This section describes the LDAP Password Store installation process, including prerequisites.
IBM Directory Integrator LDAP Password Store provides the function necessary to store the intercepted user passwords in an LDAP directory server (repository or datasource). Supported directories include IBM Directory Server, Microsoft Active Directory and Sun Directory Server.
The LDAP Password Store component of this package was created to support a growing number of IBM Directory Integrator plug-ins which intercept password changes for various products or platforms.
The following password synchronization plug-ins are available to intercept a user's password change request:
These plug-ins all utilize the LDAP Password Store function which facilitates the secure propagation of the change to another LDAP server where it can later be manipulated by an IBM Directory Integrator AssemblyLine.
The LDAP Password Store is tailored through properties files, which specify the keystore files, certificates and credentials used for SSL connections and for the asymmetric encryption of password data. The properties files also control trace logging and, to a limited degree, the attributes used for storing captured passwords.
The LDAP Password Store requires as a minimum JRE 1.5; TDI 7.1 bundles a Java™ 6 JRE.
Do the following to set up and install the LDAP Password Store:
The following instructions describe how to set up a sample environment using IBM Directory Server. This involves identifying a container where the object class containing the user ID and password is found or created.
Do the following to set up a sample environment using IBM Directory Server:
The domain and suffix entered must also be included in the pwsync.props file along with the other information (see Configuring the LDAP Password Store for more details).
ldapmodify -c -h <LDAP Hostname> -D <admin DN> -w <admin PW> -f ibm-diPerson_oc.ldif
Note that a password given with -w is visible in the process list and the shell history of the machine on which the command is run.
You may see the following messages:
attribute type '1.3.18.0.2.4.155' already exists, add operation failed.
or
attribute type '0.9.2342.19200300.100.1.1' already exists, add operation failed.
You can ignore these messages; they indicate that the secretKey and uid attributes, respectively, are already defined in your schema.
When configuring the LDAP server on z/OS, the LDAP server must be configured with a TDBM back end (this enables loading of the required LDIF file). Detailed instructions for setup and configuration of the IBM LDAP server on z/OS with a TDBM back end are beyond the scope of this guide. For further information on this issue, please see the document z/OS Integrated Security Services LDAP Server Administration and Use in the IBM z/OS online product library.
Modify the schema of zLDAP as follows. Change this:
dn:cn=schema
to this:
dn:cn=schema,o=ibm,c=us
ldapmodify -c -h <LDAP Hostname> -D <admin DN> -w <admin PW> -f ibm-diPersonForSunDS.ldif
In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters, add a REG_DWORD value named Schema Update Allowed with a value of 1 (or any value greater than 0).
ldifde -i -f ibm-diPersonSchemaForAD.ldif
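Because the schema-loading commands above run ldapmodify with -c (continue past errors), the exit status alone does not tell you whether the rest of the LDIF loaded; you have to read the messages. As an added example, not code from the IBM Directory Integrator package, the following Python script separates the two ignorable "already exists" messages named above from any other failure in captured ldapmodify output. The sample output is constructed, and treating any other line containing "failed" or starting with an "ldap_" error prefix as a failure is this example's own heuristic, not documented IBM client behaviour.

```python
"""Separate the ignorable "already exists" messages from real failures in
the output of the schema-loading ldapmodify command.

Added example, not part of the IBM Directory Integrator package. It assumes
the command's output has been captured to a string, for example with
  ldapmodify -c -h <host> -D <admin DN> -w <admin PW> -f ibm-diPerson_oc.ldif 2>&1
Treating any other line containing "failed" or starting with "ldap_" as a
failure is this example's own heuristic.
"""
import re

# OIDs whose "already exists" messages the documentation says may be ignored
IGNORABLE_OIDS = {
    "1.3.18.0.2.4.155": "secretKey",
    "0.9.2342.19200300.100.1.1": "uid",
}

_EXISTS_RE = re.compile(
    r"attribute type '([0-9.]+)' already exists, add operation failed")


def classify_ldapmodify_output(text):
    """Return (ignored, failures).

    ignored  - (oid, attribute name) pairs for the benign messages
    failures - every other line that looks like a failed operation
    """
    ignored, failures = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _EXISTS_RE.search(line)
        if m and m.group(1) in IGNORABLE_OIDS:
            ignored.append((m.group(1), IGNORABLE_OIDS[m.group(1)]))
        elif "failed" in line.lower() or line.startswith("ldap_"):
            # An "already exists" conflict on an unexpected OID lands here on purpose
            failures.append(line)
    return ignored, failures


def schema_load_ok(text):
    """True when the run produced no failures other than the ignorable ones."""
    return not classify_ldapmodify_output(text)[1]


# Constructed sample output; not captured from a real directory server
SAMPLE_OUTPUT = """\
modifying entry cn=schema

attribute type '1.3.18.0.2.4.155' already exists, add operation failed.
modifying entry cn=schema

attribute type '0.9.2342.19200300.100.1.1' already exists, add operation failed.
modifying entry cn=schema

ldap_modify: Insufficient access
"""

if __name__ == "__main__":
    ignored, failures = classify_ldapmodify_output(SAMPLE_OUTPUT)
    for oid, name in ignored:
        print("ignored: %s (%s) already defined" % (name, oid))
    for line in failures:
        print("FAILED: " + line)
    print("schema load ok:", schema_load_ok(SAMPLE_OUTPUT))
```

In the constructed sample the two documented messages are reported as benign, while the final access error is flagged, so the run is not treated as a successful schema load. Adapt the failure heuristic to the message format of the ldapmodify client you actually use.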
This section describes how to configure the LDAP Password Store.
Properties pertaining to the LDAP Password Store are set in the plug-in's general configuration file, pwsync.props. By default there is one such file per plug-in, for example TDI_Install_dir/pwd_plugins/tds/pwsync.props for the IBM Directory Server Password plug-in. The LDAP Password Store is therefore configured in the pwsync.props file of the password intercept plug-in you are using on that platform.
In the general configuration file, encrypt each password property manually. This can be done using the encryptPasswd utility. Be aware that this utility uses a symmetric algorithm, so the encoded values can be recovered by anyone who can read the file; make sure that the pwsync.props file is readable only by trusted system users.
The encryptPasswd utility expects the password to be passed as a parameter. The encrypted password is printed on the standard output.
For a complete list of the configuration parameters and their explanation, see Password plug-ins common configuration and utilities.
The class for this password store is: com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore.
An example of a completed properties file for an SSL connection and password encryption looks like the following:
#IBM Directory Integrator LDAP Password Store Settings with Encoded Passwords
#Tue Jul 30 08:21:20 EDT 2002
ldap.hostname=gbdthst1
ldap.port=636
ldap.waitForStore=true
ldap.admindn=cn=root
ldap.password=0c0bf0e3146b
ldap.ssl=true
ldap.suffix=dc=carnd11,o=ibm,c=us
encrypt=true
encryptKeyStoreFilePath=c:\sync\cryptokeys.jks
encryptKeyStoreFilePassword=0c0bf0e3146b
encryptKeyStoreCertificate=cryptoCertName
encryptKeyPassword=0c0bf0e3146b
Notes:
Encryption of password values is supported by both the LDAP Password Store and the JMS Password Store.
By default encryption is disabled. To turn it on, set the encrypt property to true.
When encryption is used, the encryptKeyStoreFilePath, encryptKeyStoreFilePassword and encryptKeyStoreCertificate values must also be set. Additionally, the encryptKeyPassword property must be set if you are using the LDAP Password Store (see the remarks below for an explanation of this requirement); it is irrelevant for the other Password Stores. The password encryption and decryption functions use the RSA algorithm. The configuration properties for the encryption functionality are:
encryptKeyStoreFilePath=path to the key store file
encryptKeyStoreFilePassword=password of the key store file; encoded with the "encryptPasswd" tool
encryptKeyStoreCertificate=the alias of the public key certificate in the key store
encryptKeyPassword=password of the private key; encoded with the "encryptPasswd" tool
See the remarks below for a discussion of what keys should be present in the key store.
You can create and manage keystore files and public/private key pairs with the keytool and iKeyman JRE utilities. Information about keystores and keytool is available from the following sites:
The java.security file located in the install_directory/jvm/jre/lib/security directory has been set up to contain a reference to the security provider com.ibm.crypto.provider.IBMJCE. The following is an example of how the relevant portion of the file might look:
:
:
:
# List of providers and their preference orders:
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
:
:
:
An example AssemblyLine which demonstrates the decryption of captured passwords is included in the TDI installation. The AssemblyLine and a readme file are located in the TDI_install_dir/examples/pwsync_decryption/ directory, where TDI_install_dir is the install directory of IBM TDI.
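As an added example, not code from the TDI package, the following Python script checks a pwsync.props file against the rules stated in these notes: encrypt=true requires the three keystore properties, and the LDAP Password Store additionally requires encryptKeyPassword, which the other stores do not need. The minimal properties parser, the warning when ldap.ssl is not true, and the file-permission helper are this example's own assumptions rather than documented TDI behaviour; the good configuration is the completed example from the text, and the weak variant is constructed.

```python
"""Check the LDAP Password Store settings in a pwsync.props file.

Added example, not part of IBM Directory Integrator. It applies the rules
stated in the documentation: encrypt=true requires the keystore properties,
and the LDAP Password Store additionally requires encryptKeyPassword. The
minimal properties parser, the ldap.ssl warning and the file-permission
check are this example's own assumptions, not TDI behaviour.
"""
import os
import stat

# Connection properties every LDAP Password Store configuration needs
REQUIRED_LDAP = ("ldap.hostname", "ldap.port", "ldap.admindn",
                 "ldap.password", "ldap.suffix")
# Keystore properties required by every store once encrypt=true
REQUIRED_ENCRYPT = ("encryptKeyStoreFilePath", "encryptKeyStoreFilePassword",
                    "encryptKeyStoreCertificate")


def parse_props(text):
    """Minimal properties reader: '#'/'!' comments, key=value or key:value.

    Values are taken literally (no backslash escape processing), so a path
    such as c:\\sync\\cryptokeys.jks is returned as written in the file.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def check_pwsync_props(props, store="ldap"):
    """Return a list of problems; an empty list means these checks passed.

    store is "ldap" for the LDAP Password Store (needs encryptKeyPassword)
    or any other value for the remaining stores, where that key is irrelevant.
    """
    problems = []

    def is_true(key):
        return props.get(key, "").strip().lower() == "true"

    for key in REQUIRED_LDAP:
        if not props.get(key):
            problems.append("missing required property %s" % key)

    if not is_true("ldap.ssl"):
        problems.append("ldap.ssl is not true: the bind credentials and stored "
                        "values are sent to the directory without SSL")

    if is_true("encrypt"):
        for key in REQUIRED_ENCRYPT:
            if not props.get(key):
                problems.append("encrypt=true but %s is not set" % key)
        if store == "ldap" and not props.get("encryptKeyPassword"):
            problems.append("encrypt=true with the LDAP Password Store "
                            "requires encryptKeyPassword")
    else:
        problems.append("encrypt is not true: captured passwords are written "
                        "to the store without RSA encryption")
    return problems


def props_file_is_private(path):
    """True when only the file owner has any access (no group/world bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# The completed example from the documentation, used here as constructed input
GOOD_PROPS = r"""#IBM Directory Integrator LDAP Password Store Settings with Encoded Passwords
#Tue Jul 30 08:21:20 EDT 2002
ldap.hostname=gbdthst1
ldap.port=636
ldap.waitForStore=true
ldap.admindn=cn=root
ldap.password=0c0bf0e3146b
ldap.ssl=true
ldap.suffix=dc=carnd11,o=ibm,c=us
encrypt=true
encryptKeyStoreFilePath=c:\sync\cryptokeys.jks
encryptKeyStoreFilePassword=0c0bf0e3146b
encryptKeyStoreCertificate=cryptoCertName
encryptKeyPassword=0c0bf0e3146b
"""

# Constructed weak variant: SSL off and the private-key password left out
WEAK_PROPS = GOOD_PROPS.replace("ldap.ssl=true", "ldap.ssl=false") \
                       .replace("encryptKeyPassword=0c0bf0e3146b\n", "")

if __name__ == "__main__":
    for name, text in (("good", GOOD_PROPS), ("weak", WEAK_PROPS)):
        print(name, check_pwsync_props(parse_props(text)) or "OK")
```

Run it against the real file with parse_props(open(path).read()) and props_file_is_private(path) before starting the plug-in; the file holds the directory bind password and the keystore passwords, which encryptPasswd only obfuscates, so a group- or world-readable pwsync.props is itself a finding.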