IBM Security Identity Manager integration
The Security Identity Manager integration for the Password Synchronizer allows verification of synchronized passwords by the Password Strength servlet of the IBM Security Identity Manager Server.
Overview
The Password Synchronizer incorporates password complexity checking by using the IBM Security Identity Manager Password Policies. We can use one of the following IBM Security Identity Manager Decorator Password Synchronizer classes to enable the IBM Security Identity Manager integration:
- com.ibm.di.plugin.pwstore.ldap.LDAPPasswordSynchronizerITIMDecorator
- com.ibm.di.plugin.pwstore.jms.MQePasswordStoreITIMDecorator
- com.ibm.di.plugin.pwstore.log.LogPasswordStoreITIMDecorator
Note: The com.ibm.di.plugin.pwstore.log.LogPasswordStoreITIMDecorator Password Store logs the user name and the password in the log file of the Java proxy. Use this password store only for testing purposes, for example, during deployment testing of the plug-ins.
Supported synchronizers
The IBM Security Identity Manager Password Synchronizer Decorator classes are supported by the following Password Synchronizers:
- Password Synchronizer for Windows
- Password Synchronizer for IBM Security Directory Server
- Password Synchronizer for Sun Directory Server
- Password Synchronizer for UNIX and Linux
Note: The Domino® HTTP Password Synchronizer does not support integration with the IBM Security Identity Manager. Custom Password Policies can be created on the Domino Server. Using those Password Policies, we can validate the passwords before they are stored.
IBM Security Identity Manager password strength validation communication
External applications must create an XML request for a password strength validation from the IBM Security Identity Manager Server. The request is sent over HTTPS to a servlet hosted by the IBM Security Identity Manager Server. The following sample shows an XML request for password strength validation (attributes are separated by whitespace, as XML requires):
<PSWD_REQ_MSG>
  <CREDENTIALS principal="" pswd="" />
  <REQUEST op="check" srcDN="" userDN="" pswd="" />
</PSWD_REQ_MSG>
Credentials tag
The credentials represent the user name and password of an IBM Security Identity Manager Principal. The principal and the password values are used by a client, that is, the Password Store decorator, to authenticate to the IBM Security Identity Manager Server. The IBM Security Identity Manager Principal must exist in the IBM Security Identity Manager Server and must be granted the authority to run the password check. These credential values are passed to the SDI client component through the configuration properties.
Request tag
The element attributes are:
- op – the operation to be run. The default value is check. However, we can use the value synch to synchronize the password with the IBM Security Identity Manager.
- srcDN – holds the pseudo distinguished name of the service (resource), which is the source of the password strength check. The distinguished name is in the <service RDN>,<bu RDN>,<org RDN>,<tenant DN> format. An RDN is in the attribute=value format. The service RDN uniquely identifies a service within a section of the organization chart. The bu RDN uniquely identifies a container in the organization chart within another section of the organization chart. There might be zero or more bu RDNs depending on the org-chart structure. The org RDN uniquely identifies the organization within a tenant. The tenant DN is the physical distinguished name of the tenant. The following distinguished name identifies a service named Test within the IT organizational unit within the Acme organization:
erservicename=Test,ou=IT,o=Acme,ou=Acme,dc=com
Here ou=Acme,dc=com is the physical DN of the tenant, or the root section of the Directory Server in a single-tenant deployment.
- userDN – holds the distinguished name of the user account within the scope of the source service. For example, the distinguished name of the UNIX user with user ID jdoe is eruid=jdoe.
- pswd – holds the password value to check the strength.
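The request described above, assembled and round-tripped as an added example (not IBM's code; the helper names build_src_dn, build_request and parse_request are hypothetical, and the servlet URL and the response format are not covered on this page). The point it shows is that the values must be XML-escaped, because a password or DN may contain characters such as &, < or " that would otherwise corrupt the message:

```python
import xml.etree.ElementTree as ET

# The op values this page documents: "check" (default) and "synch".
VALID_OPS = {"check", "synch"}


def build_src_dn(service_name, org, tenant_dn, bu_path=()):
    """Assemble the pseudo DN <service RDN>,<bu RDN>...,<org RDN>,<tenant DN>.

    bu_path lists business-unit containers from innermost to outermost;
    zero or more are allowed, matching the org-chart structure.
    """
    rdns = ["erservicename=" + service_name]
    rdns += ["ou=" + bu for bu in bu_path]
    rdns.append("o=" + org)
    rdns.append(tenant_dn)  # physical DN of the tenant, used verbatim
    return ",".join(rdns)


def build_request(principal, principal_pswd, src_dn, user_dn, pswd, op="check"):
    """Serialize a PSWD_REQ_MSG; ElementTree escapes attribute values for us."""
    if op not in VALID_OPS:
        raise ValueError("op must be one of %s" % sorted(VALID_OPS))
    root = ET.Element("PSWD_REQ_MSG")
    ET.SubElement(root, "CREDENTIALS", principal=principal, pswd=principal_pswd)
    ET.SubElement(root, "REQUEST", op=op, srcDN=src_dn, userDN=user_dn, pswd=pswd)
    return ET.tostring(root, encoding="unicode")


def parse_request(xml_text):
    """Parse a PSWD_REQ_MSG back into (credentials, request) attribute dicts."""
    root = ET.fromstring(xml_text)
    if root.tag != "PSWD_REQ_MSG":
        raise ValueError("unexpected root element %r" % root.tag)
    creds = root.find("CREDENTIALS")
    req = root.find("REQUEST")
    if creds is None or req is None:
        raise ValueError("CREDENTIALS and REQUEST elements are both required")
    return dict(creds.attrib), dict(req.attrib)


if __name__ == "__main__":
    # Constructed sample values; the principal name is a placeholder.
    src = build_src_dn("Test", "Acme", "ou=Acme,dc=com", bu_path=("IT",))
    msg = build_request("PRINCIPAL-PLACEHOLDER", "principal-secret",
                        src, "eruid=jdoe", 'p<a>&"q', op="check")
    print(msg)
```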
Configuration of Password Synchronizers for IBM Security Identity Manager integration
You must set the syncClass property value in the pwsync.props configuration file to configure the Password Synchronizers for the IBM Security Identity Manager integration.