Password Sync from AD to LDAP Directory using FIM 2010 R2

nidhin_ck posted this 4 weeks ago

We have a requirement to synchronize passwords from Active Directory to an LDAP directory that has a copy of the AD users. Actually, we don't need to sync attributes, just passwords when they are changed in AD.

LDAP Directory: Oracle (previously Sun) Directory Server Enterprise Edition

We don't have any FIM license, but according to the documentation I found, it seems that using only the synchronization part should not require a license, since the FIM license is covered by the Windows Server license and CALs are not needed for Synchronization Services.

Could you please help me clarify: if we use FIM 2010 R2, is it possible to sync passwords from AD to LDAP? If yes, has anyone done this before? Any blog for reference?


Regards,
Nidhin CK

bdesmond posted this 4 weeks ago

You can sync password changes to your Oracle LDAP, but not extract existing passwords. This means until every user changes their password, LDAP won't be in sync. The MIM sync engine which is included with Windows Server is sufficient to do this.
Thanks,

Brian Desmond
w – 312.625.1438 | c – 312.731.3132

nidhin_ck posted this 4 weeks ago

Thanks for the clarification Brian! Just to confirm, are you saying we don't have to install PCNS on DCs?

One more doubt. Let's say we have 1000 objects in AD & Oracle LDAP. If 10 users change their password in AD, will those changes sync to Oracle LDAP?

Regards,
Nidhin CK

bdesmond posted this 4 weeks ago

You do need to install PCNS on all your DCs as part of the solution.

If you have those ten users change their password once PCNS is set up and MIM is properly configured, the passwords will flow to Oracle LDAP.
Thanks,

Brian Desmond
w – 312.625.1438 | c – 312.731.3132

kbatlive posted this 3 weeks ago

I did something similar, only to an ADLDS instance.
Had to install PCNS on every DC – and each DC must have communications to the FIM server – otherwise when users change their passwords, the PCNS service can't forward it to the FIM server (to be sent on to the LDAP server).
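As an added example (not part of kbatlive's post or any Microsoft tooling), a PowerShell check of the two prerequisites named above: PCNS present and running on every DC, and each DC able to reach the FIM server over RPC. Assumptions: the PCNS Windows service is named PCNSSVC, `fim01.corp.example` is a placeholder for the FIM Synchronization Service host, and only the RPC endpoint mapper (TCP 135) is probed, not the dynamic RPC port range; it needs the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example: report PCNS state and RPC reachability to the FIM server for every DC.
# Assumptions: service name PCNSSVC; fim01.corp.example is a placeholder hostname;
# PCNS talks to the FIM sync service over RPC, so TCP 135 is probed as a first check.
$FimServer   = 'fim01.corp.example'   # placeholder, replace with your FIM server
$PcnsService = 'PCNSSVC'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Run on the DC itself so the RPC probe reflects the DC's own network path.
        Invoke-Command -ComputerName $name -ArgumentList $FimServer, $PcnsService -ErrorAction Stop -ScriptBlock {
            param($fim, $svc)
            # Win32_Service exposes State and StartMode on older DC builds as well.
            $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
            $rpc = Test-NetConnection -ComputerName $fim -Port 135 -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC            = $env:COMPUTERNAME
                PcnsInstalled = [bool]$s
                PcnsRunning   = ($s.State -eq 'Running')
                # 'Auto' start mode means PCNS comes back after a DC reboot.
                PcnsAutoStart = ($s.StartMode -eq 'Auto')
                RpcToFim      = $rpc.TcpTestSucceeded
                Error         = $null
            }
        }
    } catch {
        # A DC that cannot be queried is reported, not silently skipped.
        [pscustomobject]@{
            DC = $name; PcnsInstalled = $null; PcnsRunning = $null
            PcnsAutoStart = $null; RpcToFim = $null; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Password changes made through any DC listed here will not be forwarded to FIM.
$bad = $results | Where-Object { -not ($_.PcnsInstalled -and $_.PcnsRunning -and $_.RpcToFim) }
if ($bad) {
    Write-Warning ('PCNS prerequisites not met on: ' + (($bad | ForEach-Object DC) -join ', '))
}
```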

nidhin_ck posted this 3 weeks ago

Do we need to configure anything on the Oracle LDAP side to make this password synchronization work?

I have seen an article which discusses configuring Synchronization Rules on the MIM Portal. But in our case, we don't need to sync any user attributes except the password.

Also, I have a doubt about password synchronization. Is this password sync immediate, or will it wait for the delta synchronization?
Regards,
Nidhin CK

cduers posted this 3 weeks ago

Hi – the password sync is immediate – it doesn't depend on run cycles. If you set up MIM and just do joins with the Oracle LDAP objects, you don't have to flow anything, you can still sync the passwords – but you need the joins.
Christopher Duers
XL Catlin,
Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx