SUN/Oracle came up with a different method to allow password synchronization with Active Directory that they call [On-Demand Password Synchronization].

The on-demand password synchronization process occurs as follows:
* The user presses Ctrl-Alt-Del on a [Windows Client] and changes his or her password. The new password is stored in [Microsoft Active Directory].
* The Active Directory Connector polls the system at scheduled intervals as usual.
* When the Connector detects the password change (based on changes made to the USNchanged (Update Sequence Number) and [PwdLastSet] attributes), the Connector publishes a message on Message Queue about the password change. The message is transferred on an SSL-encrypted channel.
* The Directory Server Connector receives the password change message from Message Queue (over [SSL]).
* The Directory Server Connector sets the user entry’s dspswvalidate attribute to true which invalidates the old password and alerts the Directory Server Plug-in of the password change.
* When the user tries logging on, using an [LDAP] application (such as Portal Server) to [authenticate] against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.
* The Directory Server Plug-in searches for the corresponding user in [Microsoft Active Directory]. When the Plug-in finds the user, the Plug-in performs a [Bind Request] to Active Directory using the password provided when the user tried logging into Directory Server.
* If the bind against Active Directory succeeds, then the user provided his or her new Active Directory password, and the Directory Server Plug-in sets the password and removes the invalid password flag from the user entry on Directory Server.
* If the user authentication fails, the user entry password remains in Directory Server and the passwords on Directory Server and Active Directory will be out-of-sync until the user logs in with a valid password (one that authenticates to Active Directory).


!! Note
On-demand password synchronization requires the application to use simple authentication against the Directory Server instead of a more complex authentication mechanism, such as [SASL] [DIGEST-MD5], because the Plug-in needs the cleartext password in order to bind to Active Directory on the user's behalf.

This process is specific to the SUN/[Oracle] [LDAP] server, requires the Sun Java System Directory Server Plug-in to operate, and is therefore proprietary to their solution.
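As an added illustration (not Sun/Oracle code), the following Python simulates the on-demand flow listed above and the note about simple binds, with in-memory stand-ins for Active Directory, Directory Server and the Plug-in; the class and method names are assumptions for the sake of the example.

```python
# Added illustration: simulated on-demand password synchronization.
# ActiveDirectory, DirectoryServer and the helper names are hypothetical.
import hashlib, hmac, os

def _hash(pw, salt=None):
    salt = salt or os.urandom(8)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

def _check(stored, pw):
    return hmac.compare_digest(stored, _hash(pw, stored[:8]))

class ActiveDirectory:
    """Stand-in for AD: authoritative password store, tracks pwdLastSet."""
    def __init__(self, uid, password):
        self.users = {uid: _hash(password)}
        self.pwd_last_set = {uid: 1}
    def change_password(self, uid, new_pw):
        self.users[uid] = _hash(new_pw)
        self.pwd_last_set[uid] += 1      # the AD Connector watches this change
    def bind(self, uid, pw):             # simple bind: cleartext password arrives
        return uid in self.users and _check(self.users[uid], pw)

class DirectoryServer:
    """Stand-in for Directory Server with the Plug-in logic folded into bind()."""
    def __init__(self, ad, uid, password):
        self.ad = ad
        self.entry = {uid: {"password": _hash(password), "dspswvalidate": False}}
    def on_password_change_message(self, uid):
        # Directory Server Connector: mark the local password invalid
        self.entry[uid]["dspswvalidate"] = True
    def bind(self, uid, pw, mechanism="simple"):
        e = self.entry[uid]
        if not e["dspswvalidate"]:
            return _check(e["password"], pw)       # normal local check
        if mechanism != "simple":
            # SASL DIGEST-MD5 never gives the Plug-in the cleartext password,
            # so it cannot re-authenticate against AD: the bind fails
            return False
        if self.ad.bind(uid, pw):          # Plug-in binds to AD with supplied pw
            e["password"] = _hash(pw)      # store the new password locally ...
            e["dspswvalidate"] = False     # ... and clear the invalid flag
            return True
        return False                       # out of sync until a valid login
    def in_sync(self, uid):
        return not self.entry[uid]["dspswvalidate"]
```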

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]