Second Password Capture Agent on AD Domain

Hi experts,

Is it possible to run a second password capture agent on the same AD Domain, pointing to another One Identity Manager version?

We currently have two One Identity Manager installations running, the old Version 6.1, for which the password capture agent is currently installed, and Version 8.1.

We are rebuilding all functionalities of V6.1 in V8.1, so that V6.1 can be shut down some day, and would like to start rebuilding some processes that rely on the passwords from AD.

It would be great if we could do it gradually, but for that we would need to be able to capture the passwords from AD and send the changed passwords to both IDM versions.

Thank you and best regards
 Jessey

  • Are you putting these on the same domain controller? Are they managing the same users? 

  • Hello,

    If possible, yes, we would like to have a second capture agent on the same domain, to send the changed passwords to the IDM V8.1 for the same users.

  • I believe it is possible as they would get installed in two different directories. I am not sure though if it would cause any issues. I wouldn't recommend it.

  • I've used different password hooks in my AD and they seem to live happily together. I had 389ds dir sync installed, along with GSuite's password sync, both working together. But, that's true, they pointed to different databases (ldap, google) and different products. I'm not quite sure it'll work if you install two versions of the same product.

    Options:

    • A: Send the passwords only to 8.1, then create a OneIdentity sync project to point to the older 6.1 version. I haven't tried that and it'll only update Persons attributes, but as long as the AD accounts are attached to a person account, the password should propagate first up to the Person (8.1) then down to the AD account (6.1).
    • B: Do not delete the password from the ADSAccount table (the process does delete them after updating the object) in 8.1 and build an external process that updates the 6.1 tables from the password attribute in 8.1