Task 4: Configure Password Synchronization
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you have installed Password Synchronization on the appropriate Windows-based computer, you can administer it by using the Identity Management for UNIX management console. You can also administer Password Synchronization by using the command-line utility psadmin. You must be a member of the Administrators group on the computer you want to administer.
The procedures in this topic show how you can use Password Synchronization administration to:
Select the server to be administered.
Set the default settings that apply to the entire configuration of UNIX-based computers defined for the Windows-based computer or domain. The settings determine what the event log displays, the maximum number of times to resend the failed password update, and the length of time the service waits before resending a password update that has failed.
Add or remove a UNIX-based computer from the list of computers designated to receive password updates.
Create or modify the configuration for the UNIX-based computer, including the custom settings (the default settings applied to that single computer) and the encryption settings for secure communication. The order in which the names of the UNIX hosts appear in the list determines their order in the registry and the order in which they are processed for password synchronization.
In this Section
Set Default Synchronization
Set the Default Encryption Key
Set the Default Port
Add or Remove Computers for Synchronization
Set Computer-specific Synchronization Properties
Configure Password Synchronization Audit Logging
Continue with Password Synchronization Setup
Set Default Synchronization
Set default synchronization by using the Windows interface
Set default synchronization by using the command line
Set default synchronization by using the Windows interface
Open Identity Management for UNIX.
If necessary, connect to the computer you want to manage.
Click Password Synchronization, and then click the Default tab.
To allow password synchronization from UNIX-based computers to Windows-based computers, click Synchronize password changes from computers that run UNIX to computers that run Windows.
To allow password synchronization from Windows-based computers to UNIX-based computers, click Synchronize password changes from computers that run Windows to computers that run UNIX.
To save the new settings, click Apply.
Note
To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. These settings affect the default synchronization for UNIX hosts when they are added for synchronization. They do not affect computers that have already been added for synchronization.
Set default synchronization by using the command line
To set the default direction of synchronization, at a command prompt, type
psadmin computer_name -enable [WintoUnix | UnixToWin | BothDir]
in which computer_name represents the name of the computer for which you want to configure the direction of password synchronization.
The following table describes the values available for the common option -enable.
Value | Description
---|---
WintoUnix | Synchronizes password changes from computers that run Windows operating systems to computers that run UNIX operating systems.
UnixToWin | Synchronizes password changes from computers that run UNIX operating systems to computers that run Windows operating systems.
BothDir | Enables two-way password synchronization.
Set the Default Encryption Key
Before you complete this procedure, have available the encryption key you want to use to encrypt passwords between UNIX-based and Windows-based computers on your network.
For more information, see Encryption key requirements in the Password Synchronization Help.
Set default encryption by using the Windows interface
Set default encryption by using the command line
Set default encryption by using the Windows interface
Open Identity Management for UNIX.
If necessary, connect to the computer you want to manage.
Click Password Synchronization, and then click the Default tab.
In the Encryption key text box, type the key you want to use, or, to have the program produce a key for you, click New Key.
To save the new settings, click Apply.
Note
To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. This setting affects the default encryption key for UNIX hosts when they are added for synchronization as well as the port used for UNIX-to-Windows synchronization. If you change this setting, you must edit the /etc/sso.conf file to specify the same encryption key on UNIX hosts that are configured for UNIX-to-Windows password synchronization with this computer. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer.
Set default encryption by using the command line
To set the default encryption key, at a command prompt, type
psadmin -comp name -key keyvalue
in which name represents the name of the computer for which you want to configure the encryption key, and keyvalue represents the encryption key you want to use.
Note
To have Password Synchronization assign a key for you, enter random as the key value.
Set the Default Port
This setting affects the default port number for UNIX hosts when they are added for synchronization, as well as the port used for UNIX-to-Windows synchronization. If you change this setting, you must edit the /etc/sso.conf file to specify the same port on UNIX hosts that are configured for UNIX-to-Windows password synchronization with this computer. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer.
For maximum security, use a port number other than the default (6677).
Set the default port by using the Windows interface
Set the default port by using the command line
Set the default port by using the Windows interface
Open Identity Management for UNIX.
If necessary, connect to the computer you want to manage.
Click Password Synchronization, and then click the Default tab.
To use a port other than 6677, in the Port number box, type the port number you want.
To save the new settings, click Apply.
Note
To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. This setting affects the default port number for UNIX hosts when they are added for synchronization, as well as the port used for UNIX-to-Windows synchronization. If you change this setting, you must edit the /etc/sso.conf file to specify the same port on UNIX hosts that are configured for UNIX-to-Windows password synchronization with this computer. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer. For maximum security, use a port number other than the default (6677).
Set the default port by using the command line
To set the default port, at a command prompt, type
psadmin -comp name -port port_number
in which name represents the name of the computer for which you want to change the port number, and port_number represents the port number you want to use.
Add or Remove Computers for Synchronization
Add or remove computers for synchronization by using the Windows interface
Add or remove computers for synchronization by using the command line
Add or remove computers for synchronization by using the Windows interface
Open Identity Management for UNIX.
If necessary, connect to the computer you want to manage.
Click Password Synchronization.
Click the Advanced tab, and then do one of the following:
To add a computer to the list of current computers, in Computer name, type the name of the UNIX-based computer you want to add, and then click Add.
To remove a computer, in the Current computers list, click the UNIX-based computer you want to remove, and then click Remove.
To save the new settings, click Apply.
Note
To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. In addition to adding a UNIX-based computer to the list, if you want to change the user's password on the UNIX computer when the corresponding Windows user's password is changed, you must install the Password Synchronization single sign-on daemon (SSOD) on the UNIX-based computer. For more information about installing the SSOD, see Task 2: Install the Password Synchronization Daemon on UNIX-based Computers. If you want to change the Windows user's password when the corresponding UNIX-based computer user's password is changed, you must install the pluggable authentication module (PAM) on the UNIX-based computer. For more information about installing the PAM, see Task 3: Install the Pluggable Authentication Module on UNIX-based Computers.
Add or remove computers for synchronization by using the command line
To add a computer for synchronization, at a command prompt, type
psadmin add computer_name
in which computer_name represents the name of the computer you want to participate in password synchronization.
To remove a computer from the password synchronization process, type
psadmin delete computer_name
in which computer_name represents the name of the computer you want to remove from the password synchronization process.
Note
psadmin list displays a list of all computers participating in password synchronization.
Set Computer-specific Synchronization Properties
Set computer-specific synchronization properties by using the Windows interface
Set computer-specific synchronization properties by using the command line
Set computer-specific synchronization properties by using the Windows interface
Open Identity Management for UNIX.
If necessary, connect to the computer you want to manage.
Click Password Synchronization, and then click the Advanced tab.
In the Current computers list, click the one for which you want to set properties, and then click Configure.
Set the properties you want to apply to the selected computer.
To save the new settings, click Apply.
Note
To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. Before setting computer-specific synchronization properties in Password Synchronization, edit the sso.conf file on the UNIX-based computer to specify the same settings. For information about assigning computer-specific settings in the sso.conf file, see Using sso.conf to configure Password Synchronization on the UNIX computer.
Set computer-specific synchronization properties by using the command line
To modify computer-specific synchronization properties by using the command line, at a command prompt, type
psadmin -comp computer_name [common_option] [common_option_value]
in which computer_name represents the name of the computer for which you want to modify password synchronization properties, common_option represents one of the configurable parameters in the following table, and common_option_value represents one of the acceptable values for the parameter, as found in the following table.
Option | Description
---|---
-comp name | Computer to which configuration options are applied. If -comp is unspecified, Password Synchronization modifies the default configuration settings. If -comp is the only option specified, then the Password Synchronization configuration of the specified computer is displayed.
-enable direction | Specifies the direction of password synchronization. The variable direction can contain one of the following values: WintoUnix (synchronize password changes from computers that run Windows operating systems to computers that run UNIX operating systems), UnixToWin (synchronize password changes from computers that run UNIX operating systems to computers that run Windows operating systems), or BothDir (enable two-way password synchronization).
-key keyvalue | Sets the encryption and decryption key for the computer specified by -comp. If keyvalue is random, Password Synchronization uses a random encryption key.
-port number | Sets the port number for the specified computer.
-? | Displays psadmin usage and arguments.
Configure Password Synchronization Audit Logging
Set auditing options by using the Windows interface
Set auditing options by using the command line
Set auditing options by using the Windows interface
Open Identity Management for UNIX.
If necessary, connect to the computer you want to manage.
Click Password Synchronization, and then click the Default tab.
To have information events as well as warnings and errors logged to Event Viewer, click Enable extensive logging.
To save the new settings, click Apply.
Note
To open Identity Management for UNIX, click Start, point to All Programs, point to Identity Management for UNIX, and then click Identity Management for UNIX. When the log file reaches the limit you set, logging stops and Event Viewer displays a note that the log file is full.
Set auditing options by using the command line
To enable or disable logging by using the command line, at a command prompt, type
psadmin -log [yes | no]
in which yes enables logging, and no disables logging.
Note
The -log option is a global setting; it can be used only when -comp is not used.
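The command-line procedures above (adding hosts, setting per-host direction, port and key, and enabling logging) can be applied consistently from one script. The following PowerShell script is an added example and is not part of the original topic or the Identity Management for UNIX product; the host names, ports and key placeholder are constructed, it assumes psadmin is on the PATH and returns a non-zero exit code on failure, and it uses only the psadmin options documented in this topic.

```powershell
# Added example (not from the original topic): apply a consistent Password
# Synchronization configuration with psadmin. Host names, ports and the key
# are constructed placeholders; replace them with your own values.
$ErrorActionPreference = 'Stop'

# Per-host settings. Port and key must match /etc/sso.conf on each UNIX host.
$unixHosts = @(
    @{ Name = 'unixhost01'; Direction = 'BothDir';   Port = 7001; Key = 'REPLACE-WITH-YOUR-KEY' },
    @{ Name = 'unixhost02'; Direction = 'UnixToWin'; Port = 7002; Key = 'REPLACE-WITH-YOUR-KEY' }
)
$validDirections = 'WintoUnix', 'UnixToWin', 'BothDir'

function Invoke-PsAdmin {
    param([string[]]$Arguments)
    Write-Host "psadmin $($Arguments -join ' ')"
    # Assumption: psadmin sets a non-zero exit code when a command fails.
    & psadmin $Arguments
    if ($LASTEXITCODE -ne 0) { throw "psadmin failed (exit $LASTEXITCODE): $($Arguments -join ' ')" }
}

foreach ($h in $unixHosts) {
    # Reject values that cannot work, and flag the ones the topic advises against.
    if ($validDirections -notcontains $h.Direction) { throw "$($h.Name): unknown direction '$($h.Direction)'" }
    if ($h.Port -lt 1 -or $h.Port -gt 65535)        { throw "$($h.Name): port $($h.Port) is out of range" }
    if ($h.Port -eq 6677) { Write-Warning "$($h.Name): uses the default port 6677; choose another port for maximum security" }
    if ($h.Key -eq 'random') { Write-Warning "$($h.Name): key is generated; read it back with 'psadmin -comp $($h.Name)' and copy it to /etc/sso.conf" }

    # Order of 'add' calls is the order in which hosts are processed for synchronization.
    Invoke-PsAdmin @('add', $h.Name)
    Invoke-PsAdmin @('-comp', $h.Name, '-enable', $h.Direction)
    Invoke-PsAdmin @('-comp', $h.Name, '-port', "$($h.Port)")
    Invoke-PsAdmin @('-comp', $h.Name, '-key', $h.Key)
}

# Logging is a global setting: -log cannot be combined with -comp.
Invoke-PsAdmin @('-log', 'yes')

# Show the resulting membership so it can be compared against the intended list.
Invoke-PsAdmin @('list')
```

Run it in an elevated prompt as a member of the Administrators group on the computer being administered; the key is passed on the command line, so clear the console history afterwards if the session is recorded.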
Continue with Password Synchronization Setup
To continue setting up Password Synchronization, go on to Task 5: Start Password Synchronization.
See Also
Other Resources
Encryption key requirements
Connect to a computer you want to manage
Implementing Password Synchronization
Understanding Password Synchronization
Password encryption
psadmin