Password sync issue between eDir and AD

We have IDM 4.5.2 syncing users between eDir and AD, and have password sync through that driver. If we have the user pwd expiring from eDir and the user logs into GroupWise they are prompted to change their password and that password change syncs. On the other hand, if we have the password expired in AD and the user is prompted from their Windows workstation to change their password, that does not sync. If the password in AD is not set to expire but the user changes their password on their workstation it syncs as it is supposed to.
What seems to be the problem is when the user is forced to change their password by AD. On a user object in iManager if I check their password status under those circumstances, it will display the following:

"Not Synchronized. Check password connection validation.Bind failed because of one or more of the following errors.The user's password must be changed before logging on the first time.Invalid Credentials"

Is this something to be expected? I do not have GroupWise accounts for all users so I cannot fall back to having eDir be the only place where their password would expire - I have to have AD do it.

Any feedback would be appreciated.

-Dan
  • No, and most likely the symptoms are a coincidence.

    All password changes in MAD go to a DC, no matter what causes them, or who
    changes them, or anything else. The selection of DCs is almost always
    random, so you MUST have a filter running properly on all DCs. The
    most likely cause for a password synchronizing less than 100% of the time
    is one or more DCs missing the filter, so the password is only
    synchronized from MAD to eDirectory/vault when the user's workstation
    happens to hit DCs that do have the filter running properly.

    For more troubleshooting, post a level five (5) trace from the Remote
    Loader (RL) side at the time of the password change that is working, as
    well as the time of a password change that is expected to fail.

    --
    Good luck.

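One way to act on the point above (any DC may receive the change, so every DC needs a working filter) is to inventory the filter registration across the domain. The script below is an added example, not code from this thread or from NetIQ; it assumes the IDM password filter registers itself in the LSA `Notification Packages` value under the name `PwFilter` and ships as `pwFilter.dll` in System32, both of which you should confirm against your own installation. It also records each DC's last boot time, because LSA only loads notification packages at start-up, so a registry entry added without a reboot is not yet active.

```powershell
# Added example (not from the thread): inventory every DC in the domain and report
# whether the IDM password filter is registered as an LSA notification package.
# Assumptions to verify in your environment: the filter registers under the name
# in $FilterName ('PwFilter') and its DLL is $FilterDll ('pwFilter.dll') in System32.
param(
    [string]$FilterName = 'PwFilter',
    [string]$FilterDll  = 'pwFilter.dll'
)

Import-Module ActiveDirectory

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# One result object per DC so the output can be filtered or exported.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $info = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($key, $dll)
            # 'Notification Packages' is REG_MULTI_SZ: one package name per element.
            $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
            [pscustomobject]@{
                Packages   = @($packages)
                DllPresent = Test-Path (Join-Path $env:SystemRoot "System32\$dll")
                LastBoot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            }
        } -ArgumentList $lsaKey, $FilterDll

        [pscustomobject]@{
            DC         = $dc.HostName
            Registered = ($info.Packages -contains $FilterName)   # case-insensitive match
            DllPresent = $info.DllPresent
            LastBoot   = $info.LastBoot
            Error      = $null
        }
    } catch {
        # A DC we cannot reach is reported rather than silently skipped.
        [pscustomobject]@{
            DC = $dc.HostName; Registered = $false; DllPresent = $false; LastBoot = $null
            Error = $_.Exception.Message
        }
    }
}

$results | Sort-Object DC | Format-Table -AutoSize

# Non-zero exit so the check can run from a scheduled task or monitoring job.
$missing = $results | Where-Object { -not ($_.Registered -and $_.DllPresent) }
if ($missing) {
    Write-Warning ("Password filter missing or incomplete on: " + ($missing.DC -join ', '))
    exit 1
}
```

Run it from a host with the RSAT ActiveDirectory module and WinRM access to the DCs. A DC that shows `Registered` but a `LastBoot` earlier than the time the filter was installed is the case to look at first, since the DLL will not be in LSASS until the next restart.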
  • All DCs in the domain have the filter. I will post a trace either later today or tomorrow.

  • dpbrant;265456 Wrote:
    > All DCs in the domain have the filter. I will post a trace either later
    > today or tomorrow


    Hi Dan,
    From your explanation it looks like the user changed an expired "local" user
    account (not a domain user account).
    In this case it is logical that password filters on any DCs didn't
    capture any password change.

    Could you confirm that it was a domain user case?
    Could you repeat the same steps again and provide RL logs?



  • Yes, this was a user in AD. BTW, this behavior seems to have started shortly after applying MS patches on the DC that the Remote Loader is on.
    We also noticed that, while the engine was at the 4.5 release, the RL was at 4.0.2. We have resolved the issue at this point by upgrading the Remote Loader to 4.5.3 as well as applying the 4.5.3 Engine update. The password sync and AD driver were at the latest version already.

    Lesson to be learned here for me is to keep the whole environment up-to-date at the same time.

    Thanks for the quick feedback!