Sunday, October 25, 2009

On-Demand Password Synchronization

There is another feature that I like from Sun Java System Identity Synchronization for Windows 6.0.

On-Demand Password Sync

The on-demand password synchronization process is as follows:

1. The user presses Ctrl-Alt-Del on a machine running Windows and changes his or her password. The new password is stored in Active Directory.

2. The Active Directory Connector polls the system at scheduled intervals. When the Connector detects the password change, the Connector publishes a message on Message Queue about the password change.

3. The Directory Server Connector receives the password change message from Message Queue (over SSL).

4. The Directory Server Connector sets the user entry’s dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.

5. When the user tries to log in, using an LDAP application (such as Portal Server) to authenticate against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.

6. The Directory Server Plug-in searches for the corresponding user in Active Directory. When the Plug-in finds the user, the Plug-in tries to bind to Active Directory using the password provided when the user tried logging in to Directory Server.

7. If the bind against Active Directory succeeds, the Directory Server Plug-in sets the password and removes the invalid password flag from the user entry on Directory Server allowing the user to log in.

Note – If user authentication fails, the user entry password remains in Directory Server and the passwords on Directory Server and Active Directory are not the same until the user logs in with a valid password, one that authenticates to Active Directory.
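As an added illustration (not Sun's plug-in code), here is an in-memory model of steps 1 to 7: the ActiveDirectory and DirectoryServer classes stand in for the two directories, the Message Queue round trip is reduced to a single method call, and the dspswvalidate attribute is the one named above, while all other names and the sample user are assumed. It also covers the failure mode from the note: a login that fails against Active Directory leaves the entry flagged, and the pending_sync helper lists such entries for an administrator.

```python
import hashlib, hmac, secrets

ITERATIONS = 10_000  # deliberately low for the demo

def _hash(password, salt=None):
    # Salted PBKDF2; stands in for whatever hash each directory really stores
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _verify(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class ActiveDirectory:  # stand-in for AD, the authoritative copy of the password
    def __init__(self):
        self.users, self.bind_attempts = {}, 0

    def set_password(self, user, password):  # step 1: the Ctrl-Alt-Del change
        self.users[user] = _hash(password)

    def bind(self, user, password):  # step 6: the plug-in binds with the typed password
        self.bind_attempts += 1
        return user in self.users and _verify(password, self.users[user])

class DirectoryServer:  # stand-in for Directory Server plus the sync plug-in
    def __init__(self, ad):
        self.ad, self.entries = ad, {}  # uid -> {userPassword, dspswvalidate}

    def add_user(self, uid, password):
        self.entries[uid] = {"userPassword": _hash(password), "dspswvalidate": False}

    def on_password_change_message(self, uid):  # steps 2-4: connector sets the flag
        self.entries[uid]["dspswvalidate"] = True

    def bind(self, uid, password):  # steps 5-7: plug-in logic at login time
        entry = self.entries.get(uid)
        if entry is None:
            return False
        if not entry["dspswvalidate"]:
            return _verify(password, entry["userPassword"])  # normal local check
        # Flag set: the local value is stale, so the password is checked against AD
        if not self.ad.bind(uid, password):
            return False  # entry stays flagged and out of sync (the note above)
        entry["userPassword"] = _hash(password)  # step 7: store it and clear the flag
        entry["dspswvalidate"] = False
        return True

    def pending_sync(self):  # audit helper: entries still invalidated
        return sorted(u for u, e in self.entries.items() if e["dspswvalidate"])
```

Running pending_sync after a connector cycle is a cheap way to see which accounts are still waiting on a successful login before their Directory Server password matches Active Directory again.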

This is really cool!
