Configuring password encryption
You must follow this procedure when synchronizing passwords from a PingDirectory server to Active Directory (AD), or when synchronizing clear text passwords.
About this task
These steps aren’t required for the following scenarios:
-
Synchronizing from AD to a PingDirectory server
-
Excluding password synchronization
Steps
-
On the PingDirectory server that will receive the password modifications, enable the Change Log Password Encryption component. The component intercepts password modifications, encrypts the password and adds an encrypted attribute,
ds-changelog- encrypted-password
, to the change log entry. The encryption key can be copied from the output if displayed, or accessed from the<serverroot>/bin/sync-pipe-cfg.txt
file.$ bin/dsconfig set-plugin-prop --plugin-name "Changelog Password Encryption" \ --set enabled:true \ --set changelog-password-encryption-key:<key>
-
On PingDataSync, set the decryption key used to decrypt the user password value in the change log entries. The key allows the user password to be synchronized to other servers that do not use the same password storage scheme.
$ bin/dsconfig set-global-sync-configuration-prop \ --set changelog-password-decryption-key:ej5u9e39pqo68
Next steps
Test the configuration or populate data in the destination servers using the bulk comparison capability of the
resync tool. Then, use the realtime-sync
tool to start synchronizing the data. If synchronizing passwords, install the Password Sync Agent (PSA) on all of the domain controllers in the topology.
To synchronize passwords from PingDirectory to AD, you must use the |