jlewter

New IDM install password synchronization Edirectory and AD

I am looking at setting up an IDM installation for doing password synchronization between eDirectory and Active Directory. No user account merging or creation, just synchronizing passwords between the two trees. I am looking for some advice and possibly a document with some information on how the procedure is done. It has been a while since I have messed with IDM so I am starting all over again. I know basically it uses an AD driver with a remote loader on an AD DC server, but what I am looking for is the install steps. I am also looking for good information on how the drivers are to be configured after the installation. Any help would be appreciated.
Knowledge Partner

Re: New IDM install password synchronization Edirectory and AD

Once upon a time I wrote a Cool Solution:

https://www.novell.com/coolsolutions/appnote/19431.html

Not much has changed, other than versions and the use of packages instead
of preconfigs.

On 11/15/2016 02:56 PM, jlewter wrote:
>
> I am looking at setting up an IDM installation for doing password
> synchronization between edirectory and active directory. No user account
> merging or creation, just synching password synchronization between the


While you may not want accounts to "merge" meaning merging other
attributes, at some level you'll be going through IDM merging of accounts
as Matching policies find an environment in one environment (MAD) based on
events in another (IDV/eDirectory). This is mostly a pedantic note, but
you'll see it at some point and I do not want you to be alarmed when you do.

The following is not meant to scare you... much.

In training I usually point out something that I think is sometimes
overlooked: IDM integrates a bunch of otherwise disparate environments,
meaning that you can make everything work at once, and be in sync all of
the time, which is great; it also means you can break everything at once,
and be wrong-but-in-sync all of the time, which is very bad.

Test environments are not required, but they're highly recommended. Using
third-parties who do this a lot to get going, or to get training, or just
to verify assumptions is also not required, but please use them ("them"
could mean consultants like some in here, or other customers like those in
here, or friends in the business). At least search for, and thread
through, forum threads on the topics so you are familiar with the caveats,
what others are trying, how things can explode, etc.

Once done well, and you can do it, it will be wonderful. Doing it badly
can (and has in the past) cost people their jobs, usually because of a
lack of a test environment, and an implementation in production in a way
that did "bad things", sometimes to passwords.

--
Good luck.

Alex McHugh

Re: New IDM install password synchronization Edirectory and AD


The install steps are in the documentation which I suggest you read
regardless. It also explains what rights you need.

If you want password sync, then you can pare the default AD driver policies
down to a skeleton.

You only need a few attributes as notify in the filter.

A veto on creation rule in both directions.

Appropriate matching rules also.

Is this bidirectional password sync (last changed source syncs)?

Also. Despite this being achievable as described above. I strongly suggest
you use this as an opportunity to create a proper flat IDVault in between.
That way you will be far better placed to address other requirements that
will likely arise once you have basic password sync in place.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway

jlewter

Re: New IDM install password synchronization Edirectory and AD

I understand your point about a vault, but the site has stated this is all they want. I have looked at the latest build of IDM 4.5 and it appears the latest support pack is 4.5.4. I would assume you do a base install of the IDM engine and all the drivers which come with it on the main SuSE11 box. Then you install the remote loader on the AD box to connect to the main box, which I assume will be running the AD driver. At that point, it is mainly configuring to do what you want. I do have a test environment set up and have looked at the base install of IDM and it appears in the list of components I no longer see the AD driver listed. Is that a separate install? Also, I recall it used to have an option to install the metadirectory server, is that called something else now?
Alex McHugh

Re: New IDM install password synchronization Edirectory and AD

jlewter <jlewter@no-mx.forums.microfocus.com> wrote:

> I understand your point about a vault, but the site has stated this is
> all they want.

Start small, think big, implement a minimal design that can scale.



> that point, it is mainly configuring to do what you want.

You need password sync filters on all read/write DCs.

> base install of IDM and it
> appears in the list of components I no longer see the AD driver listed.

AD driver shim is Windows only by design. Won't show up as an option on a
Linux IDM box (engine or remote loader).

> Also, I recall it used to have an option to
> install the metadirectory server, is that called something else now?

Still called metadirectory in some places. I prefer to call it the IDVault.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway

jlewter

Re: New IDM install password synchronization Edirectory and AD

Pardon my ignorance, but what are the password sync filters and how do you go about getting them? So in my testing thus far, I have gotten the base SuSE server installed to hold the engine. When I do the install on the box, it says nothing about a metadirectory server or such. When I run the installer it gives options for the following four items:

NetIQ Identity Manager Server
NetIQ Identity Manager Connected System server 32 bit
NetIQ Identity Manager Connected System server 64 bit
NetIQ iManager Plugins for Identity Manager

What part installs the metadirectory server? I thought the AD driver ran on the Linux box and you place a remote loader on the DC, but you're saying that the AD driver is installed on one of the DCs and the remote loader is on the Linux main box? When I say main box, I mean the engine server. Now I know that server has to hold a replica of all partitions in the eDirectory tree as well.
Knowledge Partner

Re: New IDM install password synchronization Edirectory and AD

On 11/15/2016 04:36 PM, jlewter wrote:
>
> Pardon my ignorance, but what are the password sync filters and how do
> you go about getting them? So in my testing thus far, I have gotten the
> base SuSE server installed to hold the engine. When I do the install on
> the box, it says nothing about a metadirectory server or such. When I run
> the installer it gives options for the following four items:
>
> NetIQ Identity Manager Server


This is the only part you need; it'll install tons of drivers, and that's
fine. You can also remove most of the drivers, but doing so is probably
not worth your time since you're just starting out and the space/time
saved will be negligible compared to the time it'll take you to document
everything you uncheck to customize the install.

> NetIQ Identity Manager Connected System server 32 bit
> NetIQ Identity Manager Connected System server 64 bit


Personally I would install the Connected System 64-bit too, because as
they decide to do almost anything else it may be useful, and it takes
something like 1 MiB additional space.

> NetIQ iManager Plugins for Identity Manager


I always do the plugins manually.

> What part installs the metadirectory server?I thought the AD driver ran


The first part. The MAD driver cannot run on Linux, and that has never
been otherwise. The driver config object (the driver object) runs in the
engine, but the driver (shim) always runs on Windows, since it's a pesky
DLL. Insert rant about confusing terms of 'driver', 'driver object',
'driver shim', etc. The 'driver' means the 'shim' which is either a JAR
or a platform-specific DLL, SO, or other library file. The driver object,
or driver config object, is the thing in the engine that is just XML which
tells the driver (shim), upon startup, how to behave.

> on the linux box and you place a remote loader on the DC, but you're
> saying that the ad driver is installed on one of the DCs and the remote
> loader is on the linux main box? When I say main box, I mean the engine


No, the RL is on the windows DC in your case, because the driver (shim) is
a DLL. Almost every other driver (shim) is a JAR, meaning it can (and
should) run on a Linux box, either with the application (e.g. PostgreSQL
database via the JDBC driver) or the engine box (in a RL that is just to
separate the engine and driver shim code for a variety of
previously-covered reasons).

> server. Now I know that server has to hold a replica of all partitions
> in the edirectory tree as well.


Technically a replica of all partitions that need to have objects
synchronized, plus the Security container, plus whichever partition holds
the DriverSet; the IDM box does not, otherwise, need replicas of the whole
tree, or anything in particular. For those starting out, we just tell
them to have a box with all replicas because it's easier.

--
Good luck.

jlewter

Re: New IDM install password synchronization Edirectory and AD

That helps a lot. So the remote loader and the AD driver will both reside on the DC and the engine resides on the engine (Linux) box, correct? They can run together on the same box.
David Gersic

Re: New IDM install password synchronization Edirectory and AD

On Wed, 16 Nov 2016 00:16:03 +0000, jlewter wrote:

> That helps a lot. So the remote loader and the ad driver will both
> reside on the DC and the engine resides on the engine (linux)
> box, correct?


Correct. And once you install the remote loader, you'll also have the
password sync control panel, from which you can install the password
filters on the DCs.


> They can run together on the same box.


"?"


--
David Gersic
Knowledge Partner http://forums.microfocus.com

Alex McHugh

Re: New IDM install password synchronization Edirectory and AD

jlewter <jlewter@no-mx.forums.microfocus.com> wrote:

> Pardon my ignorance, but what are the password sync filters and how do
> you go about getting them.

If you want to sync password changes from AD to eDir you need password sync
filters installed/running on all DCs. This is because in AD password
changes from a client can in theory be processed by any DC that is
read/write. Once the password change is processed by a DC it is only stored
as a non-reversible hash. It is this hash that gets replicated to other
DCs. The password sync filter intercepts the clear text password, encrypts it
and forwards it to the RL. This ensures that the IDM AD driver can see all
password changes across the entire domain.

Installing the remote loader components (connected system in the
terminology of the IDM installer) and selecting to install the AD driver will
also install (but not configure) the password sync components on your
remote loader box.

You then need to ensure that the same password sync filter is
installed/configured/active on all other read/write DCs. This is usually
done via the Password Sync control panel (also installed on remote loader
box). This will enumerate all the DCs and offer the option to copy the
password sync filter to each and then allow you to optionally remotely
request a restart of each DC to enable the filter.

It will also write the correct registry settings on each DC to instruct
them to securely forward password changes to the remote loader box.

This is all explained in documentation, including alternate install steps
if your DCs have remote registry access disabled (for security reasons).

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
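
A defender's check for the deployment described in the reply above, added here as an example and not code from the thread or from NetIQ: it walks every writable DC and confirms the password filter is both registered with LSA ("Notification Packages") and present on disk, so a DC that was skipped by the control panel, or never rebooted, shows up before it silently drops password changes. The filter DLL name is an assumption (the thread does not name it) and is passed as a parameter; the script needs the ActiveDirectory module, admin rights on the DCs and Remote Registry access (the alternate install steps mentioned above apply where that is disabled).

```powershell
# Added example, not from the thread: audit every writable DC for the password
# sync filter that the Password Sync control panel is supposed to have deployed.
# Two checks per DC: (1) the LSA "Notification Packages" value lists the filter,
# (2) the filter DLL exists in System32. The DLL/package name is an ASSUMPTION.
param(
    [string]$FilterName = 'PwFilter'   # ASSUMED default; set to the DLL name actually deployed
)

Import-Module ActiveDirectory

# Filters only matter on writable DCs; RODCs never process password changes.
$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$report = foreach ($dc in $writableDCs) {
    $packages = @()
    $err = $null
    try {
        # Remote registry read; needs the Remote Registry service and admin rights on the DC.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $packages = @($lsa.GetValue('Notification Packages'))   # REG_MULTI_SZ -> string[]
        $hklm.Close()
    } catch {
        $err = $_.Exception.Message
    }
    # The DLL lives in %SystemRoot%\System32 on the DC; admin$ maps to %SystemRoot%.
    $dllPresent = Test-Path -Path "\\$($dc.HostName)\admin$\System32\$FilterName.dll"

    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        Registered = ($packages -contains $FilterName)   # case-insensitive in PowerShell
        DllPresent = $dllPresent
        Packages   = ($packages -join ',')
        Error      = $err
    }
}

$report | Format-Table -AutoSize

# A DC that is not both registered and present will miss any password change it
# processes; a registered DC that has not been rebooted since is also not active yet.
$gaps = $report | Where-Object { -not ($_.Registered -and $_.DllPresent) }
if ($gaps) {
    Write-Warning ("Password filter gaps on: " + ($gaps.DC -join ', '))
}
```

Run it from a management host with domain admin rights; any row with an Error column filled is a DC where remote registry access is blocked and needs a local check instead.
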
al_b

Re: New IDM install password synchronization Edirectory and AD


alexmchugh;272452 Wrote:
> It will also write the correct registry settings on each DC to instruct
> them to securely forward password changes to the remote loader box.

Communication between the IDM Engine and the Remote Loader on the member server
can be encrypted (recommended) or 'clear text', but newer Windows
versions (2008/2012/2016) will decline the password change if the
communication between the AD driver shim and the domain controller is not
encrypted. You have to use encrypted (SSL) connectivity to your DC.


--
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=56850

al_b

Re: New IDM install password synchronization Edirectory and AD


https://www.netiq.com/support/kb/doc.php?id=7018092

> Situation
> Unable to check-in password with Microsoft Active Directory (AD) LDAP
> Password Checkout for Active Directory Application over LDAP is not
> working
> Using the checked-out password reports invalid credentials, account name
> / password
> MyAccess reports Failed Check-in to user
> The following appears in the Debug unifid.log when attempting check-in:
> WARNING, LDAP MODIFY FAILED, ERROR 53 (SERVER IS UNWILLING TO PERFORM)
> ERROR, LDAP MODIFY FAILED - 182553
> Resolution
> Microsoft Active Directory (AD) may have requirements that are
> preventing the password change from taking place. This error means the
> destination LDAP server is not allowing this password change to go
> through. While there might be several reasons for this error to be returned
> from the LDAP server, here are some common explanations / requirements:
>
> Microsoft Active Directory may impose some strength requirements on
> the password. In order to conform to these requirements, a password
> policy must be created and assigned to the application account domain in
> the Enterprise Credential Vault. For more details about this process,
> please refer to documentation:
> Create the Password Policy: See Specifying Password Policies.
> Apply the Password Policy to the AD Application Domain:
> See Password Policy from Enabling Password Checkout for
> Applications.
>
> *Microsoft Active Directory may only accept password changes over
> secure connections (SSL, ldap port 636)*. Verify the Active Directory
> Application Account Domain in the Enterprise Credential Vault has been
> configured to have SSL enabled and to use the correct port.
> Note: By default, LDAPS://connections use port 636 for SSL.


