Bi-Directional eDir driver - Password cannot be read into IDM


Hi

I have a problem with the Bi-Directional eDirectory driver.
I need to migrate Production eDir accounts, with their passwords, into the IDM eDir,
but the driver cannot read the distribution password.

I have double-checked that the password policy has "Allow Admin to retrieve
password" enabled and that the user used by the driver is listed there.
The IDM driver user has full rights from the root of the Prod tree.

When I start Migrate into eDir, the following happens:
Error message is: "ERROR : Unexpected error while retreiving password
information. Reason :"


<!-- Query document from the trace; <source> identifies the sender as DirXML 4.5.3.0. -->
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.5.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<!-- Subtree search for User objects whose CN equals "migtest".
     No read-attr elements are listed, so this step only locates the object. -->
<query class-name="User" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="CN">
<value>migtest</value>
</search-attr>
</query>
</input>
</nds>



<!-- Reply document; <source> identifies the sender as the Bi-directional eDirectory
     driver 4.0.2.0. Line breaks inside <product> and <association> are kept as pasted. -->
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20160425_0222" instance="Bi-directional eDirectory"
version="4.0.2.0">Identity Manager Bi-directional Driver for
eDirectory</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<!-- One matching object is returned as inetOrgPerson, with the association value
     that the follow-up entry-scoped query uses.
     NOTE(review): src-dn carries o=KPA while the LDAP search lines in the same trace
     use o=nn; presumably the organisation name was masked by hand in the log text
     only. Confirm, and scrub trace consistently before sharing it. -->
<instance class-name="inetOrgPerson" event-id="0"
src-dn="cn=MigTest,ou=IDM-Migraatio-Test,o=KPA">
<association
state="associated">635A3459111F134DCB99635A3459111F</association>
</instance>
<!-- The search itself succeeded; the password error is logged later in the trace. -->
<status event-id="0" level="success"/>
</output>
</nds>


<!-- Second query from DirXML 4.5.3.0: reads the attributes of the single object
     identified by the association returned in the previous reply. -->
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.5.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<!-- scope="entry" plus <association> targets exactly one object; every read-attr
     below names one attribute to read from it. -->
<query class-name="User" scope="entry">
<association>635A3459111F134DCB99635A3459111F</association>
<read-attr attr-name="assistant"/>
<read-attr attr-name="assistantPhone"/>
<read-attr attr-name="businessCategory"/>
<read-attr attr-name="children"/>
<read-attr attr-name="city"/>
<read-attr attr-name="CN"/>
<read-attr attr-name="co"/>
<read-attr attr-name="company"/>
<read-attr attr-name="costCenter"/>
<read-attr attr-name="costCenterDescription"/>
<read-attr attr-name="departmentNumber"/>
<read-attr attr-name="Description"/>
<read-attr attr-name="directReports"/>
<read-attr attr-name="EMail Address"/>
<read-attr attr-name="employeeStatus"/>
<read-attr attr-name="employeeType"/>
<!-- NOTE(review): "Equivalent To Me", "Security Equals" and "Group Membership" are
     privilege-bearing attributes requested alongside profile data; verify that the
     driver filter only carries what the target tree needs. -->
<read-attr attr-name="Equivalent To Me"/>
<read-attr attr-name="Facsimile Telephone Number"/>
<read-attr attr-name="Full Name"/>
<read-attr attr-name="Generational Qualifier"/>
<read-attr attr-name="Given Name"/>
<read-attr attr-name="Group Membership"/>
<read-attr attr-name="homeCity"/>
<read-attr attr-name="homeEmailAddress"/>
<read-attr attr-name="homeFax"/>
<read-attr attr-name="homePhone"/>
<read-attr attr-name="homePostalAddress"/>
<read-attr attr-name="homeState"/>
<read-attr attr-name="homeZipCode"/>
<read-attr attr-name="Initials"/>
<read-attr attr-name="instantMessagingID"/>
<read-attr attr-name="Internet EMail Address"/>
<read-attr attr-name="jackNumber"/>
<read-attr attr-name="jobCode"/>
<read-attr attr-name="L"/>
<read-attr attr-name="Language"/>
<read-attr attr-name="Login Disabled"/>
<read-attr attr-name="Mailbox ID"/>
<read-attr attr-name="Mailbox Location"/>
<read-attr attr-name="mailstop"/>
<read-attr attr-name="manager"/>
<read-attr attr-name="managerWorkforceID"/>
<read-attr attr-name="mobile"/>
<read-attr attr-name="NSCP:employeeNumber"/>
<!-- The password is requested in the same query as the ordinary attributes.
     The LDAP search logged for this query does not list nspmDistributionPassword
     in attrs=[...], and the "Unexpected error while retreiving password
     information" line appears only after that search has returned. Presumably the
     shim fetches the password in a separate step; confirm with an NMAS trace. -->
<read-attr attr-name="nspmDistributionPassword"/>
<read-attr attr-name="nsRoleDN"/>
<read-attr attr-name="O"/>
<read-attr attr-name="otherPhoneNumber"/>
<read-attr attr-name="OU"/>
<read-attr attr-name="pager"/>
<read-attr attr-name="personalMobile"/>
<read-attr attr-name="personalTitle"/>
<read-attr attr-name="photo"/>
<read-attr attr-name="Physical Delivery Office Name"/>
<read-attr attr-name="Postal Address"/>
<read-attr attr-name="Postal Code"/>
<read-attr attr-name="Postal Office Box"/>
<read-attr attr-name="preferredDeliveryMethod"/>
<read-attr attr-name="preferredName"/>
<read-attr attr-name="registeredAddress"/>
<read-attr attr-name="roomNumber"/>
<read-attr attr-name="S"/>
<read-attr attr-name="SA"/>
<read-attr attr-name="Security Equals"/>
<read-attr attr-name="See Also"/>
<read-attr attr-name="siteLocation"/>
<read-attr attr-name="spouse"/>
<read-attr attr-name="Surname"/>
<read-attr attr-name="Telephone Number"/>
<read-attr attr-name="teletexTerminalIdentifier"/>
<read-attr attr-name="telexNumber"/>
<read-attr attr-name="Timezone"/>
<read-attr attr-name="Title"/>
<read-attr attr-name="tollFreePhoneNumber"/>
<read-attr attr-name="UID"/>
<read-attr attr-name="uniqueID"/>
<read-attr attr-name="userCertificate"/>
<read-attr attr-name="vehicleInformation"/>
<read-attr attr-name="workforceID"/>
</query>
</input>
</nds>


[06/08/16 19:36:06.838]:Bi-directional eDirectory ST:Bi-directional
eDirectory: LDAP Search
base=O=nn
scope=2
filter=guid=\63\5A\34\59\11\1F\13\4D\CB\99\63\5A\34\59\11\1F
attrs=[dn]
attrsOnly=false
[06/08/16 19:36:06.875]:Bi-directional eDirectory ST:Bi-directional
eDirectory: LDAP Search
base=cn=MigTest,ou=IDM-Migraatio-Test,o=nn
scope=0
filter=(objectclass=*)
attrs=[assistant, assistantPhone, businessCategory, children, city,
cn, co, company, costCenter, costCenterDescription, departmentNumber,
description, directReports, eMailAddress, employeeStatus, employeeT
ype, equivalentToMe, facsimiletelephonenumber, fullName,
generationQualifier, givenname, groupMembership, homeCity,
homeEmailAddress, homeFax, homePhone, homePostalAddress, homeState,
homeZipCode, initials,
instantMessagingID, mail, jackNumber, jobCode, l, Language,
loginDisabled, mailboxID, mailboxLocation, mailstop, manager,
managerWorkforceID, mobile, NSCP:employeeNumber, nsRoleDN, O,
otherPhoneNumber, ou, p
ager, personalMobile, personalTitle, photo, physicalDeliveryOfficeName,
postaladdress, postalCode, postOfficeBox, preferredDeliveryMethod,
preferredName, registeredAddress, roomNumber, st, street, securityEq
uals, See Also, siteLocation, spouse, sn, telephonenumber,
teletexTerminalIdentifier, telexNumber, Timezone, title,
tollFreePhoneNumber, UID, uid, usercertificate, vehicleInformation,
workforceID, objectclas
s]
attrsOnly=false
[06/08/16 19:36:06.894]:Bi-directional eDirectory ST:Bi-directional
eDirectory: Query.queryOperation() result=dn:
cn=MigTest,ou=IDM-Migraatio-Test,o=nn
securityEquals: cn=Everyone,o=nn
securityEquals: cn=Migraatio-testi,ou=IDM-Migraatio-Test,o=nn
ou: Tenholantien toimipaikka
eMailAddress: 7#Veli-Matti.Luotonen@nnn.fi
cn: MigTest
l: Tenholantie
UID: migtest
mail: Testaus.migraatio@keskuspuisto.fi
description: IDM-projektin perustunnus Test Migration
groupMembership: cn=Everyone,o=nn
groupMembership: cn=Migraatio-testi,ou=IDM-Migraatio-Test,o=nn
sn: Migraatio
fullName: Testaus Migraatio
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: ndsLoginProperties
objectclass: Person
objectclass: Top
objectclass: DirXML-Identity
objectclass: DirXML-PasswordSyncStatusUser
givenname: Testaus



[06/08/16 19:36:06.957]:Bi-directional eDirectory ST:Bi-directional
eDirectory: Querying for the GUID : GUID is
1EFE040D352B994070951EFE040D352B
[06/08/16 19:36:06.962]:Bi-directional eDirectory ST:Bi-directional
eDirectory: *ERROR : Unexpected error while retreiving password
information. Reason :*
[06/08/16 19:36:06.964]:Bi-directional eDirectory
ST:SubscriptionShim.execute() returned:
[06/08/16 19:36:06.965]:Bi-directional eDirectory ST:



So the user gets the default password.
I am now stuck at this step of the migration :(
What could cause this?


Kind Regards
Veli-Matti



  • Does the user have a distribution password? Have a look at the password policy and verify.
  • > I have a problem with Bi-Directional Edirectory driver.
    > I should migrate Production Edir accounts with password into IDM Edir,
    > But Driver cannot read distribution password.


    So you need to see an error to troubleshoot. It sounds dumb, but do the
    users actually have a UP (Universal Password) set? Get Jim Willeke's DumpUP tool and check
    what the health of the UP of the users in question actually is.

    Next, on the server running the engine, in more standard dstrace (either
    ndstrace on Linux, dstrace.dlm on Winders, or iMonitor's dstrace) enable
    NMAS and try that again, perhaps you will see a hint of an error in the
    NMAS trace as it tries to read the password.

    Once you have an actual error it is easier to figure out.

    "Reason" and then nothing is what is known as a 'sucky' error message to
    return. :)


    > I have double checked that password policy have "Allow Admin to retrieve
    > password and also User which is used by driver is there.
    > IDM driver user have full rights from root of Prod Tree.
    >
    > When I start Migrate into Edir following happens:
    > Error message is: "ERROR : Unexpected error while retreiving password
    > information. Reason :"
    >
    >
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.5.3.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <query class-name="User" scope="subtree">
    > <search-class class-name="User"/>
    > <search-attr attr-name="CN">
    > <value>migtest</value>
    > </search-attr>
    > </query>
    > </input>
    > </nds>
    >
    >
    >
    > <nds dtdversion="2.0" ndsversion="8.x">
    > <source>
    > <product build="20160425_0222" instance="Bi-directional eDirectory"
    > version="4.0.2.0">Identity Manager Bi-directional Driver for
    > eDirectory</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <instance class-name="inetOrgPerson" event-id="0"
    > src-dn="cn=MigTest,ou=IDM-Migraatio-Test,o=KPA">
    > <association
    > state="associated">635A3459111F134DCB99635A3459111F</association>
    > </instance>
    > <status event-id="0" level="success"/>
    > </output>
    > </nds>
    >
    >
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.5.3.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <query class-name="User" scope="entry">
    > <association>635A3459111F134DCB99635A3459111F</association>
    > <read-attr attr-name="assistant"/>
    > <read-attr attr-name="assistantPhone"/>
    > <read-attr attr-name="businessCategory"/>
    > <read-attr attr-name="children"/>
    > <read-attr attr-name="city"/>
    > <read-attr attr-name="CN"/>
    > <read-attr attr-name="co"/>
    > <read-attr attr-name="company"/>
    > <read-attr attr-name="costCenter"/>
    > <read-attr attr-name="costCenterDescription"/>
    > <read-attr attr-name="departmentNumber"/>
    > <read-attr attr-name="Description"/>
    > <read-attr attr-name="directReports"/>
    > <read-attr attr-name="EMail Address"/>
    > <read-attr attr-name="employeeStatus"/>
    > <read-attr attr-name="employeeType"/>
    > <read-attr attr-name="Equivalent To Me"/>
    > <read-attr attr-name="Facsimile Telephone Number"/>
    > <read-attr attr-name="Full Name"/>
    > <read-attr attr-name="Generational Qualifier"/>
    > <read-attr attr-name="Given Name"/>
    > <read-attr attr-name="Group Membership"/>
    > <read-attr attr-name="homeCity"/>
    > <read-attr attr-name="homeEmailAddress"/>
    > <read-attr attr-name="homeFax"/>
    > <read-attr attr-name="homePhone"/>
    > <read-attr attr-name="homePostalAddress"/>
    > <read-attr attr-name="homeState"/>
    > <read-attr attr-name="homeZipCode"/>
    > <read-attr attr-name="Initials"/>
    > <read-attr attr-name="instantMessagingID"/>
    > <read-attr attr-name="Internet EMail Address"/>
    > <read-attr attr-name="jackNumber"/>
    > <read-attr attr-name="jobCode"/>
    > <read-attr attr-name="L"/>
    > <read-attr attr-name="Language"/>
    > <read-attr attr-name="Login Disabled"/>
    > <read-attr attr-name="Mailbox ID"/>
    > <read-attr attr-name="Mailbox Location"/>
    > <read-attr attr-name="mailstop"/>
    > <read-attr attr-name="manager"/>
    > <read-attr attr-name="managerWorkforceID"/>
    > <read-attr attr-name="mobile"/>
    > <read-attr attr-name="NSCP:employeeNumber"/>
    > <read-attr attr-name="nspmDistributionPassword"/>
    > <read-attr attr-name="nsRoleDN"/>
    > <read-attr attr-name="O"/>
    > <read-attr attr-name="otherPhoneNumber"/>
    > <read-attr attr-name="OU"/>
    > <read-attr attr-name="pager"/>
    > <read-attr attr-name="personalMobile"/>
    > <read-attr attr-name="personalTitle"/>
    > <read-attr attr-name="photo"/>
    > <read-attr attr-name="Physical Delivery Office Name"/>
    > <read-attr attr-name="Postal Address"/>
    > <read-attr attr-name="Postal Code"/>
    > <read-attr attr-name="Postal Office Box"/>
    > <read-attr attr-name="preferredDeliveryMethod"/>
    > <read-attr attr-name="preferredName"/>
    > <read-attr attr-name="registeredAddress"/>
    > <read-attr attr-name="roomNumber"/>
    > <read-attr attr-name="S"/>
    > <read-attr attr-name="SA"/>
    > <read-attr attr-name="Security Equals"/>
    > <read-attr attr-name="See Also"/>
    > <read-attr attr-name="siteLocation"/>
    > <read-attr attr-name="spouse"/>
    > <read-attr attr-name="Surname"/>
    > <read-attr attr-name="Telephone Number"/>
    > <read-attr attr-name="teletexTerminalIdentifier"/>
    > <read-attr attr-name="telexNumber"/>
    > <read-attr attr-name="Timezone"/>
    > <read-attr attr-name="Title"/>
    > <read-attr attr-name="tollFreePhoneNumber"/>
    > <read-attr attr-name="UID"/>
    > <read-attr attr-name="uniqueID"/>
    > <read-attr attr-name="userCertificate"/>
    > <read-attr attr-name="vehicleInformation"/>
    > <read-attr attr-name="workforceID"/>
    > </query>
    > </input>
    > </nds>
    >
    >
    > [06/08/16 19:36:06.838]:Bi-directional eDirectory ST:Bi-directional
    > eDirectory: LDAP Search
    > base=O=nn
    > scope=2
    > filter=guid=\63\5A\34\59\11\1F\13\4D\CB\99\63\5A\34\59\11\1F
    > attrs=[dn]
    > attrsOnly=false
    > [06/08/16 19:36:06.875]:Bi-directional eDirectory ST:Bi-directional
    > eDirectory: LDAP Search
    > base=cn=MigTest,ou=IDM-Migraatio-Test,o=nn
    > scope=0
    > filter=(objectclass=*)
    > attrs=[assistant, assistantPhone, businessCategory, children, city,
    > cn, co, company, costCenter, costCenterDescription, departmentNumber,
    > description, directReports, eMailAddress, employeeStatus, employeeT
    > ype, equivalentToMe, facsimiletelephonenumber, fullName,
    > generationQualifier, givenname, groupMembership, homeCity,
    > homeEmailAddress, homeFax, homePhone, homePostalAddress, homeState,
    > homeZipCode, initials,
    > instantMessagingID, mail, jackNumber, jobCode, l, Language,
    > loginDisabled, mailboxID, mailboxLocation, mailstop, manager,
    > managerWorkforceID, mobile, NSCP:employeeNumber, nsRoleDN, O,
    > otherPhoneNumber, ou, p
    > ager, personalMobile, personalTitle, photo, physicalDeliveryOfficeName,
    > postaladdress, postalCode, postOfficeBox, preferredDeliveryMethod,
    > preferredName, registeredAddress, roomNumber, st, street, securityEq
    > uals, See Also, siteLocation, spouse, sn, telephonenumber,
    > teletexTerminalIdentifier, telexNumber, Timezone, title,
    > tollFreePhoneNumber, UID, uid, usercertificate, vehicleInformation,
    > workforceID, objectclas
    > s]
    > attrsOnly=false
    > [06/08/16 19:36:06.894]:Bi-directional eDirectory ST:Bi-directional
    > eDirectory: Query.queryOperation() result=dn:
    > cn=MigTest,ou=IDM-Migraatio-Test,o=nn
    > securityEquals: cn=Everyone,o=nn
    > securityEquals: cn=Migraatio-testi,ou=IDM-Migraatio-Test,o=nn
    > ou: Tenholantien toimipaikka
    > eMailAddress: 7#Veli-Matti.Luotonen@nnn.fi
    > cn: MigTest
    > l: Tenholantie
    > UID: migtest
    > mail: Testaus.migraatio@keskuspuisto.fi
    > description: IDM-projektin perustunnus Test Migration
    > groupMembership: cn=Everyone,o=nn
    > groupMembership: cn=Migraatio-testi,ou=IDM-Migraatio-Test,o=nn
    > sn: Migraatio
    > fullName: Testaus Migraatio
    > objectclass: inetOrgPerson
    > objectclass: organizationalPerson
    > objectclass: ndsLoginProperties
    > objectclass: Person
    > objectclass: Top
    > objectclass: DirXML-Identity
    > objectclass: DirXML-PasswordSyncStatusUser
    > givenname: Testaus
    >
    >
    >
    > [06/08/16 19:36:06.957]:Bi-directional eDirectory ST:Bi-directional
    > eDirectory: Querying for the GUID : GUID is
    > 1EFE040D352B994070951EFE040D352B
    > [06/08/16 19:36:06.962]:Bi-directional eDirectory ST:Bi-directional
    > eDirectory: *ERROR : Unexpected error while retreiving password
    > information. Reason :*
    > [06/08/16 19:36:06.964]:Bi-directional eDirectory
    > ST:SubscriptionShim.execute() returned:
    > [06/08/16 19:36:06.965]:Bi-directional eDirectory ST:
    >
    >
    >
    > So User gets the default password -
    > So I am stuck now in the migration in this step :(
    > What could cause this ?
    >
    >
    > Kind Regards
    > Veli-Matti
    >
    >



  • Hi
    I didn't find out why I couldn't get password migration to work
    with the distribution password - but I changed the sync to the NDS password and
    solved the issue that way.



  • vm luotonen <vm_luotonen@no-mx.forums.microfocus.com> wrote:

    > Hi
    > I didn't find out the reason why I didn't get passowrd migrate to work
    > with distribution passoword - but I changed sync to NDS password and I
    > solved the issue that way.

    Did you have SSL set up to protect the connection from engine to shim?

    Some of the shims won't let passwords be synchronised in clear text
    (unencrypted).
