Installing the Active Directory Password Synchronization Plugin

The following steps install the password synchronization on an Active directory server:

  1. Download the Active Directory password synchronization plugin.

  2. Install the plugin using one of the following methods:

    • Double-click the setup file to launch the installation wizard.

    • Alternatively, from a command-line, start the installation wizard with the idm-setup.exe command. To save the settings in a configuration file, use the /saveinf switch as follows: 

      PS C:\path\to\dir> idm-setup.exe /saveinf=C:\temp\adsync.inf

    • If you have a configuration file with installation parameters, you can install the password plugin in silent mode as follows: 

      PS C:\path\to\dir> idm-setup.exe /verysilent /loadinf=C:\temp\adsync.inf

  3. Provide the following information during the installation. You must accept the license agreement shown to proceed with the installation:

    OpenIDM Connection information

    • OpenIDM URL

      Enter the URL where IDM is deployed, including the query that targets each user account. For example:

      https://localhost:8444/openidm/managed/user?_action=patch&_queryFilter=userName+eq+'${samaccountname}'

    • OpenIDM User Password attribute

      The password attribute for the managed/user object, such as password.

      If the password attribute does not exist in the IDM managed/user object, the password sync service will return an error when it attempts to replay a password update that has been made in Active Directory. If your managed user objects do not include passwords, you can add an onCreate script to the Active Directory > Managed Users mapping that sets an empty password when managed user accounts are created. The following excerpt of a sample sync.json file shows such a script in the mapping: 

      "mappings" : [
 {
   "name" : "systemAdAccounts_managedUser",
   "source" : "system/ad/account",
   "target" : "managed/user",
   "properties" : [
     {
       "source" : "sAMAccountName",
       "target" : "userName"
     }
   ],
   "onCreate" : {
     "type" : "text/javascript",
     "source" : "target.password=''"
   },
...

      The onCreate script creates an empty password in the managed/user object, so that the password attribute exists and can be patched.

    OpenIDM Authentication Parameters

    Provide the following information:

    • User name

      Enter the name of an administrative user that can authenticate to IDM, for example, openidm-admin.

    • Password

      Enter the password of the user that authenticates to IDM; for example, openidm-admin.

    • OAuth2 Access Token URL

      If you are using the authentication type OAuth2 Access Token, enter the token URL; for example: 

      https://am.example.com/am/oauth2/realms/root/access_token

    • OAuth2 Scope

      If you are using the authentication type OAuth2 Access Token, enter the OAuth2 token scope; for example fr:idm:*.

    • Select authentication type

      Select the authentication type that Active Directory will use to authenticate to IDM:

      • To use plain HTTP authentication, select OpenIDM Header.

      • To use SSL mutual authentication, select Certificate.

      • To use AM bearer tokens, select OAuth2 Access Token.

    Certificate authentication settings

    If you selected Certificate as the authentication type on the previous screen, specify the details of the certificate that will be used for authentication.

    • Select Certificate file

      Browse to select the certificate file that Active Directory will use to authenticate to IDM. The certificate file must be configured with an appropriate encoding, cryptographic hash function, and digital signature. The plugin can read a public or a private key from a PKCS #12 archive file.

      For production purposes, you should use a certificate that has been issued by a Certificate Authority. For testing purposes, you can generate a self-signed certificate. Whichever certificate you use, you must import that certificate into the IDM truststore.

      To generate a self-signed certificate for Active Directory, follow these steps:

      1. On the Active Directory host, generate a private key, which will be used to generate a self-signed certificate with the alias ad-pwd-plugin-localhost: 

        > keytool.exe ^
 -genkey ^
 -alias ad-pwd-plugin-localhost ^
 -keyalg rsa ^
 -dname "CN=localhost, O=AD-pwd-plugin Self-Signed Certificate" ^
 -keystore keystore.jceks ^
 -storetype JCEKS
Enter keystore password: changeit
Re-enter new password: changeit
Enter key password for <ad-pwd-plugin-localhost>
      <RETURN if same as keystore password>

      2. Now use the private key, stored in the keystore.jceks file, to generate the self-signed certificate: 

        > keytool.exe ^
 -selfcert ^
 -alias ad-pwd-plugin-localhost ^
 -validity 365 ^
 -keystore keystore.jceks ^
 -storetype JCEKS ^
 -storepass changeit

      3. Export the certificate. In this case, the keytool command exports the certificate in a PKCS #12 archive file format, used to store a private key with a certificate: 

        > keytool.exe ^
 -importkeystore ^
 -srckeystore keystore.jceks ^
 -srcstoretype jceks ^
 -srcstorepass changeit ^
 -srckeypass changeit ^
 -srcalias ad-pwd-plugin-localhost ^
 -destkeystore ad-pwd-plugin-localhost.p12 ^
 -deststoretype PKCS12 ^
 -deststorepass changeit ^
 -destkeypass changeit ^
 -destalias ad-pwd-plugin-localhost ^
 -noprompt

      4. The PKCS #12 archive file is named ad-pwd-plugin-localhost.p12. Import the contents of the keystore contained in this file to the system that hosts IDM. To do so, import the PKCS #12 file into the IDM keystore file, named truststore, in the /path/to/openidm/security directory.

        On the machine that is running IDM, enter the following command: 

        keytool \
 -importkeystore \
 -srckeystore /path/to/ad-pwd-plugin-localhost.p12 \
 -srcstoretype PKCS12 \
 -destkeystore truststore \
 -deststoretype JKS

    • Password to open the archive file with the private key and certificate

      Specify the keystore password (changeit, in the previous example).

    Password Encryption settings

    Provide the details of the certificate that will be used to encrypt password values.

    • Select certificate file

      Browse to select the certificate that will be used for password encryption. The certificate format must be PKCS #12.

      For evaluation purposes, you can use a self-signed certificate, as described earlier. For production purposes, you should use a certificate that has been issued by a Certificate Authority.

      Whichever certificate you use, the certificate must be imported into the IDM keystore, so that IDM can locate the key with which to decrypt the data. To import the certificate into the IDM keystore, keystore.jceks, run the following command on the IDM host (UNIX): 

      keytool \
 -importkeystore \
 -srckeystore /path/to/ad-pwd-plugin-localhost.p12 \
 -srcstoretype PKCS12 \
 -destkeystore /path/to/openidm/security/keystore.jceks \
 -deststoretype jceks

    • Private key alias

      Specify the alias for the certificate, such as ad-pwd-plugin-localhost. The password sync plugin sends the alias when communicating with IDM, which uses the alias to retrieve the corresponding private key in IDM's keystore.

      Update the IDM secret store (conf/secrets.json) to add this certificate alias to the idm.default secretId: 

      "mappings": [
    {
        "secretId": "idm.default",
        "types": [ "ENCRYPT", "DECRYPT" ],
        "aliases": [ "&{openidm.config.crypto.alias|openidm-sym-default}","ad-pwd-plugin-localhost" ] },
        ...
    }
]

      For more information about secret stores, see "Configuring Secret Stores".

    • Password to open certificate file

      Specify the password to access the PFX keystore file, such as changeit, from the previous example.

    • Select encryption standard

      Specify the encryption standard that will be used when encrypting the password value (AES-128, AES-192, or AES-256).

    Data storage

    Provide the details for the storage of encrypted passwords in the event that IDM is not available when a password modification is made.

    • Select the folder in which Service will store its output data files

      The server should prevent access to this folder, except access by the Password Sync service. The path name cannot include spaces.

    • Directory poll interval (seconds)

      Enter the number of seconds between calls to check whether IDM is available, for example, 60, to poll IDM every minute.

    Log storage

    Provide the details of the messages that should be logged by the plugin.

    • Select the folder in which Service will store its log files

      The path name cannot include spaces.

    • Select logging level

      Select the severity of messages that should be logged, either error, info, warning, fatal, or debug.

    Select Destination Location

    Setup installs the plugin in the location you select, by default C:\Program Files\OpenIDM Password Sync.

  4. After running the installation wizard, restart the computer.

  5. If you selected Certificate as the authentication type during setup, complete the following sub-steps; otherwise, your setup is now complete.

    1. The Password Sync Service uses Windows certificate stores to verify IDM's identity. The certificate that IDM uses must therefore be added to the list of trusted certificates on the Windows machine.

      In a production environment, use a certificate that has been issued by a certificate authority. For test purposes, you can use the self-signed certificate that is generated by IDM on first startup.

      To add the IDM certificate to the list of trusted certificates, use the Microsoft Management Console.

      1. Select Start and type mmc in the Search field.

      2. In the Console window, select File > Add/Remove Snap-in.

      3. From the left hand column, select Certificates and click Add.

      4. Select My user account, and click Finish.

      5. Repeat the previous two steps for Service account and Computer account.

        For Service account, select Local computer, then select OpenIDM Password Sync Service.

        OpenIDM architecture

        For Computer account, select Local computer.

      6. Click Finish when you have added the three certificate snap-ins.

      7. Still in the Microsoft Management Console, expand Certificates - Current User > Personal and select Certificates.

      8. Select Action > All Tasks > Import to open the Certificate Import Wizard.

      9. Browse for the IDM certificate. If you have exported IDM's self-signed certificate, the certificate is openidm-localhost.crt.

      10. Enter the Password for the certificate (changeit by default, if you use the IDM self-signed certificate).

      11. Accept the default for the Certificate Store.

      12. Click Finish to complete the import.

      13. Repeat the previous six steps to import the certificate for:

        Certificates - Current User > Trusted Root Certification Authorities
        Certificates - Service > OpenIDM Password Sync\Personal
        Certificates - Service > OpenIDM Password Sync\Trusted Root Certification Authorities
        Certificates > Local Computer > Personal
        Certificates > Local Computer > Trusted Root Certification Authorities

Password synchronization should now be configured and working. To test that the setup was successful, change a user password in Active Directory. That password should be synchronized to the corresponding IDM managed user account, and you should be able to query the user's own entry in IDM using the new password.

Read a different version of :