vm_luotonen1 Absent Member.

Bi-Directional Edir driver - Password cannot be read to IDM


Hi

I have a problem with the Bi-Directional eDirectory driver.
I should migrate Production Edir accounts with passwords into IDM Edir,
but the driver cannot read the distribution password.

I have double checked that the password policy has "Allow Admin to retrieve
password" and also that the user which is used by the driver is there.
The IDM driver user has full rights from the root of the Prod Tree.

When I start Migrate into Edir, the following happens:
Error message is: "ERROR : Unexpected error while retreiving password
information. Reason :"


<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.5.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="User" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="CN">
<value>migtest</value>
</search-attr>
</query>
</input>
</nds>



<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20160425_0222" instance="Bi-directional eDirectory"
version="4.0.2.0">Identity Manager Bi-directional Driver for
eDirectory</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance class-name="inetOrgPerson" event-id="0"
src-dn="cn=MigTest,ou=IDM-Migraatio-Test,o=KPA">
<association
state="associated">635A3459111F134DCB99635A3459111F</association>
</instance>
<status event-id="0" level="success"/>
</output>
</nds>


<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.5.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="User" scope="entry">
<association>635A3459111F134DCB99635A3459111F</association>
<read-attr attr-name="assistant"/>
<read-attr attr-name="assistantPhone"/>
<read-attr attr-name="businessCategory"/>
<read-attr attr-name="children"/>
<read-attr attr-name="city"/>
<read-attr attr-name="CN"/>
<read-attr attr-name="co"/>
<read-attr attr-name="company"/>
<read-attr attr-name="costCenter"/>
<read-attr attr-name="costCenterDescription"/>
<read-attr attr-name="departmentNumber"/>
<read-attr attr-name="Description"/>
<read-attr attr-name="directReports"/>
<read-attr attr-name="EMail Address"/>
<read-attr attr-name="employeeStatus"/>
<read-attr attr-name="employeeType"/>
<read-attr attr-name="Equivalent To Me"/>
<read-attr attr-name="Facsimile Telephone Number"/>
<read-attr attr-name="Full Name"/>
<read-attr attr-name="Generational Qualifier"/>
<read-attr attr-name="Given Name"/>
<read-attr attr-name="Group Membership"/>
<read-attr attr-name="homeCity"/>
<read-attr attr-name="homeEmailAddress"/>
<read-attr attr-name="homeFax"/>
<read-attr attr-name="homePhone"/>
<read-attr attr-name="homePostalAddress"/>
<read-attr attr-name="homeState"/>
<read-attr attr-name="homeZipCode"/>
<read-attr attr-name="Initials"/>
<read-attr attr-name="instantMessagingID"/>
<read-attr attr-name="Internet EMail Address"/>
<read-attr attr-name="jackNumber"/>
<read-attr attr-name="jobCode"/>
<read-attr attr-name="L"/>
<read-attr attr-name="Language"/>
<read-attr attr-name="Login Disabled"/>
<read-attr attr-name="Mailbox ID"/>
<read-attr attr-name="Mailbox Location"/>
<read-attr attr-name="mailstop"/>
<read-attr attr-name="manager"/>
<read-attr attr-name="managerWorkforceID"/>
<read-attr attr-name="mobile"/>
<read-attr attr-name="NSCP:employeeNumber"/>
<read-attr attr-name="nspmDistributionPassword"/>
<read-attr attr-name="nsRoleDN"/>
<read-attr attr-name="O"/>
<read-attr attr-name="otherPhoneNumber"/>
<read-attr attr-name="OU"/>
<read-attr attr-name="pager"/>
<read-attr attr-name="personalMobile"/>
<read-attr attr-name="personalTitle"/>
<read-attr attr-name="photo"/>
<read-attr attr-name="Physical Delivery Office Name"/>
<read-attr attr-name="Postal Address"/>
<read-attr attr-name="Postal Code"/>
<read-attr attr-name="Postal Office Box"/>
<read-attr attr-name="preferredDeliveryMethod"/>
<read-attr attr-name="preferredName"/>
<read-attr attr-name="registeredAddress"/>
<read-attr attr-name="roomNumber"/>
<read-attr attr-name="S"/>
<read-attr attr-name="SA"/>
<read-attr attr-name="Security Equals"/>
<read-attr attr-name="See Also"/>
<read-attr attr-name="siteLocation"/>
<read-attr attr-name="spouse"/>
<read-attr attr-name="Surname"/>
<read-attr attr-name="Telephone Number"/>
<read-attr attr-name="teletexTerminalIdentifier"/>
<read-attr attr-name="telexNumber"/>
<read-attr attr-name="Timezone"/>
<read-attr attr-name="Title"/>
<read-attr attr-name="tollFreePhoneNumber"/>
<read-attr attr-name="UID"/>
<read-attr attr-name="uniqueID"/>
<read-attr attr-name="userCertificate"/>
<read-attr attr-name="vehicleInformation"/>
<read-attr attr-name="workforceID"/>
</query>
</input>
</nds>


[06/08/16 19:36:06.838]:Bi-directional eDirectory ST:Bi-directional
eDirectory: LDAP Search
base=O=nn
scope=2
filter=guid=\63\5A\34\59\11\1F\13\4D\CB\99\63\5A\34\59\11\1F
attrs=[dn]
attrsOnly=false
[06/08/16 19:36:06.875]:Bi-directional eDirectory ST:Bi-directional
eDirectory: LDAP Search
base=cn=MigTest,ou=IDM-Migraatio-Test,o=nn
scope=0
filter=(objectclass=*)
attrs=[assistant, assistantPhone, businessCategory, children, city,
cn, co, company, costCenter, costCenterDescription, departmentNumber,
description, directReports, eMailAddress, employeeStatus, employeeT
ype, equivalentToMe, facsimiletelephonenumber, fullName,
generationQualifier, givenname, groupMembership, homeCity,
homeEmailAddress, homeFax, homePhone, homePostalAddress, homeState,
homeZipCode, initials,
instantMessagingID, mail, jackNumber, jobCode, l, Language,
loginDisabled, mailboxID, mailboxLocation, mailstop, manager,
managerWorkforceID, mobile, NSCP:employeeNumber, nsRoleDN, O,
otherPhoneNumber, ou, p
ager, personalMobile, personalTitle, photo, physicalDeliveryOfficeName,
postaladdress, postalCode, postOfficeBox, preferredDeliveryMethod,
preferredName, registeredAddress, roomNumber, st, street, securityEq
uals, See Also, siteLocation, spouse, sn, telephonenumber,
teletexTerminalIdentifier, telexNumber, Timezone, title,
tollFreePhoneNumber, UID, uid, usercertificate, vehicleInformation,
workforceID, objectclas
s]
attrsOnly=false
[06/08/16 19:36:06.894]:Bi-directional eDirectory ST:Bi-directional
eDirectory: Query.queryOperation() result=dn:
cn=MigTest,ou=IDM-Migraatio-Test,o=nn
securityEquals: cn=Everyone,o=nn
securityEquals: cn=Migraatio-testi,ou=IDM-Migraatio-Test,o=nn
ou: Tenholantien toimipaikka
eMailAddress: 7#Veli-Matti.Luotonen@nnn.fi
cn: MigTest
l: Tenholantie
UID: migtest
mail: Testaus.migraatio@keskuspuisto.fi
description: IDM-projektin perustunnus Test Migration
groupMembership: cn=Everyone,o=nn
groupMembership: cn=Migraatio-testi,ou=IDM-Migraatio-Test,o=nn
sn: Migraatio
fullName: Testaus Migraatio
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: ndsLoginProperties
objectclass: Person
objectclass: Top
objectclass: DirXML-Identity
objectclass: DirXML-PasswordSyncStatusUser
givenname: Testaus



[06/08/16 19:36:06.957]:Bi-directional eDirectory ST:Bi-directional
eDirectory: Querying for the GUID : GUID is
1EFE040D352B994070951EFE040D352B
[06/08/16 19:36:06.962]:Bi-directional eDirectory ST:Bi-directional
eDirectory: *ERROR : Unexpected error while retreiving password
information. Reason :
[06/08/16 19:36:06.964]:Bi-directional eDirectory
ST:SubscriptionShim.execute() returned:
[06/08/16 19:36:06.965]:Bi-directional eDirectory ST:



So User gets the default password -
So I am stuck now in the migration in this step 😞
What could cause this ?


Kind Regards
Veli-Matti


--
vm_luotonen

Knowledge Partner

Re: Bi-Directional Edir driver - Password cannot be read t

Does the user have a distribution password? Have a look at the password policy and verify.
vm_luotonen1 Absent Member.

Re: Bi-Directional Edir driver - Password cannot be read to IDM


Hi
I didn't find out the reason why I didn't get password migration to work
with the distribution password - but I changed sync to NDS password and I
solved the issue that way.


--
vm_luotonen

Knowledge Partner

Re: Bi-Directional Edir driver - Password cannot be read to IDM

vm luotonen <vm_luotonen@no-mx.forums.microfocus.com> wrote:

> Hi
> I didn't find out the reason why I didn't get password migration to work
> with the distribution password - but I changed sync to NDS password and I
> solved the issue that way.

Did you have SSL setup to protect the connection from engine to shim?

Some of the shims won't let passwords be synchronised in clear-text
(unencrypted)

--
Alex McHugh - Knowledge Partner - Stavanger, Norway

Knowledge Partner

Re: Bi-Directional Edir driver - Password cannot be read to IDM

> I have a problem with Bi-Directional Edirectory driver.
> I should migrate Production Edir accounts with password into IDM Edir,
> But Driver cannot read distribution password.


So you need to see an error to troubleshoot. It sounds dumb, but do the
users actually have a UP set? Get Jim Willeke's DumpUP tool and check
what the health of the users in question's UP actually is.

Next, on the server running the engine, in more standard dstrace (either
ndstrace on Linux, dstrace.dlm on Winders, or iMonitor's dstrace) enable
+NMAS and try that again, perhaps you will see a hint of an error in the
NMAS trace as it tries to read the password.

Once you have an actual error it is easier to figure out.

"Reason" and then nothing is what is known as a 'sucky' error message to
return. 🙂


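The trace in the original post shows the password read failing with an empty reason, after which the user is created with the default password. The Python below is an added example, not part of the thread or of any NetIQ tooling: it scans a saved driver trace for that error and reports the DN of the last object read before it, so the affected accounts can be listed for a password reset. The sample trace is constructed from the lines in the original post (the second user is made up), and it assumes each error follows the `Query.queryOperation()` result for the same object.

```python
import re

# Constructed sample, modelled on the driver trace in the original post.
SAMPLE_TRACE = """\
[06/08/16 19:36:06.894]:Bi-directional eDirectory ST:Bi-directional
eDirectory: Query.queryOperation() result=dn:
cn=MigTest,ou=IDM-Migraatio-Test,o=nn
cn: MigTest
objectclass: inetOrgPerson
[06/08/16 19:36:06.962]:Bi-directional eDirectory ST:Bi-directional
eDirectory: *ERROR : Unexpected error while retreiving password
information. Reason :
[06/08/16 19:36:07.120]:Bi-directional eDirectory ST:Bi-directional
eDirectory: Query.queryOperation() result=dn:
cn=OkUser,ou=IDM-Migraatio-Test,o=nn
cn: OkUser
"""

# A trace record starts with a bracketed timestamp; other lines are wrapped text.
RECORD_START = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\]:")
RESULT_DN = re.compile(r"result=dn:\s*([^\n]+)")
# "retreiving" is spelled as the driver prints it in the trace on this page.
PWD_ERROR = re.compile(
    r"ERROR : Unexpected error while retreiving password information\."
    r" Reason\s*:?\s*(.*)")


def split_records(trace):
    """Group wrapped trace lines into [timestamp, text] records."""
    records = []
    for line in trace.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append([m.group(1), line[m.end():]])
        elif records:
            records[-1][1] += "\n" + line
    return records


def failed_password_reads(trace):
    """Return one dict per password-retrieval error, tied to the last DN read."""
    findings, last_dn = [], None
    for stamp, text in split_records(trace):
        dn = RESULT_DN.search(text)
        if dn:
            last_dn = dn.group(1).strip()
        err = PWD_ERROR.search(" ".join(text.split()))  # undo line wrapping
        if err:
            findings.append({"time": stamp, "dn": last_dn,
                             "reason": err.group(1).strip() or None})
    return findings


if __name__ == "__main__":
    for f in failed_password_reads(SAMPLE_TRACE):
        print(f"{f['time']}  {f['dn']}  reason={f['reason']}")
```

A `reason` of `None` corresponds to the bare "Reason :" seen in the thread, which is the case where the NMAS trace suggested in the last reply is needed to find the underlying error.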