Another optional MIM feature is password synchronization. Password synchronization allows you to synchronize passwords between connected systems that have appropriately configured Management Agents. Password synchronization does not require run profiles, because the password is intercepted at the configured source system and passed to the configured target system. There are some key takeaways you should know about password synchronization.
First, there are three types of Management Agent:
- Those that support password synchronization by default
- Those that need a custom DLL for password synchronization
- Those that do not support password synchronization
Active Directory, Active Directory Lightweight Directory Services, IBM Directory Server, and Lotus Notes are some of the MAs that support password synchronization without the need to write any special code—there are a few configuration items within the MA that are needed, and you are done. The SQL Management Agent is an example of one that requires custom code to be written, while the MIM MA does not have any password synchronization settings.
To enable password synchronization, an MA is configured to be a source for password synchronization, a target to receive password changes, or nothing at all (default):
- If you look at the AD MA, in Configure Directory Partitions, there is an option named Enable this partition as a password synchronization source. Notice the Targets button where you can select the targets that this source MA should send its password updates to:
- If you want to configure an AD MA for a target to receive password updates, go to Configure Extensions, and check the Enable password management box and click on the Settings button, where you can find a few other options such as retry and whether MIM should unlock the account when resetting the password:
- Additionally, there is a global password synchronization setting within the Synchronization service itself, available from the Management Agents tool by clicking on Tools | Options:
