Task 4: Configure Password Synchronization

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you have installed Password Synchronization on the appropriate Windows-based computer, you can administer it by using the Identity Management for UNIX management console. You can also administer Password Synchronization by using the command-line utility psadmin. You must be a member of the Administrators group on the computer you want to administer.

The procedures in this topic show how you can use Password Synchronization administration to:

  • Select the server to be administered.

  • Set the default settings that apply to the entire configuration of UNIX-based computers defined for the Windows-based computer or domain. The settings determine what the event log displays, the maximum number of times to resend a failed password update, and the length of time the service waits before resending a password update that has failed.

  • Add or remove a UNIX-based computer from the list of computers designated to receive password updates.

  • Create or modify the configuration for the UNIX-based computer, including the custom settings (the default settings applied to that single computer) and the encryption settings for secure communication. The order in which the names of the UNIX hosts appear in the list determines their order in the registry and the order in which they are processed for password synchronization.

In this Section

  • Set Default Synchronization

  • Set the Default Encryption Key

  • Set the Default Port

  • Add or Remove Computers for Synchronization

  • Set Computer-specific Synchronization Properties

  • Configure Password Synchronization Audit Logging

  • Continue with Password Synchronization Setup

Set Default Synchronization

Set default synchronization by using the Windows interface

  1. Open Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. Click Password Synchronization, and then click the Default tab.

  4. To allow password synchronization from UNIX-based computers to Windows-based computers, click Synchronize password changes from computers that run UNIX to computers that run Windows.

  5. To allow password synchronization from Windows-based computers to UNIX-based computers, click Synchronize password changes from computers that run Windows to computers that run UNIX.

  6. To save the new settings, click Apply.

Note

To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. These settings affect the default synchronization direction for UNIX hosts at the time they are added for synchronization. They do not affect computers that have already been added for synchronization.

Set default synchronization by using the command line

  • To set the default direction of synchronization, at a command prompt, type

    psadmin -comp computer_name -enable [WintoUnix | UnixToWin | BothDir]

    in which computer_name represents the name of the computer for which you want to configure the direction of password synchronization.

The following table describes the values available for the common option -enable.

Value       Description
WintoUnix   Synchronizes password changes from computers that run Windows operating systems to computers that run UNIX operating systems.
UnixToWin   Synchronizes password changes from computers that run UNIX operating systems to computers that run Windows operating systems.
BothDir     Enables two-way password synchronization.

Set the Default Encryption Key

Before you complete this procedure, have available the encryption key you want to use to encrypt passwords between UNIX-based and Windows-based computers on your network.

For more information, see Encryption key requirements in the Password Synchronization Help.

Set default encryption by using the Windows interface

  1. Open Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. Click Password Synchronization, and then click the Default tab.

  4. In the Encryption key text box, type the key you want to use, or, to have the program produce a key for you, click New Key.

  5. To save the new settings, click Apply.

Note

To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. This setting affects the default encryption key for UNIX hosts when they are added for synchronization, as well as the key used for UNIX-to-Windows synchronization. If you change this setting, you must edit the /etc/sso.conf file to specify the same encryption key on UNIX hosts that are configured for UNIX-to-Windows password synchronization with this computer. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer.

Set default encryption by using the command line

  • To set the default encryption method, at a command prompt, type

    psadmin -comp name -key keyvalue

    in which name represents the name of the computer for which you want to configure the encryption key, and keyvalue represents the encryption key you want to use.

Note

To have Password Synchronization assign a key for you, enter random as the key value.

Set the Default Port

This setting affects the default port number for UNIX hosts when they are added for synchronization, as well as the port used for UNIX-to-Windows synchronization. If you change this setting, you must edit the /etc/sso.conf file to specify the same port on UNIX hosts that are configured for UNIX-to-Windows password synchronization with this computer. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer.

For maximum security, use a port number other than the default (6677).

Set the default port by using the Windows interface

  1. Open Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. Click Password Synchronization, and then click the Default tab.

  4. To use a port other than 6677, in the Port number box, type the port number you want.

  5. To save the new settings, click Apply.

Note

To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. This setting affects the default port number for UNIX hosts when they are added for synchronization, as well as the port used for UNIX-to-Windows synchronization. If you change this setting, you must edit the /etc/sso.conf file to specify the same port on UNIX hosts that are configured for UNIX-to-Windows password synchronization with this computer. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer. For maximum security, use a port number other than the default (6677).

Set the default port by using the command line

  • To set the default port, at a command prompt, type

    psadmin -comp name -port port_number

    in which name represents the name of the computer for which you want to change the port number, and port_number represents the port number you want to use.

Add or Remove Computers for Synchronization

Add or remove computers for synchronization by using the Windows interface

  1. Open Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. Click Password Synchronization.

  4. Click the Advanced tab, and then do one of the following:

     • To add a computer to the list of current computers, in Computer name, type the name of the UNIX-based computer you want to add, and then click Add.

     • To remove a computer, in the Current computers list, click the UNIX-based computer you want to remove, and then click Remove.

  5. To save the new settings, click Apply.

Note

To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. In addition to adding a UNIX-based computer to the list, if you want to change the user's password on the UNIX computer when the corresponding Windows user's password is changed, you must install the Password Synchronization single sign-on daemon (SSOD) on the UNIX-based computer. For more information about installing the SSOD, see Task 2: Install the Password Synchronization Daemon on UNIX-based Computers. If you want to change the Windows user's password when the corresponding UNIX-based computer user's password is changed, you must install the pluggable authentication module (PAM) on the UNIX-based computer. For more information about installing the PAM, see Task 3: Install the Pluggable Authentication Module on UNIX-based Computers.

Add or remove computers for synchronization by using the command line

  • To add a computer for synchronization, at a command prompt, type

    psadmin add computer_name

    in which computer_name represents the name of the computer you want to participate in password synchronization.

  • To remove a computer from the password synchronization process, type

    psadmin delete computer_name

    in which computer_name represents the name of the computer you want to remove from the password synchronization process.

Note

psadmin list displays a list of all computers participating in password synchronization.

Set Computer-specific Synchronization Properties

Set computer-specific synchronization properties by using the Windows interface

  1. Open Identity Management for UNIX. If necessary, connect to the computer you want to manage.

  2. Click Password Synchronization, and then click the Advanced tab.

  3. In the Current computers list, click the one for which you want to set properties, and then click Configure.

  4. Set the properties you want to apply to the selected computer.

  5. To save the new settings, click Apply.

Note

To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. Before setting computer-specific synchronization properties in Password Synchronization, edit the sso.conf file on the UNIX-based computer to specify the same settings. For information about assigning computer-specific settings in the sso.conf file, see Using sso.conf to configure Password Synchronization on the UNIX computer.

Set computer-specific synchronization properties by using the command line

  • To modify computer-specific synchronization properties by using the command line, at a command prompt, type

    psadmin -comp computer_name [common_option] [common_option_value]

    in which computer_name represents the name of the computer for which you want to modify password synchronization properties, common_option represents one of the configurable parameters in the following table, and common_option_value represents one of the acceptable values for the parameter, as found in the following table.

Option              Description
-comp name          Computer to which configuration options are applied. If -comp is unspecified, Password Synchronization modifies the default configuration settings. If -comp is the only option specified, the Password Synchronization configuration of the specified computer is displayed.
-enable direction   Specifies the direction of password synchronization. The variable direction can contain one of the following values:
                    WintoUnix: Synchronize password changes from computers that run Windows operating systems to computers that run UNIX operating systems.
                    UnixToWin: Synchronize password changes from computers that run UNIX operating systems to computers that run Windows operating systems.
                    BothDir: Enable two-way password synchronization.
-key keyvalue       Sets the encryption and decryption key for the computer specified by -comp. If keyvalue is random, Password Synchronization uses a random encryption key.
-port number        Sets the port number for the specified computer.
-?                  Displays psadmin usage and arguments.

Configure Password Synchronization Audit Logging

Set auditing options by using the Windows interface

  1. Open Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. Click Password Synchronization, and then click the Default tab.

  4. To have information events as well as warnings and errors logged to Event Viewer, click Enable extensive logging.

  5. To save the new settings, click Apply.

Note

To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. When the log file reaches the limit you set, logging stops and Event Viewer displays a note that the log file is full.

Set auditing options by using the command line

  • To enable or disable logging by using the command line, at a command prompt, type

    psadmin -log [yes | no]

    in which yes enables logging, and no disables logging.

Note

The -log option is a global setting; it can be used only when -comp is not used.
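The command-line procedures above (default direction, default key, default port, adding computers, computer-specific properties, and audit logging) can be combined into one script. The following cmd.exe batch file is an added example and is not part of the original page or of the Identity Management for UNIX product; it orders the psadmin calls so that the defaults are set before any host is added, because the notes above state that default settings apply only to hosts added afterward. It assumes that psadmin returns a non-zero exit code on failure, that omitting -comp applies a setting to the default configuration (as the option table describes), and that the host names, key and port number shown are constructed placeholders.

```batch
@echo off
rem Added example (not from the original page): provision Password Synchronization
rem on a Windows Server 2003 computer with psadmin.
rem Assumptions: run from cmd.exe by a member of the local Administrators group;
rem psadmin exits non-zero on failure; host names, key and port are placeholders.
setlocal

rem Constructed placeholder values; replace before use. The port deliberately
rem differs from the product default (6677), as the page recommends.
set "SYNC_KEY=REPLACE-WITH-YOUR-KEY"
set "SYNC_PORT=7788"
set "SYNC_HOSTS=unixhost1 unixhost2"

rem 1. Extensive logging is a global setting, so it must be set without -comp.
psadmin -log yes || goto :fail

rem 2. Defaults first: they apply only to hosts added later, not to existing ones.
rem    Omitting -comp targets the default configuration (see the option table).
psadmin -enable BothDir || goto :fail
psadmin -key "%SYNC_KEY%" || goto :fail
psadmin -port %SYNC_PORT% || goto :fail

rem 3. Now add each UNIX host; each inherits the defaults set in step 2.
for %%H in (%SYNC_HOSTS%) do (
    psadmin add %%H || goto :fail
)

rem 4. Computer-specific override: unixhost2 receives Windows-to-UNIX updates only.
psadmin -comp unixhost2 -enable WintoUnix || goto :fail

rem 5. Verify: list participating computers and show one host's configuration.
psadmin list || goto :fail
psadmin -comp unixhost2 || goto :fail

endlocal
exit /b 0

:fail
echo psadmin failed with exit code %errorlevel% 1>&2
endlocal
exit /b 1
```

After the script completes, the same key and port still have to be entered in /etc/sso.conf on each UNIX host that synchronizes toward this computer, as the notes above require; keeping the key in a script file on disk means that file needs the same access restrictions as the key itself.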

Continue with Password Synchronization Setup

To continue setting up Password Synchronization, go on to Task 5: Start Password Synchronization.

See Also

Other Resources

Encryption key requirements
Connect to a computer you want to manage
Implementing Password Synchronization
Understanding Password Synchronization
Password encryption
psadmin