How to Synchronize Password Changes From Active Directory to LDAP
Learn how to synchronize password changes from Active Directory to LDAP and then federate using an OpenIDConnect client based on the ForgeRock product stack.
Introduction
One of the common problems in the identity and access management domain is how to synchronize passwords from Active Directory to a directory or database, so that people can log in to multiple applications with a single password using their Windows login credentials.
Plenty of product blogs describe pieces of this, but few give a clear picture of the implementation from an end-to-end perspective.
The purpose of this article is to outline how to achieve it end to end with the ForgeRock stack, which should save effort and time for anyone evaluating products. It covers synchronizing password changes from Active Directory to LDAP and then federating through an OpenID Connect client, all based on the ForgeRock product stack.
Software Required
We'll be using the ForgeRock products below. You'll need to create an account on the ForgeRock Backstage site to download them.
Active Directory Password Sync Plugin 1.1.0. The password sync plugin captures password changes in plain text before they're hashed in AD and sends them to OpenIDM over an encrypted channel.
OpenIDM 3.1. OpenIDM is a synchronization engine that synchronizes data (including passwords) to external resources such as LDAP directories and databases.
OpenDJ 3.0. This is a Java-based LDAP directory server descended from Sun's OpenDS (it is not related to OpenLDAP).
OpenAM 13.0 WAR. OpenAM is an access management server that provides federation services and acts as an identity provider, connecting to a custom backend such as OpenDJ to authenticate users.
You will also need the software below to test the flow:
Oracle VirtualBox
Windows 10 (64-bit) VM created with VirtualBox (any available Windows client version will do)
Active Directory domain controller on Windows Server 2012, with Active Directory Domain Services installed
Steps for Installation
The following steps need to be completed before deploying the password sync agent.
Get a domain controller running on Windows Server 2012 with Active Directory Domain Services up and running.
Install Oracle VirtualBox and create a Windows VM. You need a Windows client VM that can join the AD domain, and you will also need VirtualBox if you install Windows Server 2012 as a VM.
To install Windows Server 2012 on VirtualBox, please refer to this link.
To set up a domain controller on Windows Server 2012, please refer to this link.
Create a user in Active Directory who will log in from the Windows machine joined to the AD domain. On the Windows Server, search for "Active Directory Users and Computers"; this opens the AD management console, where you can create the user.
Join the Windows client to the AD domain (by default it belongs to WORKGROUP). Please refer to this link.
Once the prerequisite software is installed, follow the steps below to configure password sync (AD > OpenIDM > OpenDJ) and then federate with OpenAM so that applications can use AD credentials (OpenID Connect client > OpenAM > OpenDJ).
1. Install OpenDJ with LDAPS enabled. Refer to the ForgeRock documentation for details. During installation, choose the option to create a base DN and the option to create the base entry; do not select the option to leave the database empty.
2. Unzip OpenIDM into a folder and configure an LDAP connector that connects to the OpenDJ instance installed in the previous step. Refer to this link to learn how to configure an LDAP connector.
Configuring an LDAP connector means connecting OpenIDM to OpenDJ through an OpenICF connector. OpenIDM ships with many connectors for external resources, and the connector can also be set up through the OpenIDM Admin UI.
By default, OpenIDM uses OrientDB as its internal repository; this is fine for evaluation but not recommended for production.
3. Create a managed user in OpenIDM with the curl command below. This managed user corresponds to the user already present in Active Directory who will log in from the Windows machine joined to the AD domain. In the real world this user would be created by reconciling data from Active Directory into OpenIDM with the Active Directory connector; for evaluation, the curl command is enough. Note that the header names are X-OpenIDM-Username and X-OpenIDM-Password with no spaces, and that openidm-admin/openidm-admin are the default administrator credentials, which should be changed for anything beyond a throwaway evaluation.
curl --header "Content-Type: application/json" \
     --header "X-OpenIDM-Username: openidm-admin" \
     --header "X-OpenIDM-Password: openidm-admin" \
     --request POST \
     --data '{"userName":"nitinprabhu","accountStatus":"active","givenName":"nitin","sn":"prabhu","cn":"Nitin Prabhu","mail":"nitin@dummy.co.uk"}' \
     "http://localhost:8080/openidm/managed/user?_action=create"
A successful call returns the created object as JSON, including its generated _id and _rev.
4. Set up a mapping from the OpenIDM managed user to LDAP so that whenever a password is updated in OpenIDM's internal repository, it is automatically pushed to LDAP.
The password sync agent updates the managed user in OpenIDM's internal repository whenever it detects a password change in Active Directory, and the mapping then propagates that change to OpenDJ. Refer to this link for tips.
You only need a one-way mapping, from the managed user to LDAP (the sample maps both ways, from managed user to LDAP and from LDAP to managed user).
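As an added illustration (not the article's own configuration, and not a file taken from the ForgeRock samples), this is the shape of such a one-way mapping in OpenIDM's conf/sync.json. It assumes the LDAP connector was named "ldap" in step 2 and that OpenDJ's base DN is dc=example,dc=com with user entries under ou=People; adjust the DN transform and attribute names to your directory. The __PASSWORD__ target is the OpenICF attribute that the LDAP connector writes to userPassword. Because the source is managed/user, OpenIDM's implicit synchronization pushes every change to the managed user, including the password set by the agent, through this mapping without waiting for a scheduled reconciliation.

```json
{
  "mappings": [
    {
      "name": "managedUser_systemLdapAccounts",
      "source": "managed/user",
      "target": "system/ldap/account",
      "properties": [
        {
          "source": "userName",
          "target": "dn",
          "transform": {
            "type": "text/javascript",
            "source": "'uid=' + source + ',ou=People,dc=example,dc=com'"
          }
        },
        { "source": "userName",  "target": "uid" },
        { "source": "givenName", "target": "givenName" },
        { "source": "sn",        "target": "sn" },
        { "source": "cn",        "target": "cn" },
        { "source": "mail",      "target": "mail" },
        { "source": "password",  "target": "__PASSWORD__" }
      ],
      "policies": [
        { "situation": "ABSENT",    "action": "CREATE" },
        { "situation": "MISSING",   "action": "CREATE" },
        { "situation": "FOUND",     "action": "UPDATE" },
        { "situation": "CONFIRMED", "action": "UPDATE" }
      ]
    }
  ]
}
```

Only the managed-user-to-LDAP direction is declared, so a change made directly in OpenDJ is never written back into OpenIDM; the directory is a pure consumer of the AD password.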
5. Now deploy the password sync agent on the Windows Server that hosts the domain controller. Refer to this link for tips.
Generate the ad-pwd-plugin-localhost.p12 certificate before starting the installation, because the installer asks you to browse to the P12 file.
If you need to reinstall the agent, first delete everything under HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync in the registry.
6. This completes the setup for password synchronization from AD > OpenIDM Internal Repository (managed user) > OpenDJ.
Testing the Setup
Once all the steps are complete, change the password of the AD user from the Windows machine joined to the domain. That change should be synchronized to OpenDJ.
Check the password sync agent logs (the log location is chosen during agent installation); you should see a POST request made to OpenIDM with a success status.
If you see a BadPaddingException or a decryption error, the certificate installation is the problem: the certificate the agent encrypts with does not match the key OpenIDM is using to decrypt. Regenerate the P12 certificate, re-import it into the OpenIDM truststore, and deploy the agent again with the new certificate. You also need to delete the registry keys mentioned above and OpenIDM's internal repository (delete everything under /path/to/openidm/db/openidm/*), which removes the managed user as well, so repeat step 3 afterwards.
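The three checks described above, as an added verification script that is not part of the original article and not a ForgeRock tool. It assumes OpenIDM at http://localhost:8080/openidm with the default admin credentials, OpenDJ listening for LDAPS on localhost:1636 with base DN dc=example,dc=com and users under ou=People, the OpenDJ ldapsearch command on the PATH, and the managed user created in step 3. The log lines it is tested against are constructed; the agent's real log format may differ, so adjust the grep patterns in sync_log_status to what your agent writes.

```shell
#!/bin/sh
# Added verification helper for the AD > OpenIDM > OpenDJ password sync (not from the article).
set -eu

# Assumed environment; override any of these with environment variables.
OPENIDM_URL="${OPENIDM_URL:-http://localhost:8080/openidm}"
OPENIDM_ADMIN="${OPENIDM_ADMIN:-openidm-admin}"
OPENIDM_ADMIN_PW="${OPENIDM_ADMIN_PW:-openidm-admin}"
LDAP_HOST="${LDAP_HOST:-localhost}"
LDAPS_PORT="${LDAPS_PORT:-1636}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# Check 1: the managed user exists in OpenIDM's repository. Queries managed/user with a
# CREST query filter (assumed supported by OpenIDM 3.1) and greps the JSON for the userName.
openidm_user_exists() {
  username="$1"
  curl -s -G \
    --header "X-OpenIDM-Username: ${OPENIDM_ADMIN}" \
    --header "X-OpenIDM-Password: ${OPENIDM_ADMIN_PW}" \
    --data-urlencode "_queryFilter=userName eq \"${username}\"" \
    "${OPENIDM_URL}/managed/user" \
    | grep -q "\"userName\" *: *\"${username}\""
}

# Check 2: the AD password reached OpenDJ. Bind as the user over LDAPS with the password
# just set in AD; a successful bind proves the synchronized credential works.
# --trustAll skips server certificate verification and is for evaluation only.
ldap_bind_ok() {
  username="$1"
  password="$2"
  ldapsearch --hostname "${LDAP_HOST}" --port "${LDAPS_PORT}" --useSSL --trustAll \
    --bindDN "uid=${username},ou=People,${BASE_DN}" --bindPassword "${password}" \
    --baseDN "${BASE_DN}" "(uid=${username})" dn >/dev/null
}

# Check 3: classify the password sync agent log. Prints one of:
#   decrypt-error - a BadPaddingException / decryption error was logged (certificate mismatch)
#   ok            - at least one POST to OpenIDM was logged and no decryption error
#   no-post       - the agent never posted, so the password change was not captured
# Exit status is 0 only for "ok".
sync_log_status() {
  log="$1"
  if grep -qE 'BadPaddingException|Decryption error' "$log"; then
    echo "decrypt-error"; return 1
  fi
  if grep -qE 'POST' "$log"; then
    echo "ok"; return 0
  fi
  echo "no-post"; return 1
}

# Usage: sh verify_sync.sh <username> <new-ad-password> <agent-log-file>
# The password is read from the command line for simplicity; on a shared host it is
# visible in the process list, so run this only on the evaluation machine.
if [ "$#" -eq 3 ]; then
  if openidm_user_exists "$1"; then
    echo "OK: managed user $1 exists in OpenIDM"
  else
    echo "FAIL: managed user $1 not found in OpenIDM (repeat step 3)"; exit 1
  fi
  status=$(sync_log_status "$3") || { echo "FAIL: agent log status is $status"; exit 1; }
  echo "OK: agent log status is $status"
  if ldap_bind_ok "$1" "$2"; then
    echo "OK: LDAPS bind as $1 succeeded, the AD password reached OpenDJ"
  else
    echo "FAIL: LDAPS bind as $1 failed, the password did not reach OpenDJ"; exit 1
  fi
fi
```

Run the checks in this order: if the managed user is missing, the agent's POST cannot succeed; if the log shows a decryption error, the bind will fail no matter what OpenDJ reports; only when the bind succeeds has the password actually travelled AD > OpenIDM > OpenDJ.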
Federation Using OpenAM by Authenticating Against OpenDJ Using AD Credentials
We will authenticate users with OpenAM against OpenDJ, to which the passwords are synchronized, and then redirect them once authenticated.
For evaluation purposes we will only deploy the OpenAM WAR in Apache Tomcat, without deploying any policy agents or customizing the user interface.
Steps to Configure OpenAM
Download the latest OpenAM 13 WAR file from ForgeRock Backstage.
Download and install Apache Tomcat 7 and JDK 7 or later.
Enable the Tomcat manager roles to deploy the OpenAM WAR through the Tomcat UI, or deploy it manually by placing the WAR in Tomcat's webapps folder.
Before you deploy the OpenAM WAR, a few environment changes are needed. Refer to this link for details.
Once the OpenAM WAR is deployed, launch the application and configure OpenAM to use OpenDJ (to which the AD passwords are synchronized) as the backend for authentication. Refer to this link for details.
Now you can log in to OpenAM using AD credentials.
Configuring OpenID Connect Client in OpenAM
Refer to this link to configure an OpenID Connect client. The Windows user can then access other applications through the OpenID Connect client using Windows credentials.
Opinions expressed by DZone contributors are their own.