Anonymous_User Absent Member.

AD password sync: two events issue for AD users only


A password change on A.D. is sent to IDM and then a password event is
coming back for IDM.
So this change password event is happening two times, and on this
trigger we send the enduser a password change notification.
To avoid sending this email two times we implemented code that is
checking on the pwdchangedtime in IDM. If this is in a configured
timeslot there will be a break.
This code is working fine for users who are in AD and in IDM. But there
are also users who are not in IDM, only in A.D.
Then the code cannot read the pwdchangedtime in IDM (because user does
not exist), and then there will be no break.
These users receive this change password notification email two times.

Does anyone know how to solve this issue for users who are only in A.D.?

Here is the code we use to break:
<rule>
  <description>xxx</description>
  <comment xml:space="preserve">xxx</comment>
  <conditions>
    <and>
      <if-operation mode="case" op="equal">modify-password</if-operation>
      <if-class-name mode="nocase" op="equal">user</if-class-name>
      <if-association op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- current time as CTIME (seconds since the Unix epoch) -->
    <do-set-local-variable name="now" scope="policy">
      <arg-string>
        <token-time format="!CTIME" tz="UTC"/>
      </arg-string>
    </do-set-local-variable>
    <!-- last password change recorded in the vault; empty when the user has no vault object -->
    <do-set-local-variable name="lastchange" scope="policy">
      <arg-string>
        <token-dest-attr name="pwdChangedTime"/>
      </arg-string>
    </do-set-local-variable>
    <!-- seconds since the last change; with an empty lastchange the XPath subtraction yields NaN and neither test below is true -->
    <do-set-local-variable name="tdiff" scope="policy">
      <arg-string>
        <token-xpath expression="$now - $lastchange"/>
      </arg-string>
    </do-set-local-variable>
    <do-trace-message>
      <arg-string>
        <token-local-variable name="tdiff"/>
      </arg-string>
    </do-trace-message>
    <do-if>
      <arg-conditions>
        <or>
          <!-- '<' must be written as &lt; inside XML element text -->
          <if-xpath op="true">$tdiff &lt;= 30</if-xpath>
          <if-xpath op="true">$tdiff = 14904362</if-xpath>
        </or>
      </arg-conditions>
      <arg-actions>
        <do-break/>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>


--
gschouten32
------------------------------------------------------------------------
gschouten32's Profile: https://forums.netiq.com/member.php?userid=2546
View this thread: https://forums.netiq.com/showthread.php?t=49568


Re: AD password sync: two events issue for AD users only

On Tue, 24 Dec 2013 11:54:01 +0000, gschouten32 wrote:

> A password change on A.D. is sent to IDM and then a password event is
> coming back for IDM.


Post a level 3 trace so we can see what you're talking about?

Is this just the usual feature, where any change sent to MAD from the
Subscriber subsequently appears on the Publisher?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: AD password sync: two events issue for AD users only

On 12/24/2013 10:00 AM, David Gersic wrote:
> On Tue, 24 Dec 2013 11:54:01 +0000, gschouten32 wrote:
>
>> A password change on A.D. is sent to IDM and then a password event is
>> coming back for IDM.

>
> Post a level 3 trace so we can see what you're talking about?
>
> Is this just the usual feature, where any change sent to MAD from the
> Subscriber subsequently appears on the Publisher?


To expand: AD does not report who made the change. Thus the native
loopback protection eDir has (if the driver made the change in eDir, do
not forward it back into the same driver to reprocess; this can be
turned off in an ECV if you need it) does not exist in the AD driver.

This leads to complicated trace reading, as well as complicated
handling of attribute conversions.

Be nice if the docs talked about some concrete examples of this issue to
make it better understood to newcomers. Hmm, is that in my Newcomers to
IDM series?

http://www.novell.com/communities/node/13053/common-mistakes-newcomers-idm-make-part-1
http://www.novell.com/communities/node/13057/common-mistakes-newcomers-idm-make-part-2
http://www.novell.com/communities/node/13058/common-mistakes-newcomers-idm-make-part-3
http://www.novell.com/communities/node/13125/common-mistakes-newcomers-idm-make-part-4
http://www.novell.com/communities/node/13126/common-mistakes-newcomers-idm-make-part-5
http://www.novell.com/communities/node/13302/common-mistakes-newcomers-idm-make-part-6
http://www.novell.com/communities/node/13316/common-mistakes-newcomers-idm-make-part-7
http://www.novell.com/communities/node/13347/common-mistakes-newcomers-idm-make-part-8
http://www.novell.com/communities/node/13383/common-mistakes-newcomers-idm-make-part-9
http://www.novell.com/communities/node/13486/common-mistakes-newcomers-idm-make-part-10
http://www.netiq.com/communities/coolsolutions/common-mistakes-newcomers-to-idm-make-part-11/

I think it is in article 6:
http://www.novell.com/communities/node/13302/common-mistakes-newcomers-idm-make-part-6

(If you are new to IDM, can I recommend perusing these articles? Full
of good stuff the docs should contain, but do not, and lots of fluff,
and my mouth running off (fingers running off?), but I suspect much
helpful in there).

Anyway, optimize modify is used when the event from eDir is written to
AD on the Sub channel, and 20 seconds later loops back on the Pub
channel. The change is identical to the value in eDir, ergo, no-op, and
kill the event.

So your description is backwards. The original post suggests it is eDir
that is looping back the event, which seems unlikely. More likely it is
a misreading of the trace...



Re: AD password sync: two events issue for AD users only


Thanks for the support and information. But it's not really clear to
me.
We only do pwd changes from A.D. -> IDM and not the other way
(configured in the password synchronization, deselected: "application
accepts password (subscriber)").
I also cannot see ST events coming back in the trace.
Here is a trace from a pwd change in A.D.:
http://tinyurl.com/mjky29b


--
gschouten32

Re: AD password sync: two events issue for AD users only

On 12/24/2013 04:54 AM, gschouten32 wrote:
>
> A password change on A.D. is sent to IDM and then a password event is
> coming back for IDM.


I'm not sure what you mean by this. You make it sound like the password
event is coming back out of the engine to microsoft active directory (MAD)
for some of these users, which is almost certainly not the case for any
users, and is certainly not default behavior (unless you have added policy
to do it somehow) for a user that does not exist in IDM, as IDM is
event-driven and without a corresponding object in the vault there can be
no event to drive IDM.

> So this change password event is happening two times, and on this
> trigger we send the enduser a password change notification.


Both events are coming from the application. Password changes from MAD
are sent immediately but can also be picked up during polling if the user
is otherwise picked up by the polling. If no association exists, doing
any processing is wasting time unless that processing can lead to an
association.

> To avoid sending this email two times we implemented code that is
> checking on the pwdchangedtime in IDM. If this is in a configured
> timeslot there will be a break.


Good idea, though I think you're treating a symptom instead of the real
problem of the e-mail operation happening for an unassociated user.

> This code is working fine for users who are in AD and in IDM. But there
> are also users who are not in IDM, only in A.D.


It is a little strange that this would happen or be handled via IDM, but okay.

> Then the code cannot read the pwdchangedtime in IDM (because user does
> not exist), and then there will be no break.
> These users receive this change password notification email two times.


You could add logic to break if the user cannot be found in eDirectory.
In fact, this should be implicit I think if you place the policy correctly
in the driver config.

> Does anyone know how to solve this issue for users who are only in A.D.?


Per your trace at http://tinyurl.com/mjky29b the problem to me is that
you are doing transformation of the event in the Input Transformation
policyset. The place that would make the most sense to me would be to
place and execute this logic in the Event Transformation or Command
Transformation policyset. By doing so you'll get rid of all of these
password events that do not actually synchronize passwords due to a lack
of an association with a real user in the vault. You should also be able
to naturally avoid duplicate events since if the first password actually
synchronizes (meaning it is an associated user) the engine will tell the
application to purge that value from the source system, so it will not be
sent again.

If for some reason you really need IDM to report on unsynchronized objects
and want to avoid the duplicates you still at least need to do a proper
check to see if the association is a valid one or just whatever would
become the association if you were to let the object synchronize (as you
should). It's a bit of work but you're trying to work around the
framework in this case instead of working with it.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD password sync: two events issue for AD users only


Great info.

I think I figured out what is causing these symptoms.
This (test) AD domain contains two DCs. Both DCs have a password
filter and there is one DC with the RL.
So AD synchronizes the changed password also to the other DC and there
it's again in the pwfilter, so there is the event again.


--
gschouten32

Re: AD password sync: two events issue for AD users only

On 12/31/2013 06:14 AM, gschouten32 wrote:
>
> I think I figured out what is causing these symptoms.
> This (test) AD domain contains two DCs. Both DCs have a password
> filter and there is one DC with the RL.
> So AD synchronizes the changed password also to the other DC and there
> it's again in the pwfilter, so there is the event again.


Good theory, but no, that is not it. Once the DC receives the password
from the source of the password change (somebody in AD Users and Computers
on a DC, or somebody on a workstation, or somebody via LDAP) it is hashed
on that DC using NTLM/LanMan/whatever and then replicated to other DCs, so
there is no way that a password can be captured after it leaves the
original DC. Also, the password filters work using a Microsoft API that
is made to capture passwords, which will only be used on the system where
the password is originally changed (vs. all other DCs to which the
password is replicated).

--
Good luck.


Re: AD password sync: two events issue for AD users only


Ab, you are right, I did some further tests and my suggestion was not
correct.
Unfortunately moving the code to the Event Transformation does not solve
my problem.
I'd like to have one password mod event for unassociated objects and I
see one solution: check the pwdLastSet of the object in A.D., and if
that's in a specific time frame then it indicates that's a
duplicate event.

Still cannot imagine why this event is coming twice


--
gschouten32

Re: AD password sync: two events issue for AD users only

On 12/31/2013 07:30 AM, gschouten32 wrote:
>
> Ab, you are right, I did some further tests and my suggestion was not
> correct.


It happens sometimes... rarely.

> Unfortunately moving the code to the Event Transformation does not solve
> my problem.
> I'd like to have one password mod event for unassociated objects and I
> see one solution: check the pwdLastSet of the object in A.D., and if
> that's in a specific time frame then it indicates that's a
> duplicate event.


Not exactly the same as yours, but you may find some good help in this thread:

https://forums.netiq.com/archive/index.php/t-47502.html

this may also be interesting:

https://forums.netiq.com/archive/index.php/t-6878.html

> Still cannot imagine why this event is coming twice


As mentioned before, the filter sends passwords right away, but you also
have a polling interval that runs (by default) once per minute, and if it
sees a new password change out there, it will try to send it too. As a
result, in trace you should see varying times (between 0 seconds and the
length of your polling interval) between the first and second password
events. Also, if the password synchronizes, you should not see the second
event, since it will be purged from the application side so the polling
interval will not find that password to be sent anymore.

--
Good luck.

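The thread boils down to two de-duplication cases: an associated user, where the vault's pwdChangedTime lets the policy above break on a second event inside the window, and an AD-only user, where there is no vault attribute, the XPath subtraction has nothing to work with, and the break never fires. The following is an added example written for this thread, not code from the thread, from NetIQ or from the IDM driver. It models both cases in plain Python: the associated case reuses the thread's "now - pwdChangedTime <= window" rule, and the AD-only case instead remembers the (objectGUID, pwdLastSet) pair of the first event and breaks only on a repeat of the same pair inside the window, so that a genuine second change (which carries a new pwdLastSet) is still passed through. The event dictionaries, their keys and the FILETIME conversion helper are assumptions constructed for the example; the pwdLastSet semantics for 0 and -1 are standard AD behaviour.

```python
"""Added example modelling the password-event de-duplication discussed in
the thread. Not code from the thread or from NetIQ IDM; event dicts and
their keys are constructed for illustration."""

from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 30  # same window as the thread's policy

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch
# (1970-01-01), in 100-nanosecond ticks, and ticks per second.
FILETIME_UNIX_DELTA = 116_444_736_000_000_000
FILETIME_PER_SECOND = 10_000_000


def pwdlastset_to_ctime(pwd_last_set: int) -> Optional[int]:
    """Convert AD pwdLastSet (FILETIME) to Unix seconds, the unit the eDir
    CTIME values in the policy use. 0 ("must change at next logon") and -1
    (the "set to now" write marker) are not timestamps, so return None."""
    if pwd_last_set <= 0:
        return None
    return (pwd_last_set - FILETIME_UNIX_DELTA) // FILETIME_PER_SECOND


def change_age_seconds(event: dict, now: int) -> Optional[int]:
    """Seconds since the last password change: vault pwdChangedTime when the
    user is associated, else AD pwdLastSet. None when neither is usable,
    which is the situation where the thread's XPath produced no number."""
    vault_ts = event.get("vault_pwdChangedTime")  # assumed key, CTIME seconds
    if vault_ts is not None:
        return now - int(vault_ts)
    ad_ts = event.get("ad_pwdLastSet")  # assumed key, FILETIME ticks
    if ad_ts is None:
        return None
    ctime = pwdlastset_to_ctime(ad_ts)
    return None if ctime is None else now - ctime


class PasswordEventDeduper:
    """Decides whether a modify-password event should be broken (dropped)."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        # objectGUID -> (pwdLastSet of the first event, time it was seen)
        self._seen: Dict[str, Tuple[int, int]] = {}

    def should_break(self, event: dict, now: int) -> bool:
        if event.get("vault_pwdChangedTime") is not None:
            # Associated user: the first event updated the vault, so a
            # second event within the window is the polling duplicate.
            age = change_age_seconds(event, now)
            return age is not None and 0 <= age <= self.window

        # AD-only user: no vault timestamp to compare against. Key on the
        # AD object plus its pwdLastSet; a real new change gets a new
        # pwdLastSet, so only the polling repeat matches the stored pair.
        guid = event["objectGUID"]  # assumed key
        marker = event.get("ad_pwdLastSet")
        if marker is None or marker <= 0:
            return False  # no usable marker: pass the event through
        prev = self._seen.get(guid)
        if prev is not None:
            prev_marker, first_seen = prev
            if prev_marker == marker and now - first_seen <= self.window:
                return True
        self._seen[guid] = (marker, now)
        return False
```

In a real driver the per-object memory would live in a driver-scoped variable (or a small table on the Null driver suggested later in the thread) rather than in a Python dict, but the decision logic is the same: compare against the vault when there is one, and against what you last saw from AD when there is not.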

Re: AD password sync: two events issue for AD users only


I'm having the same issue with IDM 402, just wondering if you ever found
a way to solve this?


--
pplante
------------------------------------------------------------------------
pplante's Profile: https://forums.netiq.com/member.php?userid=3310
View this thread: https://forums.netiq.com/showthread.php?t=49568


Re: AD password sync: two events issue for AD users only

pplante wrote:

> I'm having the same issue with IDM 402, just wondering if you ever found
> a way to solve this?


I think both of you are looking at this slightly incorrectly. There likely is a way to do this within the AD driver (but you have to work around the lack of loopback protection), but maybe this is better off implemented as a separate Null driver.
Then you can reliably notify on password changes without the risk of double notifications.

If your null driver is on the same server as your AD driver, then you can look at the eventID to get a hint as to which driver caused the password change. Note that password changes replicated from another server (or made via a non IDM mechanism) will only show the server name, not the driver.