6.0 Checking the Password Synchronization Status for a User

You can determine whether the Distribution password for a specific user is the same as the password in the connected system.

  1. In iManager, open the Identity Manager Administration page.

  2. In the Passwords list, click Check Password Status.

  3. Browse to and select a user.

The Check Password Status task causes the driver to perform a Check Object Password action.

Not all drivers support password check. Those that do must contain a password-check capability in the driver's manifest. iManager does not allow password check operations to be sent to drivers that do not contain this capability in the manifest.

The Check Object Password action checks the Distribution password. If the Distribution password is not being updated, Check Object Password might report that passwords are not synchronized.

The Distribution password is not updated if either of the following occurs:

NOTE: Keep in mind that for the Identity Vault, the Check Password Status action checks the NDS password instead of the Universal Password. Therefore, if the user's password policy does not specify that the NDS password is synchronized with the Universal Password, the passwords are always reported as not synchronized. The Distribution password and the password on the connected system might in fact be in sync, but Check Password Status is not accurate unless both the NDS password and the Distribution password are synchronized with the Universal Password.

Granting Check Password Status for Non-administrator Users

For the "Check Password Status" task, a non-administrator user needs the following rights to perform Identity Manager related tasks:

  • Browse rights with inheritance, to the Entry Rights of the Driver Set object to the non-administrator user

  • Read and Write access, with inheritance, to the DirXML-AccessCheckObjectPassword attribute of the Driver Set object to the non-administrator user

  • Read, Compare and Write access, with inheritance, to the DirXML-ConfigManifest attribute of the Driver Set object to the non-administrator user

  • Read, Compare and Write access, with inheritance, to the DirXML-ConfigValues attribute of the Driver Set object to the non-administrator user

  • Read and Compare access, with inheritance, to the DirXML-ServerList attribute of the Driver Set object to the non-administrator user

  • Read rights, with inheritance, to the DirXML-Policies of the Driver Set object to the non-administrator user

  • Browse rights to the DirXML associations of the User container to the non-administrator user

  • Allow the non-administrator user to retrieve passwords by adding the user to the password policy. To do so, browse to iManager -> Passwords (role) -> Password Policies -> Sample Password policy -> Universal Password tab -> Configuration Options. Select the "Allow the following to retrieve passwords" check box and add this non-administrator user under the rule.

Understanding DirXML-PasswordSyncStatus Attribute

When a password synchronization operation is triggered on a user, the user's DirXML-PasswordSyncStatus attribute gets updated with the status of the <modify-password> operation. The value looks like:

39DB7DED8436EE4DF38039DB7DED843620140325141422721000000000001Code(-8032) Operation vetoed by policy

  • The first 32 bytes represent the GUID of the driver the user is associated with.

  • The next 17 bytes represent the password sync time in yyyyMMddHHmmssSSS format.

  • The next 8 bytes are 00000000.

  • The next 4 bytes indicate any one of the following status codes:

    • 0000: ERROR

    • 0001: WARNING

    • 0002: RETRY

    • 0003: FATAL

    • 0004: SUCCESS

  • The next string is the status message, if any.
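A parser for this attribute layout, added here as an example and not taken from NetIQ documentation or product code. It applies the field widths listed above to the sample value, decodes the status code, and rejects values that do not follow the layout, which is what a monitoring script reading DirXML-PasswordSyncStatus from the directory would need:

```python
from dataclasses import dataclass
from datetime import datetime

# Status codes documented for the 4-character status field.
STATUS_CODES = {
    "0000": "ERROR",
    "0001": "WARNING",
    "0002": "RETRY",
    "0003": "FATAL",
    "0004": "SUCCESS",
}

# Fixed-width fields: 32-char driver GUID, 17-char timestamp,
# 8-char reserved zeros, 4-char status code; the rest is the message.
GUID_LEN, TIME_LEN, RESERVED_LEN, STATUS_LEN = 32, 17, 8, 4
HEADER_LEN = GUID_LEN + TIME_LEN + RESERVED_LEN + STATUS_LEN

# Sample value as shown in the documentation above.
SAMPLE_VALUE = ("39DB7DED8436EE4DF38039DB7DED8436"
                "20140325141422721000000000001"
                "Code(-8032) Operation vetoed by policy")


@dataclass(frozen=True)
class PasswordSyncStatus:
    driver_guid: str
    sync_time: datetime
    status_code: str
    status: str
    message: str


def parse_password_sync_status(value: str) -> PasswordSyncStatus:
    """Split a DirXML-PasswordSyncStatus value into its documented fields."""
    if len(value) < HEADER_LEN:
        raise ValueError(f"value has {len(value)} chars, need at least {HEADER_LEN}")
    guid = value[:GUID_LEN]
    stamp = value[GUID_LEN:GUID_LEN + TIME_LEN]
    reserved = value[GUID_LEN + TIME_LEN:HEADER_LEN - STATUS_LEN]
    code = value[HEADER_LEN - STATUS_LEN:HEADER_LEN]
    message = value[HEADER_LEN:]
    if not all(c in "0123456789ABCDEFabcdef" for c in guid):
        raise ValueError(f"driver GUID is not hexadecimal: {guid!r}")
    if not stamp.isdigit():
        raise ValueError(f"timestamp is not numeric: {stamp!r}")
    if reserved != "0" * RESERVED_LEN:
        raise ValueError(f"reserved field is not all zeros: {reserved!r}")
    if code not in STATUS_CODES:
        raise ValueError(f"unknown status code: {code!r}")
    # yyyyMMddHHmmss followed by three millisecond digits.
    sync_time = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
    sync_time = sync_time.replace(microsecond=int(stamp[14:]) * 1000)
    return PasswordSyncStatus(guid, sync_time, code, STATUS_CODES[code], message)
```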