Configure your LDAP installation to use the LDAP password filter plugin
Refer to the appropriate subsection:
Oracle DSEE, Sun ONE Directory Server (v5.x), or Red Hat Directory Server
The following instructions are intended for Sun ONE Directory Server (formerly Netscape/iPlanet Directory Server) v5.x. Details may vary depending on your version of the software.
Caution
Sun ONE Directory Server is now known as Oracle Directory Server Enterprise Edition (Oracle DSEE).
For Sun ONE Directory Server, stop the directory server before making these changes, otherwise the changes will be overwritten.
To configure Sun ONE Directory Server to use the LDAP password filter plugin:
Find the dse.ldif file.
The file is usually located in <slapd-servername>/config.
Edit the file by appending the following two sections:
dn: cn=Psynch Check Password,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Hitachi ID Check Password
nsslapd-pluginPath: /usr/local/psunix/default/psldap-sunldap.so
nsslapd-pluginInitfunc: prepasswd_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: -cfg
nsslapd-pluginarg1: /usr/local/psunix/default/psldap.cfg
nsslapd-pluginID: password-preop
nsslapd-pluginVersion: none
nsslapd-pluginVendor: Hitachi ID
nsslapd-pluginDescription: Transparent Password Strength plugin

dn: cn=Psynch Synchronize Password,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Hitachi ID Synchronize Password
nsslapd-pluginPath: /usr/local/psunix/default/psldap-sunldap.so
nsslapd-pluginInitfunc: postpasswd_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: -cfg
nsslapd-pluginarg1: /usr/local/psunix/default/psldap.cfg
nsslapd-pluginID: password-postop
nsslapd-pluginVersion: none
nsslapd-pluginVendor: Hitachi ID
nsslapd-pluginDescription: Transparent Password Synchronization plugin
If the configuration file is not specified for Unix-based servers, the default is /etc/psunix.cfg.
Save and close the file.
Create a new directory, /usr/local/psunix/default/64/ and copy psldap-sunldap.so into the 64/ folder. For example:
cd /usr/local/psunix/default/
mkdir 64
cp psldap-sunldap.so 64/
On 64-bit systems, the value of nsslapd-pluginPath is still entered as /usr/local/psunix/default/psldap-sunldap.so, but the plugin library that is actually loaded must be located in the /usr/local/psunix/default/64 directory.
OpenLDAP
Caution
Only OpenLDAP versions 2.2.x or later are supported.
The following instructions are intended for OpenLDAP v2.2.x. Details may vary depending on your version of the software.
Before you begin, note the following:
When installing OpenLDAP 2.2.x, ensure that the --enable-modules=yes, --enable-slapi=yes, and --enable-dynamic=yes configure options are set.
The plugin will only work if clear-text passwords are sent to the server.
The plugin will not work if the LDAPv3 Password Modify (RFC 3062) extended operation is used.
Caution
Stop the directory server before making these changes, otherwise the changes will be overwritten.
To configure OpenLDAP for transparent password synchronization:
Find the slapd.conf configuration file.
The file is usually located in /etc/openldap/.
Edit the configuration file, and add the following two lines to the "database mdb" section in slapd.conf:
plugin preoperation "<path-to-psldap>" prepasswd_init ["-cfg" "<path-to-config-file>"]
plugin postoperation "<path-to-psldap>" postpasswd_init ["-cfg" "<path-to-config-file>"]
For example:
plugin preoperation "/usr/local/psunix/default/psldap-openldap.so" prepasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
plugin postoperation "/usr/local/psunix/default/psldap-openldap.so" postpasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
If the configuration file is not specified for Unix-based servers, the default is /etc/psunix.cfg.
Save and close the file.
Stop and restart the OpenLDAP services.
To test that the plugins are loaded, run a command such as the following, replacing <password> with the password for cn=config:
ldapsearch -D cn=config -w '<password>' -b 'cn=config' | egrep olcPlugin:
This will return output such as the following:
olcPlugin: {0} preoperation /usr/local/psunix/default/psldap-openldap.so prepa
olcPlugin: {0} postoperation /usr/local/psunix/default/psldap-openldap.so post
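The same check as the egrep pipeline above, done programmatically so it can run after every restart. This is an added example, not code from the page or from Hitachi ID: it assumes ldapsearch output is fed in as text, and because the page's sample lines are truncated after the library path, it matches only on the plugin type and the library file name (the init function and arguments that follow the path in the constructed sample are assumed).

```python
# Added example (not from the original page): parse the olcPlugin lines that
# "ldapsearch ... | egrep olcPlugin:" prints and confirm both hooks are loaded.
import re

# "{0} preoperation" and "{0}preoperation" are both accepted
OLC_RE = re.compile(r"olcPlugin:\s*\{\d+\}\s*(preoperation|postoperation)\s+(\S+)")


def loaded_hooks(ldapsearch_output, library="psldap-openldap.so"):
    """Map plugin type -> library path for olcPlugin values that load `library`."""
    hooks = {}
    for line in ldapsearch_output.splitlines():
        match = OLC_RE.search(line)
        if match and match.group(2).endswith(library):
            hooks[match.group(1)] = match.group(2)
    return hooks


def missing_hooks(ldapsearch_output):
    """Both hooks must be present for synchronization to work; return the absent ones."""
    return sorted({"preoperation", "postoperation"} - set(loaded_hooks(ldapsearch_output)))


# Constructed output: a healthy server, and one whose postoperation hook did not load
HEALTHY = """\
olcPlugin: {0} preoperation /usr/local/psunix/default/psldap-openldap.so prepasswd_init
olcPlugin: {0} postoperation /usr/local/psunix/default/psldap-openldap.so postpasswd_init
"""
BROKEN = """\
olcPlugin: {0} preoperation /usr/local/psunix/default/psldap-openldap.so prepasswd_init
"""

if __name__ == "__main__":
    print("missing:", missing_hooks(HEALTHY), missing_hooks(BROKEN))  # [] ['postoperation']
```

An empty list from missing_hooks means both the preoperation and postoperation entries are present; a single missing hook (typically the postoperation one) is the symptom to look for when password changes are accepted but never propagated.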
Verify that the transparent password synchronization trigger is working as expected.
Using a native LDAP tool, change the password of a user that Bravura Pass is managing.
For example, you can use the ldapmodify command as follows:
Create a user.ldif file that contains the following (modify as appropriate for your LDAP environment):
dn: <full dn of the user>
changetype: modify
replace: userPassword
userPassword: newpassword
Run a command such as the following:
ldapmodify -x -D "<dn of the OpenLDAP administrative account>" -W -f user.ldif
Confirm that the ldapmodify command runs successfully to reset the user's password.
Ensure that the password change was captured by Bravura Pass and propagated to other target systems.
IBM Directory Server
The following instructions are intended for IBM Tivoli server. Details may vary depending on your version of the software.
To configure IBM Directory Server for transparent password synchronization:
Find the ibmslapd.conf configuration file.
Edit the configuration file, and add the following two lines:
ibm-slapdPlugin: preoperation <path-to-psldap> prepasswd_init ["-cfg" "<path-to-config-file>"]
ibm-slapdPlugin: postoperation <path-to-psldap> postpasswd_init ["-cfg" "<path-to-config-file>"]
For example:
ibm-slapdPlugin: preoperation /usr/local/psunix/default/psldap-ibmldap.so prepasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
ibm-slapdPlugin: postoperation /usr/local/psunix/default/psldap-ibmldap.so postpasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
If the configuration file is not specified for Unix-based servers, the default is /etc/psunix.cfg.
Save and close the file.
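All three server types above take the same pair of entries (a preoperation hook calling prepasswd_init and a postoperation hook calling postpasswd_init, each with an optional -cfg argument that defaults to /etc/psunix.cfg), and the Sun ONE section adds the 64-bit quirk that the configured path and the real library location differ. The following script is an added example, not Hitachi ID's code or part of this page: it parses the dse.ldif, slapd.conf and ibmslapd.conf forms shown here, reports a missing hook, a wrong init function or a disabled entry, and with check_files=True verifies the library and config file exist, accepting the default/64/ location. The sample inputs are constructed; the second entries deliberately omit -cfg, and the second IBM line deliberately names the wrong init function.

```python
"""Added example (not Hitachi ID code): sanity-check the plugin entries shown on this page
before the server is restarted. Parses dse.ldif (Sun ONE/DSEE), slapd.conf (OpenLDAP) and
ibmslapd.conf (IBM), applies the documented /etc/psunix.cfg default when -cfg is absent,
and, with check_files=True, accepts the 64-bit Sun ONE default/64/ library location."""
import os
import re
import shlex

DEFAULT_CFG = "/etc/psunix.cfg"
EXPECTED_INIT = {"preoperation": "prepasswd_init", "postoperation": "postpasswd_init"}
_LINE_RE = re.compile(r"^\s*(?:plugin|ibm-slapdPlugin:)\s+(preoperation|postoperation)\s+(.*)$")

def _cfg_from_args(args):
    """Config path following '-cfg', or the documented default when it is absent."""
    for i, arg in enumerate(args):
        if arg == "-cfg" and i + 1 < len(args):
            return args[i + 1]
    return DEFAULT_CFG

def parse_dse_ldif(text):
    """Sun ONE / DSEE: one LDIF record per plugin, records separated by blank lines."""
    plugins = []
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip().lower()] = value.strip()
        if "nsslapd-pluginpath" not in attrs:
            continue  # not a plugin entry
        # nsslapd-pluginarg0, nsslapd-pluginarg1, ... form the plugin's argument list
        args = [attrs[k] for k in sorted(attrs) if k.startswith("nsslapd-pluginarg")]
        plugins.append({"type": attrs["nsslapd-plugintype"], "path": attrs["nsslapd-pluginpath"],
                        "init": attrs["nsslapd-plugininitfunc"], "cfg": _cfg_from_args(args),
                        "enabled": attrs.get("nsslapd-pluginenabled", "on") == "on"})
    return plugins

def parse_plugin_lines(text):
    """OpenLDAP 'plugin ...' lines and IBM 'ibm-slapdPlugin: ...' lines."""
    plugins = []
    for line in text.splitlines():
        match = _LINE_RE.match(line)
        if match:
            ptype, rest = match.groups()
            tokens = shlex.split(rest)  # drops the quotes used in the page's examples
            plugins.append({"type": ptype, "path": tokens[0], "init": tokens[1],
                            "cfg": _cfg_from_args(tokens[2:]), "enabled": True})
    return plugins

def check_plugins(plugins, check_files=False):
    """Return findings as strings; an empty list means the entries look consistent."""
    present = {p["type"] for p in plugins}
    findings = ["missing %s plugin entry" % t for t in EXPECTED_INIT if t not in present]
    for p in plugins:
        want = EXPECTED_INIT.get(p["type"])
        if p["init"] != want:
            findings.append("%s uses %s, expected %s" % (p["type"], p["init"], want))
        if not p["enabled"]:
            findings.append("%s plugin is disabled" % p["type"])
        if check_files:
            # 64-bit Sun ONE: nsslapd-pluginPath omits '/64/' but the library is placed there
            d, f = os.path.split(p["path"])
            if not (os.path.isfile(p["path"]) or os.path.isfile(os.path.join(d, "64", f))):
                findings.append("plugin library not found: %s" % p["path"])
            if not os.path.isfile(p["cfg"]):
                findings.append("config file not found: %s" % p["cfg"])
    return findings

# Constructed samples: the second Sun entry and the second IBM line omit -cfg, and the
# second IBM line deliberately names the wrong init function.
SUN_SAMPLE = """\
dn: cn=Psynch Check Password,cn=plugins,cn=config
nsslapd-pluginPath: /usr/local/psunix/default/psldap-sunldap.so
nsslapd-pluginInitfunc: prepasswd_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: -cfg
nsslapd-pluginarg1: /usr/local/psunix/default/psldap.cfg

dn: cn=Psynch Synchronize Password,cn=plugins,cn=config
nsslapd-pluginPath: /usr/local/psunix/default/psldap-sunldap.so
nsslapd-pluginInitfunc: postpasswd_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
"""
OPENLDAP_SAMPLE = """\
plugin preoperation "/usr/local/psunix/default/psldap-openldap.so" prepasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
plugin postoperation "/usr/local/psunix/default/psldap-openldap.so" postpasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
"""
IBM_SAMPLE = """\
ibm-slapdPlugin: preoperation /usr/local/psunix/default/psldap-ibmldap.so prepasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
ibm-slapdPlugin: postoperation /usr/local/psunix/default/psldap-ibmldap.so prepasswd_init
"""

if __name__ == "__main__":
    for name, found in (("dse.ldif", parse_dse_ldif(SUN_SAMPLE)),
                        ("slapd.conf", parse_plugin_lines(OPENLDAP_SAMPLE)),
                        ("ibmslapd.conf", parse_plugin_lines(IBM_SAMPLE))):
        print(name, [(p["type"], p["cfg"]) for p in found], check_plugins(found))
```

Run it against a real file by reading the file into the matching parser (parse_dse_ldif for dse.ldif, parse_plugin_lines for slapd.conf or ibmslapd.conf) and calling check_plugins with check_files=True on the directory server host; a findings list that is not empty is a reason not to restart yet, since a missing or mis-named init function silently leaves password changes unsynchronized.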