LDAP Password Store
The LDAP Password Store stores the intercepted user passwords in an LDAP Directory Server.
Supported directories
The LDAP Password Store is available on the following directories:
- Security Directory Server
- Microsoft Active Directory
- Sun Directory Server
Installation of LDAP Password Store
The SDI LDAP Password Store provides the function necessary to store the intercepted user passwords in an LDAP Directory Server (the repository or data source).
We can configure the LDAP Password Store component to support a number of SDI plug-ins that intercept password changes for various products or platforms.
The following Password Synchronizers are available to intercept password change requests from a user:
- SDI Password Synchronizer for Windows
- Intercepts the Windows login password change.
- IBM Security Directory Server Password Synchronizer for Windows, UNIX, and Linux
- Intercepts the IBM Security Directory Server password change.
- Sun Directory Server Password Synchronizer for Windows, UNIX, and Linux
- Intercepts the Sun Directory Server password change.
- Domino® Password Synchronizer for Windows, UNIX, and Linux
- Intercepts changes of the HTTP password for Lotus® Notes® users.
- SDI Password Synchronizer for UNIX, and Linux
- Intercepts changes of the UNIX and Linux user passwords.
All the plug-ins use the LDAP Password Store function for secure propagation of the change to another LDAP Server, where the password change is then processed by the SDI AssemblyLine. We can configure the LDAP Password Store by using the properties files, which enable:
- Specification of keystore files, certificates, and credentials for SSL connections.
- Asymmetric encryption of password data.
The property files also accommodate control of trace log and limited control of attributes that are used to store the captured passwords.
Prerequisites
- The LDAP Password Store requires JRE 1.5 at a minimum. SDI v7.2 bundles the Java 7.0.4 JRE.
- Use the SDI product installer to install the password synchronization plug-ins.
- Set up the LDAP Server
- We can use the IBM Security Directory Server to set up a sample environment. To set it up, identify a container in which the object class holding the user ID and password is found or can be created.
- Modifying the schema of zLDAP
- You must use a Technical Database Management (TDBM) server when you configure the LDAP Server on z/OS® to facilitate loading of the required LDIF files.
- Modifying the schema of Sun Directory Server and Active Directory
- You must modify the schema of the Sun Directory Server and the Active Directory with the necessary configuration before you install the LDAP Password Store.
- Configuration of LDAP Password Store
- You must set the properties of the LDAP Password Store in the pwsync.props configuration file.
- Password Store usage
- For each user whose password is intercepted, the LDAP Password Store maintains an LDAP entry in the storage LDAP directory. The directory is the container where the storage entries are added and modified; it is specified by the suffix property of the LDAP Password Store.
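Because the properties file decides whether the store reaches the directory over SSL, whether password data is asymmetrically encrypted before it is written, and which container (suffix) receives the per-user entries, it is worth checking those settings before the plug-ins go live. The Python checker below is an added example, not code from SDI or its documentation: the property names (ldap.ssl, ldap.keystore, password.encryption, ldap.suffix) and both sample files are constructed assumptions, so map them to the keys actually used in your pwsync.props.

```python
import re

# Constructed sample of a pwsync.props-style file in Java .properties syntax.
# Key names are hypothetical placeholders, not the product's own keys.
WEAK_PROPS = """\
# LDAP Password Store settings (constructed, deliberately weak)
ldap.hostname = ldap.example.com
ldap.port = 389
ldap.suffix = ou=pwstore,o=example
ldap.ssl = false
ldap.keystore =
password.encryption = false
"""

# The same constructed file with the weak settings corrected.
HARDENED_PROPS = """\
ldap.hostname = ldap.example.com
ldap.port = 636
ldap.suffix = ou=pwstore,o=example
ldap.ssl = true
ldap.keystore = /etc/pwsync/keystore.jks
password.encryption = true
"""

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or
    key: value, surrounding whitespace, and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_store_config(props):
    """Return findings for settings that weaken the password store."""
    findings = []
    ssl_on = props.get("ldap.ssl", "false").lower() == "true"
    if not ssl_on:
        findings.append("ldap.ssl is off: intercepted passwords cross the network unprotected")
    elif not props.get("ldap.keystore"):
        findings.append("ldap.ssl is on but ldap.keystore is empty: server certificate cannot be validated")
    if props.get("password.encryption", "false").lower() != "true":
        findings.append("password.encryption is off: stored entries hold passwords without asymmetric encryption")
    if not props.get("ldap.suffix"):
        findings.append("ldap.suffix is missing: no container for the per-user storage entries")
    return findings
```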