A.2 Scenario 2: Using Universal Password to Synchronize Passwords

With Identity Manager, you can synchronize a connected system password with the Universal password in the Identity Vault.

When the Universal password is updated, the NDS password, Distribution password, or Simple Password can also be updated, depending on your settings in the NMAS password policy.

Figure A-3 Using Universal Password to Synchronize Passwords

Scenario 2
  1. Passwords come in through Identity Manager.

  2. Identity Manager goes through NMAS to directly update the Universal password.

  3. NMAS synchronizes the Universal password with the Distribution password and other passwords according to the NMAS password policy settings.

  4. Identity Manager retrieves the Distribution password to distribute to connected systems that are set to accept passwords.

Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.

The following sections provide information and instructions for this scenario:

A.2.1 Advantages and Disadvantages of Scenario 2

Table A-2 Synchronizing by Using Universal Password

Advantages:

  • Allows synchronization of passwords to and from the Identity Vault and the connected system.

  • Allows passwords to be validated against the NMAS password policy.

  • Allows e-mail notifications for failed password operations, such as when a password coming from a connected system does not comply with the password policy.

  • Supports the Check Password Status task in iManager, if the Universal password is being synchronized with the Distribution password and if the connected system supports checking passwords.

Disadvantages:

  • NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If a password coming from a connected system does not comply, an error is generated, and an e-mail notification is sent if you have specified that option.

    If you don't want password policy rules enforced, you can deselect Enable Advanced Password Rules in the NMAS password policy.

  • By design, resetting passwords in the connected system is not supported with this method because the Distribution password and Universal passwords might not be the same, depending on your settings in the password policies.

A.2.2 Setting Up Scenario 2

Use the information in the following sections to help complete the tasks in the Password Management Checklist.

Password Policy Configuration

Make sure that an NMAS password policy is assigned to the parts of the Identity Vault that you want to have this kind of password synchronization.

  1. In iManager, select Passwords > Password Policies.

  2. Select a policy, then click Edit.

  3. Browse to and select the object where you want password synchronization to occur.

    You can assign the policy to the entire tree structure (by browsing to and selecting the Login Policy object in the Security container), a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.

  4. In the password policy, make sure that the following are selected:

    Password Policy settings for Scenario 2
    • Enable Universal Password

    • Synchronize NDS Password when setting Universal Password

    • Synchronize Distribution Password when setting Universal Password

      Because Identity Manager retrieves the Distribution password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.

  5. Complete your password policy as desired.

    NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If you don't want password policy rules enforced, deselect Enable the Advanced Password Rules.

    If you are using Advanced Password Rules, make sure they don't conflict with the password policies on any connected systems that are subscribing to passwords.

Password Synchronization Settings

  1. In iManager, select Passwords > Password Synchronization.

  2. Search for drivers for the connected systems, then select a driver.

  3. Create settings for the driver for the connected system.

    Make sure that the following are selected:

    • Identity Manager accepts passwords (Publisher Channel)

      A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.

    • Application accepts passwords (Subscriber Channel)

      If the connected system does not support accepting passwords, the option is dimmed.

    These settings allow for bidirectional password synchronization if it is supported by the connected system.

    You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only Application accepts passwords (Subscriber Channel).

  4. Make sure that Use Distribution Password for password synchronization is not selected.

    In this scenario, Identity Manager directly updates the Universal password. The Distribution password is still used to distribute passwords to connected systems, but is updated from the Universal password by NMAS instead of by Identity Manager.

  5. (Optional) Select the following if desired:

    • Notify the user of password synchronization failure via e-mail

      Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory User object to be populated.

      E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.

Driver Configuration

  1. Set the driver filter correctly for the nspmDistributionPassword attribute:

    • For the Publisher channel, set the driver filter to Ignore for the nspmDistributionPassword attribute for all object classes.

    • For the Subscriber channel, set the driver filter to Notify for the nspmDistributionPassword attribute for all object classes that should subscribe to password changes.

    Filter settings for nspmDistributionPassword
  2. For all objects that have Notify set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes to Ignore.

    Private Key and Public Key set to Ignore in the filter
  3. To ensure password security, make sure that you control who has rights to Identity Manager objects.
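The following script checks a driver filter against steps 1 and 2 above (Publisher Ignore and Subscriber Notify for nspmDistributionPassword, Public Key and Private Key set to Ignore wherever the password is Notify). It is an added example, not Novell code; the <filter>/<filter-class>/<filter-attr> layout and the lowercase ignore/notify/sync values are an assumption about the DirXML filter format, and the sample filter is constructed.

```python
"""Validate a driver filter for the nspmDistributionPassword rules in the
Driver Configuration steps. Added example, not Novell code; the XML layout
and the lowercase 'ignore'/'notify'/'sync' values are an assumption about
the DirXML filter format, not taken from this page."""
import xml.etree.ElementTree as ET

PASSWORD_ATTR = "nspmDistributionPassword"
KEY_ATTRS = ("Public Key", "Private Key")

# Constructed sample: User is configured as the steps require; Group publishes
# the Distribution password, syncs Public Key and has no Private Key entry.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="ignore" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="ignore" subscriber="ignore"/>
    <filter-attr attr-name="Private Key" publisher="ignore" subscriber="ignore"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="nspmDistributionPassword" publisher="sync" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""


def check_filter(filter_xml):
    """Return a list of (class-name, problem) tuples; an empty list means the
    filter follows steps 1 and 2 for every class that carries the attribute."""
    problems = []
    root = ET.fromstring(filter_xml)
    for cls in root.iter("filter-class"):
        name = cls.get("class-name", "?")
        attrs = {a.get("attr-name"): a for a in cls.iter("filter-attr")}
        pw = attrs.get(PASSWORD_ATTR)
        if pw is None:
            continue  # this class does not carry the Distribution password
        publisher = (pw.get("publisher") or "").lower()
        subscriber = (pw.get("subscriber") or "").lower()
        # Step 1, Publisher channel: Ignore, so the password is never read
        # back out of the connected system through this attribute.
        if publisher != "ignore":
            problems.append((name, f"{PASSWORD_ATTR} publisher is {publisher!r}, expected 'ignore'"))
        # Step 1, Subscriber channel: Notify, so the driver is told of changes.
        if subscriber != "notify":
            problems.append((name, f"{PASSWORD_ATTR} subscriber is {subscriber!r}, expected 'notify'"))
            continue
        # Step 2: every class that has Notify on the password must have the
        # Public Key and Private Key attributes explicitly set to Ignore.
        for key in KEY_ATTRS:
            entry = attrs.get(key)
            if entry is None:
                problems.append((name, f"{key} missing from filter; add it with publisher and subscriber set to 'ignore'"))
                continue
            channels = {ch: (entry.get(ch) or "").lower() for ch in ("publisher", "subscriber")}
            if any(v != "ignore" for v in channels.values()):
                problems.append((name, f"{key} is {channels}, expected 'ignore' on both channels"))
    return problems


if __name__ == "__main__":
    for class_name, problem in check_filter(SAMPLE_FILTER) or [("-", "no problems found")]:
        print(f"{class_name}: {problem}")
```

Run against the constructed sample, the User class passes and the Group class reports three problems (password published, Public Key synchronized, Private Key absent). Export the real filter from the driver and pass its XML to check_filter to get the same report for your configuration.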

A.2.3 Troubleshooting Scenario 2

Also see the tips in Section 7.0, Troubleshooting Password Synchronization.

Flowchart for Scenario 2

Figure A-4 illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to the Universal password in this scenario. NMAS decides how to handle the password based on the following:

  • Whether Universal Password is enabled in the NMAS password policy.

  • Whether Advanced Password Rules are enabled that incoming passwords must comply with.

  • What the other settings are in the password policy for synchronizing the Universal password with the other passwords.

Figure A-4 How NMAS Handles the Password It Receives from Identity Manager

Flowchart for Scenario 2

Trouble Logging in to the Identity Vault

  • Turn on the +AUTH, +DXML, and +DVRS settings in DSTrace.

    Figure A-5 DSTrace Commands

  • Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify that they are being passed, watch the trace screen with those options turned on.

  • Verify that the password is valid according to the rules of the password policy.

  • Check the NMAS password policy configuration and assignment. Try assigning the policy directly to a user to make sure the correct policy is being used.

  • On the Password Synchronization page for the driver, make sure that Identity Manager accepts passwords is selected.

  • In the password policy, make sure that Synchronize Distribution Password when setting Universal Password is selected.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting cases where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Make sure the Password Synchronization Identity Manager Accepts Passwords option is selected.

  • Check the driver filter to make sure the nspmDistributionPassword attribute is set correctly, as explained in Step 1.

  • Verify that the <password> for an Add or <modify-password> element is being sent to the connected system. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first items.

  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section B.0, Driver Configuration Policies.

  • Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
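Both troubleshooting lists above ask you to confirm in the trace that a <password> on an Add, or a <modify-password> element, is actually being passed. The script below does that check over a trace excerpt and blanks the password values so the excerpt can be attached to a support case. It is an added example, not Novell code; the sample trace is constructed, and the XDS layout it assumes (a <modify-password> element with a <password> child, an <add> that carries a <password>) is an assumption about the Identity Manager document format, not taken from this page.

```python
"""Scan trace output for password-carrying XDS events. Added example, not
Novell code; the sample trace is constructed and the <modify-password> /
<add> + <password> layout is an assumption about the document format."""
import re

# Constructed trace excerpt: one <modify-password>, one <add> with a
# <password>, and one ordinary <modify> that should not be reported.
SAMPLE_TRACE = r"""DirXML: [Scenario2 ST] Submitting document to subscriber shim
<nds dtdversion="3.5">
  <input>
    <modify-password class-name="User" event-id="pw-1" src-dn="\TREE\data\users\jdoe">
      <password>S3cret!Pass</password>
    </modify-password>
  </input>
</nds>
DirXML: [Scenario2 PT] Receiving DOM document from application.
<nds dtdversion="3.5">
  <input>
    <add class-name="User" event-id="pw-2" src-dn="\TREE\data\users\asmith">
      <add-attr attr-name="CN"><value>asmith</value></add-attr>
      <password>Welcome1</password>
    </add>
  </input>
</nds>
DirXML: [Scenario2 ST] Submitting document to subscriber shim
<nds dtdversion="3.5">
  <input>
    <modify class-name="User" event-id="m-3" src-dn="\TREE\data\users\jdoe">
      <modify-attr attr-name="Telephone Number"><add-value><value>555-0100</value></add-value></modify-attr>
    </modify>
  </input>
</nds>
"""

# Match a whole <modify-password> or <add> element; the lookahead keeps
# <add-attr> and <add-value> from being mistaken for <add>.
EVENT_RE = re.compile(r"<(modify-password|add)(?=[\s>])([^>]*)>(.*?)</\1>", re.DOTALL)
ATTR_RE = re.compile(r'([\w-]+)="([^"]*)"')
PASSWORD_RE = re.compile(r"(<password>)(.*?)(</password>)", re.DOTALL)


def find_password_events(trace_text):
    """Return one dict per password-carrying event, in trace order."""
    events = []
    for match in EVENT_RE.finditer(trace_text):
        op, attr_text, body = match.groups()
        if "<password>" not in body:
            continue  # an <add> without a password is not a password event
        attrs = dict(ATTR_RE.findall(attr_text))
        events.append({
            "op": op,
            "class": attrs.get("class-name"),
            "src_dn": attrs.get("src-dn"),
            "event_id": attrs.get("event-id"),
        })
    return events


def redact_passwords(trace_text):
    """Blank out password values so the excerpt can be shared in a ticket."""
    return PASSWORD_RE.sub(r"\1***\3", trace_text)


if __name__ == "__main__":
    for event in find_password_events(SAMPLE_TRACE):
        print(f"{event['op']:<16} {event['event_id']:<6} {event['src_dn']}")
    print(redact_passwords(SAMPLE_TRACE))
```

If find_password_events returns nothing for a trace captured with +DXML and +DVRS on, the password is not reaching the point you traced, and the filter, policy order and Password Synchronization settings in the lists above are where to look next.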

E-Mail Not Generated on Password Failure

  • Turn on the +DXML setting in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Verify that the rule to generate e-mail is selected.

  • Verify that the Identity Vault object contains the correct user e-mail address in the Internet EMail Address attribute.

  • In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured correctly. See Section 5.0, Configuring E-Mail Notification.

Error When Using Check the Object Password

The Check Password Status task in iManager triggers the driver's Check Object Password action. If you have problems, review the following:

  • If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter for the correct settings for the nspmDistributionPassword attributes. Also, make sure that the password policy has Synchronize Distribution Password when Setting Universal Password selected.

  • If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate Password Synchronization policies.

  • Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

  • Check Object Password operates from the Distribution password. If the Distribution password is not being updated, Check Object Password might not report that passwords are synchronized.

  • Keep in mind that for the Identity Manager driver only, Check Password Status is checking the NDS password instead of the Distribution password.

Helpful DSTrace Commands

+DXML: To view Identity Manager rule processing and potential error messages.

+DVRS: To view Identity Manager driver messages.

+AUTH: To view NDS password modifications.