correct plug-in file. See Where to Find the Plug-In for information.

  2. Copy the binary plug-in file to the lib directory in your Sun Java System Directory installation location.

    For example, on Windows the default installation location for Sun Java System Directory is C:\Program Files\Sun\MPS, and that directory contains a lib directory. Place novl-idm-pswd.dll in that lib directory.

    On other platforms, the default installation location is often /var/Sun/mps. Locate the Sun Java System Directory installation directory on your system and put the plug-in file in its lib directory.

    On Solaris SPARC computers, the Sun Java System Directory installation includes two versions of most libraries: a 32-bit version and a 64-bit version. By default, the 32-bit version is found at /var/Sun/mps/lib. The 64-bit version is found at /var/Sun/mps/lib/64.

    Both a 32-bit and a 64-bit version of the plug-in are provided. Copy both versions to their respective locations on your Solaris installation. At runtime, the Sun Java System Directory determines which version is the appropriate version to load.

  3. Locate and edit the novl-idm-pswd.ldif or novl-idm-pswd-win32.ldif file. The file is located in the sun_password_plugins directory on your DVD image.

    The .ldif file contains plug-in configuration information that you apply to the directory. It also contains two schema definitions:

    • One definition is for the novellDistPassword attribute that stores the encrypted password.

    • The other definition is for the novellDistPasswordUser auxiliary class that is applied to your users to allow the use of the novellDistPassword attribute.

    As a convenience, the .ldif file also contains an instruction to turn on the Retro Changelog Plugin, which most customers want turned on to enable Publisher channel operations with the Identity Manager LDAP driver. If you know that the changelog is already enabled, or if you don't want to enable the changelog, you can remove the Retro Changelog Plugin section from the .ldif file.

    Most users need to edit only two items in the .ldif file:

    • The nsslapd-pluginPath attribute

    • The nsslapd-pluginarg0 attribute

    Ensure that the value of nsslapd-pluginPath is the path where you installed the plug-in. For example, if you installed the plug-in in the /var/Sun/mps/lib directory, the value should be /var/Sun/mps/lib/novl-idm-pswd.so. Set the value of nsslapd-pluginarg0 to a password that will be used to generate an AES key used to encrypt user passwords. When you create the LDAP driver, you will configure the driver with this same encryption password.

    Solaris users should set the value of nsslapd-pluginPath to the path of the 32-bit version of the plug-in, even if the operating system is 64-bit. (See Step 2.) At runtime, the directory determines whether to load the 32-bit or the 64-bit version of the plug-in.

  4. Apply the novl-idm-pswd.ldif or novl-idm-pswd-win32.ldif file to the Sun directory.

    To complete this step, you need to know the configuration administrator's DN and password. Typically, the DN will be "uid=admin,ou=Administrators, ou=TopologyManagement,o=NetscapeRoot". However, the password will vary. You also need to know the LDAP port used by your Sun directory.

    The ldapmodify command line utility that was installed with your Sun Java System Directories can be used to apply the .ldif file. Use a command similar to the following:

    ldapmodify -h localhost -p 389 -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w password -f novl-idm-pswd.ldif

  5. Restart Sun Java System Directory so that your changes take effect and the plug-in starts.

    For troubleshooting, note any errors that might appear on the console.
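Steps 3 and 4 above hinge on two edits to the .ldif file, and a wrong nsslapd-pluginPath or a placeholder nsslapd-pluginarg0 only shows up as a plug-in load error after the restart in step 5. The following pre-flight check is an added example, not code from the NetIQ documentation or from the plug-in. It parses an LDIF file, finds the entry that carries nsslapd-pluginPath, and reports the problems the install steps warn about (wrong library extension for the platform, file not present, a Solaris path pointing at lib/64 instead of the 32-bit library, an unset or placeholder encryption password, and a missing Retro Changelog Plugin section). The embedded LDIF is constructed for this example: the plug-in entry DN, the objectClass values and the Retro Changelog Plugin DN are assumptions for illustration, not the contents of the real novl-idm-pswd.ldif.

```python
"""Pre-flight checks for an edited novl-idm-pswd .ldif file (added example)."""
import base64
import os
import re

# Constructed sample LDIF. The entry DNs, objectClass values and
# nsslapd-pluginEnabled lines are assumptions for illustration; only
# nsslapd-pluginPath and nsslapd-pluginarg0 come from the install steps.
SAMPLE_LDIF = """\
dn: cn=Novell Distribution Password Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsSlapdPlugin
cn: Novell Distribution Password Plugin
nsslapd-pluginPath: /var/Sun/mps/lib/novl-idm-pswd.so
nsslapd-pluginarg0: change-me
nsslapd-pluginEnabled: on

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
"""

# Values that mean "nobody set the encryption password yet".
PLACEHOLDER_SECRETS = {"", "password", "change-me", "changeme", "secret"}


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) records from LDIF text.

    Handles folded continuation lines (leading space) and base64 values
    ('attr:: ...'). Attribute names are lower-cased because LDAP attribute
    names are case-insensitive.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if not raw or raw.startswith("#"):
                continue                      # skip blanks and comments
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            if line.lower().startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def check_plugin_config(ldif_text, platform=os.name, path_exists=os.path.exists):
    """Return a list of findings; an empty list means the file looks ready.

    `platform` is 'nt' for Windows, anything else is treated as UNIX-like.
    `path_exists` is injectable so the check can be exercised offline.
    The secret in nsslapd-pluginarg0 is never echoed in a finding.
    """
    findings = []
    records = parse_ldif(ldif_text)
    plugin_entries = [(dn, a) for dn, a in records if "nsslapd-pluginpath" in a]
    if not plugin_entries:
        return ["no entry carries nsslapd-pluginPath; is this the right .ldif file?"]
    expected_ext = ".dll" if platform == "nt" else ".so"
    for dn, attrs in plugin_entries:
        path = attrs["nsslapd-pluginpath"][0]
        if not path.lower().endswith(expected_ext):
            findings.append(f"{dn}: nsslapd-pluginPath {path!r} does not end in {expected_ext}")
        if not path_exists(path):
            findings.append(f"{dn}: nsslapd-pluginPath {path!r} does not exist on this host")
        if platform != "nt" and "/lib/64/" in path:
            findings.append(f"{dn}: nsslapd-pluginPath must name the 32-bit library; "
                            "the directory loads the lib/64 copy on its own")
        secret = attrs.get("nsslapd-pluginarg0", [""])[0]
        if secret.lower() in PLACEHOLDER_SECRETS:
            findings.append(f"{dn}: nsslapd-pluginarg0 is unset or a placeholder; set the "
                            "encryption password you will also give the LDAP driver")
    # Retro Changelog DN is an assumption; adjust if your file names it differently.
    if not any("retro changelog" in dn.lower() for dn, _ in records):
        findings.append("note: no Retro Changelog Plugin section found "
                        "(fine only if the changelog is already enabled)")
    return findings


if __name__ == "__main__":
    # Run against the real file: check_plugin_config(open(path).read())
    for finding in check_plugin_config(SAMPLE_LDIF) or ["ready to apply with ldapmodify"]:
        print(finding)
```

The check never prints the nsslapd-pluginarg0 value: that password seeds the AES key protecting every synchronized password, so the edited .ldif file deserves the same handling as the password itself, and the ldapmodify step should be run from a host where the file is readable only by the directory administrator.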