A.1 Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults

You can synchronize the NDS password between two Identity Vaults by using the eDirectory driver. This scenario does not require Universal Password to be implemented, and can be used with eDirectory 8.6.2 or later. Another name for this kind of password synchronization is synchronizing the public/private key pair.

Figure A-1 Using NDS Password to Synchronize between Two Identity Vaults (diagram: Scenario 1)

This method should be used only to synchronize passwords from Identity Vault to Identity Vault. It does not use NMAS™ and therefore cannot be used to synchronize passwords to connected applications.

A.1.1 Advantages and Disadvantages of Scenario 1

Table A-1 eDirectory to eDirectory Password Synchronization Using NDS Password

Advantages

  • Simple configuration. Just include the correct attributes in the driver filter.

  • If you are deploying Identity Manager and eDirectory 8.7.3 in stages, this method can help you deploy gradually:

    • You don't need to add the new password synchronization policies to driver configurations.

    • Does not require Universal Password to be implemented in the Identity Vault.

    • Can be used with connected vaults running eDirectory 8.6.2 or later.

    • Does not require NMAS.

  • Enforces the basic password restrictions you can set for the NDS password.

Disadvantages

  • This method synchronizes passwords between Identity Vaults. Passwords cannot be synchronized to other connected systems.

  • Does not update the Universal and Distribution passwords.

  • Because this method does not use NMAS, you can't validate passwords against Advanced Password Rules in password policies for passwords coming from another Identity Vault.

  • Because this method does not use NMAS, you can't reset passwords on the connected Identity Vault if the passwords don't comply with the NMAS password policy.

  • E-mail notifications are not provided for password synchronization failures.

  • Check Password Status operations from the iManager task are not supported. (The Distribution password is required for this feature.)

A.1.2 Setting Up Scenario 1

To set up this kind of password synchronization, configure the driver.

Universal Password Deployment

Not necessary.

Password Policy Configuration

None.

Password Synchronization Settings

None. The settings on the Password Synchronization page for a driver have no effect on this method of synchronizing the NDS password.

Driver Configuration

Make the following changes in the eDirectory driver’s filter. This must be done for both eDirectory drivers involved in the synchronization.

  • Remove the nspmDistributionPassword attribute from the User class in the filter.

  • Add the Public Key and Private Key attributes for all object classes (typically, the User class) for which passwords should be synchronized. The following figure shows an example.

Figure A-2 Synchronizing the Private and Public Key Attributes (screenshot: Private Key and Public Key set to Synchronize in the filter)
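Because the filter change has to be made identically on both eDirectory drivers, it is worth checking each driver's exported filter rather than relying on the iManager screenshot. The script below is an added example, not part of the NetIQ documentation or the driver itself. It assumes the DirXML filter XML layout (a filter element containing filter-class elements with a class-name attribute, each holding filter-attr elements with attr-name, publisher and subscriber attributes); the sample filter embedded in it is constructed for illustration.

```python
"""Check, and optionally fix, an eDirectory driver filter for NDS password
synchronization between two Identity Vaults (Scenario 1).

Added example; assumes the DirXML filter XML layout described in the lead-in.
Run check_filter() against the exported filter of BOTH drivers.
"""
import xml.etree.ElementTree as ET

# Constructed sample filter: the User class still carries the Distribution
# password and lacks the key-pair attributes, so it is not yet compliant.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="notify" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>
"""

KEY_ATTRS = ("Public Key", "Private Key")
DIST_PWD = "nspmDistributionPassword"


def _class_element(root, cls):
    """Return the filter-class element for cls, or None if the class is not filtered."""
    return root.find(f"./filter-class[@class-name='{cls}']")


def check_filter(filter_xml, classes=("User",)):
    """Return a list of problems for the given classes; an empty list means compliant.

    Compliant means: nspmDistributionPassword removed, and both Public Key and
    Private Key present with publisher and subscriber set to sync.
    """
    root = ET.fromstring(filter_xml)
    problems = []
    for cls in classes:
        fc = _class_element(root, cls)
        if fc is None:
            problems.append(f"{cls}: class not present in filter")
            continue
        attrs = {fa.get("attr-name"): fa for fa in fc.findall("filter-attr")}
        if DIST_PWD in attrs:
            problems.append(f"{cls}: {DIST_PWD} still present")
        for name in KEY_ATTRS:
            fa = attrs.get(name)
            if fa is None:
                problems.append(f"{cls}: {name} missing")
            elif fa.get("publisher") != "sync" or fa.get("subscriber") != "sync":
                problems.append(f"{cls}: {name} not set to sync on both channels")
    return problems


def fix_filter(filter_xml, classes=("User",)):
    """Apply the two documented filter changes and return the updated XML text."""
    root = ET.fromstring(filter_xml)
    for cls in classes:
        fc = _class_element(root, cls)
        if fc is None:
            continue
        # Change 1: remove the Distribution password attribute.
        for fa in list(fc.findall("filter-attr")):
            if fa.get("attr-name") == DIST_PWD:
                fc.remove(fa)
        # Change 2: make sure Public Key and Private Key synchronize both ways.
        existing = {fa.get("attr-name"): fa for fa in fc.findall("filter-attr")}
        for name in KEY_ATTRS:
            fa = existing.get(name)
            if fa is None:
                fa = ET.SubElement(fc, "filter-attr", {"attr-name": name})
            fa.set("publisher", "sync")
            fa.set("subscriber", "sync")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for problem in check_filter(SAMPLE_FILTER):
        print("before:", problem)
    fixed = fix_filter(SAMPLE_FILTER)
    print("after fix, problems:", check_filter(fixed))
```

Export the filter from each driver and feed it to check_filter(); if either side reports a problem the key pair will not synchronize in that direction, which matches the symptom of passwords changing in one vault but not the other.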

A.1.3 Troubleshooting Scenario 1