
Another AD to eDir password sync issue thread


IDM 3.6 is running on a Windows 2008 R2 domain controller. eDirectory is
installed on the DC and it has a replica of all partitions. The driver
is configured as Native - not as a remote loader. There is nothing in
the Authentication ID or Authentication context fields. Attributes
synchronize fine in both directions except for the password, which is
not synchronizing from AD to eDir. The password filter is installed and
shows as Running on all DCs. "Application accepts passwords from
Identity Manager" and "Identity Manager accepts passwords from
application" are set to True. "Publish passwords to NDS password" is
false, "Publish passwords to Distribution Password" is true. The UP
policy assigned to the user in eDir has "Synchronize NDS password when
setting Universal Password" checked. I tried changing "Publish passwords
to NDS password" to true in the driver, but it didn't make a
difference.

A level 5 trace from the driver shows:

[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: Publisher Poll
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: get object changes - 0x0000
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: process object change entry
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: Processing change from AD: isDeleted: NULL, whenCreated NULL, name NULL
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: Publisher MODIFY
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: Publisher Modify- effectiveClassQuery dn=CN=test test,OU=Migration,OU=Users,OU=CALDOJ,DC=<redacted>,DC=<redacted>,DC=local className=user
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: description
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: dirxml-uACAccountDisable
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: displayName
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: extensionAttribute1
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: facsimileTelephoneNumber
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: givenName
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: initials
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: l
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: logonHours
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: mail
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: physicalDeliveryOfficeName
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: postOfficeBox
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: postalCode
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: sAMAccountName
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: sn
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: st
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: streetAddress
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: telephoneNumber
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: title
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: userPrincipalName
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::getUserData()
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::getUserData().... checking that RPC Server is listening
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::getUserData().... checking that RPC Server is listening
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfoByUser()
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfoByUser() Looking for specific Username[testb]
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - open the cache. Key = SOFTWARE\Novell\PassSync\Data\<domain name redacted>
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - acquire the mutex.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - mutex acquired.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - get number of registry keys.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - dwSubKeys[0] dwPrefMaxEntries[1] *lpdwResumeHandle[0] lpszUserName[testb].
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - release the mutex.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - mutex released.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - close the cache.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfoByUser() returned 0x00000000
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::getUserData() returned 0x00000000
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::FreeSyncData()
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::FreeSyncData() returned.
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::DataEnum()
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::DataEnum().... checking that RPC Server is listening
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::DataEnum().... checking that RPC Server is listening
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfo()
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfo() Looking for specific Username[(null)]
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfo() Logging Success to eventlog
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - open the cache. Key = SOFTWARE\Novell\PassSync\Data\<domain name redacted>
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - acquire the mutex.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - mutex acquired.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - get number of registry keys.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - dwSubKeys[0] dwPrefMaxEntries[-2] *lpdwResumeHandle[0] lpszUserName[(null)].
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - Query only returned 0.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - release the mutex.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - mutex released.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::DataEnum() returned 0x00000000

I am unsure if the level 5 trace is indicating a problem or not. Any
suggestions?


--
ambradley
------------------------------------------------------------------------
ambradley's Profile: https://forums.netiq.com/member.php?userid=177
View this thread: https://forums.netiq.com/showthread.php?t=47854
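The [PWD] lines in a level 5 trace are the part worth reading for a publisher-side password problem, and they are easier to read once pulled out of the attribute noise. The parser below is an added example, not code from the original post or from NetIQ: it takes a constructed copy of the poll shown above (forum line wraps rejoined, most attribute lines dropped, domain still redacted) and reports, per PassSync cache lookup, the user asked for, the registry key opened, the number of entries it held and the return code. The reading of dwSubKeys as the count of queued password entries under SOFTWARE\Novell\PassSync\Data\<domain> follows from the trace text itself ("get number of registry keys", "Query only returned 0"); the summary sentences in diagnose() are this example's own interpretation.

```python
"""Summarize the [PWD] password-sync lines of a NetIQ AD driver level 5 trace.
Added example, not NetIQ code. SAMPLE_TRACE is a constructed, trimmed copy of
the publisher poll from the post, with the forum's line wraps rejoined."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_TRACE = r"""
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: Publisher MODIFY
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: Publisher Modify- effectiveClassQuery dn=CN=test test,OU=Migration,OU=Users,OU=CALDOJ,DC=<redacted>,DC=<redacted>,DC=local className=user
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: description
[05/28/13 15:04:20.782]:IDV2AUTH PT:ADDriver: dirxml-uACAccountDisable
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: sAMAccountName
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::getUserData()
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfoByUser() Looking for specific Username[testb]
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - open the cache. Key = SOFTWARE\Novell\PassSync\Data\<domain name redacted>
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfoByUser() - dwSubKeys[0] dwPrefMaxEntries[1] *lpdwResumeHandle[0] lpszUserName[testb].
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfoByUser() returned 0x00000000
[05/28/13 15:04:20.798]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::getUserData() returned 0x00000000
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] PassSyncCache::GetPwdInfo() Looking for specific Username[(null)]
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - open the cache. Key = SOFTWARE\Novell\PassSync\Data\<domain name redacted>
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - dwSubKeys[0] dwPrefMaxEntries[-2] *lpdwResumeHandle[0] lpszUserName[(null)].
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD 6008] GetPwdInfo() - Query only returned 0.
[05/28/13 15:04:20.813]:IDV2AUTH PT:ADDriver: [PWD] PasswordSync::DataEnum() returned 0x00000000
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]:(?P<driver>\S+) (?P<thread>\S+):ADDriver: (?P<msg>.*)$")
MODIFY_RE = re.compile(r"^Publisher Modify- effectiveClassQuery dn=(?P<dn>.+?) className=(?P<cls>\S+)$")
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # bare attribute-name lines of a MODIFY
LOOKUP_RE = re.compile(r"PassSyncCache::(?P<fn>\w+)\(\) Looking for specific Username\[(?P<user>[^\]]*)\]")
KEY_RE = re.compile(r"open the cache\. Key = (?P<key>.+)$")
SUBKEYS_RE = re.compile(r"dwSubKeys\[(?P<n>-?\d+)\]")
RETURNED_RE = re.compile(r"Query only returned (?P<n>\d+)")
RC_RE = re.compile(r"(?:PassSyncCache|PasswordSync)::\w+\(\) returned (?P<rc>0x[0-9A-Fa-f]+)")


@dataclass
class CacheLookup:
    func: str                      # GetPwdInfoByUser (one user) or GetPwdInfo (enumerate all)
    user: Optional[str]            # None when the trace prints Username[(null)]
    key: Optional[str] = None      # registry key the filter's password cache lives under
    subkeys: Optional[int] = None  # dwSubKeys: one registry subkey per queued password entry
    returned: Optional[int] = None
    rc: Optional[int] = None       # 0 means the lookup itself succeeded, not that data came back


@dataclass
class PollSummary:
    dn: Optional[str] = None
    object_class: Optional[str] = None
    attributes: list = field(default_factory=list)
    lookups: list = field(default_factory=list)


def parse_trace(text: str) -> PollSummary:
    poll, current = PollSummary(), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or non-driver line
        msg = m.group("msg")
        if msg.startswith("[PWD"):
            if (lk := LOOKUP_RE.search(msg)):
                user = lk.group("user")
                current = CacheLookup(lk.group("fn"), None if user == "(null)" else user)
                poll.lookups.append(current)
            elif current is None:
                continue
            elif (k := KEY_RE.search(msg)):
                current.key = k.group("key")
            elif (s := SUBKEYS_RE.search(msg)):
                current.subkeys = int(s.group("n"))
            elif (r := RETURNED_RE.search(msg)):
                current.returned = int(r.group("n"))
            elif (c := RC_RE.search(msg)) and current.rc is None:
                current.rc = int(c.group("rc"), 16)  # first rc after a lookup is its own
            continue
        if (mod := MODIFY_RE.match(msg)):
            poll.dn, poll.object_class = mod.group("dn"), mod.group("cls")
        elif poll.dn and ATTR_RE.match(msg):
            poll.attributes.append(msg)
    return poll


def password_delivered(poll: PollSummary) -> bool:
    # True only if some cache lookup actually found queued entries for the driver
    return any((lk.subkeys or 0) > 0 or (lk.returned or 0) > 0 for lk in poll.lookups)


def diagnose(poll: PollSummary) -> list:
    notes = []
    if poll.dn:
        notes.append(f"Publisher MODIFY for {poll.dn} ({poll.object_class}) carried "
                     f"{len(poll.attributes)} attributes; the AD password is not one of them, "
                     "it can only arrive through the PassSync cache lookups below.")
    for lk in poll.lookups:
        rc = "no return code" if lk.rc is None else f"rc=0x{lk.rc:08x}"
        notes.append(f"{lk.func} for {lk.user or 'any user'}: {rc}, "
                     f"{lk.subkeys} queued entries under {lk.key}")
    if not password_delivered(poll):
        notes.append("The filter cache held no entries at poll time, so this poll publishes "
                     "no password change; a successful rc only says the cache was readable.")
    return notes
```

Run it with `for n in diagnose(parse_trace(SAMPLE_TRACE)): print(n)`. On the posted poll both lookups succeed (rc 0x00000000) but report dwSubKeys[0], which is why the trace shows no error yet no password reaches eDirectory: nothing was queued for the driver to collect. Feeding the parser a trace taken after a fresh password change on the test account, with the driver credentials the replies below recommend, shows whether entries start appearing.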

Re: Another AD to eDir password sync issue thread

> IDM 3.6 is running on Windows 2008 R2 domain controller. eDirectory is
> installed on the DC and it has a replica of all partitions. The driver


Wow... that's different. Not unsupported or anything necessarily, but
that's a busy DC.

> is configured as Native - not as a remote loader. There is nothing in
> the Authentication ID or Authentication context fields. Attributes


Try putting Administrator in the Authentication ID field and set the
Application Password to the administrator user's password.

The good news is that the filter appears to be picking up stuff for test0;
as a result, I'm optimistic that specifying credentials will allow the
driver to connect to MAD and pull things out. It may be nice to see a
startup trace for this to see how that authentication is working.

Good luck.

Re: Another AD to eDir password sync issue thread

On Tue, 28 May 2013 22:24:01 +0000, ambradley wrote:

> IDM 3.6 is running on Windows 2008 R2 domain controller. eDirectory is
> installed on the DC and it has a replica of all partitions. The driver
> is configured as Native - not as a remote loader. There is nothing in
> the Authentication ID or Authentication context fields.


Fix that. The driver needs an authenticated connection to MAD for it to
pick up passwords from the filters.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: Another AD to eDir password sync issue thread


Thanks to both who replied. This morning I checked another (working)
environment set up virtually the same and it has an administrator name,
password, and the name of a DC in the Authentication context, just as
you suggested. I will add to this driver and see if it works.


--
ambradley


Re: Another AD to eDir password sync issue thread

On 29.05.2013 17:54, ambradley wrote:
>
> Thanks to both who replied. This morning I checked another (working)
> environment set up virtually the same and it has an administrator name,
> password, and the name of a DC in the Authentication context, just as
> you suggested. I will add to this driver and see if it works.


You shouldn't need the name of the DC, just the administrator account name.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.