Active Directory / LDAP password sync using OpenIDM as a black box: use cases
OpenIDM provides two password synchronization plugins (one for AD and one for OpenDJ) which allow passwords to be synchronized between the source directory (AD or OpenDJ) and OpenIDM.
Each plugin intercepts the password update before the directory hashes it, and propagates the clear-text value to OpenIDM. Because the exchange between the source and OpenIDM carries the password in clear text, the connection must be encrypted with TLS.
As a consequence, the following use cases are relevant:
- Bidirectional password synchronization between OpenDJ and AD through OpenIDM.
- Password synchronization from OpenDJ (where OpenDJ is the source) to any LDAP directory through OpenIDM.
- Password synchronization from AD (where AD is the source) to any LDAP directory through OpenIDM.
OpenIDM also synchronizes attributes between directories, as described in the article, by reading the change log, where attribute changes are recorded.
Password synchronization is more restrictive, because password changes and updates are not written to the changelog; only the intercepting plugin sees the value.
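The following Python model, added here and not part of the original article or of OpenIDM's plugin code, illustrates the two points above: a directory stores only a salted hash and writes no password to its changelog, so the only place a sync plugin can capture the value is before hashing, and that capture point must refuse anything but an HTTPS (TLS) endpoint. All function names, the JSON payload shape and the sample entry are hypothetical constructions for the example.

```python
# Added illustration of the password sync flow described in the text.
# Function names, payload shape and sample data are hypothetical; this is
# not OpenIDM's or OpenDJ's own code.
import base64
import hashlib
import os
from urllib.parse import urlparse


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return an {SSHA} (salted SHA-1) value, the form a directory stores.

    The clear-text password is unrecoverable from this string, which is why
    the stored value cannot be used to sync to a different directory.
    """
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def changelog_record(dn: str, modifications: dict) -> dict:
    """Simulated changelog entry (constructed shape).

    Attribute modifications are recorded, but the directory never writes
    the password value to the changelog, so userPassword is dropped here.
    """
    changes = {k: v for k, v in modifications.items() if k != "userPassword"}
    return {"targetDN": dn, "changeType": "modify", "changes": changes}


def intercept_password_change(dn: str, password: str, openidm_url: str) -> dict:
    """Model of what the sync plugin does at the interception point.

    The clear-text value is available only here, before hashing. Because it
    leaves the directory in clear text, the plugin refuses any endpoint
    that is not HTTPS (TLS-protected).
    """
    scheme = urlparse(openidm_url).scheme
    if scheme != "https":
        raise ValueError(
            "refusing to send a clear-text password over %r; use https" % scheme
        )
    # Hypothetical payload shape; OpenIDM's actual plugin protocol differs.
    return {"url": openidm_url, "payload": {"dn": dn, "password": password}}


def simulate_password_update(dn: str, new_password: str, openidm_url: str) -> dict:
    """Run a single password update through the three stages and summarize."""
    forwarded = intercept_password_change(dn, new_password, openidm_url)  # step 1: plugin sees clear text
    stored = ssha_hash(new_password)                                      # step 2: directory hashes
    log = changelog_record(dn, {"userPassword": stored, "mail": "user@example.test"})  # step 3: changelog
    return {
        "forwarded_clear_text": forwarded["payload"]["password"] == new_password,
        "stored_is_hash": stored.startswith("{SSHA}") and new_password not in stored,
        "changelog_has_password": "userPassword" in log["changes"],
    }


if __name__ == "__main__":
    # Constructed sample: one user, one password change, TLS endpoint.
    print(simulate_password_update("uid=jdoe,ou=people,dc=example,dc=test",
                                   "Winter-2024!", "https://idm.example.test:8444/openidm"))
```

The `simulate_password_update` summary makes the constraint explicit: the forwarded copy is the clear text, the stored copy is a hash, and the changelog carries no password at all. Swapping the endpoint for an `http://` URL raises before anything is sent, which is the behaviour to expect from any component that relays clear-text credentials.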
This tool can be used during an LDAP migration to ensure business continuity.