Push user password to Active Directory

This topic has 5 replies, 4 voices, and was last updated 4 years, 10 months ago by migault1990.

    #6840
     sr
    Participant

    Hi,

    We have configured LDAP connector 1.4.1.0 for connecting to AD.
    We are able to sync users from OpenIDM to AD without passwords.
    However, we wish to create/update users in AD with their OpenIDM passwords.

    Any pointers to achieve this would be very helpful.

    We have written a script that converts a user's password in OpenIDM to unicode format
    and then maps it to the AD unicodePwd attribute.

    But we are getting the error "LDAP operation not supported".

    Kindly help.

    #6843

    You should use the standard password attribute. Do not set up unicodePwd manually. The connector is able to do that for you.

    In the provisioner config you should have something similar to this:

        "passwordAttribute" : "unicodePwd",
        "passwordHashAlgorithm" : "WIN-AD",

        "password" : {
            "type" : "string",
            "nativeName" : "__PASSWORD__",
            "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
            "flags" : [
                "NOT_READABLE",
                "NOT_RETURNED_BY_DEFAULT"
            ]
        },

    #6899
     sr
    Participant

    Thanks Pavel. It works now!

    #14909
     migault1990
    Participant

    Hi –

    What's your script to convert the OpenIDM password to unicode format?

    Additionally, you're probably decrypting the password in OpenIDM as well. Am I correct?

    We're trying to achieve the same thing here and any help would be useful :)

    #14927
     srastogi
    Participant

    Hi,

    In the AD LDAP connector provisioner file, under the account properties attributes, we added an attribute "adPassword" to push the password into AD.

        "adPassword" : {
            "type" : "string",
            "nativeName" : "__PASSWORD__",
            "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
            "flags" : [
                "NOT_READABLE",
                "NOT_RETURNED_BY_DEFAULT"
            ]
        }

    Also, in our sync mapping from IDM to AD, we have the below mapping:

        {
            "target" : "adPassword",
            "source" : "password"
        }

    The "password" attribute is an encrypted attribute in our IDM set-up and we didn't need to decrypt it in our code to push it to AD.
    Also, please ensure that you are connecting to AD over an LDAPS connection for pushing passwords.

    Thanks,
    Shubhi
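    Pavel's reply (#6843) and Shubhi's reply (#14927) between them describe one provisioner shape: LDAPS on, the connector told which AD attribute holds the password and how to encode it, exactly one account property bound to the connector's __PASSWORD__, and a sync mapping that feeds IDM's "password" into that property. The Python script below is an added example, not code from this thread or from ForgeRock, that lints a provisioner config and a mapping for those settings and reports what is missing. The JSON documents are constructed for the example; the placement of passwordAttribute and passwordHashAlgorithm under configurationProperties and the "ssl" property name are assumptions about the OpenIDM provisioner format, so adjust the paths if your file differs.

```python
import json

PASSWORD_NATIVE = "__PASSWORD__"
REQUIRED_FLAGS = {"NOT_READABLE", "NOT_RETURNED_BY_DEFAULT"}

# Constructed provisioner fragment in the shape the thread arrives at.
# The configurationProperties layout and the "ssl" key are assumptions.
PROVISIONER_FIXED = json.loads("""
{
  "configurationProperties": {
    "host": "ad.example.internal",
    "port": 636,
    "ssl": true,
    "passwordAttribute": "unicodePwd",
    "passwordHashAlgorithm": "WIN-AD"
  },
  "objectTypes": {
    "account": {
      "properties": {
        "adPassword": {
          "type": "string",
          "nativeName": "__PASSWORD__",
          "nativeType": "JAVA_TYPE_GUARDEDSTRING",
          "flags": ["NOT_READABLE", "NOT_RETURNED_BY_DEFAULT"]
        }
      }
    }
  }
}
""")
MAPPING_FIXED = [{"target": "adPassword", "source": "password"}]

# Constructed "before" shape resembling the first post: unicodePwd treated as an
# ordinary string attribute, pushed over plain LDAP, no password settings at all.
PROVISIONER_BROKEN = json.loads("""
{
  "configurationProperties": {"host": "ad.example.internal", "port": 389, "ssl": false},
  "objectTypes": {
    "account": {
      "properties": {
        "unicodePwd": {"type": "string", "nativeName": "unicodePwd", "nativeType": "JAVA_TYPE_STRING"}
      }
    }
  }
}
""")
MAPPING_BROKEN = [{"target": "unicodePwd", "source": "password"}]


def account_properties(cfg):
    return cfg.get("objectTypes", {}).get("account", {}).get("properties", {})


def password_property(cfg):
    """Name and spec of the single account property bound to __PASSWORD__, else None."""
    bound = [(n, s) for n, s in account_properties(cfg).items()
             if s.get("nativeName") == PASSWORD_NATIVE]
    return bound[0] if len(bound) == 1 else None


def check_provisioner(cfg):
    """Return (code, message) findings; an empty list means the config matches the thread."""
    findings = []
    cp = cfg.get("configurationProperties", {})
    if cp.get("ssl") is not True:
        findings.append(("NO_LDAPS", "ssl is not true: AD only accepts unicodePwd writes over an encrypted connection"))
    if cp.get("passwordAttribute") != "unicodePwd":
        findings.append(("PASSWORD_ATTRIBUTE", "passwordAttribute should be unicodePwd"))
    if cp.get("passwordHashAlgorithm") != "WIN-AD":
        findings.append(("HASH_ALGORITHM", "passwordHashAlgorithm should be WIN-AD so the connector encodes the value"))
    bound = password_property(cfg)
    if bound is None:
        findings.append(("PASSWORD_PROPERTY", "exactly one account property must have nativeName __PASSWORD__"))
    else:
        name, spec = bound
        if spec.get("nativeType") != "JAVA_TYPE_GUARDEDSTRING":
            findings.append(("GUARDED_STRING", f"{name}: nativeType should be JAVA_TYPE_GUARDEDSTRING"))
        missing = REQUIRED_FLAGS - set(spec.get("flags", []))
        if missing:
            findings.append(("FLAGS", f"{name}: missing flags {sorted(missing)}"))
    for name, spec in account_properties(cfg).items():
        if spec.get("nativeName", name) == "unicodePwd":
            findings.append(("RAW_UNICODEPWD", f"{name}: unicodePwd mapped as a plain attribute; write it through __PASSWORD__ instead"))
    return findings


def check_mapping(cfg, mapping):
    """The IDM->AD mapping must feed source 'password' into the __PASSWORD__-bound property."""
    bound = password_property(cfg)
    if bound is None:
        return [("PASSWORD_PROPERTY", "mapping cannot be checked: no __PASSWORD__ property in provisioner")]
    target = bound[0]
    if any(m.get("source") == "password" and m.get("target") == target for m in mapping):
        return []
    return [("MAPPING", f"no mapping from source 'password' to target '{target}'")]


def codes(findings):
    return {code for code, _ in findings}


if __name__ == "__main__":
    for label, cfg, mapping in (("fixed", PROVISIONER_FIXED, MAPPING_FIXED),
                                ("broken", PROVISIONER_BROKEN, MAPPING_BROKEN)):
        for code, msg in check_provisioner(cfg) + check_mapping(cfg, mapping):
            print(f"[{label}] {code}: {msg}")
```

    Run it against your own provisioner.openicf-ldap.json and sync.json by loading those files into `cfg` and `mapping`; the "fixed" constructed config produces no findings, the "broken" one reports every pitfall the thread hit.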

    #14971
     migault1990
    Participant

    Hey –

    We actually fixed it yesterday after sending that message.

    Lessons learned:

    - LDAPS is required
    - unicodePwd is the password attribute in AD
    - You don't need to decrypt or encode the password value.

    Cheers,

    L.
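    The third lesson holds because the connector does the encoding when passwordHashAlgorithm is "WIN-AD". As an added example (not the connector's code and not from the thread), the Python below shows what that encoding is, following Microsoft's documented format for unicodePwd: the cleartext password wrapped in double quotes and encoded as UTF-16LE, written only over an encrypted connection, with a self-service change sent as a delete of the old value plus an add of the new one in a single modify and an administrative reset sent as a replace. The ldaps:// guard mirrors the first lesson. Server URLs and passwords are constructed; the operation names are plain strings, not tied to any LDAP client library.

```python
from typing import Optional
from urllib.parse import urlsplit


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password as the octet string AD expects in unicodePwd.

    AD rule: surround the password with ASCII double quotes, then UTF-16LE,
    no byte-order mark. Sending the UTF-8 bytes, or the unquoted text, is the
    classic mistake when people set unicodePwd by hand.
    """
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, used here to verify a value before sending it."""
    if len(value) % 2:
        raise ValueError("unicodePwd value has odd length; not UTF-16LE")
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def build_password_modify(server_url: str, new_password: str,
                          old_password: Optional[str] = None):
    """Return the modify operations for an AD password write as (op, attr, values) tuples.

    Administrative reset (no old password): one REPLACE of unicodePwd.
    Self-service change: DELETE the old value and ADD the new one in one modify,
    which makes AD enforce the old password and the password policy.
    Refuses to build anything unless the URL is ldaps://, because AD rejects
    unicodePwd writes over plaintext LDAP.
    """
    scheme = urlsplit(server_url).scheme.lower()
    if scheme != "ldaps":
        raise ValueError(f"refusing to push a password over {scheme or 'unknown'}://; use ldaps://")
    new_val = encode_unicode_pwd(new_password)
    decode_unicode_pwd(new_val)  # sanity check on our own encoding
    if old_password is None:
        return [("replace", "unicodePwd", [new_val])]
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [new_val])]


if __name__ == "__main__":
    # Constructed sample: admin reset and self-service change against a fictional DC.
    dc = "ldaps://ad.example.internal:636"
    print(encode_unicode_pwd("S3cret!"))
    for op, attr, values in build_password_modify(dc, "N3wPassw0rd!", "0ldPassw0rd!"):
        print(op, attr, [decode_unicode_pwd(v) for v in values])
```

    Compare `encode_unicode_pwd("S3cret!")` with `"S3cret!".encode("utf-8")` to see why a hand-written script that maps the plain string onto unicodePwd cannot work, and why letting the connector own the attribute is the right fix.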

©2021 ForgeRock