Sync Provider Configuration Reference

The Sync Provider is the system you want to synchronize passwords with. Specops Password Sync ships with a number of included providers. If you want to develop your own Sync Providers for the systems used by your organization, contact Specops support.

Below you will find the configuration specifications for the included providers.

Active Directory Provider

The Active Directory provider is used to synchronize password changes to another Active Directory domain. The other Active Directory domain can be either trusted or untrusted.

Prerequisites

  • Admin account in the remote domain.
  • Open network communication between the Sync Server and the target domain controller. This typically means that the following two ports must be open:
    • tcp/389 (LDAP)
    • tcp/445 (SMB)

Parameters

  • Domain or Domain Controller Name: The FQDN of the remote Active Directory domain or of a domain controller in it.
  • Unlock user if locked out: Automatically unlocks locked user accounts when the password is synchronized.
    1: Unlock locked accounts (default value).
    0: Do not unlock locked accounts.
  • Admin User Name: The name of the admin account used to reset passwords in the remote domain. Example: Example\Administrator
  • Provider Password: The password of the admin account.

Domino provider (Notes Client)

The Domino provider is used to synchronize passwords to the Domino Internet Password.

Prerequisites

  • Notes client release 5.0.2b or later installed on the Sync Server.
  • Admin credentials present in the Notes client.
  • Open network communication from the Specops Password Sync Server to the Domino server.

Parameters

  • Address to the Domino Server: The FQDN of the Domino server.
  • User database: The database that contains the users. Default value: names.nsf
  • Database view: The view in the database which contains the users. Default value: ($VIMPeople)
  • Name column: The name of the column in the view that contains the users. Default value: Name

Note: For information about configuring the Domino Web Service, see Domino for Specops Password Sync.

Email Notification Provider

The email notification provider is used to trigger a customized email when the password of a user is changed. This can be used for a wide range of purposes; one example is sending an SMS to the mobile device of the user to remind them to change the ActiveSync password on the device to match the new Active Directory password.

Prerequisites

  • An email server must be available to send mail from the service account used on the Sync Server.

Parameters

  • SMTP Server Name: The FQDN of the SMTP server to use when sending email.
  • Port: The port number on the SMTP server. Default value: 25
  • From: The email address the email should be sent from. Supports placeholders.
  • To: The email address the email should be sent to. Supports placeholders.
  • Subject: The subject of the email. Supports placeholders.
  • Body: The body text of the email. Supports placeholders.

Placeholders

The email fields in the Email Notification provider also support placeholders to customize the email content. A placeholder can be used multiple times in the same field if necessary.

  • %User.%: Retrieves values from attributes on the user object of the user who triggered the password change.
  • %Password%: Used to include the new password in the email sent by the provider.
    Note: You should only use this placeholder after verifying that the resulting action is compatible with the information security policy of your organization.

Google Apps provider

The Google Apps provider is used to synchronize passwords with Google Apps.

Prerequisites

  • Admin account in the Google Apps domain where passwords should be synchronized.
  • Internet access on the Specops Password Sync Server.
  • For new Google Apps accounts, the user must initialize the account by logging in for the first time.

You will need to complete the following tasks as part of the prerequisites:

Create a Google Apps service account

  1. Visit developers.google.com.
  2. Log in with a Google Apps account.
  3. Click Create Project.
  4. Enter a project name, and click Create.
  5. Select the newly created project and from the left menu pane browse to APIs & auth, and click Credentials.
  6. Click Create new Client ID.
  7. Select Service Account as the application type, and click Create new Client ID.

Note: The service account ends with @developer.gserviceaccount.com.

  8. Click Generate new P12 key. You will be prompted to save the private key.
  9. In the New Public/Private key pair generated dialog box, find and make note of your private key’s password. You will need it to save the certificate.

Note: Your private key’s password may be notasecret. Make sure to make note of the actual password.

  10. Browse to APIs & auth and click APIs. Under Google Apps APIs find the Admin SDK and enable it.
  11. Click Permissions.
  12. Verify that the Can edit button appears in the permission column for the new service account.

Delegate the service account

  1. Sign in to google.com with an account that has administrator permissions in the Google Apps environment.
  2. In the administrator console, click Security.
  3. Select API reference, and ensure API access is enabled.
  4. Click Show more, then Advanced settings, and click Manage API client access.
  5. In the Client Name field enter the client id from the newly created service account.
  6. In the One or More API Scopes, enter the following: https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly
  7. Click Authorize.

Note: The links should appear in the following format. This verifies the validity of the URL.

[Figure: Delegate the service account]

Import the certificate on all Sync Servers running the Google App Sync Point

  1. Run MMC.exe.
  2. Select File and click Add/Remove Snap-in…
  3. Select Certificates from the available snap-ins, and click Add.
  4. Select Computer account in the Certificates snap-in dialog box, and click
  5. Ensure that Local computer is selected, and click Finish.
  6. In the Console Root window’s left pane, expand Certificates.
  7. Right-click Personal, select All Tasks, and click Import.
  8. Follow the on-screen instructions in the Certificate Import Wizard, and click Finish when complete.
    Note: In the Import options, ensure that the Mark this key as exportable is checked.
  9. In the Console Root window’s left pane, expand Certificates.
  10. Expand Personal, and click Certificates.
  11. In the list of certificates, locate and double click the newly created certificate.
  12. In the Certificate dialog box, click the Details
  13. Scroll through the list of fields, and click Thumbprint.
  14. Copy the hexadecimal characters from the box.

[Figure: Import the certificate on all sync servers]

Configure the Sync Point

  1. Open the Specops Password Sync Administration Tools.
  2. Click Sync Points.
  3. Select the Google App provider and click Edit.

Note: The Google App provider will only appear if the Sync point already exists.

  4. Click Select and Configure Provider.
  5. Configure the following parameters and click OK.

  • Administrator Account Email: The login account that will be used to perform the password change in your Google Apps domain.
  • Certificate thumbprint: The thumbprint of the certificate generated by Google.
  • Service account email address: The email address of the Google Apps service account, ending in @developer.gserviceaccount.com.

IBM Connections

The IBM Connections provider is used to synchronize passwords to IBM Connections.

Prerequisites

  • IBM Connections account with Administrator or Admin Assistant roles.

Parameters

  • Administration account: The email address associated with the IBM Connections account.
  • URL: The URL to the IBM Connections API. Example: https://apps.na.collabserv.com/api/bss
  • Provider Password: The password associated with the administration account.
  • Repeat Password: The password associated with the administration account.

Kerberos provider

The Kerberos provider is used to synchronize passwords to Kerberos-based systems.

Prerequisites

  • Admin account with permissions to reset passwords in the Kerberos realm of the target users.
  • Open network communication from the Specops Password Sync Server to the Kerberos server.

Parameters

  • Target Realm: The Kerberos realm where the target account exists.
  • KDC Address: The address of the Kerberos KDC to contact. This field is optional.
  • Admin Realm: The Kerberos realm where the administrator account exists.
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

LDAP Provider

The LDAP provider is used to synchronize passwords to remote LDAP systems, such as OpenLDAP or Active Directory Lightweight Directory Services (AD LDS). If the target server is a full Microsoft Active Directory, the Active Directory provider should be used.

Prerequisites

  • Admin account in the remote system.
  • Open network communication between the Sync Server and the remote server. This typically means that one of the following two ports must be open:
    • tcp/389 (non-SSL-encrypted LDAP)
    • tcp/636 (SSL-encrypted LDAP)

Parameters

  • Server name: The name of the remote LDAP server.
  • Port number: The port number to use when contacting the remote LDAP server. Default port: 636
  • Authentication Type: Can be set to one of the following:
    • Basic: Uses basic authentication with username/password. Should be used for testing only.
    • BasicSsl: Uses basic authentication with username/password over SSL. This can be used in production against an OpenLDAP server. To use this authentication type you need to configure the thumbprint of the server certificate (see Valid Certificate Thumbprint below), so that the sync point knows it is talking to the trusted server.
    • Negotiate: Uses the best available algorithm to encrypt, and verify the integrity of, the password changes sent to the LDAP server. Use this when the LDAP server and the Sync Server share a Kerberos trust.
  • Valid Certificate Thumbprint: The server certificate’s thumbprint. Leaving this field empty means that any certificate will be accepted (not recommended).
    To determine the server certificate thumbprint, type “xyz” as “Valid Server Certificate Thumbprint” and attempt one reset. The error message in the test tool (or the application event log) will contain the thumbprint. The thumbprint is a hex string and may or may not contain “:” separators.
    Note: This setting is only applicable for BasicSsl authentication.
  • Attribute Name: The name of the user attribute in the LDAP system where the password is stored. This parameter is used in conjunction with “Convert to Unicode.” Default value: unicodePwd.
  • Password Format: Determines how the password sent to the target system should be encoded. Possible values:
    • QuotedUnicode: Adds quotes around the password, then sends the Unicode bytes to the target system. This should be used when syncing to another Microsoft Active Directory.
    • Unicode: Sends Unicode bytes to the target system.
    • Utf8: Sends UTF-8 bytes to the target system.
  • Admin User Name: User name of the admin account in the LDAP system. The user name should be in distinguished name format (CN=admin, DC=example, DC=com).
  • Provider Password: The password of the admin account.

Note: Specops recommends using the Active Directory provider to synchronize passwords against remote Active Directories. If you need to use the LDAP provider against Active Directory, the Admin User Name should be specified in the SAM Account Name format instead of the DN of the admin account.
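To make the Password Format and certificate thumbprint rules above concrete, here is an added example (not Specops code) that encodes a password each of the three ways and lints an LDAP sync point configuration for the settings this section says not to use in production; the configuration keys, the sample thumbprint and the function names are this example's own.

```python
import re

def encode_password(password: str, fmt: str) -> bytes:
    """Bytes the provider writes to the target attribute for each Password Format."""
    if fmt == "QuotedUnicode":   # password wrapped in quotes, then UTF-16LE (AD unicodePwd)
        return f'"{password}"'.encode("utf-16-le")
    if fmt == "Unicode":         # UTF-16LE without the quotes
        return password.encode("utf-16-le")
    if fmt == "Utf8":            # UTF-8 bytes (OpenLDAP userPassword)
        return password.encode("utf-8")
    raise ValueError(f"unknown Password Format {fmt!r}")

def normalize_thumbprint(value: str) -> str:
    """Accept the thumbprint with or without ':' separators; return 40 upper-case hex digits."""
    digits = value.replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("thumbprint must be 40 hex digits")
    return digits

def lint_ldap_config(cfg: dict) -> list:
    """Return one finding per setting this section warns against (empty list = clean)."""
    findings = []
    auth = cfg.get("Authentication Type")
    attr = cfg.get("Attribute Name", "").lower()
    fmt = cfg.get("Password Format")
    if auth == "Basic":
        findings.append("Basic sends credentials in clear text: testing only")
    elif auth == "BasicSsl":
        thumb = cfg.get("Valid Certificate Thumbprint", "")
        if not thumb:
            findings.append("empty thumbprint: any server certificate is accepted")
        else:
            try:
                normalize_thumbprint(thumb)
            except ValueError as err:
                findings.append(f"thumbprint: {err}")
    # The page pairs unicodePwd with QuotedUnicode (Active Directory / AD LDS targets).
    if (attr == "unicodepwd") != (fmt == "QuotedUnicode"):
        findings.append("unicodePwd and QuotedUnicode belong together")
    return findings

# Constructed sample configurations: the weak one and its hardened form.
WEAK_OPENLDAP = {
    "Authentication Type": "BasicSsl", "Valid Certificate Thumbprint": "",
    "Attribute Name": "userPassword", "Password Format": "Utf8",
}
HARDENED_OPENLDAP = dict(WEAK_OPENLDAP, **{
    "Valid Certificate Thumbprint": "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67",
})

if __name__ == "__main__":
    print(encode_password("Pa55word", "QuotedUnicode"))
    print(lint_ldap_config(WEAK_OPENLDAP))      # one finding: empty thumbprint
    print(lint_ldap_config(HARDENED_OPENLDAP))  # []
```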

Sample Configurations

OpenLDAP non-SSL (not for production use)

If the target is an OpenLDAP server configured to use basic authentication (clear text), configure with:

  • Server name: DNS name of the LDAP server
  • Port number: Typically 389
  • Authentication Type: Basic
  • Attribute Name: userPassword
  • Password Format: Utf8

Target user should be DN-formatted (use proper name mapping).

OpenLDAP SSL

If the target is an OpenLDAP server configured to use SSL, configure with:

  • Server name: DNS name of the LDAP server
  • Port number: Typically 636
  • Authentication Type: BasicSsl
  • Valid Certificate Thumbprint: Hex string of the server certificate’s thumbprint (40 hex digits)
  • Attribute Name: UserPassword
  • Password Format: Utf8

Note: It is not sufficient to use a trusted certificate. The server certificate’s thumbprint must be configured in the sync point.

Active Directory Lightweight Directory Services

If the target server is an Active Directory Lightweight Directory Services (AD LDS) server, configure with:

  • Server: Name of a DC
  • Port number: Typically 389
  • Authentication Type: Negotiate
  • Attribute Name: UnicodePWD
  • Password Format: QuotedUnicode
  • Admin username: Administrator (flat name without domain)

Note: Target user should be DN-formatted.

Local Accounts provider

The Local Accounts provider is used to reset passwords for local user accounts on a specific computer.

Prerequisites

  • Admin account for the target computer.
  • Open network communication from the Specops Password Sync server to the target computer.

Parameters

  • Administrator Account: The user name of the admin account.
  • Computer Name: The name of the target computer.
  • Provider Password: The password of the admin account.

Microsoft Online Services provider

The Microsoft Online Services provider is used to synchronize passwords to Microsoft Online Services, such as Office 365.

Prerequisites

Parameters

  • Administrator Account: The user name of the admin account.
  • Provider Password: The password of the admin account.

Microsoft SQL Server provider

The Microsoft SQL Server provider is used to synchronize passwords to MS SQL server users.

Prerequisites

  • SQL Server authenticated admin account (Windows authentication is not supported).
  • SQL Server user accounts (accounts stored within custom databases are not supported).
  • Open network communication between the Specops Password Sync Server and the target MS SQL server.
  • SQL Server Management Studio Tools installed on the Sync server.

Parameters

  • SQL Server: The name of the target MS SQL Server.
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

Oracle Database provider

The Oracle Database provider is used to synchronize passwords to Oracle database users.

Prerequisites

  • The provider is designed for Oracle 11g, but may work on other versions as well.
  • Oracle admin account.
  • Oracle authenticated users.

Note: Accounts stored within custom databases are not supported.

Parameters

  • Database Server: The data source, in the following format:
    (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID)))
    Replace MyHost, MyPort and MyOracleSID with the corresponding values from the tnsnames.ora file. You can find this file in the ORACLE_HOME\NETWORK\ADMIN directory.

    The following is a sample of the tnsnames.ora file:

    ORACLR_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
        (CONNECT_DATA =
          (SID = CLRExtProc)
          (PRESENTATION = RO)
        )
      )

    ORCL =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = SRV04.shrek.qa)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = orcl.shrek.qa)
        )
      )

    The data source should look like this after you have added the corresponding values from the tnsnames.ora file:
    (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SRV04.shrek.qa)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.shrek.qa)))
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

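The conversion from a tnsnames.ora entry to the provider's Database Server value, as an added example that is not Specops code: it parses the nested entry format, picks the HOST, PORT and SERVICE_NAME (or SID) of the named alias, and rejects entries such as the IPC-only ORACLR_CONNECTION_DATA that cannot be used. The parser and function names are this example's own.

```python
# Builds the Oracle provider's "Database Server" value from a tnsnames.ora entry (added example).
def _parse_node(text, pos):
    """Parse '(KEY = leaf)' or '(KEY = (child)...)' at text[pos] == '('; return (KEY, value, end)."""
    eq = text.index("=", pos)
    key = text[pos + 1:eq].strip().upper()
    i, children, leaf = eq + 1, [], ""
    while True:
        ch = text[i]
        if ch == "(":                       # nested node
            ckey, cval, i = _parse_node(text, i)
            children.append((ckey, cval))
        elif ch == ")":                     # end of this node
            return key, (children or leaf.strip()), i + 1
        else:                               # leaf text
            leaf += ch
            i += 1

def parse_tnsnames(text):
    """Map each alias in the file to its list of (KEY, value) pairs."""
    entries, i = {}, 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        eq = text.index("=", i)
        alias = text[i:eq].strip().upper()
        key, value, i = _parse_node(text, text.index("(", eq))
        entries[alias] = [(key, value)]
    return entries

def _find(node, wanted):
    """Depth-first search for the first leaf named `wanted`, or None."""
    for key, value in node:
        hit = _find(value, wanted) if isinstance(value, list) else (value if key == wanted else None)
        if hit is not None:
            return hit
    return None

def database_server_string(tnsnames_text, alias):
    """Return the single-line descriptor the provider's Database Server field expects."""
    entry = parse_tnsnames(tnsnames_text)[alias.upper()]
    host, port = _find(entry, "HOST"), _find(entry, "PORT")
    service = _find(entry, "SERVICE_NAME") or _find(entry, "SID")
    if not (host and port and service):   # e.g. an IPC-only entry such as ORACLR_CONNECTION_DATA
        raise ValueError(f"{alias}: needs a TCP HOST/PORT and a SERVICE_NAME or SID")
    return (f"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port}))"
            f"(CONNECT_DATA=(SERVICE_NAME={service})))")

# Constructed sample with the same two entries as the tnsnames.ora excerpt above.
SAMPLE_TNSNAMES = """ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
    (CONNECT_DATA = (SID = CLRExtProc)(PRESENTATION = RO)))
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = SRV04.shrek.qa)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.shrek.qa)))
"""
```

Calling database_server_string(SAMPLE_TNSNAMES, "ORCL") yields exactly the descriptor shown in the text above.
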
Salesforce provider

The Salesforce provider is used to synchronize passwords to Salesforce.

Prerequisites

  • Admin account in the target Salesforce.
  • Valid Salesforce security token for the admin account. The security token for the admin account should have been emailed to you when you set up your Salesforce account or the last time you reset your password. If you are unable to find this email, you will need to reset the token.

To get or reset your security token:

  1. At the top of any Salesforce page, click the down arrow next to your name. From the menu under your name, select Setup or My Settings, whichever one appears.
  2. From the left pane, select one of the following:
    • If you clicked Setup, select My Personal Information, then Reset My Security Token.
    • If you clicked My Settings, select Personal, then Reset My Security Token.
  3. Click Reset Security Token. The new security token is sent via email to the email address on your Salesforce user record. Keep this email. Your security token is not displayed in your settings or profile.

Note: This token is changed every time the password of the admin account is changed.

Parameters

  • URL: The URL to the Salesforce.com API. Default value: https://login.salesforce.com/services/Soap/c/23.0
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password followed by the security token. For example, if your password is “myPassword” and your security token is “XXXX”, enter “myPasswordXXXX”.

SAP provider

The SAP provider is used to synchronize passwords to user accounts in SAP systems.

Prerequisites

  • Admin account in the target SAP environment.
  • SAP .Net Connector 3.0 for .Net 4.0 must be installed on the Specops Password Sync Server.

Note:

  • The SAP .Net Connector depends on the Visual C++ 2010 redistributable, which the SAP installer does not install. If this component was not installed as part of another package, the provider will fail with the following error message: “Could not load file or assembly ‘sapnco_utils.dll’ or one of its dependencies. The specified module could not be found.”
  • Installing KB2365063 (Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package MFC Security Update) will fix the problem.

Parameters

  • Address to the SAP server: FQDN of the SAP server where the password should be changed.
  • System ID: The system ID in SAP (e.g. 00).
  • Client ID: The client ID in SAP (e.g. 100).
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

Windows Service provider

The Windows Service provider is used to update the password used in a Windows Service when the password of the domain service account is changed. The provider will find all services running as the domain account on the target server and set the new password on them.

Prerequisites

  • Admin account on the target server.
  • Open network communication between the Specops Password Sync Server and the target server.

Parameters

  • Administrator Account: The user name of the admin account that will be used to change the password on the remote server.
  • Server Name: The name of the target server where the service is running.
  • Provider Password: The password of the admin account.