A.3 Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password

In this scenario, Identity Manager directly updates the Distribution password, and allows NMAS to determine how the other Identity Vault passwords are synchronized.

Figure A-6 Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password


The figure in this scenario illustrates the following flow:

  1. Passwords come in through Identity Manager.

  2. Identity Manager goes through NMAS to directly update the Distribution password.

  3. Identity Manager also uses the Distribution password to distribute passwords to the connected systems that you have specified should accept passwords.

  4. NMAS synchronizes the Universal password with the Distribution password, and with other passwords according to the password policy settings.

Although multiple connected systems are shown as connecting to Identity Manager in Figure A-6, keep in mind that you individually create the settings for each connected system driver.

The following sections provide information and instructions for this scenario.

A.3.1 Advantages and Disadvantages of Scenario 3

Table A-3 Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password

Advantages

  • Allows synchronization of passwords between the Identity Vault and connected systems.

  • Lets you choose whether or not to enforce password policies for passwords coming from connected systems.

  • You can specify that notification be sent if password synchronization fails.

  • If you are enforcing password policies, you can choose to reset a password on the connected system to the Distribution password if the password doesn't comply.

Disadvantages

  • None are listed for this scenario.

A.3.2 Setting Up Scenario 3

Use the information in the following sections to help complete the tasks in the Password Management Checklist.

Password Policy Configuration

  1. In iManager, select Passwords > Password Policies.

  2. Make sure a password policy is assigned to the parts of the Identity Vault tree that you want to have this kind of password synchronization. You can assign it to the entire tree structure, a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.

  3. In the password policy, make sure the following are selected:

    • Enable Universal Password

    • Synchronize NDS Password when setting Universal Password

    • Synchronize Distribution Password when setting Universal Password

      Because Identity Manager retrieves the Distribution password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.

  4. If you are using Advanced Password Rules, make sure that they don't conflict with the password policies on any connected systems that are subscribing to passwords.

Password Synchronization Settings

  1. In iManager, select Passwords > Password Synchronization.

  2. Search for drivers for the connected systems, then select a driver.

  3. Create settings for the driver for the connected system.

    Make sure that the following are selected:

    • Identity Manager accepts passwords (Publisher Channel)

    • Use Distribution Password for password synchronization

      A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.

    • Application accepts passwords (Subscriber Channel)

    These settings allow for bidirectional password synchronization if it is supported by the connected system.

    You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only Application accepts passwords (Subscriber Channel).

  4. Specify whether you want NMAS password policies to be enforced or ignored, using the options under Use Distribution Password for password synchronization.

  5. (Conditional) If you have specified that you want password policies to be enforced, also specify whether you want Identity Manager to reset the connected system password if it does not comply.

  6. (Optional) Select the following if desired:

    • Notify the user of password synchronization failure via e-mail

      Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory user object to be populated.

      E-mail notifications are noninvasive. They do not affect the processing of the XML document that triggered the email. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.

Driver Configuration

  1. Set the filter correctly for the nspmDistributionPassword attribute:

    • For the Publisher channel, set the driver filter to Ignore for the nspmDistributionPassword attribute for all object classes.

    • For the Subscriber channel, set the driver filter to Notify for the nspmDistributionPassword attribute for all object classes that should subscribe to password changes.

  2. For all objects that have Notify set for the nspmDistributionPassword attribute, set both the Public Key and Private Key attributes in the driver filter to Ignore.

  3. To ensure password security, make sure that you control who has rights to Identity Manager objects.
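The filter rules in steps 1 and 2 are easy to get wrong when a driver has many object classes, so here is an added check (not part of this guide or of Identity Manager) that reads a driver filter and reports every class that deviates from the Scenario 3 settings. It assumes the filter XML has the usual DirXML shape of `<filter>` containing `<filter-class class-name="…">` elements with `<filter-attr attr-name="…" publisher="…" subscriber="…"/>` children; both filter documents below are constructed samples, not exports from a real driver. A missing Public Key or Private Key entry is reported as a finding so that the administrator sets it to Ignore explicitly, as step 2 requires.

```python
"""Check a DirXML driver filter against the Scenario 3 password settings."""
import xml.etree.ElementTree as ET

DIST_PW = "nspmDistributionPassword"
KEY_ATTRS = ("Public Key", "Private Key")

# Constructed sample of a filter that follows steps 1 and 2 (assumed XML shape).
GOOD_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="ignore" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="ignore" subscriber="ignore"/>
    <filter-attr attr-name="Private Key" publisher="ignore" subscriber="ignore"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

# Constructed sample with two mistakes: the Distribution password is published
# (publisher="sync") and Private Key is not in the filter at all.
BAD_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="nspmDistributionPassword" publisher="sync" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="ignore" subscriber="ignore"/>
  </filter-class>
</filter>"""


def check_password_filter(filter_xml):
    """Return a list of findings; an empty list means the filter matches Scenario 3.

    Rules applied per object class that lists nspmDistributionPassword:
      * Publisher channel must be 'ignore' (step 1).
      * Subscriber channel must be 'notify' for classes that subscribe (step 1);
        'ignore' means the class does not subscribe and is skipped.
      * For subscribing classes, Public Key and Private Key must be 'ignore'
        on both channels (step 2).
    """
    root = ET.fromstring(filter_xml)
    findings = []
    for fc in root.iter("filter-class"):
        cls = fc.get("class-name")
        attrs = {fa.get("attr-name"): fa for fa in fc.findall("filter-attr")}
        pw = attrs.get(DIST_PW)
        if pw is None:
            continue  # attribute not in the filter for this class: nothing flows
        if pw.get("publisher") != "ignore":
            findings.append(f"{cls}: {DIST_PW} publisher must be 'ignore', "
                            f"found '{pw.get('publisher')}'")
        sub = pw.get("subscriber")
        if sub == "ignore":
            continue  # this class does not subscribe to password changes
        if sub != "notify":
            findings.append(f"{cls}: {DIST_PW} subscriber must be 'notify', found '{sub}'")
        for name in KEY_ATTRS:
            fa = attrs.get(name)
            if fa is None:
                findings.append(f"{cls}: {name} is missing from the filter; add it "
                                f"with publisher='ignore' subscriber='ignore'")
            elif fa.get("publisher") != "ignore" or fa.get("subscriber") != "ignore":
                findings.append(f"{cls}: {name} must be 'ignore' on both channels")
    return findings


if __name__ == "__main__":
    for label, doc in (("good filter", GOOD_FILTER), ("bad filter", BAD_FILTER)):
        print(label, "->", check_password_filter(doc) or "OK")
```

Run it against the driver's filter XML before enabling the driver; every finding maps to one of the two steps above.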

A.3.3 Troubleshooting Scenario 3

Also see the tips in Section 7.0, Troubleshooting Password Synchronization.

Flowchart for Scenario 3

Figure A-7 illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to the Distribution password in this scenario, and NMAS decides the following:

  • How to handle the password based on whether you have specified that incoming passwords should be validated against password policy rules (if Universal Password and Advanced Password Rules are enabled).

  • What the other settings are in the password policy for synchronizing the Universal password with the other passwords.

Figure A-7 Password from Identity Manager is Synchronized to the Distribution Password


Trouble Logging In to eDirectory

  • Turn on the +AUTH, +DXML, and +DVRS settings in DSTrace.

    Figure A-8 DSTrace commands

  • Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.

  • Verify that the password is valid according to the rules of the NMAS password policy.

  • Check the NMAS password policy configuration and assignment. Try assigning the policy directly to the user to make sure the correct policy is being used.

  • On the Password Synchronization page for the driver, make sure that Identity Manager accepts passwords (Publisher Channel) is selected.

  • In the NMAS password policy, make sure that Synchronize Distribution Password when setting Universal Password is selected.

  • In the NMAS password policy, make sure that Synchronize NDS Password when setting Universal Password is selected, if this is desired.

  • If users are logging in through the Novell Client or ConsoleOne, check the version. Legacy Novell Clients and ConsoleOne might not be able to log in to the Identity Vault if the Universal password is not synchronized with the NDS password.

    Versions of the Novell Client and ConsoleOne that are aware of the Universal password are available. See the Novell Modular Authentication Services (NMAS) 3.3.3 Administration Guide.

  • Some legacy utilities authenticate by using the NDS password, and also cannot log in to the Identity Vault if the Universal password is not synchronized with the NDS password. If you don't want to use the NDS password for most users, but you have administrator or help desk users who need to authenticate with legacy utilities, try using a different password policy for help desk users so you can specify different Universal password synchronization options for them.

Trouble Logging In to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing and potential errors.

  • Set the Identity Manager trace level for the driver to 3.

  • Make sure that the Identity Manager accepts passwords (Publisher Channel) option is selected in the Password Synchronization page.

  • In the password policy, make sure that Synchronize Distribution Password when setting Universal Password is selected.

    Identity Manager uses the Distribution password to synchronize passwords to connected systems. The Universal password must be synchronized with the Distribution password for this synchronization method.

  • Check the driver filter for the nspmDistributionPassword attribute.

  • Verify that the <password> element for an Add or a <modify-password> element has been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the options turned on as noted in the first item.

  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section B.0, Driver Configuration Policies.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
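Two of the trace checks above, that `<password>` or `<modify-password>` elements reach Identity Manager (under Trouble Logging In to eDirectory) and that the password policies turn them into nspmDistributionPassword operations (this list), can be scripted instead of read by eye. The following is an added example, not part of this guide or of Identity Manager: it pulls every `<nds>…</nds>` document out of a trace excerpt and classifies how each one carries the password. The trace excerpt is constructed for the example (driver name, event IDs, policy name and log lines are made up; the `<!-- content suppressed -->` placeholders stand in for whatever the trace actually shows in place of the password value) and the code assumes the XDS documents use the `<nds><input>…</input></nds>` shape with `add`, `modify-password`, `add-attr` and `modify-attr` elements as named here.

```python
"""Classify password events in a driver trace excerpt (Scenario 3)."""
import re
import xml.etree.ElementTree as ET

DIST_PW = "nspmDistributionPassword"
XDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)

# Constructed trace excerpt: a Publisher-channel password change as the driver
# shim emits it, then the same event after the password policies have run.
SAMPLE_TRACE = r"""DirXML Log Event -------------------
     Driver:   \\IDV\system\DriverSet\Example Driver
     Channel:  Publisher
     Status:   Success
     Message:  Publisher processing Modify password event
<nds dtdversion="3.5">
  <input>
    <modify-password class-name="User" event-id="pub-2" src-dn="\Users\jdoe">
      <association>jdoe</association>
      <password><!-- content suppressed --></password>
    </modify-password>
  </input>
</nds>
Applying policy: Password(Pub)-Pub Distribution Password.
<nds dtdversion="3.5">
  <input>
    <modify class-name="User" event-id="pub-2" src-dn="\Users\jdoe">
      <association>jdoe</association>
      <modify-attr attr-name="nspmDistributionPassword">
        <remove-all-values/>
        <add-value><value type="string"><!-- content suppressed --></value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
"""


def extract_xds_documents(trace_text):
    """Return every <nds>...</nds> document found in the trace text, in order."""
    return XDS_DOC.findall(trace_text)


def classify_password_document(xds_xml):
    """Describe how one XDS document carries a password.

    raw  - number of <password> elements inside <add> or <modify-password>
           (the form the shim sends before the policies run)
    dist - number of <add-attr>/<modify-attr> operations on nspmDistributionPassword
           (the form Scenario 3 needs so the Distribution password is updated)
    """
    root = ET.fromstring(xds_xml)
    event_id = None
    raw = dist = 0
    for el in root.iter():
        if event_id is None and el.get("event-id"):
            event_id = el.get("event-id")
        if el.tag in ("add", "modify-password"):
            raw += len(el.findall("password"))
        elif el.tag in ("add-attr", "modify-attr") and el.get("attr-name") == DIST_PW:
            dist += 1
    return {"event_id": event_id, "raw": raw, "dist": dist}


def password_was_converted(trace_text):
    """True when the trace shows both the incoming password event and a document
    that carries it as nspmDistributionPassword operations."""
    docs = [classify_password_document(d) for d in extract_xds_documents(trace_text)]
    return any(d["raw"] for d in docs) and any(d["dist"] for d in docs)


if __name__ == "__main__":
    for doc in extract_xds_documents(SAMPLE_TRACE):
        print(classify_password_document(doc))
    print("converted:", password_was_converted(SAMPLE_TRACE))
```

If the first document never appears, the driver is not sending the password at all (check the Publisher channel setting and the shim); if it appears but no later document carries nspmDistributionPassword, the password policies are missing or out of order. Trace files at level 3 contain account details and may contain password material, so restrict who can read them.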

E-Mail Not Generated on Password Failure

  • Turn on the +DXML setting in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Verify that the rule to generate e-mail is selected.

  • Verify that the Identity Vault object contains the correct value in the Internet EMail Address attribute.

  • In the Notification Configuration task, make sure the SMTP server and the e-mail template are configured. See Section 5.0, Configuring E-Mail Notification.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.

Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to perform a check object password action.

  • Make sure the connected system supports checking passwords. See Section 3.0, Connected System Support for Password Synchronization.

    If the driver manifest does not indicate that the connected system supports password-check capability, this operation is not available through iManager.

  • If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter, and the Synchronize Distribution Password when setting Universal Password option within the password policy.

  • If the Check Object Password returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager Password Synchronization policies.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

  • Check Object Password checks the Distribution password. If the Distribution password is not being updated, Check Object Password might not report that passwords are synchronized.

  • Keep in mind that for the Identity Vault, Check Password Status checks the NDS password instead of the Universal password. This means that if the user's password policy does not specify to synchronize the NDS password with the Universal password, the passwords are always reported as being not synchronized. In fact, the Distribution password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS password and the Distribution password are synchronized with the Universal password.

Helpful DSTrace Commands

+DXML: To view Identity Manager rule processing and potential error messages.

+DVRS: To view Identity Manager driver messages.

+AUTH: To view NDS password modifications.