On-Demand Password Synchronization

SUN/Oracle came up with a different method to allow password synchronization with Active Directory, which they call On-Demand Password Synchronization.

The on-demand password synchronization process occurs as follows:

  • User presses Ctrl-Alt-Del on a Windows Client and changes his or her password. New passwords are stored in Microsoft Active Directory.
  • The Active Directory Connector polls the system at scheduled intervals as usual.
  • When the Connector detects the password change (based on changes made to the USNchanged (Update Sequence Number) and PwdLastSet attributes), the Connector publishes a message on Message Queue about the password change. The message is transferred on an SSL-encrypted channel.
  • The Directory Server Connector receives the password change message from Message Queue (over SSL).
  • The Directory Server Connector sets the user entry's dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.
  • When the user tries logging on, using an LDAP application (such as Portal Server) to authenticate against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.
  • The Directory Server Plug-in searches for the corresponding user in Microsoft Active Directory. When the Plug-in finds the user, the Plug-in performs a Bind Request to Active Directory using the password provided when the user tried logging into Directory Server.
  • If the bind against Active Directory succeeds, then the user has provided his or her new Active Directory password, and the Directory Server Plug-in sets that password and removes the invalid-password flag from the user entry on Directory Server.
  • If the user authentication fails, the user entry password remains unchanged in Directory Server, and the passwords on Directory Server and Active Directory stay out of sync until the user logs in with a valid password (one that authenticates to Active Directory).
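
The following simulation is an added example, not code from Sun/Oracle or from the Identity Synchronization product. Two in-memory stores stand in for Active Directory and Directory Server, the Message Queue transport is collapsed into a direct call, and the attribute names (USNchanged, pwdLastSet, dspswvalidate) are taken from the page; everything else (class names, the `run_scenario` helper, the user "alice" and her passwords) is constructed for illustration. It walks through the steps above and shows the two properties a defender cares about: after the flag is set the old Directory Server password is no longer accepted, and a bind with a wrong password leaves the entry flagged and out of sync rather than copying anything.

```python
"""Simulation of on-demand password synchronization (added example, not product code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000  # constructed value for the toy password store


def _hash(password, salt=b""):
    """Salted PBKDF2 so neither stand-in store keeps cleartext passwords."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _verify(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class ADEntry:
    secret: bytes
    usn_changed: int   # USNchanged: bumped on every write to the entry
    pwd_last_set: int  # pwdLastSet: timestamp of the last password change


class ActiveDirectory:
    """Stand-in for Active Directory (constructed)."""

    def __init__(self):
        self.entries = {}
        self.highest_usn = 0

    def add_user(self, sam, password, now=1):
        self.highest_usn += 1
        self.entries[sam] = ADEntry(_hash(password), self.highest_usn, now)

    def change_password(self, sam, new_password, now):
        """The Ctrl-Alt-Del change: new secret, USNchanged and pwdLastSet move."""
        entry = self.entries[sam]
        self.highest_usn += 1
        entry.secret = _hash(new_password)
        entry.usn_changed = self.highest_usn
        entry.pwd_last_set = now

    def bind(self, sam, password):
        entry = self.entries.get(sam)
        return entry is not None and _verify(password, entry.secret)


@dataclass
class DSEntry:
    secret: bytes
    dspswvalidate: bool = False  # true = local password invalid, validate via AD


class DirectoryServer:
    """Stand-in for Directory Server with the plug-in logic in bind()."""

    def __init__(self, ad):
        self.entries = {}
        self.ad = ad

    def add_user(self, uid, password):
        self.entries[uid] = DSEntry(_hash(password))

    def bind(self, uid, password):
        entry = self.entries.get(uid)
        if entry is None:
            return False
        if not entry.dspswvalidate:
            return _verify(password, entry.secret)  # normal simple bind
        # Flag set: plug-in binds to AD with the password the user just supplied
        if self.ad.bind(uid, password):
            entry.secret = _hash(password)  # copy the now-verified password
            entry.dspswvalidate = False     # clear the invalid-password flag
            return True
        return False  # wrong password: entry stays flagged and out of sync


class ADConnector:
    """Polls AD; a change to USNchanged plus pwdLastSet means a password change."""

    def __init__(self, ad, ds):
        self.ad, self.ds = ad, ds
        self.last_usn = ad.highest_usn
        self.seen_pwd_last_set = {s: e.pwd_last_set for s, e in ad.entries.items()}

    def poll(self):
        changed = []
        for sam, entry in self.ad.entries.items():
            if entry.usn_changed > self.last_usn and \
                    entry.pwd_last_set != self.seen_pwd_last_set.get(sam):
                changed.append(sam)
                self.seen_pwd_last_set[sam] = entry.pwd_last_set
        self.last_usn = self.ad.highest_usn
        for sam in changed:  # message to the DS connector, which sets the flag
            self.ds.entries[sam].dspswvalidate = True
        return changed


def run_scenario():
    """Constructed walk-through; returns the observations for inspection."""
    ad = ActiveDirectory()
    ad.add_user("alice", "Winter2009")
    ds = DirectoryServer(ad)
    ds.add_user("alice", "Winter2009")
    connector = ADConnector(ad, ds)
    quiet_poll = connector.poll()                 # nothing changed yet
    ad.change_password("alice", "Spring2010", now=2)
    change_poll = connector.poll()                # detects the change
    return {
        "quiet_poll": quiet_poll,
        "change_poll": change_poll,
        "flag_set": ds.entries["alice"].dspswvalidate,
        "old_password_accepted": ds.bind("alice", "Winter2009"),
        "still_flagged": ds.entries["alice"].dspswvalidate,
        "new_password_accepted": ds.bind("alice", "Spring2010"),
        "flag_cleared": not ds.entries["alice"].dspswvalidate,
        "local_bind_after_sync": ds.bind("alice", "Spring2010"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The order of operations in `DirectoryServer.bind` is the point: the local hash is only rewritten after Active Directory has accepted the supplied password, so a guessed or stale password can never be copied into Directory Server, and until a correct login arrives the entry simply keeps refusing binds.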


On-demand password synchronization requires the application to use simple authentication against the Directory Server instead of a more complex authentication mechanism such as SASL DIGEST-MD5, because the Plug-in needs the password the user supplied in order to bind to Active Directory, and a challenge-response mechanism never sends it.

This process depends on the SUN/Oracle LDAP server running the Sun Java System Directory Server Plug-in, and is therefore proprietary to their solution.

