
LDAP trigger

This section shows you how to set up transparent password synchronization with an LDAP Directory Service trigger system.

Before you begin, ensure you have researched and followed the steps outlined in Implementing Transparent Password Synchronization.

Bravura Pass can intercept password changes on Unix-based LDAP servers using a pre-change and post-change strength filter, psldap* (the actual name of the filter varies with the target system type; see the appropriate section for details).

You can install the LDAP password filter plugin (psldap) on the following Unix-based servers:

  • Sun ONE Directory Server (v5.x), Oracle DSEE and Red Hat Directory Server

  • OpenLDAP v2.2.x

  • IBM Directory Server

To set up transparent password synchronization with an LDAP Directory Service trigger system:

  1. Ensure that a compatible version of OpenSSL (3.0.x) is installed on the LDAP system.

  2. Install the LDAP password filter plugin.

  3. Configure the Password Manager (idpm) service.

  4. Configure your LDAP installation to use the plugin.

  5. Optional: Filter password change requests to include certain users, groups and domains.

These steps are detailed in the following sections.

Warning

Ensure your LDAP client does not hash new passwords before sending requests to the LDAP server. If you do not want passwords to be transmitted in plaintext, enabling SSL on the LDAP server is highly recommended.

Installing the LDAP password filter plugin

To install the LDAP password filter plugin (psldap) on a Unix-based LDAP server:

  1. If you did not select Unix Installation Packages when you installed the Connector Pack, run setup on the Bravura Security Fabric server to modify your Connector Pack installation.

    Ensure that the appropriate Unix package is selected on the component selection page.

    Click Next, then complete the installation procedure.

    See Install the psunix installation package for more detail.

  2. Copy the psunix-<os>.<cpu>.tar.gz file from the unix directory to a scratch directory (such as /tmp) on the Unix server.

  3. Log in to the LDAP server with administrative privileges and extract the files from the psunix archive.

    For example, type:

    cd /tmp
    tar -zxvf psunix-linux-glibc-2.28.x64.tar.gz
  4. Run install.sh and select the LDAP Transparent Sync option.

    sh install.sh [ -inf <path>/idmsetup.inf ]
  5. Follow the instructions displayed by the installer script.

    Enter the information prompted for at each input field. To skip a field, press Enter to accept the default value.

  6. Verify that the following shared object files are copied to /usr/local/psunix/default/.

    The psldap shared object files are named using the format:

    psldap-<ldap-type>.so

    Where the <ldap-type> is:

    • sunldap if you are running Oracle DSEE, Sun ONE Directory Server, or Red Hat Directory Server

    • openldap if you are running OpenLDAP

    • ibmldap if you are running IBM Directory Server

  7. Ensure that the psunix folder and all files and plugins inside are readable and executable.

    For example, run the following commands:

    chmod -R a+rx /usr/local/psunix/
    chmod a+rx /usr/local/psunix/default/psldap-openldap.so
  8. Also ensure that /etc/psunix.cfg and /etc/psunix.d/ have read and execute permissions:

    chmod a+rx /etc/psunix.cfg
    chmod -R a+rx /etc/psunix.d/
  9. Stop the LDAP service.

  10. Start the LDAP service.

Configure the Password Manager service for transparent synchronization

To allow external servers access to the Password Manager service (idpm) on the primary Bravura Security Fabric server you must also add a CIDR mask address for the trigger system.

  1. Click Manage the system > Maintenance > Services.

  2. Select Bravura Security (idpm) Password Manager Service.

  3. Add a CIDR mask address for the trigger system in the following setting:

    Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests

Configure your LDAP installation to use the LDAP password filter plugin

Refer to the appropriate subsection:

Oracle DSEE, Sun ONE Directory Server (v5.x), or Red Hat Directory Server

The following instructions are intended for Sun ONE Directory Server (formerly Netscape/iPlanet Directory Server) v5.x. Details may vary depending on your version of the software.

Caution

Sun ONE Directory Server is now known as Oracle Directory Server Enterprise Edition (Oracle DSEE).

For Sun ONE Directory Server, stop the directory server before making these changes, otherwise the changes will be overwritten.

To configure Sun ONE Directory Server to use the LDAP password filter plugin:

  1. Find the dse.ldif file.

    The file is usually located in <slapd-servername>/config.

  2. Edit the file by appending the following two sections:

       dn: cn=Psynch Check Password,cn=plugins,cn=config
       objectclass: top
       objectclass: nsSlapdPlugin
       objectclass: extensibleObject
       cn: Hitachi ID Check Password
       nsslapd-pluginPath: /usr/local/psunix/default/psldap-sunldap.so
       nsslapd-pluginInitfunc: prepasswd_init
       nsslapd-pluginType: preoperation
       nsslapd-pluginEnabled: on
       nsslapd-pluginarg0: -cfg
       nsslapd-pluginarg1: /usr/local/psunix/default/psldap.cfg
       nsslapd-pluginID: password-preop
       nsslapd-pluginVersion: none
       nsslapd-pluginVendor: Hitachi ID
       nsslapd-pluginDescription: Transparent Password Strength plugin

       dn: cn=Psynch Synchronize Password,cn=plugins,cn=config
       objectclass: top
       objectclass: nsSlapdPlugin
       objectclass: extensibleObject
       cn: Hitachi ID Synchronize Password
       nsslapd-pluginPath: /usr/local/psunix/default/psldap-sunldap.so
       nsslapd-pluginInitfunc: postpasswd_init
       nsslapd-pluginType: postoperation
       nsslapd-pluginEnabled: on
       nsslapd-pluginarg0: -cfg
       nsslapd-pluginarg1: /usr/local/psunix/default/psldap.cfg
       nsslapd-pluginID: password-postop
       nsslapd-pluginVersion: none
       nsslapd-pluginVendor: Hitachi ID
       nsslapd-pluginDescription: Transparent Password Synchronization plugin

    If the configuration file is not specified for Unix-based servers, the default is /etc/psunix.cfg.

  3. Save and close the file.

  4. Create a new directory, /usr/local/psunix/default/64/ and copy psldap-sunldap.so into the 64/ folder. For example:

    cd /usr/local/psunix/default/
    mkdir 64
    cp psldap-sunldap.so 64/

    On 64-bit systems, nsslapd-pluginPath is still entered as /usr/local/psunix/default/psldap-sunldap.so, but the plugin that is actually loaded must be located in the /usr/local/psunix/default/64 directory.

OpenLDAP

Caution

Only OpenLDAP versions 2.2.x or later are supported.

The following instructions are intended for OpenLDAP v2.2.x. Details may vary depending on your version of the software.

Before you begin, note the following:

  • When installing OpenLDAP 2.2.x, ensure that the --enable-modules=yes, --enable-slapi=yes, and --enable-dynamic=yes configure options are set.

  • The plugin will only work if clear-text passwords are sent to the server.

  • The plugin will not work if the LDAPv3 Password Modify (RFC 3062) extended operation is used.

Caution

Stop the directory server before making these changes, otherwise the changes will be overwritten.

To configure OpenLDAP for transparent password synchronization:

  1. Find the slapd.conf configuration file.

    The file is usually located in /etc/openldap/.

  2. Edit the configuration file, and add the following two lines to the "database mdb" section in slapd.conf:

      plugin preoperation "<path-to-psldap>" prepasswd_init ["-cfg" "<path-to-config-file>"]
      plugin postoperation "<path-to-psldap>" postpasswd_init ["-cfg" "<path-to-config-file>"]

    For example:

      plugin preoperation "/usr/local/psunix/default/psldap-openldap.so" prepasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
      plugin postoperation "/usr/local/psunix/default/psldap-openldap.so" postpasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"

    If the configuration file is not specified for Unix-based servers, the default is /etc/psunix.cfg.

  3. Save and close the file.

  4. Stop and restart the OpenLDAP services.

    To test that the plugins are loaded, run a command such as the following, replacing <password> with the password for cn=config:

      ldapsearch -D cn=config -w '<password>' -b 'cn=config' | egrep olcPlugin:

    This will return output such as the following:

      olcPlugin: {0} preoperation /usr/local/psunix/default/psldap-openldap.so prepa
      olcPlugin: {0} postoperation /usr/local/psunix/default/psldap-openldap.so post

  5. Verify that the transparent password synchronization trigger is working as expected.

    Run a command for a native LDAP tool and change the password of a user that Bravura Pass is managing.

    For example, the ldapmodify command can be used in this case using the following steps:

    1. Create a user.ldif file that contains the following (modify as appropriate for your LDAP environment):

            dn: <full dn of the user>
            changetype: modify
            replace: userPassword
            userPassword: newpassword
      
    2. Run a command such as the following:

            ldapmodify -x -D "<dn of the OpenLDAP administrative account>" -W -f user.ldif
    3. Confirm that the ldapmodify command runs successfully to reset the user's password.

      Ensure that the password change was captured by Bravura Pass and propagated to other target systems.

IBM Directory Server

The following instructions are intended for IBM Tivoli server. Details may vary depending on your version of the software.

To configure IBM Directory Server for transparent password synchronization:

  1. Find the ibmslapd.conf configuration file.

  2. Edit the configuration file, and add the following two lines:

    ibm-slapdPlugin: preoperation <path-to-psldap> prepasswd_init ["-cfg" "<path-to-config-file>"]
    ibm-slapdPlugin: postoperation <path-to-psldap> postpasswd_init ["-cfg" "<path-to-config-file>"]

    For example:

    ibm-slapdPlugin: preoperation /usr/local/psunix/default/psldap-ibmldap.so prepasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"
    ibm-slapdPlugin: postoperation /usr/local/psunix/default/psldap-ibmldap.so postpasswd_init "-cfg" "/usr/local/psunix/default/psunix.cfg"

    If the configuration file is not specified for Unix-based servers, the default is /etc/psunix.cfg.

  3. Save and close the file.
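The following pre-flight script is an added example, not part of the Bravura Pass package: run it on the LDAP host before restarting the directory service to re-check installation steps 6 to 8 (the psldap shared object, /etc/psunix.cfg and /etc/psunix.d/ present and world-readable/executable) and to confirm that the server configuration edited in one of the three subsections above references the plugin path and both init functions. The default paths are the ones this page uses; the function name `psldap_preflight` and its argument order are this example's own.

```shell
#!/bin/sh
# Added pre-flight check for the psldap setup (not part of the Bravura Pass package).
# Re-checks installation steps 6 to 8 and that the directory server's configuration
# (slapd.conf, dse.ldif or ibmslapd.conf) references the plugin and both init functions.
# Usage: psldap_preflight <sunldap|openldap|ibmldap> [psunix-dir] [psunix.cfg]
#                         [server-config] [psunix.d]

# True when the "other" read and execute bits are set (what 'chmod a+rx' grants).
world_rx() {
    [ "$(ls -ld "$1" | cut -c8,10)" = "rx" ]
}

psldap_preflight() {
    ldap_type=$1
    psunix_dir=${2:-/usr/local/psunix/default}
    psunix_cfg=${3:-/etc/psunix.cfg}
    server_cfg=${4:-/etc/openldap/slapd.conf}   # dse.ldif / ibmslapd.conf for the others
    psunix_d=${5:-/etc/psunix.d}
    so="$psunix_dir/psldap-$ldap_type.so"
    rc=0

    case "$ldap_type" in
        sunldap|openldap|ibmldap) ;;
        *) echo "FAIL: unknown LDAP type '$ldap_type'"; return 1 ;;
    esac

    # Steps 6 to 8: everything the slapd process must be able to read and traverse.
    for p in "$so" "$psunix_cfg" "$psunix_d"; do
        if [ ! -e "$p" ]; then
            echo "FAIL: $p not found"; rc=1
        elif ! world_rx "$p"; then
            echo "FAIL: $p is not world-readable/executable (chmod a+rx)"; rc=1
        fi
    done

    # The .so path and both init functions must appear in the server configuration.
    # All three configuration formats carry them as plain tokens, so a fixed-string
    # grep serves slapd.conf, dse.ldif and ibmslapd.conf alike.
    for token in "$so" prepasswd_init postpasswd_init; do
        if ! grep -qF -- "$token" "$server_cfg" 2>/dev/null; then
            echo "FAIL: $server_cfg does not reference $token"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: psldap-$ldap_type preflight passed"
    return "$rc"
}
```

A non-zero exit status means at least one FAIL line was printed; fix each reported path or configuration entry before starting the LDAP service.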

Filter password change requests on an LDAP Directory Service trigger system

You can configure the LDAP password synchronization to include certain users, groups, and domains when they make password change requests on LDAP Directory Service trigger systems.

To configure the user filters:

  1. Modify the psldap configuration file in /usr/local/psunix/default/psunix.d/.

  2. Uncomment the following lines:

          #    filter-dn-include = { 
          #       "ou=finance,dc=example,dc=com"; 
          #       "ou=hr,dc=example,dc=com"; 
          #    };
  3. Edit the filters with specific UIDs, OUs, and DCs to include in password change requests.

    Filters are in the following syntax:

    "uid=<userid>,ou=Bravura Group,dc=<domain>,dc=<com>";

    Multiple filters can be used, with different levels of specificity. Users that pass any one of the filters will be included in password change requests.

    For example:

         filter-dn-include = {
             "dc=mydomain,dc=net";
             "ou=people,dc=example,dc=com";
             "uid=testuser,ou=finance,dc=example,dc=com";
         };
  4. Save the file and restart the LDAP service.
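To make the "different levels of specificity" concrete, the following added illustration (not the psldap plugin's code) evaluates a user DN against the three example filter entries above. It assumes that a user is included when its DN ends with one of the listed entries, compared case-insensitively and ignoring whitespace around commas, which is the natural reading of a bare "dc=mydomain,dc=net" entry admitting a whole domain; the function names `norm_dn` and `dn_included` are this example's own.

```shell
#!/bin/sh
# Added illustration of how a filter-dn-include list selects users; not the psldap
# plugin's own code. Assumption: a user is included when its DN ends with one of the
# listed entries (case-insensitive, whitespace around commas ignored), so a "dc=" entry
# admits a whole domain, an "ou=" entry one container and a "uid=" entry one account.

# Normalise a DN for comparison: lower-case, no whitespace around commas.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# dn_included <user-dn> <filter-entry>...
# Succeeds when any entry equals the DN or is a comma-aligned suffix of it; anchoring
# on the comma keeps "uid=testuser,..." from also admitting "uid=xtestuser,...".
dn_included() {
    dn=$(norm_dn "$1"); shift
    for f in "$@"; do
        f=$(norm_dn "$f")
        case "$dn" in
            "$f"|*",$f") return 0 ;;
        esac
    done
    return 1
}

# Constructed sample run using the three filters from the example configuration above.
for user in 'uid=bob,ou=People,dc=Example,dc=com' \
            'uid=TestUser, ou=finance, dc=example, dc=com' \
            'uid=alice,ou=finance,dc=example,dc=com'; do
    if dn_included "$user" 'dc=mydomain,dc=net' 'ou=people,dc=example,dc=com' \
                   'uid=testuser,ou=finance,dc=example,dc=com'; then
        echo "included: $user"
    else
        echo "excluded: $user"
    fi
done
```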