SUN/Oracle came up with a different method to allow password synchronization with Active Directory, which they call On-Demand Password Synchronization.
The on-demand password synchronization process occurs as follows:
- User presses Ctrl-Alt-Del on a Windows Client and changes his or her password. New passwords are stored in Microsoft Active Directory.
- The Active Directory Connector polls the system at scheduled intervals as usual.
- When the Connector detects the password change (based on changes made to the USNchanged (Update Sequence Number) and PwdLastSet attributes), the Connector publishes a message on Message Queue about the password change. The message is transferred on an SSL-encrypted channel.
- The Directory Server Connector receives the password change message from Message Queue (over SSL).
- The Directory Server Connector sets the user entry's dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.
- When the user tries logging on, using an LDAP application (such as Portal Server) to authenticate against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.
- The Directory Server Plug-in searches for the corresponding user in Microsoft Active Directory. When the Plug-in finds the user, the Plug-in performs a Bind Request to Active Directory using the password provided when the user tried logging into Directory Server.
- If the bind against Active Directory succeeds, the user provided his or her new Active Directory password, so the Directory Server Plug-in sets that password on the user entry in Directory Server and removes the invalid password flag from it.
- If the user authentication fails, the user entry password in Directory Server remains unchanged, and the passwords on Directory Server and Active Directory will be out-of-sync until the user logs in with a valid password (one that authenticates to Active Directory).
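The sequence above, as an added Python simulation that is not Sun/Oracle's code: both directories are in-memory dicts, an LDAP simple bind is replaced by a local salted-hash check, and the Connector / Message Queue / Directory Server Connector hop is collapsed into one call. The names `Entry`, `ad_change_password`, `ds_plugin_bind` and `demo` are my own.

```python
import hashlib
import os
from dataclasses import dataclass, field

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

@dataclass
class Entry:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    pwdLastSet: int = 0          # AD-side change marker the Connector watches
    dspswvalidate: bool = False  # DS-side "old password invalid" flag

    def set_password(self, pw: str) -> None:
        self.pw_hash = _hash(pw, self.salt)

    def bind(self, pw: str) -> bool:  # stand-in for an LDAP simple bind
        return self.pw_hash == _hash(pw, self.salt)

def ad_change_password(ad: dict, user: str, new_pw: str, ds: dict) -> None:
    """Password changed in AD; the Connector sees pwdLastSet move and the
    DS Connector marks the matching DS entry's old password as invalid."""
    ad[user].set_password(new_pw)
    ad[user].pwdLastSet += 1
    if user in ds:                       # Connector -> Message Queue -> DS Connector
        ds[user].dspswvalidate = True

def ds_plugin_bind(ds: dict, ad: dict, user: str, pw: str) -> bool:
    """DS plug-in intercepts the bind; a flagged entry is verified against AD
    with the password the user just supplied, then synced on success."""
    entry = ds.get(user)
    if entry is None:
        return False
    if not entry.dspswvalidate:
        return entry.bind(pw)            # normal DS authentication
    if user not in ad or not ad[user].bind(pw):
        return False                     # still out of sync; DS entry untouched
    entry.set_password(pw)               # on-demand sync
    entry.dspswvalidate = False
    return True

def demo() -> tuple:
    ad, ds = {"alice": Entry()}, {"alice": Entry()}   # constructed sample user
    ad["alice"].set_password("old-pw"); ds["alice"].set_password("old-pw")
    ad_change_password(ad, "alice", "new-pw", ds)
    old = ds_plugin_bind(ds, ad, "alice", "old-pw")   # rejected, flag stays set
    new = ds_plugin_bind(ds, ad, "alice", "new-pw")   # accepted, DS now in sync
    return old, new, ds["alice"].dspswvalidate, ds["alice"].bind("new-pw")
```

Because the plug-in replays the user's supplied password in a bind to Active Directory, that bind channel needs the same SSL/TLS protection the text describes for the Message Queue hop.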