Sun Directory Server Password Synchronizer
The Sun Directory Server Password Synchronizer intercepts changes to LDAP passwords in the Sun Directory Server.
Components of the Sun Directory Server Password Synchronizer
You can also build a password synchronization solution without using the Sun Directory Server plug-in. For more information about solution building, see Solution building.
- Sun Directory Server plug-in
- The plug-in is a native binary file, which uses the plug-in API of the Sun Directory Server. It runs in the Sun Directory Server process.
- Java™ Proxy
- A separate Java process that is started and stopped by the server plug-in. Its main purpose is to host the Password Storage component and to communicate with the plug-in. For more information about the Java Proxy, see Password synchronization architecture and workflow.
- Password Storage component
- A Java component that runs inside the Java Proxy and stores passwords in a particular Password Store, such as an LDAP directory or a message queue. For more information about the Password Storage components, see Specialized components.
Passwords in the Sun Directory Server are stored in the userPassword LDAP attribute. The Sun Directory Server Password Synchronizer intercepts modifications of the userPassword attribute in entries of any object class.
Password updates are intercepted for the following types of entry modifications:
- A new entry is added to the directory and the entry contains the userPassword attribute.
- An existing entry is modified and one of the modified attributes is userPassword. This includes the following cases:
  - The userPassword attribute is added, that is, the entry did not have a userPassword attribute before.
  - The userPassword attribute is modified, that is, the entry already had this attribute and its value is now changed.
  - The userPassword attribute is deleted from the entry.
Deletion of entries is not intercepted by the Sun Directory Server Password Synchronizer, even when the deleted entry contains the userPassword attribute.
The userPassword attribute in the Sun Directory Server is multi-valued, so a user can have several passwords. The Sun Directory Server Password Synchronizer intercepts and reports a change to any of the password values.
Hashed Passwords
- If an LDAP client sends a password value that is already hashed, the Sun Directory Server accepts it. However, the Password Synchronizer cannot obtain a plaintext password and ignores it. For example, if an LDAP client sends "{SHA}5yfRRkrhJDbomacm2lsvEdg4GyY=" instead of "mypass", the Password Synchronizer sends no password to the Password Store.
- If the password storage scheme is a one-way transformation such as "crypt", "MD5", or "SHA-1", passwords are stored in the directory in hashed form. Replication operations work with these hashed values, so the Password Synchronizers on replication consumers receive password values that are already hashed and, as described above, cannot synchronize them.
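The following Python model is an added illustration of the interception rules and the hashed-password behaviour described above; it is not part of this documentation or of the plug-in's code. Given an LDAP add, modify or delete request, it decides what the synchronizer would report to the Password Store and which values are dropped because the client sent them already hashed. The function and field names, and the sample DN, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# An RFC 2307-style "{scheme}" prefix such as "{SHA}" or "{crypt}" marks a
# value that the LDAP client hashed before sending it to the server.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")


@dataclass
class PasswordEvent:
    dn: str
    change: str                                      # "added", "modified" or "deleted"
    plaintext: List[str] = field(default_factory=list)      # usable by the Password Store
    skipped_hashed: List[str] = field(default_factory=list)  # accepted by the server, not synced


def is_prehashed(value: str) -> bool:
    return bool(HASH_PREFIX.match(value))


def intercept(op: str, dn: str, attrs: Dict[str, List[str]],
              had_password: bool) -> Optional[PasswordEvent]:
    """Model (assumed, not the plug-in's code) of which operations are reported.

    op           -- "add", "modify" or "delete" (the operation on the entry)
    attrs        -- attributes carried by the request; for modify, the attributes
                    being changed with their resulting values (an empty list
                    means the attribute is removed from the entry)
    had_password -- whether the entry carried userPassword before the change
    Returns None when nothing would be sent to the Password Store.
    """
    if op == "delete" or "userPassword" not in attrs:
        return None                      # entry deletion / unrelated change: not intercepted
    values = attrs["userPassword"]
    if op == "add" or not had_password:
        change = "added"
    elif not values:
        change = "deleted"
    else:
        change = "modified"
    event = PasswordEvent(dn, change)
    for v in values:                     # userPassword is multi-valued
        (event.skipped_hashed if is_prehashed(v) else event.plaintext).append(v)
    return event


if __name__ == "__main__":
    dn = "uid=jdoe,ou=people,dc=example,dc=com"   # constructed sample entry
    print(intercept("modify", dn, {"userPassword": ["{SHA}5yfRRkrhJDbomacm2lsvEdg4GyY=", "mypass"]}, True))
```

Running the block prints a modified event in which only "mypass" reaches the Password Store and the pre-hashed value is listed as skipped.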
Supported platforms
The Sun Directory Server Password Synchronizer is available for the Sun Directory Server on the following platforms:
- Solaris 10 SPARC (32/64-bit), Sun ONE 5.2, Sun Java System Directory Server 7.0 (32/64-bit)
- Solaris 11 SPARC (32/64-bit), Sun ONE 5.2, Sun Java System Directory Server 7.0 (32/64-bit)