
Read password into IDM from AD

Hello Experts,

Password hook is not available for IDM 8.0 yet, and I got to know a few months back that it's not reliable and has security implications.

So if not for password hook, how to read password from AD into IDM? Initial load doesn't bring in the password. We get NULL value for AD attribute userPassword when using the standard initial load job.

How have you covered this scenario?

Kind regards,

Jai


3 Answers

  • Best Answer
    Former Member
    Posted on Aug 27, 2015 at 10:36 AM

    The password hook can only read password changes; it could never read existing passwords, and if you could simply read the password from AD via LDAP or ADSI you'd have a major security issue. Even if you could get the hashed password value it would be useless for other systems.

    I'm not sure I understand your scenario, are you looking for SSO functionality or just catching password changes in ADS?


    • Former Member Jai Suryan

      Hi Jai,

      As Chris & Matt said, there is not an easy solution, but my suggestion is to set up the IdM authorization to be against AD, so to log in to IdM the users should use their AD credentials. Then, if the users want, they can reset their password by using the standard Password Reset workflow (the password will be reset in all of the systems). In order to reset the password partially, you should do some custom extension of the standard workflow.

      BR,

      Simona

  • Former Member
    Posted on Aug 28, 2015 at 12:30 AM

    I recently worked on a scenario where IdM was integrated with a custom-built .Net password utility that was used to reset AD passwords. This .Net utility passed the password value to VDS via an LDAP update call, applying the value to the MX_PASSWORD attribute. This was then provisioned to all SAP systems where the user had an ID. We used productive password provisioning (which requires Secure Network Communication defined between IdM and the ABAP Netweaver stack). This set the AD password and the SAP password to the same value. (Note: contradicting minds suggested that setting the AD password and SAP password the same was a security risk - something to consider.)

    With that said, the .Net utility could be replaced with the delivered Password Self-service feature within IdM. The key is activation of SNC, modifying the update ABAP Password Pass to set a productive password, and setting the PSS component to allow the user to set their own password (versus allowing IdM to generate one).

    Hope this gives you some ideas...


  • Posted on Aug 28, 2015 at 04:18 AM

    Thank you all for your prompt responses.

    So I will let them know there is no standard configuration to read passwords of existing users into IDM.

    SSO option will cover initial phase where passwords will be different between AD and SAP systems.

    Then for new users and password resets of existing users, IDM will maintain the master password and there will be single source of truth.

    Kind regards,

    Jaisuryan
