Identity Manager requires Universal Password for both password synchronization and password self-service. Universal Password synchronizes the various passwords (Universal, NDS, Simple, and Distribution) stored in the Identity Vault and provides password policies that define the rules for creating and replacing passwords in the Identity Vault.
Universal Password is explained in detail in the Novell Password Management 3.3 Administration Guide.
To control password synchronization between the Identity Vault and connected systems, Identity Manager uses the Distribution password. When a password is received from a connected system, it is stored as the Distribution password. When a password is sent to a connected system, the Distribution password is sent.
You can choose whether or not to synchronize the Distribution and Universal passwords. If you synchronize them, your Identity Vault passwords and connected system passwords will be the same. If you don’t synchronize them, your Identity Vault passwords will differ from your connected system passwords; in essence, you are “tunneling” passwords among connected systems without affecting the passwords (Universal, NDS, or Simple) in your Identity Vault.