Tuesday, 21 July 2015

Tivoli Directory Integrator: Sync AD Password with Domino

How to configure TDI for User Registration and Password Synchronization
  1. Infrastructure: (Ensure the firewall is turned off, or that the required ports are allowed through it)
    1. Machine 1: Active Directory
    2. Machine 2: TDI
    3. Machine 3: Domino Server
  2. Installation:
    1. Machine 1: Install TDI Plugins for Change Password Detection.
      1. Install the plugin as per the guidelines:
        • Copy the file tdipwflt.dll to the System32 folder of the Windows installation folder. Note that on 64-bit Windows operating systems, the 64-bit DLL of the Password Synchronizer must be put in the System32 folder.
        • List the name of the Windows Password Synchronizer DLL (without the ".dll" file extension) in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages" Windows registry key. Make sure you put in the name of the 64-bit DLL on a 64-bit Windows platform.
        • Execute the registerpwsync.reg file, which is shipped with the Password Synchronizer. This will create a key for the Windows Password Synchronizer in the Windows registry: "HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli Directory Integrator\Windows Password Synchronizer". It will also set a string value "ConfigFile" that contains the absolute file name of the configuration file of the Windows Password Synchronizer.
        • Restart the machine; a few extra files, such as "proxy", should then be created in the Plugin folder.
      2. Configure the following settings in the pwsync.props file in the TDI Plugin directory:
        • syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
        • jms.broker=tcp://<ip_machine2>:61616
        • jms.clientId=client1
      3. Use the pwsync_admin.exe utility to restart the proxy.
    2. Machine 2: Install TDI and then apply FP1 and FP2 (Note: the FP2 installation will fail if the UpdateInstaller is not replaced as described in the documentation in the maintenance folder)
    3. Machine 3: Domino Server should be installed with ID Vault Configured.
  3. Configuration:
    1. Machine 2: Import the Assembly Lines attached to this document into TDI and update the LDAP, Domino and AD settings.
    2. For the Domino User Connector, try the IIOP or Local Client setting. Reference documents are attached to this document.
    3. Deploy the PasswordSync.nsf database, which contains the Web Service that changes passwords for HTTP and the ID Vault. (Note: update the Web Service properties according to your environment.)
    4. Modify the Configuration Document on the Domino Server to "Allow LDAP users write access".
  4. Modify the ID Vault policy so that the Notes Client doesn't ask the user to change the password after it has been reset via the ID Vault.
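The Machine 1 steps above (DLL in System32, DLL name in the LSA Notification Packages value, the IBM registry key with its ConfigFile value, and the three pwsync.props settings) are easy to get slightly wrong, and the proxy then silently never starts. The following PowerShell script is an added verification check written for this post; it is not part of the original post or of the TDI product. It assumes the ConfigFile registry value points at the pwsync.props file, that the TDI broker listens on port 61616 as in the post, and that scecli and rassfm are the only Windows-supplied password filters on the domain controller (adjust $KnownPackages to your own baseline). Run it in an elevated PowerShell session on the Active Directory machine.

```powershell
# Added verification script (not from the original post or from IBM/TDI).
# Checks the Machine 1 password-filter installation steps from the post.
param(
    [string]$DllName = 'tdipwflt',                       # from the post, without ".dll"
    [string[]]$KnownPackages = @('scecli', 'rassfm'),    # assumption: default Windows filters on a DC
    [int]$ExpectedBrokerPort = 61616                     # from the post
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. The 64-bit filter DLL must live in System32 of the Windows installation.
$dllPath = Join-Path $env:SystemRoot "System32\$DllName.dll"
Add-Check 'DLL present in System32' (Test-Path $dllPath) $dllPath

# 2. Notification Packages is a REG_MULTI_SZ value; the DLL is listed by name, no extension.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
Add-Check 'DLL listed in Notification Packages' ($packages -contains $DllName) ($packages -join ', ')

# Every DLL in this value is handed each new password in clear text by LSA, so any
# entry that is neither the TDI filter nor a known Windows package should be reviewed.
$unexpected = @($packages | Where-Object { $_ -ne $DllName -and $KnownPackages -notcontains $_ })
Add-Check 'No unexpected password filters' ($unexpected.Count -eq 0) ($unexpected -join ', ')

# 3. registerpwsync.reg creates this key and the ConfigFile string value.
$ibmKey = 'HKLM:\SOFTWARE\IBM\Tivoli Directory Integrator\Windows Password Synchronizer'
$configFile = $null
if (Test-Path $ibmKey) {
    $configFile = (Get-ItemProperty -Path $ibmKey -Name 'ConfigFile' -ErrorAction SilentlyContinue).ConfigFile
}
$configOk = [bool]$configFile -and (Test-Path $configFile)   # -and short-circuits on $null
Add-Check 'ConfigFile value points to an existing file' $configOk "$configFile"

# 4. Parse the Java-style properties file (key=value, '#' comments) and compare
#    it with the three settings given in the post.
$props = @{}
if ($configOk) {
    Get-Content $configFile | ForEach-Object {
        $line = $_.Trim()
        if ($line -and -not $line.StartsWith('#') -and $line.Contains('=')) {
            $k, $v = $line -split '=', 2
            $props[$k.Trim()] = $v.Trim()
        }
    }
}
$expectedClass = 'com.ibm.di.plugin.pwstore.jms.JMSPasswordStore'
Add-Check 'syncClass is the JMS password store' ($props['syncClass'] -eq $expectedClass) "$($props['syncClass'])"
Add-Check 'jms.clientId is set' ([bool]$props['jms.clientId']) "$($props['jms.clientId'])"

# jms.broker must be tcp://<ip_machine2>:61616 and the TDI host must actually accept the connection.
$broker = $props['jms.broker']
$brokerOk = $false
if ($broker -match '^tcp://([^:/]+):(\d+)$') {
    $brokerHost = $Matches[1]
    $brokerPort = [int]$Matches[2]
    if ($brokerPort -eq $ExpectedBrokerPort) {
        $brokerOk = Test-NetConnection -ComputerName $brokerHost -Port $brokerPort -InformationLevel Quiet
    }
}
Add-Check 'jms.broker reachable on expected port' $brokerOk "$broker"

$results | Format-Table -AutoSize
```

A failed 'jms.broker reachable' row usually means the firewall step under Infrastructure was skipped; a failed 'No unexpected password filters' row is worth investigating regardless of the TDI setup, because that registry value is loaded by LSA at boot and anything listed there sees every password change on the domain controller.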

    Download attachment from here: Link