Hitachi ID Systems, Inc.

Using P-Synch in Application Migrations

Introduction

This document describes a number of ways in which P-Synch® can be used to ease system and directory migrations.

Examples of migrations include, but are not limited to:

  1. Upgrading a Windows NT domain to Windows 2000 Active Directory.
  2. Moving from one mail system (e.g., Lotus cc:Mail) to another (e.g., Microsoft Exchange).
  3. Migrating from one NOS, such as Novell NDS, to another such as Windows 2000.
  4. Replacing one vendor's LDAP product.
  5. Rolling out a new application that impacts a large user population, such as a self-service human resources (H.R.) portal.

As described below, P-Synch can assist both in the initial activation of the new system or directory and in the transition period during which the old and new systems are active at the same time.

Migrating Users

As a part of its nightly automation process, P-Synch extracts a list of users from every system where it manages passwords.

When migrating users to a new directory, these user lists are a natural starting point for the list of accounts that should be created on the new system.

For example, the following command can be used to extract a list of user IDs and full names from the P-Synch database:

  c:
  cd "\program files\p-synch\cgi-bin"
  ..\utils\dumpdb user -trim -delimited > c:\temp\users.txt

This list can be transformed into SQL statements that create database users, an LDIF file that creates LDAP entries, or a batch file that creates Windows NT or Windows 2000 accounts. The details are beyond the scope of this document, since they depend on the type of application being populated.

A further advantage of using P-Synch in a directory migration is that the new accounts can be created with random initial passwords that nobody needs to know or record. The next section describes how users then activate their own accounts.
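As an added example (not Hitachi ID's code and not part of the original document), the following Python script does the kind of conversion this section leaves open: it reads a user dump, drops repeated IDs, and emits LDIF that creates each account with a random initial password that nobody, including the administrator, needs to record. The dump layout (tab-separated user ID and full name), the base DN ou=people,dc=acme,dc=com, and the inetOrgPerson object class are assumptions for illustration, not facts taken from this page.

```python
"""Convert a P-Synch user dump into LDIF that creates each account with a
random initial password.  Added example, not Hitachi ID's code.

Assumptions (not documented on this page): the output of
"dumpdb user -trim -delimited" is read as tab-separated "userid<TAB>fullname"
lines; the target container ou=people,dc=acme,dc=com and the inetOrgPerson
object class are illustrative choices for the new directory."""
import base64
import csv
import io
import secrets

BASE_DN = "ou=people,dc=acme,dc=com"  # assumed target container

# Constructed sample standing in for c:\temp\users.txt.  jsmith appears
# twice, as it might if collected from more than one managed system.
SAMPLE_DUMP = (
    "jsmith\tJohn Smith\n"
    "adoe\tAnne Doe, PhD\n"
    "jsmith\tJohn Smith\n"
    "bwong\tBo Wong\n"
)


def parse_dump(text, delimiter="\t"):
    """Yield (userid, fullname) pairs, skipping blank lines and repeated IDs."""
    seen = set()
    for row in csv.reader(io.StringIO(text), delimiter=delimiter):
        if len(row) < 2 or not row[0].strip():
            continue
        uid = row[0].strip()
        if uid in seen:
            continue
        seen.add(uid)
        yield uid, row[1].strip()


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif (ch in ',+"\\<>;' or (i == 0 and ch in " #")
              or (i == last and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """Format one 'name: value' line.  Values LDIF (RFC 2849) cannot carry in
    clear (leading space, ':' or '<'; any NUL, CR, LF or non-ASCII byte) are
    base64-encoded and written with the '::' separator instead."""
    raw = value.encode("utf-8")
    unsafe_init = value[:1] in (" ", ":", "<")
    unsafe_body = any(b > 127 or b in (0, 10, 13) for b in raw)
    if unsafe_init or unsafe_body:
        return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))
    return "%s: %s" % (name, value)


def fold(line, width=76):
    """Fold a line longer than `width`; LDIF continuation lines begin with
    one space that the parser strips."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def random_initial_password(nbytes=24):
    """CSPRNG-derived throwaway value.  Nobody needs to know it: the user
    replaces it through P-Synch after authenticating with an existing
    password, so it is generated, written once to the LDIF, and forgotten."""
    return secrets.token_urlsafe(nbytes)


def user_entry(uid, fullname, password=None):
    """Build one 'add' record.  sn is taken as the last word of the full
    name (an assumed convention); pass `password` only to make output
    reproducible, e.g. in tests."""
    words = fullname.split()
    lines = [
        ldif_attr("dn", "uid=%s,%s" % (escape_rdn_value(uid), BASE_DN)),
        "changetype: add",
        "objectClass: inetOrgPerson",
        ldif_attr("uid", uid),
        ldif_attr("cn", fullname or uid),
        ldif_attr("sn", words[-1] if words else uid),
        ldif_attr("userPassword", password or random_initial_password()),
    ]
    return "\n".join(fold(line) for line in lines) + "\n"


def dump_to_ldif(text, delimiter="\t"):
    """Convert a whole dump; LDIF records are separated by a blank line."""
    return "\n".join(user_entry(uid, name)
                     for uid, name in parse_dump(text, delimiter))


if __name__ == "__main__":
    # Redirect to a file and feed it to the directory's ldapadd/ldapmodify
    # tool; treat the file as a secret and delete it after the import.
    print(dump_to_ldif(SAMPLE_DUMP), end="")
```

The resulting file carries clear-text initial passwords, so it should be written with restrictive permissions and deleted once the import succeeds. Whether the directory hashes userPassword on import or expects a value already hashed in its own format depends on the LDAP server, and is worth checking on a single test entry before the bulk load.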

Initializing Passwords

A major problem in activating a new system is selecting a suitable initial password for users, and communicating that initial value to users securely.

Setting the initial password to a user's SSN or login ID is insecure, since those values are widely known or easily guessed. Setting a stronger password is better, but communicating that value to users by e-mail is also insecure.

With P-Synch, users need not know the initial password of their new account. Instead, they are instructed by e-mail to change all of their passwords, including the new one, through P-Synch. They authenticate to P-Synch with the password of a system they already use, and P-Synch replaces the initial random value (which they never see) with the strong password they choose. Note that the new account is then only as well protected as the existing credential used to claim it, so that credential should belong to a system with a sound password policy.

For example, new users of an LDAP directory might receive an e-mail with the text:

  Acme, Inc. has activated a new corporate directory.  New applications,
  and our Intranet, will verify your identity using a user ID and password
  on this directory.

  To activate your corporate directory account, click on the link below,
  enter your windows network login ID and password, and select a new
  password for all of your accounts.  You will then be able to use
  the new password both for the systems with which you are already
  familiar, and for the new corporate directory.

  http://password.acme.com/psynch/nph-psf.exe

Users follow the link, enter their existing Windows NT login ID and password, and choose a new password. They can then log into every system, including the new LDAP directory, with that password, so users are migrated efficiently and securely. Because this page collects the user's existing credentials, it should be served over HTTPS rather than plain HTTP, and the e-mail should tell users exactly which address to expect, since a message that says "click here and enter your password" is also what a phishing attempt looks like.

Maintaining Passwords During the Transition

In a directory migration (for example, upgrading a domain from Windows NT to Windows 2000/2003 Active Directory), it may be useful to keep both systems running for a transition period.

In these cases, the password synchronization features of P-Synch keep the same password on both directories, so end users need not understand which resources authenticate against which directory, and hence which password to use.

This directly reduces the support load generated by the transition period.