Password Synchronization with OpenLDAP Server
Steps to configure OpenLDAP Server with ADSelfService Plus
Important: Install the Password Sync Agent to synchronize native password changes and resets.
- Log into the ADSelfService Plus admin console with admin credentials.
- Navigate to Configuration → Self-Service → Password Sync/Single Sign On.
- Select OpenLDAP.
Note: You can also find OpenLDAP from the search bar located in the left pane or from the alphabet-wise navigation option in the right pane.
- Enter the Application Name and Description.
- In the Assign Policies field, select the policies for which password sync needs to be enabled.
Note: ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy.
- Select Enable Password Sync.
- Enter the System Name or IP Address of the OpenLDAP Server.
- Enter the Domain Name of the OpenLDAP Server in distinguished name format. For example, dc=example,dc=com.
- Enter the Username of the OpenLDAP Server in distinguished name format. For example, cn=directory manager,dc=example,dc=com.
- Enter the Password of the OpenLDAP Server.
Note: The username and password must belong to the administrator account of the server on which OpenLDAP is installed.
- Enter the LDAP port (default 389) and LDAP SSL port (default 636) of the OpenLDAP Server.
- Check the Use LDAP Password Modify Extended Operation box if required. See the section About the LDAP Password Modify Extended Operation below for details on this setting.
- Click Add Application.
About the LDAP Password Modify Extended Operation
The LDAP Password Modify Extended Operation (RFC 3062) was introduced by the IETF for LDAPv3. It allows a user's password to be changed without depending on the password attribute or the password storage mechanism used by the server. ADSelfService Plus uses this operation to synchronize passwords between Active Directory and OpenLDAP.
Once the LDAP Password Modify Extended Operation is enabled, the password is passed to the OpenLDAP server in plain text and the server takes care of the change process. If this option isn't enabled, ADSelfService Plus hashes the password using MD5 and writes the hashed value to the userPassword attribute using a standard LDAP modify operation.
Enabling this operation in ADSelfService Plus offers the following benefits to the password modification and synchronization process that were not available in previous versions of LDAP:
- Modification of a user's password even when the user is not represented by a distinguished name (DN) in the OpenLDAP directory or does not have an entry in the directory. It also allows password modification when the password used by the OpenLDAP directory server is not stored as an attribute of a user entry in the directory.
- Synchronization of the modified password with multiple password attributes, including custom attributes that have been introduced through integration with external authentication services like Samba.
Important: When enabling the LDAP Password Modify Extended Operation (RFC 3062), appropriate transport protection such as SSL/TLS must be configured on the OpenLDAP server. Failing to do so may lead to unauthorized exposure of passwords, since the passwords are sent to the OpenLDAP server in plain text.