Follow these steps to register the Password Synchronizer for password
change notifications:
1. Copy the DLL tdipwflt.dll of the Windows Password Synchronizer (in the
   TDI_Install_dir\pwd_plugins\windows directory) to the System32 folder
   of the Windows installation folder. Note that on 64-bit Windows
   operating systems, the 64-bit DLL of the Password Synchronizer must be
   put in the System32 folder.
2. Add the name of the Windows Password Synchronizer DLL (tdipwflt) to the
   "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification
   Packages" Windows registry key. Do not delete any existing data in
   Notification Packages.
3. Execute the registerpwsync.reg file (in the
   TDI_Install_dir\pwd_plugins\windows directory), which is shipped with
   the Password Synchronizer. This creates a key for the Windows Password
   Synchronizer in the Windows registry, "HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli
   Directory Integrator\Windows Password Synchronizer", and sets a string
   value "ConfigFile" that contains the absolute file name of the
   configuration file of the Windows Password Synchronizer. See the
   Configuration parameters in the Windows registry section for a list of
   parameters that are added to the Windows registry.
This plug-in must be registered in the Windows LSA to receive password
change notifications. For this purpose the name of the external library
must be registered in the specific registry key. Additionally, the
external library file must be placed in one of the directories specified
by the PATH environment variable. After this procedure is completed, the
operating system must be restarted so that the external library can be
loaded.
Note:
If the external library file is registered but cannot be loaded
successfully for some reason, the Windows OS might become unstable.
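As an added example (not part of the IBM documentation), the following PowerShell script performs the three registration steps above with the checks the text calls for: it confirms the DLL copied to System32 has the same bitness as the operating system, appends tdipwflt to the REG_MULTI_SZ "Notification Packages" value without discarding the entries already there, imports registerpwsync.reg, and verifies that ConfigFile points at an existing file before the reboot. The TDI_Install_dir path is a placeholder; run it in an elevated session.

```powershell
# Added example, not from the product documentation. Run in an elevated
# PowerShell session. TDI_Install_dir below is a placeholder path.
$tdiDir  = 'C:\TDI_Install_dir'
$srcDll  = Join-Path $tdiDir 'pwd_plugins\windows\tdipwflt.dll'
$dstDll  = Join-Path $env:SystemRoot 'System32\tdipwflt.dll'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'Notification Packages'
$dllName = 'tdipwflt'   # LSA lists the module name without ".dll"

# Step 1: place the DLL where LSA can find it (System32 is always on PATH).
Copy-Item -Path $srcDll -Destination $dstDll -Force

# Check: the DLL's PE machine type must match the OS. LSA cannot load a
# 32-bit filter on 64-bit Windows, and a filter that fails to load can
# leave the OS unstable, so catch this before the reboot.
$bytes   = [System.IO.File]::ReadAllBytes($dstDll)
$peOff   = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
$machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)   # COFF Machine field
$dllIs64 = ($machine -eq 0x8664)                          # IMAGE_FILE_MACHINE_AMD64
if ($dllIs64 -ne [Environment]::Is64BitOperatingSystem) {
    throw ('DLL machine type 0x{0:X4} does not match this OS; use the other build.' -f $machine)
}

# Step 2: append to Notification Packages. The value is REG_MULTI_SZ, so read
# it as an array and write the array back; overwriting it would drop the
# entries Windows already relies on.
$current = @((Get-ItemProperty -Path $lsaKey -Name $valName).$valName)
if ($current -contains $dllName) {
    Write-Host "$dllName is already listed in '$valName'"
} else {
    Set-ItemProperty -Path $lsaKey -Name $valName -Value ($current + $dllName) -Type MultiString
}

# Step 3: import the shipped .reg file, which creates the plug-in key and ConfigFile.
reg.exe import (Join-Path $tdiDir 'pwd_plugins\windows\registerpwsync.reg')
if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }

# Verify before rebooting: the module is listed and ConfigFile names a real file
# (the password store properties file must exist before the restart).
$listed = @((Get-ItemProperty -Path $lsaKey -Name $valName).$valName) -contains $dllName
$cfg    = (Get-ItemProperty 'HKLM:\SOFTWARE\IBM\Tivoli Directory Integrator\Windows Password Synchronizer').ConfigFile
if (-not $listed)          { throw "$dllName is not registered in '$valName'" }
if (-not (Test-Path $cfg)) { throw "ConfigFile '$cfg' does not exist; create it before rebooting" }
Write-Host 'Registration complete; restart Windows so that LSA loads the filter.'
```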
When the native module of the Windows Password Synchronizer is
initialized, it will read from the registry key folder:
The following registry key is of vital importance, because it contains
the location of the configuration file of the Password Synchronizer:
Table 2. Primary registry key
Key name    Type    Description                                        Required?
ConfigFile  REG_SZ  This key specifies the full path of the            true
                    configuration file of the Windows Password
                    Synchronizer.
Below is a list of optional registry keys which affect the behavior of
the Windows Password Synchronizer. You should not set these manually;
use the Administration Tool instead.
Table 3. Optional registry keys
Key name     Type    Description                                       Default  Required?
disabled     REG_SZ  This key specifies whether the password change    false    false
                     should be propagated to the Java Proxy process.
reconfigure  REG_SZ  This key specifies whether the plug-in should     false    false
                     reload its configuration file on the next
                     password change notification.
Register the password filter module by editing the key in
the following registry key folder:
The Windows Password Synchronizer plug-in has a template configuration
file installed at TDI_Install_dir\pwd_plugins\windows\pwsync.props.
Many of the configuration parameters in this file are common to all
Password plug-ins; see Configuration file parameters.
The list below describes only those parameters that are specific
to the Windows Password plug-in.
includeGroups
An optional list of Windows groups. If a user is a member of
any group in the list, the user will be accepted by the user filter
(assuming the user is not excluded by any of the exclude lists).
excludeGroups
An optional list of Windows groups. If a user is a member of
any group in the list, the user will not be accepted by the user filter.
includeDNs
An optional list of DN suffixes. If a user's Distinguished Name
matches any suffix on the list, the user will be accepted by the user
filter (assuming the user is not excluded by any of the exclude lists).
excludeDNs
A list of DN suffixes. If a user's Distinguished Name matches
any suffix on the list, the user will not be accepted by the user
filter.
accountTypes
This property specifies the type of the account for which password
changes will be reported. Its format is a space-delimited list of
account types.
The Password Synchronizer plug-in is capable of reporting
password changes to the following Windows account
types:
NORMAL_ACCOUNT
This is a default account type that represents a typical user.
TEMP_DUPLICATE_ACCOUNT
This is an account for users whose primary account is in another
domain.
INTERDOMAIN_TRUST_ACCOUNT
This is a permit to trust account for a domain that trusts other
domains.
WORKSTATION_TRUST_ACCOUNT
This is a computer account for a computer that is a member of
this domain.
SERVER_TRUST_ACCOUNT
This is a computer account for a backup domain controller that
is a member of this domain.
An example value for this key would be:
"NORMAL_ACCOUNT WORKSTATION_TRUST_ACCOUNT"
Note:
The Password Synchronizer always reports password changes to accounts
of type NORMAL_ACCOUNT, regardless of whether NORMAL_ACCOUNT is
specified in the accountTypes parameter.
1. Select Control Panel > Administrative Tools > Local Security Policy.
2. Select Account Policies > Password Policy.
3. Change "Passwords must meet complexity requirements" to Enabled.
Notes:
- For this change to take effect, reboot the machine. Make sure that
  you set up the Password Store properties file before rebooting the
  machine.
- If the Windows Server is configured as a Domain Controller, the
  "Passwords must meet complexity requirements" setting needs to apply
  to the whole Active Directory Domain; therefore this setting should be
  modified using the "Domain Security Policy" tool.
A command-line tool pwsync_admin.exe, for performing
administrative tasks, can be found in the TDI_Install_dir\pwd_plugins\windows
directory. The primary purpose of this administrative tool is to allow
reconfiguration of the Windows Password
Synchronizer without rebooting the Windows system.
For example, this tool enables changing of the password store without
rebooting Windows.
Note:
The only change that cannot be accomplished without
rebooting Windows is replacing the tdipwflt.dll plug-in,
located in the Windows System32 directory.
Usage
This is how the administration tool is used from the command line:
pwsync_admin.exe command       (32-bit Windows)
pwsync_admin_64.exe command    (64-bit Windows)
This tool takes a single command-line parameter (the command argument
above), which can have one of the following values:
suspend_plugin
This command writes a boolean value to the Windows registry
(please see the Windows registry settings section),
thus indicating to the plug-in that subsequent password changes must
not be propagated to the Java proxy.
This command causes subsequent password changes to be skipped until
a resume_plugin command is issued.
resume_plugin
This command writes a boolean value to the Windows registry
(please see the Windows registry settings section),
thus indicating to the plug-in that subsequent password changes must
be propagated to the Java proxy.
This command causes subsequent password changes to be synchronized
until a suspend_plugin command is issued.
reconf_plugin
This command writes a boolean value to the Windows registry
(please see the Windows registry settings section),
thus indicating that the plugin must reload its configuration file.
Reloading will not happen immediately but rather on the next password
change. This means that if there are any errors with the new configuration,
they will not become evident immediately. You could trigger a password
change of a test account to enforce the reconfiguration. Beware that
reconfiguration will be postponed if the plugin is suspended.
query_plugin
This command queries the status of the plugin - whether
the plugin is currently loaded and if its last initialization was
successful.
stop_proxy
This command causes the administration tool to connect through
a socket to the command socket port of the Java proxy
and send a stop request to the proxy. This causes the proxy to terminate
gracefully.
start_proxy
This command starts the Java proxy,
which causes the proxy configuration to be reloaded.
restart_proxy
This command is equivalent to a stop_proxy command
followed by a start_proxy command.
query_proxy
This command determines whether the Java proxy is running or not.
Operational Windows registry
settings
There are a number of Windows registry keys associated with the
Windows Password Plug-in and its operations:
Enable or disable plug-in
The registry key used by the suspend_plugin and resume_plugin
commands is:
If the key has a value of true, the plug-in will not synchronize
passwords. If this key is missing or has a value other than true, the
plug-in will synchronize passwords. This key is created by the plug-in
administration tool on first use.
Reload plug-in configuration
The reconf_plugin command uses the following registry key:
If the key is set to true, then on the next password change the plug-in
will reload its configuration file. The plug-in will also change the
value back to "false", so that the reload happens only once.
Note:
Neither of the above keys is present in the Windows
registry after the plug-in is installed. These keys are not required
for the normal operation of the plug-in.
Logging
The administrative tool logs messages both to the console and to
a log file named pwsync_admin.log, which is located in
the install directory of the plug-in. The log file can be used for
analyzing errors encountered during administrative tool operations,
or a historical reference for operations performed using this tool.
Considerations when using the administration tool
When using the administration tool, be aware of the following considerations:
- When the plug-in is suspended, password changes are skipped (not
  propagated) by the plug-in. This can result in inconsistencies (lost
  password changes) in the target synchronization system.
- The plug-in will attempt to restart the Java proxy only if
  reconfiguration is requested (see the reconf_plugin admin tool command)
  and the proxy is not already running.
- When the Java proxy is started, it loads the password store
  configuration file. This happens when the machine is rebooted, or when
  the plug-in is not suspended and the Java proxy is stopped as a password
  change occurs. If the user is editing the configuration file at that
  time, the Java proxy may load a corrupted configuration.
- When the plug-in is not suspended and the Java proxy is not running, and
  a password change is issued with the Active Directory Users and
  Computers user interface tool, the plug-in is notified by Windows two or
  three times of this password change, so the same password update is
  propagated two or three times. This happens because the plug-in starts
  the proxy on the next password change, which takes some time, and
  Windows therefore notifies the plug-in several times of the same
  password change. This multiple reporting is only present the first time
  the Java proxy is not running, because on subsequent password changes
  the Java proxy is already running.
- When the plug-in is configured with the LDAP Password Store, the LDAP
  Store itself is set for asynchronous storing (waitForStore=false
  specified in the LDAP Store configuration file), and the plug-in is not
  suspended, a stop_proxy command may cause some password changes to be
  skipped.
The following recommendations help address these problems:
- Suspend the plug-in using a suspend_plugin command prior to any
  stop_proxy or restart_proxy commands.
- Make a copy of the configuration file for editing purposes. Replace the
  old configuration file with the new one when all edits are complete.
- Make any necessary configuration changes at a low usage time, so that
  few (if any) password changes will be skipped and not propagated.
Example for changing the configuration without rebooting the Windows machine
The following steps show how the configuration settings can be changed
without rebooting the Windows machine:
Note:
After these steps are completed, the plug-in, the Java proxy and the
password store will use the new configuration settings. During the short
window when the plug-in is suspended, however, password changes could be
skipped: they will occur in the Windows domain controller, but they will
not be propagated by the plug-in. Therefore, this procedure should occur
at a low usage time, when password changes are unlikely.
1. Copy the configuration file to a temporary location.
2. Edit the file in this temporary location.
3. Copy the edited file back to the original location.
4. Run the pwsync_admin.exe suspend_plugin command.
5. Run the pwsync_admin.exe reconf_plugin command.
6. Run the pwsync_admin.exe stop_proxy command.
7. Run the pwsync_admin.exe start_proxy command.
8. Run the pwsync_admin.exe resume_plugin command.
Alternatively, if you wish to change only some Password Store settings
(and not settings related to the plug-in or the proxy), you may skip the
reconfiguration command in the above steps.
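As an added example (not part of the IBM documentation), this PowerShell script drives the eight-step procedure above and, after each administration command, reads back the registry flags the tool writes so that a failed step is caught before the next one runs. It assumes the 64-bit tool name, a placeholder TDI_Install_dir path, that pwsync_admin_64.exe returns a non-zero exit code on failure, and that the "disabled" and "reconfigure" REG_SZ values from Table 3 sit under the plug-in key created by registerpwsync.reg.

```powershell
# Added example, not from the product documentation. Assumptions: the install
# path is a placeholder; pwsync_admin_64.exe exits non-zero on failure; the
# "disabled"/"reconfigure" values live under the plug-in key from registerpwsync.reg.
$tdiDir    = 'C:\TDI_Install_dir'
$admin     = Join-Path $tdiDir 'pwd_plugins\windows\pwsync_admin_64.exe'
$pluginKey = 'HKLM:\SOFTWARE\IBM\Tivoli Directory Integrator\Windows Password Synchronizer'
$config    = (Get-ItemProperty -Path $pluginKey).ConfigFile   # set by registerpwsync.reg

function Invoke-PwsyncAdmin([string]$Command) {
    & $admin $Command
    if ($LASTEXITCODE -ne 0) {
        throw "pwsync_admin $Command failed (exit $LASTEXITCODE); see pwsync_admin.log"
    }
}
function Get-PluginFlag([string]$Name) {
    # A missing value behaves like "false": the plug-in synchronizes and does not reload.
    $v = (Get-ItemProperty -Path $pluginKey -ErrorAction SilentlyContinue).$Name
    return ($v -eq 'true')
}

# Steps 1-3: edit a copy, never the live file, because a proxy start while the
# file is half-written would load a corrupted configuration.
$tmp = Join-Path $env:TEMP (Split-Path -Path $config -Leaf)
Copy-Item -Path $config -Destination $tmp -Force
Start-Process -FilePath notepad.exe -ArgumentList $tmp -Wait   # edit the copy
Copy-Item -Path $tmp -Destination $config -Force               # replace in one write

# Step 4: suspend first, so that stop_proxy cannot lose in-flight changes
# (relevant with the LDAP store and waitForStore=false).
Invoke-PwsyncAdmin suspend_plugin
if (-not (Get-PluginFlag 'disabled')) { throw 'plug-in did not report suspended' }

# Step 5: request a reload; it is applied on the next password change after resume.
Invoke-PwsyncAdmin reconf_plugin
if (-not (Get-PluginFlag 'reconfigure')) { throw 'reconfigure flag was not set' }

# Steps 6-7: restart the proxy so that it reads the new password store settings.
Invoke-PwsyncAdmin stop_proxy
Invoke-PwsyncAdmin start_proxy
Invoke-PwsyncAdmin query_proxy   # console output shows whether the proxy is up

# Step 8: resume propagation and confirm the suspension flag is cleared.
Invoke-PwsyncAdmin resume_plugin
if (Get-PluginFlag 'disabled') { throw 'plug-in is still suspended' }
Write-Host 'Reconfiguration queued; the plug-in reloads its configuration on the next password change.'
```

Because the reload is deferred, the reconfigure flag stays "true" until the next password change; a change to a test account, as the reconf_plugin description suggests, makes any configuration error visible straight away.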