The next part of the process, now that we have a web service we can call to change the HTTP and ID Vault password, is to actually capture the password. To complete this, we will do two things: configure a new password capture tool on each read/write domain controller and extend the schema to give us a place to temporarily store the changed password.
To capture the password change on a domain controller, we will use Tivoli Directory Integrator 7.1.1, as it is part of our entitlement with Domino. A few notes regarding this installation:
- FP6 breaks the password capture process. This caused us much frustration trying to figure out why things weren’t working. Currently, I am installing the password sync with no fix pack. We opened an incident for FP6 and IBM was able to reproduce the issue. FP5 does seem to work, though.
- To run the installer on Windows Server 2012 R2 (and probably on 2012 as well), you have to run it in Windows 7 compatibility mode and as an administrator.
- We chose to install it to a path without spaces. This came partly from troubleshooting the FP6 issue and partly because it made the paths easier to put into the pwsync.props file.
After installing just the Password Sync component on the domain controller, there are a few post-installation steps:
- Copy tdipwflt_64.dll to C:\Windows\System32
- Add the name of the DLL to the REG_MULTI_SZ value “Notification Packages” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- Run registerpwsync.reg to add the registry information that tells the plug-in where to find the pwsync.props file.
- Reboot the DC. The filter DLL is only loaded when LSASS starts.
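The three post-installation steps above, scripted and verified, as an added example (this is not code from the original post or from IBM). It assumes the same install root used in this post (C:\TDI\V711), that the plug-in files live under pwd_plugins\windows, and that LSA expects the filter name in Notification Packages without the .dll extension, which is how password filters are normally listed there; confirm the exact name against the IBM plug-ins guide linked at the end of the post. Run it elevated on the DC.

```powershell
# Added example: automate and verify the TDI Password Sync post-install steps.
# Assumptions: install root C:\TDI\V711 and filter registered without ".dll".

$TdiRoot    = 'C:\TDI\V711'
$PluginDir  = Join-Path $TdiRoot 'pwd_plugins\windows'
$DllName    = 'tdipwflt_64.dll'
$FilterName = [System.IO.Path]::GetFileNameWithoutExtension($DllName)
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RegFile    = Join-Path $PluginDir 'registerpwsync.reg'

# Step 1: copy the password filter DLL into System32, where LSASS loads it from.
Copy-Item -Path (Join-Path $PluginDir $DllName) `
          -Destination (Join-Path $env:SystemRoot "System32\$DllName") -Force

# Step 2: append the filter to the REG_MULTI_SZ "Notification Packages" value
# without duplicating it or disturbing the entries that are already there.
$current = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
if ($current -notcontains $FilterName) {
    Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' `
                     -Value ($current + $FilterName) -Type MultiString
}

# Step 3: import registerpwsync.reg so the plug-in can locate pwsync.props.
Start-Process -FilePath 'reg.exe' -ArgumentList "import `"$RegFile`"" -Wait -NoNewWindow

# Verification: every entry in Notification Packages is loaded into LSASS at
# boot, so check that the list contains only what you expect before rebooting
# and that each listed DLL actually exists in System32.
$after = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
foreach ($pkg in $after) {
    $path   = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $status = if (Test-Path $path) { 'present' } else { 'MISSING' }
    Write-Output ('{0,-20} {1}' -f $pkg, $status)
}

# Step 4: reboot so LSASS picks up the new filter (uncomment when ready).
# Restart-Computer -Force
```

The verification loop is worth keeping around after the rollout: because anything listed in Notification Packages runs inside LSASS with access to clear-text password changes, the value should be compared periodically against the expected list on every DC, and an unexpected entry treated as an incident.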
Before any of this will work, you need to configure the pwsync.props file. At this point it is important to decide which method you will use to capture the password. A few of the options:
- Log Password – This is only recommended for testing purposes.
- MQe (Message Queue Element) – This requires something like IBM’s WebSphere MQ server or a similar product.
- LDAP – This stores the information in an LDAP directory. This is the method we chose to use.
There are a few sections in the pwsync.props file that it is important to modify.
# Executable (binary or shell script) used to start the Java Proxy.
# If this property is set, both 'jvmPath' and 'jvmClassPath' will be ignored.
proxyStartExe=C:\\TDI\\V711/pwd_plugins/bin/startProxy.bat
# Port number, on which the Java Proxy listens for commands.
serverPort=18001
# The log file of the Plug-in part of the Password Synchronizer.
# If empty, no logging will be done.
logFile=C:\\TDI\\V711/pwd_plugins/windows/plugin.log
# Whether to reject password changes if the Password Store is down.
checkRepository=true
For testing purposes, you can configure the User filtering configuration section. For example, you might want to require that a user be a member of a particular group before a password change is passed to the password sync process.
#
# The Password Store component
# Since LDAP is the method we chose, this line must be uncommented.
syncClass=com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore
The LDAP section is the last section to configure:
#
# LDAP Password Store Configuration
#
# LDAP server host
ldap.hostname=DCNameHere
# LDAP server port
ldap.port=389
# LDAP bind dn
ldap.admindn=CN=SVC TDILDAP,DC=contoso,DC=net
# LDAP bind password
# This field must be encoded. Use the 'encryptPasswd' utility.
ldap.password=db8450d230833c9ae307c065401058d36d8a6b
# If set to true, password changes will be committed synchronously to the Password Store when
# a password change notification is received. The source of the password change will be blocked
# until the password change is written to the Password Store.
#
# If set to false, the commit will be asynchronous. Use the 'ldap.delayMillis' property to configure
# the time to wait before committing the password change.
ldap.waitForStore=true
# Time to wait (in milliseconds), before committing the password change to the Password Store.
# Will be ignored if 'waitForStore' is set to true.
# ldap.delayMillis=2000
# Use SSL for LDAP communication.
# If set to true, JSSE must be configured (set the javax.net.ssl.trustStore and javax.net.ssl.keyStore properties).
# ldap.ssl=false
# Location in the LDAP directory tree, where the Password Synchronizer will store data.
ldap.suffix=OU=TDI,DC=contoso,DC=net
# Name of an LDAP object class used to hold information for a given user.
ldap.schemaPersonObjectName=ibm-diPerson
# Name of an LDAP attribute which represents user identifier.
# This attribute must be a member of the object class specified by the 'ldap.schemaPersonObjectName' property.
ldap.schemaUseridAttributeName=ibm-diUserId
# Name of an LDAP attribute which represents user password.
# This attribute must be a member of the object class specified by the 'ldap.schemaPersonObjectName' property.
ldap.schemaPasswordAttributeName=ibm-diPassword
You will notice some special schema attributes mentioned in this section. The next part of this blog will cover the schema attributes that need to be added and how they are used.
Once you have the pwsync.props file configured, you can copy it to each server (into the C:\TDI\V711\pwd_plugins\windows folder if you use the same install path that I did). You will just need to update a couple of lines to reflect the correct server name.
Here is a link to the IBM support document regarding this:
https://www.ibm.com/support/knowledgecenter/SSCQGF_7.1.1/com.ibm.IBMDI.doc_7.1.1/pluginsguide.pdf
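Before copying the file to every DC, it helps to check the settings that matter for security and to generate the per-server copies mechanically rather than hand-editing each one. The script below is an added example, not code from the original post or from IBM: it reads a finished pwsync.props, flags the values a reviewer would question (the store class still commented out, checkRepository off, ldap.ssl not enabled, a bind password that does not look like encryptPasswd output), and writes one copy per DC with only ldap.hostname changed. The template path, staging folder and DC names are placeholders; the property names are the ones shown in this post.

```powershell
# Added example: review pwsync.props and stamp out one copy per DC.
# Placeholders: $Template, $OutDir and $DCs; adjust to your environment.

$Template = 'C:\TDI\V711\pwd_plugins\windows\pwsync.props'
$OutDir   = 'C:\TDI\staging'          # constructed staging folder
$DCs      = @('DC01', 'DC02')          # placeholder domain controller names

# Minimal Java .properties reader: skips blank and commented lines and
# splits on the first '=' only, so DN values containing '=' survive intact.
function Read-Props([string]$Path) {
    $props = [ordered]@{}
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $props
}

# Returns a list of findings; an empty list means the checks passed.
function Test-PwsyncProps($p) {
    $findings = @()
    # With the syncClass line still commented out, the plug-in has no store to write to.
    if ($p['syncClass'] -ne 'com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore') {
        $findings += 'syncClass is not LDAPPasswordStore (is the line still commented out?)'
    }
    # checkRepository=true rejects the change when the store is down, so AD and the store never diverge.
    if ($p['checkRepository'] -ne 'true') { $findings += 'checkRepository is not true' }
    # Without ldap.ssl=true the bind and the store write travel over port 389 without TLS.
    if ($p['ldap.ssl'] -ne 'true') { $findings += 'ldap.ssl is not true; LDAP traffic is not protected by TLS' }
    # The bind password must be the encryptPasswd output; the post shows it as a hex string,
    # so anything outside [0-9a-f] is treated here as a possible clear-text value.
    if ($p['ldap.password'] -notmatch '^[0-9a-f]+$') { $findings += 'ldap.password does not look like encryptPasswd output' }
    return $findings
}

# Writes pwsync.props.<DC> for each host, changing only the ldap.hostname line,
# and returns the paths written. ASCII keeps the file valid as a Java properties file.
function New-PerDcProps([string]$TemplatePath, [string[]]$Hosts, [string]$Dir) {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $lines = Get-Content -Path $TemplatePath
    foreach ($h in $Hosts) {
        $out = $lines | ForEach-Object {
            if ($_ -match '^\s*ldap\.hostname\s*=') { "ldap.hostname=$h" } else { $_ }
        }
        $dest = Join-Path $Dir "pwsync.props.$h"
        Set-Content -Path $dest -Value $out -Encoding ASCII
        $dest
    }
}

$props  = Read-Props $Template
$issues = Test-PwsyncProps $props
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output 'pwsync.props checks passed' }
New-PerDcProps $Template $DCs $OutDir
```

Each generated file is then copied to its DC's pwd_plugins\windows folder as pwsync.props. Keeping the template under change control and regenerating from it means a later edit (for example enabling ldap.ssl once JSSE is configured) reaches every DC identically instead of drifting across hand-edited copies.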