Other than some really old KB articles from 2012, just wondering if this can even be done or how to deal with the situation I'm dealt.
eDir <-> eDir Vault <-> AD
Passwords, however, are synced only one way from eDir -> AD (there's no password driver installed on the AD DC).
For political, oh I mean, "security" reasons, the AD Default Domain policy regarding passwords needs to be changed to use MS Complexity and the Max Password age set to 90 and the Min. set to 1)
I've got the eDir NMAS stuff setup as "equivalent" as I can.
Now, we have a loopback driver that adjusts the TIME of the password expiration in eDirectory so that if you change the password, it adjusts the time (not the date) to 90 days at midnight.
Ie, if I change it today, it'll set to 3/20/19 at midnight.
Now, in AD of course, it sets the pwdLastSet to the actual date/time that the password was changed, so it'll be like, 12/20/19 @ 10:50 a.m.
So the issue that we've encountered in testing is that, the user will sit down to their PC and login with the Novell Client, which will (or used to) seamlessly login to AD. But you'll then get prompted by the MS Client to change your AD password (this depends on WHEN you login to the PC obviously), and you have to do that first before you can get the desktop and then change the eDirectory password.
I'm racking my brain to come up with any method that would sync the password expiration date/time to AD (and of course AD stores the value in some hideous format).
BUT, I'm now thinking, that even if that's is accomplished, we'd run into the same situation:
You'll login to eDirectory via the Novell Client, which will try to login to AD (so that you can actually change the password) but even if both passwords expire at midnight, you'll be prompted to change the AD password before you load up the desktop.
The only viable option I see is to not set AD to expire passwords every 90 days which won't fly (well it's not my decision, but I'm 99% certain the answer will be "no").
We could try to mitigate it via pre-emptive password change emails, but it seems that doesn't work reliably (from a cursory forum search), and knowing our users (we have another system that emails every 15 days prior to password expiration and I'd say at least 50% of the people don't pay attention to it).
But I'm open to ideas/suggestions that I can pass along.