Usage of the Password Synchronizer
The Domino® HTTP Password Synchronizer modifies two databases on the Domino server: names.nsf (the Domino Directory), to retrieve passwords as they are set, and admin4.nsf (the administration requests database), to pick up password change administration requests.
In names.nsf, the Domino HTTP Password Synchronizer adds custom Java agents and custom code in certain hooks.
Domino runs the code in the hooks when a Person document is saved in names.nsf. The code retrieves the HTTP password before it is hashed and sends the clear-text value to the Password Synchronizer proxy process through the custom Java code; once the document is saved, only the hash remains in the Person document, so this hook is the only point at which the value can be captured.
In admin4.nsf, the Domino HTTP Password Synchronizer adds a custom Java agent. The agent is configured as a scheduled agent that is triggered after documents are created or modified in the administration requests database, admin4.nsf. The agent does not run immediately after a document is created or modified in admin4.nsf, but after an interval of 5 to 30 minutes, at the discretion of the Agent Manager process in Domino; expect a corresponding lag before a password changed through this path is available to the Security Directory Integrator. When it runs, the agent searches the administration requests for successfully processed Change HTTP password in Domino Directory requests, retrieves the new passwords from those requests, and sends the password data to the Password Synchronizer proxy process.
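The following is an added example of the kind of document-triggered agent described above. It is not the agent that the Password Synchronizer installs, and it uses only the public lotus.domino API. The item names (ProxyAction, ProxyStatus, ProxyNameList, ProxyNewHttpPassword), the action and status values, the proxy port 18100 and the one-line wire format are assumptions made for illustration; check the AdminRequest form design in your own admin4.nsf before relying on any of them.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import lotus.domino.AgentBase;
import lotus.domino.AgentContext;
import lotus.domino.Document;
import lotus.domino.DocumentCollection;
import lotus.domino.NotesException;
import lotus.domino.Session;

/**
 * Illustrative scheduled agent for admin4.nsf, run "after documents are created
 * or modified". Added example only: item names, action/status values, proxy port
 * and wire format are ASSUMPTIONS, not the Password Synchronizer's own design.
 */
public class JavaAgent extends AgentBase {

    private static final String FORM_NAME = "AdminRequest";
    // Assumed item names and values; verify against the AdminRequest form on your server.
    private static final String ITEM_ACTION = "ProxyAction";
    private static final String ITEM_STATUS = "ProxyStatus";
    private static final String ITEM_USER = "ProxyNameList";
    private static final String ITEM_PASSWORD = "ProxyNewHttpPassword";
    private static final String ACTION_CHANGE_HTTP_PASSWORD = "CHANGE_HTTP_PASSWORD";
    private static final String STATUS_PROCESSED = "Processed";
    // Assumed: the proxy process listens on this port on the Domino server itself.
    private static final int PROXY_PORT = 18100;

    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext ctx = session.getAgentContext();
            // The Agent Manager hands the agent only the documents created or modified
            // since its last run, on its own schedule (hence the 5 to 30 minute delay);
            // it does not start one run per document.
            DocumentCollection pending = ctx.getUnprocessedDocuments();
            Document doc = pending.getFirstDocument();
            while (doc != null) {
                Document next = pending.getNextDocument(doc);
                if (isProcessedPasswordChange(doc)) {
                    String user = doc.getItemValueString(ITEM_USER);
                    char[] password = doc.getItemValueString(ITEM_PASSWORD).toCharArray();
                    try {
                        sendToProxy(user, password);
                    } finally {
                        Arrays.fill(password, '\0'); // do not keep the clear text around
                    }
                }
                // Mark the document processed so the same request is not resent next run.
                session.updateProcessedDoc(doc);
                doc.recycle();
                doc = next;
            }
        } catch (NotesException | IOException e) {
            // Log the failure only; never log user IDs together with their passwords.
            System.err.println("password sync agent failed: " + e.getMessage());
        }
    }

    /** Only successfully processed "Change HTTP password in Domino Directory" requests are of interest. */
    private static boolean isProcessedPasswordChange(Document doc) throws NotesException {
        return FORM_NAME.equals(doc.getItemValueString("Form"))
            && ACTION_CHANGE_HTTP_PASSWORD.equals(doc.getItemValueString(ITEM_ACTION))
            && STATUS_PROCESSED.equals(doc.getItemValueString(ITEM_STATUS))
            && doc.hasItem(ITEM_PASSWORD);
    }

    /**
     * Hand the user ID and clear-text password to the proxy process. SSL and port
     * encryption protect only the user's connection to Domino, so this leg is kept
     * on the loopback interface. Assumed wire format: "userId<TAB>password\n", UTF-8.
     */
    private static void sendToProxy(String user, char[] password) throws IOException {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] pwBytes = new byte[encoded.remaining()];
        encoded.get(pwBytes);
        try (Socket s = new Socket(InetAddress.getLoopbackAddress(), PROXY_PORT)) {
            OutputStream out = s.getOutputStream();
            out.write(user.getBytes(StandardCharsets.UTF_8));
            out.write('\t');
            out.write(pwBytes);
            out.write('\n');
            out.flush();
        } finally {
            Arrays.fill(pwBytes, (byte) 0);
        }
    }
}
```

The point to take from the example is the processing model rather than the field names: the agent sees a batch of changed documents when the Agent Manager chooses to run it, must itself select the completed password change requests from that batch, and must mark each document processed so a request is not forwarded twice.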
The proxy process starts a Password Store component to encrypt and store the password data so that it can be retrieved by the Security Directory Integrator.
Password change mechanisms
When you use the Domino HTTP Password Synchronizer, only the following password change mechanisms are intercepted:
- Editing the Person document through the Lotus® Domino Administrator
- Editing the Person document through the web browser
- Using the Change Password web form from domcfg.nsf
- Using iNotes®
Note: Password changes made through any other interface are not intercepted. For example, if passwords are changed through LDAP, or through iNotes with password synchronization enabled, the Domino HTTP Password Synchronizer is not triggered and those password changes are not synchronized. Test each password change path that your users can reach and confirm that the new value arrives in the Password Store; a change that takes an unlisted route leaves the Security Directory Integrator holding a stale password.
Secure password transfer
For the web-based password change mechanisms (editing the Person document through the browser, the Change Password web form in domcfg.nsf, and iNotes), secure communication is achieved by enabling SSL for HTTP on the Domino server.
When you edit Person documents through the Lotus Domino Administrator client, communication is secured by enabling port encryption in Domino.
For instructions on how to configure port encryption for Domino, see Deployment on a single Domino Server. Both settings protect only the connection between the user's client and Domino; the hook and the agent pass the password to the proxy process in clear text, so that connection must be protected separately, for example by keeping the proxy process on the Domino server and reachable only locally.
- Solution workflow
You must configure the proxy process, which starts when the Domino Server starts, to instantiate a Password Store, such as an LDAP or JMS Password Store. The proxy process accepts TCP/IP connections, receives user ID and password data, and invokes the Password Store to encrypt and store the data.
Parent topic:
Domino HTTP Password Synchronizer