Explanation behind how the Provisioning Server Reverse Password Synchronization (PSYNC Agent) works.

All versions of Identity Suite (Identity Manager)

Background:  

Provisioning Server Support for Reverse Password Sync

The Provisioning Server relies on the usage of two special attributes on it's managed accounts in order to provide Reverse Password Sync support. We provide out-of-the-box ability for this for some endpoint types (i.e. NT/ADS, UNIX, OS400, TSS/ACF2) via the use of agents or built in facilities that can intercept password changes locally on the endpoint and then send appropriate search/modify operations to the Provisioning Server. It is technically possible to build PSYNC agents for other endpoint types as long as they were to utilize this same approach although that is outside the scope of support.

eTTestPassword - special attribute on the account object which triggers a faux password change as a means of testing to see if the new password meets the password quality/history requirements.

eTSyncPassword - special attribute on the account object which triggers the password change for the associated Provisioning global user and propagates to the Provisioning global user's accounts.

Note: Provisioning Server will exclude the originating account from the list of accounts and it will then attempt to propagate to any other accounts associated to the Provisioning global user. The Provisioning Server will also exclude updating any accounts where the Endpoint has been configured to Disabled Password Propagation on the Endpoint Settings tab.

Enabling Provisioning Global Users for Reverse Password Sync

The Provisioning global users need to have eTPropagatePassword set to the value 1 otherwise they cannot be updated by Reverse Password Sync. In the Provisioning Manager this is the "Enable Password Synchronization Agent" checkbox on the Provisioning global user's Password tab. In order to ensure that all Provisioning global users have this attribute set on creation the following should be done:

1. Provisioning global users created via the IM layer- In the IM Management Console under the IME->Advanced Settings->Provisioning enable the checkbox for "Enable Password Changes from Endpoint Accounts"
   The setting is stored in the IM objectstore's IM_ENVIRONMENT_JDBC_LD table with an ATTRIBUTE_NAME of bidirectpwdsyncenabled and value of false/true

2. Provisioning global users created via Explore/Correlate/Create- in the Provisioning Manager under System->Domain Configuration->Explore and Correlate->Create Users Default Attributes configure EnablePasswordSync=1
   The setting is stored in the Provisioning Repository under eTConfigParamName=Create Users Default Attributes,eTConfigParamFolderName=Explore and Correlate,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects,dc=im,dc=etadb

3. Provisioning global users that already exist- can be done via etautil or ldap

If you need to set this value on existing Provisioning global users you can use etautil to do so for the entire user population:

etautil -u USER -p PWD masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=* to eTPropagatePassword='1'

If you need to set this value on a single existing Provisioning global users you can use etautil to do so:

etautil -u USER -p PWD update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='my_user' to eTPropagatePassword='1'

You could also use and ldapbrowser or ldapmodify to update a single global user

ldapmodify -h IMPS_HOST -p 20389 -D "eTGlobalUserName=my_user,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif

where input.ldif contains

dn: eTGlobalUserName=my_user,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta

changetype: modify

replace: eTPropagatePassword

eTPropagatePassword: 1

Provisioning Server Domain Configuration Settings

In the Provisioning Manager under System->Domain Configuration->Password Synchronization there are two settings which come into play when using the Reverse Password Sync:

Password Synchronization/Agent Response Threshold (Default value is 600 seconds) - Maximum expected duration (in seconds) of each password change that IM Provisioning sends to an endpoint on which a password synchronization agent is installed.  This parameter allows IM Provisioning to recognize when a password synchronization agent is processing a password change sent to it by the IM Provisioning Server as distinct from a password change originating on that endpoint. This is stored in the Provisioning Repository under:

eTConfigParamName=Agent Response Threshold,eTConfigParamFolderName=Password Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects,dc=im,dc=etadb

Password Synchronization/Update Only Global User (Default value is No) - Controls having password change notifications from a password synchronization agent update only the global user's password.  By default, the global user's password and all of that user's account passwords are updated (except where password propagation has been disabled). This is stored in the Provisioning Repository under:

eTConfigParamName=Update Only Global User,eTConfigParamFolderName=Password Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects,dc=im,dc=etadb

There is no recommended Agent Response Threshold value since it would be dependent on how long it takes to update all of the associated accounts of a Provisioning global user for a customer's specific environment which could vary in the number of accounts, time needed per account, load, network latency, etc. The value should be as long as it is needed for all the accounts to be updated in order to avoid a looping effect if there are multiple accounts associated to the Provisioning global user where a Reverse Password Sync is configured. Note that often times while performing testing failures are seen because users are repeatedly testing the same account but not waiting the appropriate amount of time in between tests.

Provisioning Server Password Policies

The Provisioning Server does have a single Password Policy that can be found in the Provisioning Manager under System->Password Profile but this should never be enabled. It is stored in the Provisioning Repository under:

eTPasswordProfileName=Password Profile,eTPasswordProfileContainerName=Password Profile,eTNamespaceName=CommonObjects,dc=im,dc=etadb

Instead a Password Policy should be configured in the IM Server layer and the Provisioning Server should be configured to send the password quality/history to the IM Server layer. This is configured in the Provisioning Manager under System->Domain Configuration->Identity Manager Server

Identity Manager Server/Use External Password Policies (Default value is Yes) - When "yes", a user changing his own global user password or one of his synchronized account passwords will have the password validated using Identity Manager password policies.  A user's synchronized account passwords are the passwords for his accounts on endpoints for which the "Disable Password Propagation" property is disabled.  It is recommended that the parameter "Enforce Synchronized Account Passwords" be set to "yes" whenever this parameter is set to "yes".  Note that when this parameter is set to "yes", the IM Provisioning password rules that are only applicable to a user changing his own password ("Password history checks" and "Minimum interval between self-changes") are no longer consulted. This is stored in the Provisioning Repository under:

eTConfigParamName=Use External Password Policies,eTConfigParamFolderName=Identity Manager Server,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects,dc=im,dc=etadb

Note that the Provisioning Server relies on the same Inbound Notification configurations for sending the password quality/history requests to the IM Server but these requests happen separate from the inbound notification queue. Also when the IM Server is integrated with Siteminder then IM will relay the work to Siteminder once it receives it.

Reverse Password Sync Agent (ADS and NT)

Communication Flow

When the PSYNC Agent intercepts a password change it will send the following requests to the IMPS:

1. Search request to see if account has been explored

2. Modify request to set eTTestPassword on the account

3. Search request to see if account has been explored

4. Modify request to set eTSyncPassword on the account

 Note that (1) and (2) only get sent from the PSYNC Agent if it has profile_enable=yes

Implementation

The Identity Manager PSYNC Agent (NT/ADS) is implemented as a Windows Password Filter which means it is running inside of the lsass.exe process and therefore the bit version of the PSYNC Agent installed must match the bit version of the OS else the PSYNC Agent DLL cannot be loaded by the lsass.exe process. You could use a tool such as Microsoft Process Explorer to check if the eta_pwdsync.dll is loaded in the lsass.exe process. Installing and Registering a Password Filter DLL involves updating the HKEY\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages registry key as well as place the files on the system. The PSYNC Agent is only loaded/unloaded on the OS reboot.

Note: If using PSYNC Agent for domain accounts the agent must be installed on all domain controllers for that domain.

Configuration File

Found under C:\program files\ca\eTrust Admin Password Sync Agent\Data\eta_pwdsync.conf and it gets re-read when a password change is intercepted by the Password Filter. The configuration file allows you to:

• Enable/Disable PSYNC Agent (i.e. pwd_sync_enable)

• Allow Windows account to be updated even if IMPS account is not (i.e. out_of_sync)

• Configure various Timeouts

• Enable/Disable Logging (i.e. logging_enabled and ldap_logging_enabled)

• Enable/Disable Password Quality Checking (i.e. profile_enable)

• Configure the AD/NT Endpoint information

• Configure target Provisioning Server target and bind credentials

Note: You should set machine_account=no under the Server section in the conf file in order to ignore machine account changes (machine accounts end with $ character).

Be careful that the configuration file from one domain was not simply copied to another domain since the AD/NT Endpoint information would be different.

It might also be a good idea to configure different "admin" user for each domain controller since when looking at the IMPS log that would be the only way of knowing which DC originated the request else you would need to collect/review PSYNC logs from all of the DCs.

Log File

Found under C:\program files\ca\eTrust Admin Password Sync Agent\logs\eta_pwdsync.log and it gets written to as long as the Password Filter is properly loaded by the OS.

Reverse Password Sync Agent (ACF2 and TSS)

Implementation

The LDS Facility is used on ACF2 and Top-Secret system in order to intercept local password changes and initiate ldap modify operations back to the Provisioning Server.

Reverse Password Sync Agent (UNIX)

Implementation

The UNIX PAM framework is used to detect the local password changes. The UNIX Password Sync Agent must be installed and the PAM module (pam_CA_eta) needs to be added to the library path of all users.

Reverse Password Sync Agent (OS400)

Implementation

The OS400 Password Sync Agent must be installed and it will intercept password changes initiated from the Change Password command (CHGPWD) or Change Password (QSYCHGPW) API.