PingIDM 7.5.0

Install the Active Directory password synchronization plugin

The following steps install the password synchronization plugin on an Active Directory server:

  1. Download the Active Directory password synchronization plugin.

  2. Launch the installation wizard using one of the following methods:

    • In Windows Explorer, double-click the ad-passwordchange-handler-1.7.0.exe file.

    • From a Powershell command-line, enter the executable name (.\ad-passwordchange-handler-1.7.0.exe), and press Enter.

      When starting the installation wizard from the command-line, the following options are available:

      • To save the settings in a configuration file, use the /saveinf switch:

        PS C:\path\to\dir> .\ad-passwordchange-handler-1.7.0.exe /saveinf=C:\temp\adsync.inf
      • If you have a configuration file with installation parameters, you can install the password plugin in silent mode as follows:

        PS C:\path\to\dir> .\ad-passwordchange-handler-1.7.0.exe /verysilent /loadinf=C:\temp\adsync.inf
  3. In the Setup - OpenIDM Password Sync window, on the License Agreement page, you must accept the license agreement to continue, and then click Next.

    Show Me

    ad-setup-license.png

  4. On the OpenIDM Information: Connection page, enter the applicable information in the following fields, and click Next.

    Show Me

    ad-setup-connection.png

    OpenIDM URL

    The URL where IDM is deployed, including the query that targets each user account. For example:

    https://localhost:8444/openidm/managed/user?_action=patch&_queryFilter=userName+eq+'${samaccountname}'

    OpenIDM User Password attribute

    The password attribute for the managed/user object, such as adPassword.

    If the password attribute does not exist in the IDM managed/user object, the password sync service will return an error when it attempts to replay a password update that has been made in Active Directory. If your managed user objects do not include passwords, you can add an onCreate script to the Active Directory > Managed Users mapping that sets an empty password when managed user accounts are created. The following excerpt of a sample sync.json file shows such a script in the mapping:

    "mappings" : [
        {
            "name" : "systemAdAccounts_managedUser",
            "source" : "system/ad/account",
            "target" : "managed/user",
            "properties" : [
                {
                    "source" : "sAMAccountName",
                    "target" : "userName"
                }
            ],
            "onCreate" : {
                "type" : "text/javascript",
                "source" : "target.password=''"
            },
            ...
        }
    ]

    The onCreate script creates an empty password in the managed/user object, so that the password attribute exists and can be patched.

  5. On the OpenIDM Information: Authentication page, enter the applicable information in the following fields, and click Next.

    Show Me

    ad-setup-auth.png

    User name

    An administrative user that can authenticate to IDM. For example, openidm-admin.

    Password

    The above, specified user’s password.

    OAuth2 Access Token URL

    If you are using the authentication type OAuth2 Access Token, enter the token URL. For example:

    https://am.example.com/am/oauth2/realms/root/access_token

    OAuth2 Scope

    If you are using the authentication type OAuth2 Access Token, enter the OAuth2 token scope. For example fr:idm:*.

    Select authentication type

    Select the authentication type that Active Directory will use to authenticate to IDM:

    • To use plain HTTP authentication, select OpenIDM Header.

    • To use mutual SSL authentication, select Certificate.

    • To use AM bearer tokens, select OAuth2 Access Token.

  6. If you selected Certificate as the authentication type, complete this step; otherwise, skip to the next step.

    On the OpenIDM Information: Certificate Authentication page, enter the applicable information in the following fields, and click Next.

    Show Me

    ad-setup-cert-auth.png

    Select Certificate file...

    Browse to select the certificate file that Active Directory will use to authenticate to IDM.

    The certificate file must be configured with an appropriate encoding, cryptographic hash function, and digital signature. The password synchronization plugin can read a public or a private key from a PKCS #12 archive file.

    For production purposes, you should use a certificate that has been issued by a certificate authority. For testing purposes, you can generate a self-signed certificate.

    You must also import the certificate into the IDM keystore.jceks file. On the machine that is running IDM, enter the following command:

    keytool \
    -importkeystore \
    -srckeystore /path/to/ad-pwd-plugin-localhost.p12 \
    -srcstoretype PKCS12 \
    -destkeystore keystore.jceks \
    -deststoretype JCEKS

    Private key alias

    The certificate alias, such as ad-pwd-plugin-localhost. The password sync plugin sends the alias when communicating with IDM, which uses the alias to retrieve the corresponding private key in IDM’s keystore.

    Update the IDM secret store (conf/secrets.json) to add this certificate alias to the idm.default secretId:

    {
        "stores" : [
            {
                "name" : "mainKeyStore",
                "class" : "org.forgerock.openidm.secrets.config.KeyStoreSecretStore",
                "config" : {
                ...
                "mappings" : [
                    {
                        "secretId" : "idm.default",
                        "types" : [
                            "ENCRYPT",
                            "DECRYPT"
                        ],
                        "aliases" : [
                            "&{openidm.config.crypto.alias|openidm-sym-default}",
                            "ad-pwd-plugin-localhost"
                        ]
                    },
                ...
                ]
                }
            },
            ...
        ],
        ...
    }

    For more information about secret stores, refer to Secret stores.

    Password to open certificate file

    The keystore password (changeit, in the previous example).

  7. On the Password Encryption page, enter the applicable information in the following fields, and click Next.

    Show Me

    ad-setup-data-encrypt.png

    Select Certificate file...

    Browse to select the certificate that will be used for password encryption. The certificate format must be PKCS #12.

    The certificate file must be configured with an appropriate encoding, cryptographic hash function, and digital signature. The plugin can read a public or a private key from a PKCS #12 archive file.

    For production purposes, you should use a certificate that has been issued by a certificate authority. For testing purposes, you can generate a self-signed certificate.

    You must also import the certificate into the IDM truststore. On the machine that is running IDM, enter the following command:

    keytool \
     -importkeystore \
     -srckeystore /path/to/ad-pwd-plugin-localhost.p12 \
     -srcstoretype PKCS12 \
     -destkeystore truststore \
     -deststoretype JKS

    Private key alias

    The certificate alias, such as ad-pwd-plugin-localhost. The password sync plugin sends the alias when communicating with IDM, which uses the alias to retrieve the corresponding private key in IDM’s keystore.

    Update the IDM secret store (conf/secrets.json) to add this certificate alias to the idm.default secretId:

    "mappings": [
        {
            "secretId": "idm.default",
            "types": [ "ENCRYPT", "DECRYPT" ],
            "aliases": [ "&{openidm.config.crypto.alias|openidm-sym-default}", "ad-pwd-plugin-localhost" ] },
            ...
        }
    ]

    For more information about secret stores, refer to Secret stores.

    Password to open certificate file

    The password to access the PFX keystore file, such as changeit, from the previous example.

    Select encryption...

    The encryption standard to use when encrypting the password value (AES-128, AES-192, or AES-256).

  8. On the Data Storage page, enter the applicable information in the following fields, and click Next.

    Show Me

    ad-setup-data-storage.png

    Select the folder in which Service will store its output data files

    Browse to select the folder for data output files. The server should prevent access to this folder except for the Password Sync service.

    The path name cannot include spaces.

    Directory poll interval (seconds)

    The number of seconds between calls to check whether IDM is available. For example, 60, to poll IDM every minute.

  9. On the Log Storage page, enter the applicable information in the following fields, and click Next.

    Show Me

    ad-setup-log-storage.png

    Select the folder in which Service will store its log files

    Browse to select the folder for log files.

    The path name cannot include spaces.

    Select logging level

    The severity of messages to log: error, info, warning, fatal, or debug.

  10. On the Select Destination Location page, browse to select the installation folder (default C:\Program Files\OpenIDM Password Sync), and click Next.

    Show Me

    ad-setup-intsall-loc.png

  11. On the Ready to Install page, verify the details are acceptable, and click Install to continue. If you need to change any installation options, click Back.

    Show Me

    ad-setup-ready-to-install.png

  12. On the Completing the OpenIDM Password Sync Setup Wizard page, select one of the following, and click Finish:

    Show Me

    ad-setup-install-complete.png

    • Yes, restart the computer now

    • No, I will restart the computer later

      If you select this option, you must restart the computer before you continue.
  13. If you selected Certificate as the authentication type during setup, complete Add a Certificate to the Windows Certificate Store; otherwise, your setup is now complete.

Password synchronization should now be configured and working. To test that the setup was successful, change a user password in Active Directory. That password should be synchronized to the corresponding IDM managed user account, and you should be able to query the user’s own entry in IDM using the new password.

Generate a self-signed certificate

For production purposes, you should use a certificate that has been issued by a certificate authority. For testing purposes, you can generate a self-signed certificate.

  1. On the Active Directory host, generate a private key, which will be used to generate a self-signed certificate with the alias ad-pwd-plugin-localhost:

    > keytool.exe ^
     -genkey ^
     -alias ad-pwd-plugin-localhost ^
     -keyalg rsa ^
     -dname "CN=localhost, O=AD-pwd-plugin Self-Signed Certificate" ^
     -keystore keystore.jceks ^
     -storetype JCEKS
    Enter keystore password:changeit
    Re-enter new password: changeit
    Enter key password for <ad-pwd-plugin-localhost>
          <RETURN if same as keystore password>
  2. Now use the private key, stored in the keystore.jceks file, to generate the self-signed certificate:

    > keytool.exe ^
     -selfcert ^
     -alias ad-pwd-plugin-localhost ^
     -validity 365 ^
     -keystore keystore.jceks ^
     -storetype JCEKS ^
     -storepass changeit
  3. Export the certificate. In this case, the keytool command exports the certificate in a PKCS #12 archive file format, used to store a private key with a certificate:

    > keytool.exe ^
     -importkeystore ^
     -srckeystore keystore.jceks ^
     -srcstoretype jceks ^
     -srcstorepass changeit ^
     -srckeypass changeit ^
     -srcalias ad-pwd-plugin-localhost ^
     -destkeystore ad-pwd-plugin-localhost.p12 ^
     -deststoretype PKCS12 ^
     -deststorepass changeit ^
     -destkeypass changeit ^
     -destalias ad-pwd-plugin-localhost ^
     -noprompt
  4. The PKCS #12 archive file is named ad-pwd-plugin-localhost.p12. Import the contents of the keystore contained in this file to the system that hosts IDM. To do so, import the PKCS #12 file into the IDM keystore file, named truststore , in the /path/to/openidm/security directory.

Add a certificate to the Windows certificate store

If you selected Certificate as the authentication type during setup, you must complete this procedure.

The Password Sync Service uses Windows certificate stores to verify IDM’s identity. The certificate that IDM uses must therefore be added to the list of trusted certificates on the Windows machine.

In a production environment, use a certificate that has been issued by a certificate authority. For test purposes, you can use the self-signed certificate that is generated by IDM on first startup.

To add the IDM certificate to the list of trusted certificates, use the Microsoft Management Console:

  1. Click the Start Menu, type mmc, and click mmc Run Command.

  2. In the Console window, select File > Add/Remove Snap-in.

    mmc-add-rem-snapin.png

  3. From the Available snap-ins area, select Certificates, and click Add >.

    mmc-snapin-window.png

  4. In the Certificates snap-in window, select My user account, and click Finish.

    mmc-cert-snapin-window.png

  5. From the Available snap-ins area, select Certificates, and click Add >.

    mmc-snapin-window2.png

  6. In the Certificates snap-in window, select Service account, and click Next >.

    mmc-cert-snapin-window2.png

  7. In the Select Computer window, select Local Computer, and click Next >.

    mmc-select-comp.png

  8. In the Cerificates snap-in window, select the service account OpenIDM Password Sync Service, and click Finish.

    mmc-select-serv-acct.png

  9. From the Available snap-ins area, select Certificates, and click Add >.

    mmc-snapin-window3.png

  10. In the Certificates snap-in window, select Computer account, and click Next >.

    mmc-cert-snapin-window3.png

  11. In the Select Computer window, select Local Computer, and click Finish.

    mmc-select-comp2.png

  12. In the Add or Remove Snap-ins window, verify that you have three certificates in the Selected snap-ins area, and click OK. If you are missing any certificates, please review the earlier steps in this procedure, and add the missing certificate(s).

    mmc-snapin-window4.png

  13. For each of the following nodes, import the certificate, as follows:

    List of Nodes

    Certificates - Current User > Personal

    Certificates - Current User > Trusted Root Certification Authorities

    Certificates - Service > OpenIDM Password Sync\Personal

    Certificates - Service > OpenIDM Password Sync\Trusted Root Certification Authorities

    Certificates > Local Computer > Personal

    Certificates > Local Computer > Trusted Root Certification Authorities

    1. Expand the node, and select the appropriate item. For example, Certificates - Current User > Personal:

      mmc-select-cert-current-user.png

    2. From the menu bar, select Action > All Tasks > Import.

      mmc-action-all-import.png

    3. In the Certificate Import Wizard window, click Next.

      mmc-cert-import-wiz.png

    4. On the File to Import page, click Browse, locate the IDM certificate, and then click Next. If you exported IDM’s self-signed certificate, the certificate is openidm-localhost.crt.

      mmc-cert-import-wiz-file.png

    5. On the Certificate Store page, leave the default option selected, and click Next. For example:

      mmc-cert-import-store.png

    6. On the final page of the wizard, review the details, and click Finish. For example:

      mmc-cert-import-wiz-done.png

    7. The Certificate Import Wizard window displays the success or failure of the import, click OK.

      mmc-wiz-success.png

      The main window of the Microsoft Management Console now displays the added certificate in a sub-node. For example:

      mmc-added-cert.png

      Make sure to repeat this sub-procedure for all required nodes.