Solution building
You must configure and deploy the ready-to-use components such as Password Synchronizers, Password Stores, and Connectors to implement the password synchronization solution. The solution intercepts the passwords and makes them accessible from Security Directory Integrator.
Implement a custom AssemblyLine for the solution, which consolidates passwords that are intercepted from different sources and feeds them into the systems to be synchronized. Design of the AssemblyLine depends on the custom environment and the specific solution requirements. The SDI does not include these customized AssemblyLines. You must implement the AssemblyLines.
The password synchronization AssemblyLine uses the Iterator Connector to retrieve the passwords from the password stores. Then, the AssemblyLine uses other standard SDI connectors to set these passwords into other systems. If the synchronized systems have custom requirements to set the passwords, address these requirements in the AssemblyLine and in the connectors that set these passwords. Such customization requires you to set certain connector parameters. For example, you must turn on the Auto Map AD Password option in the LDAP Connector to set user passwords in the Active Directory. For more complex cases, scripting is necessary. To automate the synchronization process, the password synchronization solution includes the SDI AssemblyLines with connectors in Server Mode. For example:
- An AssemblyLine listens for changes in the repository where a password store component stores the intercepted passwords. The AssemblyLine triggers the synchronization AssemblyLine whenever a new password is intercepted.
- An AssemblyLine with a Timer loop starts the synchronization AssemblyLine on a schedule.
Each component of the Password Synchronizer provides interfaces that you can use to tune its behavior. You can also combine the components with each other to create custom solutions. These key features provide the flexibility to build solutions that meet custom requirements and limitations. The password synchronization suite consists of specialized components that intercept the passwords and make them accessible to SDI. SDI can access the intercepted passwords through its connectors. You can use the flexibility and openness of the architecture to organize the password retrieval process and the propagation to other systems.
Password Synchronizer deployment limitation
For password synchronization that involves Sun Directory Server Password Synchronizer and IBM Security Directory Server Password Synchronizer, use simpler methods to deploy the synchronizers.
Deploy the Password Synchronizer only if hashed password values are unusable outside the directory. The IBM Security Directory Server and the Sun Directory Server support password encryption where the password values are encrypted before they are stored in the directory. Password encryption uses either a one-way or a two-way cryptographic transformation. One-way transformations, for example, hashing with SHA-1 or MD5, are not reversible. You cannot obtain the plaintext value from a one-way encrypted password. The Password Synchronizer catches the plaintext password before it is hashed and stored in the directory. If the destination repository uses hashed values, the synchronization is achieved through LDAP; for example, when both the source and the destination systems support the same hashing schemes.
You do not require a Password Synchronizer to synchronize the passwords between instances of the IBM Security Directory Server and the Sun Directory Server. Both the products support the same set of hashing algorithms for the passwords. In such cases, you copy the passwords between the two instances through LDAP. Alternatively, if you are required to authenticate against IBM Security Directory Server with the credentials stored in Sun Directory Server, use the pass-through authentication option.
Issues with IBM Security Directory Server replication
In a replication topology, deploy the Password Synchronizers on all the master instances. When you configure the replication, changes are propagated to replication consumers through the LDAP operations. If a Password Synchronizer is deployed on a consumer, it intercepts LDAP operations that are triggered by the replication. If the password synchronizer rejects a password that originates from replication, the replication fails. To avoid such a situation, deploy the Password Synchronizers on all the replication masters to reject passwords before they are saved into the directory.
When passwords are set on the supplier node in a replication topology, the synchronizers on the associated consumer nodes also synchronize the password value to the Password Store. As a result, the same password is sent to the password store multiple times. To avoid this condition, configure IBM Security Directory Server to use hashed passwords. Password Synchronizers ignore hashed passwords. Therefore, Password Synchronizers on consumers ignore the already hashed password value, which is received from the replication supplier.
Hashed passwords
Password Synchronizer ignores the hashed password values and only the plaintext passwords are synchronized. The Password Synchronizer receives hashed passwords in the following cases:
- If an LDAP client sends a password value that is already hashed, the IBM Security Directory Server accepts it. However, the Password Synchronizer cannot obtain a plaintext password and ignores it. For example, if an LDAP client sends {SHA}5yfRRkrhJDbomacm2lsvEdg4GyY= instead of mypass, the Password Synchronizer does not send the password to the Password Store.
- If the password encryption is set to one-way transformation, for example, crypt, MD5, SHA-1, passwords are stored in hashed form in the directory.
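The scheme-prefix rule from the hashed-passwords list above and the one-way-transformation point under the deployment limitation, as an added Python example (not SDI or plug-in code): it classifies intercepted userPassword values the way the synchronizer does, forwarding only plaintext, and shows that a {SHA} or {SSHA} value can only be verified or copied as-is to a directory that supports the same scheme, never reversed. The sample modify batch and DNs are constructed; the {SHA} value is the one quoted on this page.

```python
import base64
import hashlib
import hmac
import os
import re

# Prefixes the synchronizer treats as already hashed; no "{SCHEME}" prefix means plaintext.
ONE_WAY_SCHEMES = {"SHA", "SSHA", "MD5", "SMD5", "CRYPT"}
_PREFIX = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)

# Constructed sample: userPassword values as caught on LDAP modify operations.
# The {SHA} value is the example quoted in the documentation above.
SAMPLE_MODIFIES = [
    ("uid=alice,ou=people,dc=example,dc=com", "mypass"),
    ("uid=bob,ou=people,dc=example,dc=com", "{SHA}5yfRRkrhJDbomacm2lsvEdg4GyY="),
]

def password_scheme(value):
    """Return the LDAP scheme tag of a userPassword value, or None if plaintext."""
    m = _PREFIX.match(value)
    return m.group(1).upper() if m else None

def filter_for_password_store(modifies):
    """Apply the synchronizer's rule: forward plaintext values, skip hashed ones."""
    forwarded, skipped = [], []
    for dn, pw in modifies:
        target = skipped if password_scheme(pw) in ONE_WAY_SCHEMES else forwarded
        target.append((dn, pw))
    return forwarded, skipped

def ssha_hash(password, salt=None):
    """Build a {SSHA} value: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ldap_password(value, candidate):
    """Check a candidate plaintext against a {SHA}/{SSHA} value. The digest cannot
    be reversed; it can only be verified or copied to a directory using the same scheme."""
    m = _PREFIX.match(value)
    if not m:
        return hmac.compare_digest(value.encode("utf-8"), candidate.encode("utf-8"))
    scheme, data = m.group(1).upper(), base64.b64decode(m.group(2))
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8")).digest(), data)
    if scheme == "SSHA":
        digest, salt = data[:20], data[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8") + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)
```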