Transparent Password Synchronization
When users change their Windows NT, Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), OS/390 and OS/400 password, the new password is subjected to a global password policy in addition to the native policy. If the password is acceptable, the new password is changed both on the initial system and, automatically, on every other system where the user has a login ID.
Use of an existing, familiar user interface to change passwords eliminates the need for training and guarantees high (100%) adoption rates.
Process
Transparent password synchronization, triggered by a native password change on a monitored system works as follows:
- User: decides to change his password(s), or is prompted to do so during the login process.
- User: enters his login ID, current password and desired new password.
- Login server (e.g., Windows NT, Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), OS/390 and OS/400): validates password quality internally, then calls a P-Synch® library to further validate password quality.
- P-Synch library: contacts the P-Synch server, establishes an encrypted connection and forwards a request for password policy validation.
- P-Synch server: validates password quality and returns the result. In the event of an attempted policy violation, P-Synch may send a message directly to the user by e-mail or Windows pop-up message, may write a call tracking system ticket, and so on.
- Login server: updates the user's password field internally, then calls the P-Synch library to notify it of the successful change. Note that a failure to meet the P-Synch policy will normally block the initial password change from happening.
- P-Synch library: contacts the P-Synch server, establishes an encrypted connection and forwards a request for password synchronization.
- P-Synch server: queues up the new password for synchronization.
- P-Synch server: resolves the single queued event to a list of passwords that must be set for this user (one per account).
- P-Synch server: administratively sets the user's passwords on each system to the new value.
- P-Synch server: in the event of failure, re-queues and retries; may send the user one or more e-mails to notify them of the problem; may write a ticket to a call tracking system to alert someone of the problem.
Technical details
Transparent password synchronization can be triggered from native password changes on any of the following systems:
- Windows NT compatible servers and domains (password filter DLL on servers or the PDC).
- Windows 2000, Windows 2003 servers and Active Directory domains (password filter DLL on servers and/or DCs).
- zOS, OS/390 and MVS mainframes with RACF, ACF2 or TopSecret security products (security exit in the LPAR with the security products).
- OS/400, iSeries servers.
- Unix servers (passwd program wrapper binary or PAM).
- Sun, Oracle and IBM LDAP servers (attribute change filter on the directory server).
Each of these triggers contacts the P-Synch server twice per password change, over an encrypted TCP/IP socket (shared key handshake, 128-bit AES encryption):
- First connection: validate password quality, possibly reject the user's choice of a new password and block the triggering password change due to policy violation.
- Second connection: initiate transparent password synchronization.
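The two-connection flow described in the process steps and summarized above, as an added model in Python (not P-Synch code): the first call returns a policy verdict that blocks the native change on failure; the second queues one event that is resolved to a set-password operation per account, with failures re-queued and an alert raised once retries are exhausted. The policy rules, the `jsmith` sample accounts and the `set_password` callback are constructed for illustration.

```python
# Added model (not P-Synch code) of the flow above: call 1 validates the global
# policy and blocks the native change on failure; call 2 queues one sync event.
MIN_LEN, MAX_ATTEMPTS = 10, 3   # assumed policy values, not P-Synch defaults
def validate_policy(login_id, new_pw):
    """Global policy check; returns the list of violations (empty = accepted)."""
    checks = [(len(new_pw) < MIN_LEN, "shorter than %d characters" % MIN_LEN),
              (login_id.lower() in new_pw.lower(), "contains the login ID"),
              (not any(c.isdigit() for c in new_pw), "contains no digit")]
    return [msg for bad, msg in checks if bad]

class SyncServer:
    def __init__(self, accounts, set_password):
        self.accounts = accounts          # login_id -> [(system, account), ...]
        self.set_password = set_password  # callable(system, account, pw) -> bool
        self.queue, self.retry, self.alerts = [], [], []

    def on_native_change(self, login_id, new_pw):
        """Call 1 (validate) then call 2 (queue); False = native change blocked."""
        problems = validate_policy(login_id, new_pw)
        if problems:
            self.alerts.append("%s: rejected (%s)" % (login_id, "; ".join(problems)))
            return False
        self.queue.append((login_id, new_pw))   # one queued event per change
        return True

    def process(self):
        """One pass: resolve events to per-account sets, re-queue failures."""
        work = [(s, a, pw, 0) for lid, pw in self.queue
                for s, a in self.accounts.get(lid, [])] + self.retry
        self.queue, self.retry = [], []
        for system, account, pw, attempts in work:
            if self.set_password(system, account, pw):
                continue
            if attempts + 1 < MAX_ATTEMPTS:
                self.retry.append((system, account, pw, attempts + 1))
            else:   # give up and alert, where the page says a ticket or e-mail goes out
                self.alerts.append("%s/%s: not set after %d attempts" % (system, account, MAX_ATTEMPTS))
        return len(self.retry)   # items still pending for the next pass

def demo():
    """Constructed sample: one user, three accounts, Unix target fails once."""
    down = {"unix"}   # systems that reject the first administrative set
    def set_password(system, account, pw):
        return system not in down or bool(down.discard(system))
    srv = SyncServer({"jsmith": [("ad", "jsmith"), ("unix", "jsmith"), ("racf", "JSMITH1")]}, set_password)
    blocked = srv.on_native_change("jsmith", "jsmith2024")   # contains login ID
    allowed = srv.on_native_change("jsmith", "Winter-Harbor-77")
    pending = [srv.process(), srv.process()]   # unix fails once, then succeeds
    return blocked, allowed, pending, srv.alerts
```

`demo()` shows both outcomes the page describes: a rejected choice produces an alert and no queued event, while an accepted one fans out to every account and the failed Unix set is picked up on the next pass.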