6 Novell Identity Manager 3.0.1 Administration Guide
novdocx (en) 6 April 2007
3.2.1 Creating a Server Certificate ... 48
3.2.2 Exporting a Self-Signed Certificate ... 48
3.3 Setting Up Remote Loaders ... 49
3.3.1 Installing Remote Loaders ... 50
3.3.2 Configuring Remote Loader ... 52
3.4 Configuring the Identity Manager Drivers for Use with Remote Loaders ... 67
3.4.1 Importing and Configuring a New Driver ... 67
3.4.2 Configuring an Existing Driver ... 69
3.4.3 Creating a Keystore ... 70
4 Creating Policies ... 73
5 Password Synchronization across Connected Systems ... 75
5.1 Overview ... 75
5.1.1 Overview of Passwords ... 75
5.1.2 What is Bidirectional Password Synchronization? ... 76
5.1.3 Comparison of Password Synchronization 1.0 and Identity Manager Password Synchronization ... 77
5.1.4 Features of Identity Manager Password Synchronization ... 78
5.1.5 Overview Illustrations of Password Synchronization Flow ... 81
5.1.6 How Figures Display ... 83
5.2 Connected System Support for Password Synchronization ... 84
5.2.1 Systems that Support Bidirectional Password Synchronization ... 85
5.2.2 Systems that Accept Passwords from Identity Manager ... 85
5.2.3 Systems that Don’t Accept or Provide Passwords ... 86
5.2.4 Systems that Don’t Support Password Synchronization ... 87
5.3 Prerequisites for Password Synchronization ... 87
5.3.1 Support for Universal Password ... 88
5.3.2 Password Synchronization Capabilities Declared in the Driver Manifest ... 88
5.3.3 Controlling Password Synchronization by Using Global Configuration Values ... 88
5.3.4 Policies Required in the Driver Configuration ... 91
5.3.5 Filters You Install on the Connected System to Capture Passwords ... 95
5.3.6 NMAS Password Policies You Create for Users ... 95
5.3.7 NMAS Login Methods ... 95
5.4 Preparing to Use Identity Manager Password Synchronization and Universal Password ... 95
5.4.1 Switching Users from NDS Password to Universal Password ... 96
5.4.2 Helping Users Change Passwords ... 96
5.4.3 Preparing to Use Universal Password ... 97
5.4.4 Matching Containers ... 98
5.4.5 Setting Up E-Mail Notification ... 98
5.5 Configuring and Synchronizing a New Driver ... 98
5.6 Upgrading Password Synchronization 1.0 ... 100
5.7 Upgrading Existing Driver Configurations to Support Password Synchronization ... 100
5.7.1 Step 1: Convert the Driver to Identity Manager 3.0.1 Format ... 101
5.7.2 Step 2: Add to the Driver Configuration ... 104
5.7.3 Step 3: Change Filter Settings ... 105
5.7.4 Step 4: Setting Up Password Synchronization Flow ... 107
5.8 Implementing Password Synchronization ... 108
5.8.1 Overview of Identity Manager Relationship to NMAS ... 108
5.8.2 Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults ... 110
5.8.3 Scenario 2: Synchronizing by Using Universal Password ... 112
5.8.4 Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password ... 122
5.8.5 Scenario 4: Tunneling—Synchronizing Connected Systems but not an Identity Vault, with Identity Manager Updating the Distribution Password ... 131