Password Policy Enforcement; Password Policy Enforcement Notifications; Password Policy Assignments - Novell IDENTITY MANAGER 3.6.1 - PASSWORD MANAGEMENT Manual

The connected system determines the level of support for password synchronization. Some systems, such as Microsoft Active Directory and Novell eDirectory™, support bidirectional synchronization. Other systems support synchronization in one direction only. See Chapter 3, "Connected System Support for Password Synchronization," on page 15 for details.

1.3 Password Policy Enforcement

Identity Manager can enforce password policies on incoming passwords from connected systems and on passwords set or changed through the User Application password self-service. If the new password does not comply with the policy, you can specify that Identity Manager not accept it. A rejected password is also never distributed to the other connected systems, so a password that violates your policy cannot spread through synchronization.

In addition, Identity Manager can enforce password policies on the connected systems themselves. If a password being published to the Identity Vault does not comply with the rules in a policy, you can specify that Identity Manager not only refuses to accept it for distribution, but also resets the noncompliant password on the connected system, using the current Distribution password held in the Identity Vault. The user is then left with the previous, compliant password on that system rather than the one he or she just chose.

For example, you want to require passwords to include at least one numeric character, but the connected system has no way to enforce such a rule. You specify that Identity Manager resets any password that flows in from the connected system and does not comply with the policy.

1.4 Password Policy Enforcement Notifications

Identity Manager can automatically notify users by e-mail when a password change was not successful.

For example, you configure Identity Manager to reject incoming passwords from Active Directory that do not comply with your password policy. One policy rule specifies that the company name cannot be used in a password. A user changes his or her Active Directory password to one that includes the company name. Identity Manager rejects the password and sends the user an e-mail message stating that the password change was not synchronized.

The User Application password self-service console can display the password policy rules, so users know how to create a compliant password before they submit one. A connected system, however, has no way to display the policy: if you allow users to change their password through a connected system, they learn about a violation only after the change is rejected.

To reduce rejections, and the notifications they generate, require users to change their password only in the User Application, or at least make sure the policy rules are well publicized.
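The following is an added example, not Identity Manager code, that models the decision flow described in sections 1.3 and 1.4: a password published from a connected system is checked against a small policy (a minimum count of numeric characters and a forbidden company name), a compliant password becomes the Distribution password and is sent on to the other connected systems, and a noncompliant one is rejected, optionally reset on the source system to the vault's current Distribution password, and reported to the user. The `PasswordPolicy` and `SyncResult` classes, the `publish_password` function, the in-memory vault, the company name "Acme" and the connected-system names are all assumptions made for the example; Identity Manager's real policies are not written this way.

```python
"""Constructed model of password-policy enforcement on published passwords.

Not Identity Manager code: the rule set, the vault dictionary and the
connected-system names below are assumptions for the example.
"""
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    """A tiny subset of the rules a password policy can carry (assumed)."""
    min_numeric: int = 1                       # "at least one numeric character"
    forbidden_substrings: tuple = ("Acme",)    # e.g. the company name (assumed)
    # Section 1.3 option: reset a noncompliant password on the connected system
    # back to the Identity Vault's current Distribution password.
    reset_noncompliant_on_source: bool = False
    # Section 1.4 option: e-mail the user when the change is not synchronized.
    notify_on_failure: bool = True

    def violations(self, password: str) -> List[str]:
        """Return a human-readable list of rules the password breaks."""
        problems = []
        if sum(ch in string.digits for ch in password) < self.min_numeric:
            problems.append(f"at least {self.min_numeric} numeric character(s) required")
        lowered = password.lower()
        for word in self.forbidden_substrings:
            if word.lower() in lowered:       # case-insensitive, so "acme" is caught too
                problems.append(f"must not contain '{word}'")
        return problems


@dataclass
class SyncResult:
    accepted: bool
    violations: List[str] = field(default_factory=list)
    distributed_to: List[str] = field(default_factory=list)
    reset_on_source: Optional[str] = None  # password pushed back to the source system
    notification: Optional[str] = None     # e-mail text sent to the user, if any


def publish_password(policy: PasswordPolicy, vault: Dict[str, Dict[str, str]],
                     user: str, source_system: str, new_password: str,
                     connected_systems: List[str]) -> SyncResult:
    """Handle a password published from `source_system` to the Identity Vault."""
    if user not in vault:
        raise KeyError(f"unknown user {user!r}")
    problems = policy.violations(new_password)
    if not problems:
        # Compliant: it becomes the Distribution password and flows to every
        # connected system other than the one it came from.
        vault[user]["distribution_password"] = new_password
        return SyncResult(accepted=True,
                          distributed_to=[s for s in connected_systems if s != source_system])
    # Noncompliant: never distributed; the vault keeps its current Distribution password.
    result = SyncResult(accepted=False, violations=problems)
    if policy.reset_noncompliant_on_source:
        result.reset_on_source = vault[user]["distribution_password"]
    if policy.notify_on_failure:
        result.notification = (f"To {user}: your password change on {source_system} was "
                               f"not synchronized. Policy violations: " + "; ".join(problems))
    return result


if __name__ == "__main__":
    # Constructed sample data: one user, three connected systems.
    vault = {"jdoe": {"distribution_password": "Old1pass"}}
    systems = ["Active Directory", "SAP", "Linux"]
    policy = PasswordPolicy(reset_noncompliant_on_source=True)
    for pw in ("Winter2024!", "acme2024!", "NoDigits"):
        print(pw, "->", publish_password(policy, vault, "jdoe", "Active Directory", pw, systems))
```

With `reset_noncompliant_on_source` left at its default of `False`, a rejected password is simply not distributed and the user is told why; with it enabled, the result also carries the previous Distribution password that would be written back to the connected system, which is the behaviour section 1.3 describes for systems that cannot enforce the rule themselves.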

1.5 Password Policy Assignments

Password policies are assigned from a tree-centric perspective: you assign them to the Identity Vault containers that hold the users to whom you want the policies applied. Password synchronization, in contrast, is set up per driver. Drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica on that server. A policy therefore applies to a user because of the container the user is in, but the user's password is synchronized only through a driver whose server holds that user in a writable replica.
