This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

SUN/Oracle came up with a different method to allow password synchronization with Active Directory that they call [On-Demand Password Synchronization].
The on-demand password synchronization process occurs as follows:
* User presses Ctrl-Alt-Del on a [Windows Client] and changes his or her password. The new password is stored in [Microsoft Active Directory].
* The Active Directory Connector polls Active Directory at scheduled intervals as usual.
* When the Connector detects the password change (based on changes made to the USNchanged (Update Sequence Number) and [PwdLastSet] attributes), the Connector publishes a message on Message Queue about the password change. The message is transferred on an SSL-encrypted channel.
* The Directory Server Connector receives the password change message from Message Queue (over [SSL]).
* The Directory Server Connector sets the user entry's dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.
* When the user tries logging on, using an [LDAP] application (such as Portal Server) to [authenticate] against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.
* The Directory Server Plug-in searches for the corresponding user in [Microsoft Active Directory]. When the Plug-in finds the user, the Plug-in performs a [Bind Request] to Active Directory using the password provided when the user tried logging into Directory Server.
* If the bind against Active Directory succeeds, the user has provided his or her new Active Directory password, and the Directory Server Plug-in sets that password on the Directory Server entry and removes the invalid-password flag.
* If the user authentication fails, the old password remains in the user entry on Directory Server, and the passwords on Directory Server and Active Directory stay out of sync until the user logs in with a valid password (one that authenticates to Active Directory).
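As an added example (not Sun/Oracle code and not the product's API), the following Python models the flow above in memory: a polling connector that publishes only when both USNchanged and pwdLastSet have moved, a Directory Server entry whose dspswvalidate flag turns the next simple bind into a pass-through bind against Active Directory, and the out-of-sync case where the old password is still presented. The class names, run_scenario() and the user "alice" are assumptions.

```python
# Added example, not Sun/Oracle code; class names, run_scenario() and user "alice" are assumed.
import hashlib
from dataclasses import dataclass
def _h(pw): return hashlib.sha256(pw.encode()).hexdigest()  # stand-in for stored credentials
@dataclass
class ADUser:
    pwd_hash: str
    usn_changed: int = 1   # USNchanged: bumped on any attribute write
    pwd_last_set: int = 0  # pwdLastSet: bumped only when the password is written
@dataclass
class DSEntry:
    pwd_hash: str
    dspswvalidate: bool = False  # true = stored password invalid, verify against AD instead
class ActiveDirectory:
    def __init__(self): self.users = {}
    def set_password(self, uid, pw, now):  # user changed password via Ctrl-Alt-Del
        u = self.users[uid]; u.pwd_hash = _h(pw); u.usn_changed += 1; u.pwd_last_set = now
    def bind(self, uid, pw):  # simple bind request against AD
        u = self.users.get(uid); return u is not None and u.pwd_hash == _h(pw)
class DirectoryServer:
    def __init__(self, ad): self.ad = ad; self.entries = {}
    def on_change_message(self, uid):  # DS Connector: password-change message from the queue
        self.entries[uid].dspswvalidate = True
    def simple_bind(self, uid, pw):  # the plug-in intercepts simple binds
        e = self.entries.get(uid)
        if e is None: return False
        if not e.dspswvalidate: return e.pwd_hash == _h(pw)
        if not self.ad.bind(uid, pw): return False  # out of sync until a valid AD password arrives
        e.pwd_hash, e.dspswvalidate = _h(pw), False  # resync and clear the invalid flag
        return True
class ADConnector:
    """Polls AD on a schedule; a password change moves both USNchanged and pwdLastSet."""
    def __init__(self, ad, ds): self.ad, self.ds, self.seen = ad, ds, {}
    def poll(self):  # in the product the message goes to Message Queue over SSL
        changed = []
        for uid, u in self.ad.users.items():
            usn, pls = self.seen.get(uid, (u.usn_changed, u.pwd_last_set))  # first sight = baseline
            if u.usn_changed != usn and u.pwd_last_set != pls:
                self.ds.on_change_message(uid); changed.append(uid)
            self.seen[uid] = (u.usn_changed, u.pwd_last_set)
        return changed
def run_scenario():  # walks the bullet list above for one user
    ad = ActiveDirectory(); ad.users["alice"] = ADUser(_h("old-pw"))
    ds = DirectoryServer(ad); ds.entries["alice"] = DSEntry(_h("old-pw"))
    conn = ADConnector(ad, ds); conn.poll()  # scheduled poll before any change: nothing published
    ad.set_password("alice", "new-pw", now=100)
    published, flagged = conn.poll(), ds.entries["alice"].dspswvalidate
    old_rejected = not ds.simple_bind("alice", "old-pw")  # flag stays set, still out of sync
    new_accepted = ds.simple_bind("alice", "new-pw")
    return published, flagged, old_rejected, new_accepted, not ds.entries["alice"].dspswvalidate
```

A write to some other attribute bumps only USNchanged, so the connector publishes nothing for it; only the combination with a moved pwdLastSet is treated as a password change.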
!!Note
On-demand password synchronization requires the application to use simple authentication against the Directory Server instead of a more complex authentication mechanism, such as [SASL] [DIGEST-MD5], because the plug-in needs the cleartext password to perform the bind against Active Directory.
This process is specific to the SUN/[Oracle] [LDAP] server and requires the Sun Java System Directory Server Plug-in, so it is proprietary to their solution.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]