
AD ID created disabled every time

Hello

Using IDM 4. Win2008R2 with Remote Loader. Win box is DC

I am using the sample password policy setup by the IDM 4 integration install

Every time I create an ID in the Vault it creates the ID in AD disabled.

Both the Windows server and IDM servers are default setup

I wanted to just do a default setup of both Win2008R2 and IDM in the lab
and just installed the AD driver. Made it flat and placement is under
the specific OU (TESTUSERS)

So after setting all up using defaults except for flat tree the ID gets
created disabled

I am confused...very confused

Integration setup of IDM 4
Remote Loader setup
set the driver and RL passwords as the same as engine in the Driver



Re: AD ID created disabled every time


Check that the OU in the IDVault has universal password policy applied.
Also ensure that the users you are trying to sync have passwords set
(after the universal password policy was applied)

Check your password policies on the AD side -
http://technet.microsoft.com/en-us/library/cc264456.aspx

The most common reasons for an account being disabled after creation by
IDM are all password related.

1. Password not supplied (no universal password policy on IDV OU)
2. Password sync not enabled in the driver.
3. The AD DC rejects the password supplied in the Add document because
it doesn't meet the default AD password policies (minimum length,
complexity etc)
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: AD ID created disabled every time

Thank you for your quick reply

I have a password policy assigned to the IDV USERS OU

Password sync is enabled on the AD Driver

I have turned off Microsoft Password Complexity

The password I am using as my test password is Maple123

I use the HELPDESK TASK CREATE USER in the IDVAULT Imanager and create
the ID and set the password then.

I can't find ANY error/warning that relates to password in either the
IDVAULT or the AD Remote Loader. Trace is set to 3.

Only error is LDAP_NO_SUCH_OBJECT

<output>
<status level="warning" type="driver-general"
event-id="TESTIDV#20111107140850#1#2:1d19ed99-40c6-4e46-91bc-99ed191dc640">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such
Object</client-err>
<server-err>0000208D: NameErr: DSID-031001E5, problem 2001
(NO_OBJECT), data 0, best match of:
''
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
</status>
</output>




Re: AD ID created disabled every time

When looking at the AD side errors, look at this line:

<server-err-ex win32-rc="8333"/>

Look up 8333, at this link:
http://msdn.microsoft.com/en-us/library/ms681390%28VS.85%29.aspx

Which in this case literally means object not found. Like eDir's
601 error.





Re: AD ID created disabled every time

On 07.11.2011 15:24, IDM Learning wrote:

>
> Only error is LDAP_NO_SUCH_OBJECT
>
> <output>
> <status level="warning" type="driver-general"
> event-id="TESTIDV#20111107140850#1#2:1d19ed99-40c6-4e46-91bc-99ed191dc640">
> <ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
> <client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such
> Object</client-err>
> <server-err>0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT),
> data 0, best match of:
> ''
> </server-err>
> <server-err-ex win32-rc="8333"/>
> </ldap-err>
> </status>
> </output>


You need to provide more details (post the level 3 trace for the whole
add operation from start transaction to end transaction)

Based on the limited trace here: my first guess is that your placement
rules are generating a placement to an OU that isn't physically present
in AD.

Look at Geoffrey's article
http://www.novell.com/communities/node/8304/active-directory-driver-error-messages-part-3
the specific section is "Active Directory version of eDirectory 601
error" for an explanation of this error.
Alex McHugh - Knowledge Partner - Stavanger, Norway
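Alex's diagnosis above (placement to an OU that does not exist in AD) can be checked mechanically from the driver's <status> document. The following is an added example, not code from the thread or from the IDM AD driver: it parses the quoted <status> output (re-typed here as well-formed XML), maps the two codes the thread discusses (LDAP 32 and win32 8333) to their meanings, and reads AD's "best match of" value, which is the matched DN, i.e. the deepest existing ancestor of the DN that failed. The function names and the cause strings are hypothetical choices of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the <status> document quoted in the thread,
# re-typed as well-formed XML so it can be parsed offline.
SAMPLE_STATUS = """<output>
<status level="warning" type="driver-general"
 event-id="TESTIDV#20111107140850#1#2:1d19ed99-40c6-4e46-91bc-99ed191dc640">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
''
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
</status>
</output>"""

# Only the codes this thread mentions. LDAP 32 is noSuchObject (RFC 4511);
# win32 8333 (0x208D) is ERROR_DS_OBJ_NOT_FOUND, the eDirectory 601 analogue.
WIN32_CODES = {8333: "ERROR_DS_OBJ_NOT_FOUND"}

def parse_driver_status(xml_text):
    """Pull the result codes and matched DN out of an AD driver <status> document."""
    root = ET.fromstring(xml_text)
    status = root if root.tag == "status" else root.find("status")
    ldap_err = status.find("ldap-err")
    if ldap_err is None:
        return {"level": status.get("level"), "ldap_rc": None}
    server_err = ldap_err.findtext("server-err", default="")
    # AD appends the deepest existing ancestor of the failing DN after "best match of:".
    m = re.search(r"best match of:\s*'([^']*)'", server_err)
    ext = ldap_err.find("server-err-ex")
    return {
        "level": status.get("level"),
        "ldap_rc": int(ldap_err.get("ldap-rc")),
        "ldap_name": ldap_err.get("ldap-rc-name"),
        "win32_rc": int(ext.get("win32-rc")) if ext is not None else None,
        "best_match": m.group(1) if m else None,
    }

def diagnose(info):
    """Map the parsed codes to the likely cause, following the thread's reasoning."""
    if info["ldap_rc"] != 32:
        return "not a noSuchObject error; inspect the rest of the level 3 trace"
    cause = "placement DN does not exist in AD: " + WIN32_CODES.get(info["win32_rc"], "unknown win32 code")
    if info["best_match"] == "":
        # No ancestor matched at all, so the whole DN (domain part included) needs
        # checking, not just the leaf container such as OU=TESTUSERS.
        cause += "; no part of the DN matched, check the full placement path"
    elif info["best_match"]:
        cause += "; deepest existing container is " + info["best_match"]
    return cause
```

Run it over the <status> element of a level 3 trace: a non-empty best match tells you exactly which container exists and which child the placement rule is inventing.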

Re: AD ID created disabled every time

On Mon, 07 Nov 2011 14:24:32 +0000, IDM Learning wrote:

> I can't find ANY error/warning that relates to password in either the
> IDVAULT or the AD Remote Loader. Trace is set to 3.


Let's see the entire level 3 trace of the object create.


> Only error is LDAP_NO_SUCH_OBJECT
>
> <output>
> <status level="warning" type="driver-general"
> event-id="TESTIDV#20111107140850#1#2:1d19ed99-40c6-4e46-91bc-99ed191dc640">
> <ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
> <client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such
> Object</client-err>
> <server-err>0000208D: NameErr: DSID-031001E5, problem 2001
> (NO_OBJECT), data 0, best match of:
> ''
> </server-err>
> <server-err-ex win32-rc="8333"/>
> </ldap-err>
> </status>
> </output>


That's a good clue, but without seeing the rest of the trace, we can't
tell you what it means.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com
