Password Sync from AD to LDAP Directory using FIM 2010 R2

  • 165 Views
  • Last Post 06 July 2017
nidhin_ck posted this 30 June 2017

We have a requirement to synchronize passwords from Active Directory to an LDAP directory that has a copy of the AD users. Actually, we don't need to sync attributes, just passwords when they are changed in AD.

LDAP Directory: Oracle (previously Sun) Directory Server Enterprise Edition

We don't have any FIM license, but according to the documentation I found, it seems that using only the synchronization part, a license should not be required, since the FIM license is covered by the Windows Server license and CALs are not needed for the Synchronization Service.

Could you please help me clarify: if we use FIM 2010 R2, is it possible to sync passwords from AD to LDAP? If yes, has anyone done this before? Any blog for reference?


Regards,
Nidhin CK

cduers posted this 06 July 2017

Hi – the password sync is immediate – it doesn't depend on run cycles. If you set up MIM and just do joins with the Oracle LDAP objects, you don't have to flow anything, you can still sync the passwords – but you need the joins.

 



Christopher Duers
XL Catlin, Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx

nidhin_ck posted this 06 July 2017

Do we need to configure anything on the Oracle LDAP side to make this password synchronization work?

I have seen an article which discusses configuring Synchronization Rules on the MIM Portal. But in our case, we don't need to sync any user attributes except the password.

Also, I have a doubt about password synchronization: is this password sync immediate, or will it wait for the delta synchronization?

Regards,
Nidhin CK

kbatlive posted this 02 July 2017

I did something similar, only to an AD LDS instance.

Had to install PCNS on every DC – and each DC must have communications to the FIM server – otherwise when users change their passwords, the PCNS service can't forward it to the FIM server (to be sent on to the LDAP server).

bdesmond posted this 30 June 2017

You do need to install PCNS on all your DCs as part of the solution.

If you have those ten users change their password once PCNS is set up and MIM is properly configured, the passwords will flow to Oracle LDAP.

Thanks,
Brian Desmond
w – 312.625.1438 | c – 312.731.3132
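Both replies above (kbatlive's and Brian Desmond's) make the same operational point: PCNS must be installed on every DC, and every DC must be able to reach the sync server, or a password change captured on that DC is never forwarded. The script below is an added example, not code from the thread, from Microsoft or from the Oracle product, that audits those prerequisites from an admin workstation across all DCs in the domain. The sync server name mimsync.corp.example, the service account svc-mimsync, the PCNSSVC service/provider name and the 24-hour event window are assumptions; the SPN form PCNSCLNT/<sync server FQDN> is the one PCNS authenticates against.

```powershell
# Added example (not from the thread): audit the PCNS prerequisites on every DC.
# Assumed names below (sync server, service account, provider name) - replace with your own.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$MimServer     = 'mimsync.corp.example',  # assumed FQDN of the MIM/FIM Sync server
    [string]$MimSvcAccount = 'svc-mimsync',           # assumed sAMAccountName of the Sync service account
    [int]$EventHours       = 24                       # how far back to look for PCNS delivery errors
)

# PCNS authenticates to the sync server with Kerberos against this SPN; it must be
# registered on the account the sync service runs as, or every notification fails.
$expectedSpn = "PCNSCLNT/$MimServer"
$svc   = Get-ADUser -Identity $MimSvcAccount -Properties servicePrincipalName
$spnOk = $svc.servicePrincipalName -contains $expectedSpn
[pscustomobject]@{ Check = 'SPN registered'; Account = $MimSvcAccount; Spn = $expectedSpn; Ok = $spnOk } |
    Format-Table -AutoSize

$since = (Get-Date).AddHours(-$EventHours)

# Every DC can service a password change, so every DC needs the PCNS service
# running and a network path to the sync server. Test from the DC itself, not
# from this workstation, because the DC's firewall view is what matters.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    $svcState = try { (Get-Service -ComputerName $name -Name 'pcnssvc' -ErrorAction Stop).Status }
                catch { 'NotInstalled' }

    # PCNS delivers over RPC: the endpoint mapper (TCP 135) is the minimum that must
    # answer; the dynamic RPC port range also has to be open from DC to sync server.
    $rpcOk = Invoke-Command -ComputerName $name -ErrorAction SilentlyContinue -ScriptBlock {
        param($target)
        Test-NetConnection -ComputerName $target -Port 135 -InformationLevel Quiet
    } -ArgumentList $MimServer

    # Delivery failures land in the Application log (provider name 'PCNSSVC' assumed).
    $errors = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'PCNSSVC'; Level = 2; StartTime = $since
    }

    [pscustomobject]@{
        DC              = $name
        PcnsService     = $svcState
        RpcToSyncServer = [bool]$rpcOk
        ErrorsRecent    = @($errors).Count
    }
}

$results | Format-Table -AutoSize
# Any DC showing NotInstalled, Stopped, RpcToSyncServer=False or a non-zero error
# count is a DC on which password changes will be silently lost.
```

Registering the sync server as a target on each DC is still done with pcnscfg.exe (ADDTARGET), which this script does not attempt; check `pcnscfg /?` on your PCNS version for its parameter set rather than copying a command line from elsewhere. Also note that PCNS only forwards changes for users that are in scope of the target's inclusion group, so a user whose change "did not sync" may simply fall outside that filter rather than indicate a broken DC.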



 


nidhin_ck posted this 30 June 2017

Thanks for the clarification, Brian! Just to confirm, are you saying we don't have to install PCNS on the DCs?

One more doubt. Let's say we have 1000 objects in AD and Oracle LDAP. If 10 users change their password in AD, will those changes sync to Oracle LDAP?

Regards,
Nidhin CK

bdesmond posted this 30 June 2017

You can sync password changes to your Oracle LDAP, but not extract existing passwords. This means until every user changes their password, LDAP won't be in sync. The MIM sync engine which is included with Windows Server is sufficient to do this.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132
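The reply above makes the point that PCNS only forwards changes made after it went live, so the LDAP directory stays out of sync for any user who has not changed their password since then. The script below is an added example, not code from the thread or from Microsoft, that reports which enabled AD users still hold a pre-deployment password, using pwdLastSet as the evidence. The go-live date 2017-07-01 and the search base OU=Users,DC=corp,DC=example are assumptions.

```powershell
# Added example (not from the thread): report which users have not changed their
# password since PCNS went live, i.e. whose LDAP copy is still out of sync.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [datetime]$PcnsLiveSince = '2017-07-01',                 # assumed date PCNS was live on all DCs
    [string]$SearchBase      = 'OU=Users,DC=corp,DC=example', # assumed OU holding the users copied to LDAP
    [string]$ReportPath      = '.\pcns-not-yet-synced.csv'
)

# PasswordLastSet is the DateTime view of pwdLastSet; pwdLastSet = 0 means
# "must change password at next logon", in which case PasswordLastSet is $null.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties PasswordLastSet, pwdLastSet

$notSynced = $users | Where-Object {
    $_.pwdLastSet -eq 0 -or $_.PasswordLastSet -lt $PcnsLiveSince
}
$synced = $users | Where-Object {
    $_.pwdLastSet -ne 0 -and $_.PasswordLastSet -ge $PcnsLiveSince
}

[pscustomobject]@{
    TotalEnabled        = @($users).Count
    ChangedSinceGoLive  = @($synced).Count     # these passwords have been forwarded by PCNS
    StillOnOldPassword  = @($notSynced).Count  # these LDAP entries still carry the old credential
    PercentInSync       = if (@($users).Count) { [math]::Round(100 * @($synced).Count / @($users).Count, 1) } else { 0 }
} | Format-List

# The remaining users are the candidates if you need LDAP in sync faster than
# natural rotation allows, e.g. by forcing a change at next logon.
$notSynced |
    Select-Object SamAccountName, PasswordLastSet, pwdLastSet |
    Sort-Object PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation
```

Re-run this after each password-expiry cycle; the "StillOnOldPassword" count should fall to zero on its own once every user has rotated. If the business cannot wait that long, forcing a reset (for example with Set-ADUser -ChangePasswordAtLogon $true on the users in the CSV) is the only way to get the credential into LDAP, since PCNS cannot read the existing hashes.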



 
