Can new IM Provisioning global users be enabled for Reverse Password Sync Agent automatically?

Article ID: 36500

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Introduction: 

In order for the IM Reverse Password Sync Agent to work for a user, the Provisioning global user object must have the “Enable Password Synchronization Agent” option enabled (i.e. eTPropagatePassword=1 stored on the Provisioning global user object). By default this is not set for new users.

Question:

Is there a way for all new Provisioning global users to be created with eTPropagatePassword set to value 1 automatically? Is there a way to modify all existing Provisioning global users to set eTPropagatePassword to value 1?

Environment:  

All

Answer: 

There are various paths from which Provisioning global users may be created:

1)   IM creating the Provisioning global user when an IM user is given a provisioning role for the first time

2)   Provisioning Server creating a global user as part of the Correlate/Create operation

3)   Provisioning Manager or other clients sending a create Provisioning global user request to the Provisioning Server directly (end users should not be creating users in this way)

As an initial step you will want to set eTPropagatePassword to the value 1 on all existing Provisioning global users that do not have that value already. You can run an etautil command on the Provisioning Server machine such as the following (replace USER and PWD with proper bind values):

etautil.exe -u USER -p PWD masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTPropagatePassword=0 to eTPropagatePassword=1

To handle path (1) mentioned above, and set eTPropagatePassword to the value 1 on all new Provisioning global users created by the IM Server when an IM user is given an initial provisioning role, do the following:

Log into the IM Management Console and navigate under IME->Advanced Settings->Provisioning in order to enable the checkbox for “Enable Password Changes from Endpoint Accounts” and then restart the IM environment.

To handle path (2) mentioned above, and set eTPropagatePassword to the value 1 on all new Provisioning global users created by an Explore/Correlate/Create operation, do the following:

Log into the Provisioning Manager and navigate under System->Domain Configuration->Explore and Correlate->Create Users Default Attributes and then add a setting of EnablePasswordSync=1 to the configuration.

To handle path (3) mentioned above (which is discouraged) you would need to include eTPropagatePassword=1 in your submitted request. If this is done via the Provisioning Manager, enable the checkbox “Enable Password Synchronization Agent” found on the Password tab of the Provisioning global user object.

Additional Information:

If you would like to identify which Provisioning global users currently do not have eTPropagatePassword=1 already you can run an etautil command on the Provisioning Server machine such as the following (replace USER and PWD with proper bind values):

etautil.exe -u USER -p PWD select 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTPropagatePassword='0' list eTGlobalUserName

If you would like to then update an individual Provisioning global user you can run an etautil command on the Provisioning Server machine such as the following (replace USER and PWD with proper bind values):

etautil.exe -u USER -p PWD update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='my_user' to eTPropagatePassword=1
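The following Python wrapper is an added example, not CA/Broadcom code: it chains the article's select and masschange commands into an audit, bulk-fix, re-audit sequence so you can confirm no global user is left at eTPropagatePassword=0 (and have a list for the per-user update command if some are). It assumes etautil.exe is on the PATH, that the select output prints one "eTGlobalUserName: <name>" line per matching user, and that the quoting mirrored from the article's commands is accepted by your shell and etautil version; adjust parse_user_names() or the argument strings if your installation differs.

```python
import os
import re
import subprocess
from typing import Callable, List, Tuple

# DN of the global user container, quoted exactly as in the article's commands
CONTAINER = "'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects'"


def select_cmd(user: str, pwd: str) -> List[str]:
    """The article's select: global users whose eTPropagatePassword is still 0."""
    return ["etautil.exe", "-u", user, "-p", pwd, "select", CONTAINER,
            "eTGlobalUser", "eTPropagatePassword='0'", "list", "eTGlobalUserName"]


def masschange_cmd(user: str, pwd: str) -> List[str]:
    """The article's masschange: flip every remaining 0 to 1 in one request."""
    return ["etautil.exe", "-u", user, "-p", pwd, "masschange", CONTAINER,
            "eTGlobalUser", "eTPropagatePassword=0", "to", "eTPropagatePassword=1"]


def parse_user_names(output: str) -> List[str]:
    """ASSUMED output format: one 'eTGlobalUserName: <name>' line per matching user."""
    return re.findall(r"^\s*eTGlobalUserName:\s*(.+?)\s*$", output, re.MULTILINE)


def run_etautil(cmd: List[str]) -> str:
    """Run one etautil command and return its stdout; a non-zero exit raises."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def remediate(user: str, pwd: str,
              runner: Callable[[List[str]], str] = run_etautil) -> Tuple[List[str], List[str]]:
    """Audit, bulk-fix, then re-audit. Returns (users fixed, users still at 0)."""
    before = parse_user_names(runner(select_cmd(user, pwd)))
    if not before:
        return [], []                       # nothing to do, so no write is issued
    runner(masschange_cmd(user, pwd))
    after = parse_user_names(runner(select_cmd(user, pwd)))
    fixed = [name for name in before if name not in after]
    return fixed, after                     # non-empty 'after' = candidates for the per-user update


if __name__ == "__main__":
    # Bind credentials come from the environment rather than the script source; etautil
    # itself still receives them as command-line arguments (visible in process listings).
    fixed, remaining = remediate(os.environ["ETA_USER"], os.environ["ETA_PWD"])
    print(f"set eTPropagatePassword=1 on {len(fixed)} user(s); {len(remaining)} still at 0")
```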

Environment

Release:
Component: IDMGR