IBM Verify


 Selectively disabling ISIM Password Sync for an AD Service that manages System Accounts

Ninad Tamras posted Fri January 10, 2025 08:24 AM

We have two AD services in ISIM, one for personal user accounts, one for service accounts (for use by applications). When a User requests an AD Service Account, we want the password to be different from the User's Password for all other personal accounts. Is there a way to selectively disable Password Sync functionality for a specific Service instance?

Franz Wolfhagen

We are now writing 2025 - twenty years ago password synchronization was a security problem....

So my first advice is to get rid of the password synchronization as soon as possible - it was a convenient but stupid and insecure way of supporting users' ease of access - it should definitely not be used if you are taking security (specifically lateral movement) seriously.

Besides that - check this section of the documentation: Password synchronization properties - the second property is what you want to use...

There are other ways to do it depending on how you do the synchronization - but assuming you are using the default password synchronization this is the way to solve the issue.

The older (and IMHO better but more complex) way is to use a specific account for the password synchronization that is coupled to the specific plugin(s) and uses ACIs to scope the password changes - a much more flexible and controllable option - but that is still a bad idea as stated...

Jacky Wang

Happy new year to all/@Franz Wolfhagen

We are currently using Security Verify Directory Server as the enterprise app LDAP repo, enabled with Pass-Through Authentication (PTA) to internal Windows Active Directory. I see the SDS/SVD password policy is powerful, but its per-entry enablement relies on the existence of the userPassword attribute. On the contrary, the SVD entry's PTA enablement requires the absence of userPassword.

I wonder if you see there being an enhancement to SVD supporting both PwdPolicy and PTA (no-pwd-sync/migration scenario) at the same time? And any good practice direction/integration trends for (on-prem) SVD/LDAP/AD passwordless authentication?

Thank you!

Franz Wolfhagen

A change to UG code seems to have removed the option to answer in thread - so this is an answer to Jacky Wang on the topic of PTA and password policies...

First - please do not hijack another thread - especially now where thread answering is impossible - it will be a mess...

Can you please open the question and give some examples of what you expect the system to do - I have been in contact with our Product Manager and he needs a little more input to understand the scenarios/use cases.

So please post your question again in a new top post and then also give some examples - then we can suggest a way forward :-)