IBM Support

Define the TDI pwsync.props for integration with ITIM password policy checking.

Troubleshooting


Problem

The Tivoli Directory Integrator (TDI) Password Synchronization can be configured to connect to an IBM Tivoli Identity Manager (ITIM) service to validate the change based on an ITIM password policy.

Symptom

The documentation does not include specific details to build the itimServiceDN.

Cause

The TDI documentation does not include specific details to build the itimServiceDN.

Environment

IBM Tivoli Directory Integrator

Diagnosing The Problem

The following error may be seen in the proxy.log:

[2/21/13 11:17 PM] {LDAPStore}
WARN: RemoteException occurred in server thread; nested exception is:
java.rmi.RemoteException: ;
nested exception is: java.lang.NullPointerException

Resolving The Problem


Prior to including the ITIM password checking, you should have already configured your password store.
You should verify that a password change can be performed successfully and that the password has been successfully added to the store.

Verify an ITIM Service is defined and has a password policy associated.

Manage Policies > Manage Password Policies > Select Password Policies


Verify the passwordsynch servlet URL.

Open a browser and check that the ITIM passwordsynch URL returns the following:


The following attributes and parameters need to be configured in the pwsync.props file.

1. The 'syncClass' property

The 'syncClass' property setting depends on the password store definition.
For example, if your password store is configured as LDAP:

LDAP w/o ITIM: syncClass=com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore
LDAP w/ ITIM : syncClass=com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStoreITIMDecorator

2. URL of the Tivoli Identity Manager hosted Password Strength Servlet

itimPasswordUrl=http://ITIMServer.myserver.com:port/passwordsynch/synch

3. Tivoli Identity Manager user account permitted to perform a password check. The default value of ITIM Manager can be used.

itimPrincipalName=ITIM Manager

4. The password for the Tivoli Identity Manager user account. This value must be encrypted using <tdi-pwsync-install-dir>\pwd_plugins\bin\encryptPasswd.bat (or encryptPasswd.sh).

itimPrincipalPassword=0c0bf0e3146b

5. The Tivoli Identity Manager service name. The Tivoli Identity Manager service name is NOT the value of the DN defined in the DIT. The erservicename is shown in the ITIM GUI as the target of the password policy; you can also find it with an LDAP browser. Consider the following definition and the breakdown of each of its components:

itimSourceDN=erservicename=AD-profile5.1.3-scalpm11,o=org,ou=org,dc=com

where:
        erservicename=AD-profile5.1.3-scalpm11    (the ITIM service name)
For the remainder of the definition, you will need the enrole tenant and ldapserver root definitions from the ITIM enrole.properties file. Please contact your ITIM Administrator for access to this file.

For example:
        enrole.defaulttenant.id=org
        enrole.organization.name=org
        enrole.ldapserver.root=dc=com

        o=<value of enrole.defaulttenant.id>
        ou=<value of enrole.organization.name>
        followed by the value of <enrole.ldapserver.root> to complete the DN
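As an added worked example (not from this technote or from the TDI product), the following Python script assembles itimSourceDN from the three enrole.properties values described above. The property text and the service name are constructed from the technote's example, and the RDN escaping is an addition for service names that contain commas or other DN-special characters.

```python
import re

# Constructed sample of the relevant enrole.properties lines (values from the
# technote's example; this is not a real ITIM configuration file).
ENROLE_PROPERTIES = """\
# ITIM tenant and LDAP root settings
enrole.defaulttenant.id=org
enrole.organization.name=org
enrole.ldapserver.root=dc=com
"""

REQUIRED_KEYS = ("enrole.defaulttenant.id",
                 "enrole.organization.name",
                 "enrole.ldapserver.root")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def escape_rdn_value(value):
    """Escape RFC 4514 special characters so the RDN value stays a valid DN component."""
    escaped = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_itim_source_dn(service_name, props):
    """Assemble erservicename=<svc>,o=<tenant>,ou=<org>,<ldap root> as the technote describes."""
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise KeyError("enrole.properties is missing: " + ", ".join(missing))
    return ",".join([
        "erservicename=" + escape_rdn_value(service_name),
        "o=" + escape_rdn_value(props["enrole.defaulttenant.id"]),
        "ou=" + escape_rdn_value(props["enrole.organization.name"]),
        props["enrole.ldapserver.root"],   # already a DN fragment, not escaped
    ])


if __name__ == "__main__":
    dn = build_itim_source_dn("AD-profile5.1.3-scalpm11", parse_properties(ENROLE_PROPERTIES))
    print("itimSourceDN=" + dn)
```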


Document Information

Modified date:
16 June 2018

UID

swg21627312