IBM Tivoli Directory Integrator
The Sun Directory Server Password Synchronizer intercepts changes
to LDAP passwords in Sun Directory Server.
In many cases, it may be possible to build a solution
that synchronizes passwords, but without using this plug-in;
see Building the solution for more information.
The Sun Directory Password Synchronizer consists of the following
parts:
- Sun Directory Server plug-in
  The plug-in is a native binary that uses the Plug-in API of the Sun Directory Server. It runs in the process of the Sun Directory Server.
- Java proxy
  A separate Java process that is launched and stopped by the server plug-in. Its main purpose is to host the Password Storage component and to communicate with the plug-in part. For more information on the Java proxy, see Password Synchronization Architecture and Workflow.
- Password Storage component
  A Java component that runs inside the process of the Java proxy and puts passwords into a particular Password Store (LDAP directory, message queue). For more information on Password Storage components, see Available specialized components.
Passwords in Sun Directory Server are stored in the userPassword LDAP attribute. The Sun Directory Server Password Synchronizer intercepts modifications of the userPassword attribute of entries of any object class.
Password updates are intercepted for the following types of entry modifications:
- A new entry that contains the userPassword attribute is added to the directory.
- An existing entry is modified and one of the modified attributes is userPassword. This includes the following cases:
  - The userPassword attribute is added (the entry did not have a userPassword attribute before)
  - The userPassword attribute is modified (the entry already had this attribute and its value is now changed)
  - The userPassword attribute is deleted from the entry
Notes:
- Deletion of entries is not intercepted by the Sun Directory Server Password Synchronizer, even when the entry contains the userPassword attribute.
- The userPassword attribute in Sun Directory Server is multiple-valued, so users might have several passwords. The Sun Directory Server Password Synchronizer intercepts and reports any change of any of the password values.
Hashed Passwords
The Password Synchronizer ignores hashed password values. This means that only plaintext passwords are synchronized. The Password Synchronizer receives hashed passwords in the following cases:
- If an LDAP client sends a password value that is already hashed, the directory server accepts it. However, the Password Synchronizer cannot obtain a plaintext password from it and ignores it. For example, if an LDAP client sends "{SHA}5yfRRkrhJDbomacm2lsvEdg4GyY=" instead of "mypass", the Password Synchronizer sends nothing to the Password Store.
- If password encryption is set to a one-way transformation (for example, "crypt", "MD5", "SHA-1"), passwords are stored in hashed form in the directory. Consequently, replication operations work with hashed password values, which means that Password Synchronizers on replication consumers receive already hashed password values.
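As an added example (not part of this IBM documentation or the plug-in's own code), the following Python model encodes the interception rules described above: which entry operations produce a password event, and why values that already carry a storage-scheme prefix such as "{SHA}" are dropped. The tuple shape used to describe an LDAP operation and its modifications is an assumption chosen for illustration.

```python
import re
from typing import List, Tuple

# RFC 2307-style storage-scheme prefix such as "{SHA}", "{SSHA}" or "{crypt}".
# A value carrying this prefix is already one-way hashed and cannot be synchronized.
_SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")
PASSWORD_ATTR = "userpassword"


def is_hashed(value: str) -> bool:
    """True when the value already carries a hashing-scheme prefix."""
    return _SCHEME_PREFIX.match(value) is not None


def password_events(op: str,
                    mods: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Return the (event, plaintext_values) pairs the synchronizer would forward.

    op   : LDAP operation on the entry: "add", "modify" or "delete" (assumed model).
    mods : for "add", one ("add", attr, values) tuple per attribute of the new
           entry; for "modify", one (mod_type, attr, values) tuple per change
           with mod_type in {"add", "replace", "delete"}; ignored for "delete".
    """
    if op == "delete":
        return []  # entry deletion is never intercepted, even with a userPassword
    events: List[Tuple[str, List[str]]] = []
    for mod_type, attr, values in mods:
        if attr.lower() != PASSWORD_ATTR:
            continue  # only userPassword changes matter
        if mod_type == "delete":
            events.append(("delete", []))  # attribute removed: nothing to store
            continue
        # The attribute is multi-valued: forward every plaintext value,
        # silently drop the ones that are already hashed.
        plaintext = [v for v in values if not is_hashed(v)]
        if not plaintext:
            continue  # only hashed values received: nothing goes to the store
        event = "add" if op == "add" or mod_type == "add" else "modify"
        events.append((event, plaintext))
    return events


if __name__ == "__main__":
    # Constructed sample: a replace that mixes a pre-hashed value (from the text)
    # with a plaintext one; only the plaintext value is forwarded.
    print(password_events("modify", [("replace", "userPassword",
                                      ["{SHA}5yfRRkrhJDbomacm2lsvEdg4GyY=", "newpass"])]))
```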