15.6. Managing Password Synchronization
Synchronizing user entries is configured with the sync agreement. However, passwords in both Active Directory and Identity Management are hashed when they are stored, and cannot be decrypted as part of the user synchronization process. A separate client must be installed on the Active Directory servers to capture passwords as user accounts are created or passwords are changed, and then to forward that password information with the sync updates.
Note that IdM currently does not support initial password synchronization for user accounts. The user first needs to manually change the password before the password can be synchronized over to IdM.
15.6.1. Setting up the Windows Server for Password Synchronization
Synchronizing passwords requires two things:
The Password Sync Service records password changes and synchronizes them, over a secure connection, to the IdM entry.
- Active Directory must be running in SSL.
- The Password Sync Service must be installed on each Active Directory domain controller.
Install the Microsoft Certificate System in Enterprise Root Mode. Active Directory will then automatically enroll to retrieve its SSL server certificate.
- Make sure that the Active Directory password complexity policies are enabled so that the Password Sync service will run.
secpol.mscfrom the command line.
- Select Security Settings.
- Open Account Policies, and then open Password Policy.
- Enable the
Password must meet complexity requirementsoption and save.
- If SSL is not already enabled, set up SSL on the Active Directory server. Setting up LDAPS is explained in more detail in the Microsoft knowledgebase at http://support.microsoft.com/kb/321051.
- Install a certificate authority in the Windows Components section in Add/Remove Programs.
- Select the Enterprise Root CA option.
- Reboot the Active Directory server. If IIS web services are running, the CA certificate can be accessed by opening
- Set up the Active Directory server to use the SSL server certificate.
- Create a certificate request
.inf, using the fully-qualified domain name of the Active Directory as the certificate subject. For example:
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$ [NewRequest] Subject = "CN=ad.server.example.com, O=Engineering, L=Raleigh, S=North Carolina, C=US" KeySpec = 1 KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=220.127.116.11.18.104.22.168.1 ;-----------------------------------------------For more information on the
.infrequest file, see the Microsoft documentation, such as http://technet.microsoft.com/en-us/library/cc783835.aspx.
- Generate the certificate request.
certreq -new request.inf request.req
- Submit the request to the Active Directory CA. For example:
certreq -submit request.req certnew.cer
NoteIf the command-line tool returns an error message, then use the Web browser to access the CA and submit the certificate request. If IIS is running, then the CA URL is
- Accept the certificate request. For example:
certreq -accept certnew.cer
- Make sure that the server certificate is present on the Active Directory server.In the File menu, click Add/Remove, then click Certificates and Personal>Certificates.
- Import the CA certificate from Directory Server into Active Directory. Click Trusted Root CA, then Import, and browse for the Directory Server CA certificate.
- Reboot the domain controller.
15.6.2. Setting up Password Synchronization
Install the Password Sync Service on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
- Download the
PassSync.msifile to the Active Directory machine.
- Log into the Customer Portal.
- Click the Downloads tab.
- Click the Red Hat Enterprise Linux downloads button in the middle of the page.
- Filter the downloads by using a search term such as Directory Server, and then expand one of the Red Hat Enterprise Linux versions.
- Click the Directory Server link.
- On the Directory Server page, download the appropriate version of the WinSync Installer. This is the Password Sync MSI file (
NoteRegardless of the Red Hat Enterprise Linux architecture, there are two PassSync packages available, one for 32-bit Windows servers and one for 64-bit. Make sure to select the appropriate packages for your Windows platform.
- Double-click the Password Sync MSI file to install it.
- The Password Sync Setup window appears. Hit Next to begin installing.
- Fill in the information to establish the connection to the IdM server.
Hit Next, then Finish to install Password Sync.
- The IdM server connection information, including the hostname and secure port number.
- The username of the system user which Active Directory uses to connect to the IdM machine. This account is configured automatically when sync is configured on the IdM server. The default account is
- The password set in the
--passsyncoption when the sync agreement was created.
- The search base for the people subtree on the IdM server. The Active Directory server connects to the IdM server similar to an
ldapsearchor replication operation, so it has to know where in the IdM subtree to look for user accounts. The user subtree is
- The certificate token is not used at this time, so that field should be left blank.
- Import the IdM server's CA certificate into the Active Directory certificate store.
- Download the IdM server's CA certificate from
- Copy the IdM CA certificate to the Active Directory server.
- Open the command prompt, using
Run as Administrator.
- Install the IdM CA certificate in the Password Sync database. For example:
cd "C:\Program Files\Red Hat Directory Password Synchronization" certutil.exe -d . -A -n "IPASERVER.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt
cd "C:\Program Files\389 Directory Password Synchronization" certutil.exe -d . -A -n "IPASERVER.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt
- Reboot the Windows machine to start Password Sync.
NoteThe Windows machine must be rebooted. Without the rebooting,
PasswordHook.dllis not enabled, and password synchronization will not function.
The first attempt to synchronize passwords, which happened when the Password Sync application is installed, will always fail because of the SSL connection between the Directory Server and Active Directory sync peers. The tools to create the certificate and key databases is installed with the
15.6.3. Allowing Users to Change Other Users' Passwords Cleanly
By default, every time an administrator changes a user password, that user is required to reset the password at the next login. However, this behavior can be changed to allow administrators to reset a password without requiring an immediate password reset.
passSyncManagersDNsattribute lists administrator accounts which are allowed to perform password change operations and which will not then require a password reset.
This is required for password synchronization because, otherwise, whenever a password is synchronized, the IdM server would interpret that as a password change operation and then require a password change at the next login.
Edit the password synchronization entry,
cn=ipa_pwd_extop,cn=plugins,cn=config, and add the
passSyncManagersDNsattribute with the name of the user. This attribute is multi-valued. For example:
$ ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389 dn: cn=ipa_pwd_extop,cn=plugins,cn=config changetype: modify add: passSyncManagersDNs passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
Be careful to limit the listed DNs only to administrator accounts which require the ability to set user passwords. Any user listed here is given access to all user passwords, which is extremely powerful.