You can synchronize the NDS password between two Identity Vaults by using the eDirectory driver. This scenario does not require Universal Password to be implemented, and can be used with eDirectory 8.6.x or later. Another name for this kind of password synchronization is synchronizing the public/private key pair.
Figure A-1 Using NDS Password to Synchronize between Two Identity Vaults
This method should be used only to synchronize passwords from Identity Vault to Identity Vault. It does not use NMAS and therefore cannot be used to synchronize passwords to connected applications.
Table A-1 eDirectory to eDirectory Password Synchronization Using NDS Password

| Advantages | Disadvantages |
|---|---|
| Simple configuration: just include the correct attributes in the driver filter. If you are deploying Identity Manager and eDirectory 8.x in stages, this method can help you deploy gradually. Enforces the basic password restrictions you can set for the NDS password. | This method synchronizes passwords only between Identity Vaults; passwords cannot be synchronized to other connected systems. It does not update the Universal and Distribution passwords. Because this method does not use NMAS, passwords coming from another Identity Vault cannot be validated against the Advanced Password Rules in password policies, and passwords on the connected Identity Vault cannot be reset if they do not comply with the NMAS password policy. E-mail notifications are not provided for password synchronization failures. Check Password Status operations from the iManager task are not supported (the Distribution password is required for this feature). |
To set up this kind of password synchronization, configure the driver.
Not necessary.
None.
None. The settings on the Password Synchronization page for a driver have no effect on this method of synchronizing the NDS password.
Make the following changes in the eDirectory driver’s filter. This must be done for both eDirectory drivers involved in the synchronization.

1. Remove the nspmDistributionPassword attribute from the User class in the filter.
2. Add the Public Key and Private Key attributes for all object classes (typically, the User class) for which passwords should be synchronized. The following figure shows an example.
Figure A-2 Synchronizing the Private and Public Key Attributes
Turn on the DSTrace option.
Check the driver Filter to make sure the Public Key and Private Key attributes are being synchronized, not ignored.
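The filter changes above and this check can be verified mechanically. The following Python script is an added example, not part of this guide or of the Identity Manager product; it assumes the driver filter is exported in the DirXML filter XML layout (`filter-class` elements with `class-name`, containing `filter-attr` elements with `attr-name`, `publisher` and `subscriber` values such as `sync` or `ignore`), and the sample filter embedded in it is constructed to show a misconfigured state.

```python
"""Check an eDirectory driver filter for the NDS password (public/private key) method."""
import xml.etree.ElementTree as ET

# Constructed sample filter (assumed DirXML filter layout). It still carries
# nspmDistributionPassword and ignores Private Key, so the check should flag it.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="notify" subscriber="notify"/>
    <filter-attr attr-name="Public Key" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Private Key" publisher="ignore" subscriber="ignore"/>
  </filter-class>
</filter>"""

KEY_ATTRS = ("Public Key", "Private Key")


def check_filter(filter_xml, class_name="User"):
    """Return the problems found in one driver's filter for class_name.
    An empty list means the filter matches the NDS password method."""
    root = ET.fromstring(filter_xml)
    problems = []
    cls = next((c for c in root.iter("filter-class")
                if c.get("class-name") == class_name), None)
    if cls is None:
        return [f"class {class_name} is not in the filter"]
    attrs = {a.get("attr-name"): a for a in cls.iter("filter-attr")}
    # Step 1: the Distribution password must not be in the filter for this method.
    if "nspmDistributionPassword" in attrs:
        problems.append("nspmDistributionPassword must be removed from the filter")
    # Step 2: both key attributes must be synchronized on both channels, not ignored.
    for name in KEY_ATTRS:
        node = attrs.get(name)
        if node is None:
            problems.append(f"{name} is missing from class {class_name}")
            continue
        for channel in ("publisher", "subscriber"):
            if node.get(channel) != "sync":
                problems.append(f"{name} is '{node.get(channel)}' on the {channel} channel, not 'sync'")
    return problems


def check_both_drivers(filter_a, filter_b, class_name="User"):
    """Both eDirectory drivers must pass; returns the problems keyed by driver."""
    return {"driver_a": check_filter(filter_a, class_name),
            "driver_b": check_filter(filter_b, class_name)}


if __name__ == "__main__":
    for problem in check_filter(SAMPLE_FILTER):
        print("FIX:", problem)
```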
See also the tips in Section 7.0, Troubleshooting Password Synchronization.