IBM Tivoli Directory Integrator
The IBM Tivoli Directory Server Password Synchronizer intercepts changes to LDAP passwords in IBM Tivoli Directory Server. In many cases, it may be possible to build a password synchronization solution without using this plug-in; see Building the solution for more information.
The IBM Directory Password Synchronizer consists of the following parts:
- IBM Directory Server plug-in
  - The plug-in is a native binary, which uses the Plug-in API of the IBM Directory Server. It runs in the process of the IBM Directory Server.
- Java proxy
  - This is a separate Java process, which is launched/stopped by the server plug-in. Its main purpose is to host the Password Storage component and communicate with the plug-in part. For more information on the Java Proxy, see Password Synchronization Architecture and Workflow.
- Password Storage component
  - This is a Java component, which runs inside the process of the Java proxy and puts passwords into a particular Password Store (LDAP directory, message queue). For more information on Password Storage components, see Available specialized components.
Passwords in IBM Tivoli Directory Server are stored in the userPassword LDAP attribute. The IBM Tivoli Directory Server Password Synchronizer intercepts modifications of the userPassword attribute of entries of any object class.
Password updates are intercepted for the following types of entry modifications:
- When a new entry is added in the directory and the entry contains the userPassword attribute.
- When an existing entry is modified and one of the modified attributes is the userPassword attribute. This includes the following cases:
  - The userPassword attribute is added (for example, the entry did not have a userPassword attribute before)
  - The userPassword attribute is modified (for example, the entry had this attribute and its value is now changed)
  - The userPassword attribute is deleted from the entry
Notes:
- Deletion of entries (users) is not intercepted by the IBM Tivoli Directory Server Password Synchronizer even when the entry contains the userPassword attribute.
- The userPassword attribute in IBM Tivoli Directory Server is multiple-valued. Users can have several passwords. The IBM Tivoli Directory Server Password Synchronizer intercepts and reports any change of any of the password values.
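
The interception rules above, applied to LDIF change records to predict which directory changes produce a synchronization event (for example when reconciling a change log against the Password Store). This is an added example, not IBM code; the function names and sample records are constructed, and it assumes the LDAP modify operations add, replace and delete correspond to the added, modified and deleted cases listed above.

```python
# Added example, not IBM code: applies this page's interception rules to LDIF.
PASSWORD_ATTR = "userpassword"  # LDAP attribute names are case-insensitive
def _split(line):
    """Return (lower-cased name without ;options, value) for one LDIF line."""
    key, _, value = line.partition(":")
    return key.split(";")[0].strip().lower(), value.lstrip(": ").strip()

def classify(record):
    """Return (dn, intercepted, reason); intercepted is None if the page is silent."""
    lines = [ln for ln in record.splitlines() if ln.strip() and not ln.startswith("#")]
    dn, body = _split(lines[0])[1], lines[1:]
    changetype = "add"  # assumption: a record with no changetype is an add
    if body and _split(body[0])[0] == "changetype":
        changetype, body = _split(body[0])[1].lower(), body[1:]
    if changetype == "delete":
        return dn, False, "entry deletion is not intercepted"
    if changetype == "add":
        hit = any(_split(ln)[0] == PASSWORD_ATTR for ln in body)
        return dn, hit, "new entry " + ("with" if hit else "without") + " userPassword"
    if changetype == "modify":
        expect_op = True  # an add/replace/delete line opens each "-"-terminated block
        for ln in body:
            if ln.strip() == "-":
                expect_op = True
            elif expect_op:
                expect_op = False
                op, attr = _split(ln)
                if op in ("add", "replace", "delete") and _split(attr)[0] == PASSWORD_ATTR:
                    return dn, True, "userPassword " + op
        return dn, False, "userPassword not among the modified attributes"
    return dn, None, "changetype " + changetype + " is not described on the page"

def classify_ldif(text):
    return [classify(rec) for rec in text.strip().split("\n\n")]
# Constructed sample input: a password add, a password delete, an entry delete.
SAMPLE = """dn: cn=alice,o=example
changetype: add
userPassword: constructed-value

dn: cn=bob,o=example
changetype: modify
replace: mail
mail: bob@example.com
-
delete: userPassword
-

dn: cn=dave,o=example
changetype: delete"""
```

`classify_ldif(SAMPLE)` reports the first two records as intercepted and the entry deletion as not intercepted, matching the first note above.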