AD Ldap password synchronization using OpenIDM as a black box :
OpenIDM provides 2 password synchronization plugins (AD and OpenDJ) which allows to synchronize passwords between the source (AD or OpenDJ) and OpenIDM.
Each of this plugin intercept the password update before its get hashed, and propagates it to openIDM in clear text format. As the exchange between the source and openIDM takes place in clear format, the communication needs to be encrypted using TLS.
As a consequence the following deployments are available:
- Bidirectional password synchronization between openDJ and AD through openIDM.
- Password Synchronization between openDJ (where openDJ is teh source) to any LDAP Directory through openIDM
- Password Synchronization between AD (where AD is the source) to any LDAP Directory through openIDM.
OpenIDM allows also synchronization of attributes between directories, as described in article, using the change log, where attributes changes are recorded into it.
But password synchronization is more restrictive, as password changes/updates are not provided to the changelog.