For each user whose password has been intercepted, the LDAP Password Store maintains an LDAP entry in the storage LDAP directory (the container where the storage entries are added and modified is specified by the suffix property of the LDAP Password Store).
The entry kept in the storage directory always contains the passwords currently used by the original user on the Target System. To achieve this, the LDAP Password Store updates the state of the entry in the storage directory whenever it receives a password-update notification from the Password Synchronizer.
The LDAP Password Store receives the following data from the Password Synchronizer:
User Identifier
The user identifier is used for the relative distinguished name of the entry stored in the LDAP directory. For example, if the user identifier is "john" and the suffix property value is "dc=somedc,o=ibm,c=us", then the distinguished name of the entry stored is "ibm-diUserId=john, dc=somedc,o=ibm,c=us".
Special attention is necessary when the LDAP Password Store is used with the IBM Tivoli Directory Server Password Synchronizer or with the Sun Directory Server Password Synchronizer.
The Password Synchronizer reports the LDAP distinguished name of the user whose password has been changed, for example, "cn=john,o=somecompany,c=us". The LDAP Password Store takes the first element of the distinguished name ("john") to construct the distinguished name of the entry in the storage LDAP directory, for example, "ibm-diUserId=john, dc=somedc,o=ibm,c=us". Therefore the context information (department, company, country, and so forth) is lost. If there are two individuals on the Target System with equal names but in different departments, for example, "cn=Kyle Nguyen,ou=dept_1,o=ibm,c=us" and "cn=Kyle Nguyen,ou=dept_2,o=ibm,c=us", they are indistinguishable to the Password Store, and the Password Store acts as if they represent the same person.
Type of password modification and List of password values
The type of password modification indicates whether the password values have been replaced, new values have been added, or certain values have been deleted. Using this information and the list of passwords representing the change, the Password Store replicates the change on the entry in the storage directory.
The type of password modification makes sense only when the password can have multiple values (IBM Tivoli Directory Server, Sun Directory Server). When the passwords on the Target System are single-valued (Windows), the password modification type is always replace.
When the password (with all its values) is deleted from the Target System, the entry in the storage directory is modified so that it has no value for the LDAP attribute used to store the passwords.
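The following is an added example, not code from IBM TDI, that models the two behaviours described above: how the storage entry's DN is derived from the reported user identifier (and why two Target System DNs with the same first RDN collide), and how the three modification types act on the stored password values. The attribute name ibm-diUserId and the suffix come from the text; the delete-with-no-values convention for removing all values is an assumption based on standard LDAP modify semantics, and escaped commas in RDN values are not handled.

```python
# Added example (not IBM TDI's own code): models the LDAP Password Store's
# DN mapping and modification handling as described in the text.

SUFFIX = "dc=somedc,o=ibm,c=us"  # value of the Password Store's suffix property


def first_rdn_value(dn: str) -> str:
    """Return the value of the first RDN, e.g. 'john' from 'cn=john,o=x,c=us'.
    Assumes no escaped commas in the RDN value."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip()


def storage_dn(user_identifier: str, suffix: str = SUFFIX) -> str:
    """Build the DN of the entry kept in the storage directory.
    A plain id (Windows) is used as-is; an LDAP DN (ITDS/Sun Directory Server
    synchronizers) is reduced to its first RDN value, losing the context."""
    uid = first_rdn_value(user_identifier) if "=" in user_identifier else user_identifier
    return f"ibm-diUserId={uid},{suffix}"


def collisions(target_dns, suffix: str = SUFFIX) -> dict:
    """Group Target System DNs by the storage DN they map to. Any group with
    more than one member is a set of distinct users the Password Store would
    treat as the same person."""
    groups: dict = {}
    for dn in target_dns:
        groups.setdefault(storage_dn(dn, suffix), []).append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}


def apply_modification(stored: set, mod_type: str, values) -> set:
    """Apply a Password Synchronizer change to the stored password values.
    'replace' swaps the whole value set (the only type for single-valued
    passwords such as Windows), 'add' appends, 'delete' removes the listed
    values; 'delete' with no values (assumed, as in LDAP modify) empties the
    attribute, which is what happens when the password is deleted entirely."""
    values = set(values)
    if mod_type == "replace":
        return values
    if mod_type == "add":
        return stored | values
    if mod_type == "delete":
        return set() if not values else stored - values
    raise ValueError(f"unknown modification type: {mod_type}")


if __name__ == "__main__":
    # Constructed sample DNs taken from the text's examples.
    sample = ["cn=Kyle Nguyen,ou=dept_1,o=ibm,c=us",
              "cn=Kyle Nguyen,ou=dept_2,o=ibm,c=us",
              "cn=john,o=somecompany,c=us"]
    print(storage_dn("john"))
    print(collisions(sample))
```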
Possible password retrieval from IBM TDI
Here is a possible mechanism for retrieving passwords stored in an LDAP Server by the LDAP Password Store:
A Changelog Connector is configured to listen for changes in the LDAP directory used for storage. Whenever the Connector detects that an entry has been added or modified in the Password Store container, it starts an AssemblyLine, passing it the identification of the modified entry. The AssemblyLine uses an LDAP Connector to read the modified entry, then decrypts the updated password values and propagates them to the systems that must be kept synchronized.