The Tivoli Identity Manager Integration for the Password Sychronizers allows synchronized passwords to be verified by a Tivoli Identity Manager Server's Password Strength Servlet prior to synchronization. This allows Password Synchronization to incorporate password complexity checking via Tivoli Identity Manager Password Policies.
The Tivoli Identity Manager Integration is enabled by utilizing one of the Tivoli Identity Manager Decorator Password Synchronizer classes:
The com.ibm.di.plugin.pwstore.log.LogPasswordStoreITIMDecorator password store logs both usernames and passwords in the Java Proxy's log file. This password store should be used only for testing purposes, for example during the plug-ins deployment testing.
The Tivoli Identity Manager Password Synchronizer Decorator classes are supported by the following Password Synchronizers:
The Domino HTTP Password Synchronizer does not support integration with ITIM. Custom Password Policies can be created on the Domino Server. Using those Password Policies the passwords can be validated before they are stored.
External applications that wish to request a password strength validation from ITIM server must create an XML request, and send via HTTPS a servlet hosted by the ITIM server. A sample XML request for password strength validation is shown below:
<PSWD_REQ_MSG> <CREDENTIALS principal="",pswd="" /> <REQUEST op="check", srcDN="", userDN="", pswd="" /> </PSWD_REQ_MSG>
The credentials represent the user name and password of an ITIM principal. The principal and pswd values are used to enable a client (that is, password store decorator) to authenticate with the ITIM server. The principal must exist in ITIM server, and be given authority to perform the password "check". These credential values will be given to the TDI client component via configuration properties.
The element attributes are described below. (This content is taken from "Access Manager 5.1 Password Synchronization between TAM 5.1 and ITIM 4.5"):
erservicename=Test,ou=IT,o=Acme,ou=Acme,dc=comou=Acme,dc=com is the physical dn of the tenant, or the root branch of the directory server in a single-tenant deployment.