This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Chris Mosentine
Commodore
Commodore
‎2019-05-11 14:45
649 views

Need help with vetoed passward change

Hi all: I am having trouble with my eDit-to-MAD setup. Everything is working and I can make any change I want on the eDir side and it gets properly sync'ed into AD - except for the password. I have a level 5 trace on the remote loader side of the equation. I see an issue with decryptobjectpassword but I have no idea what that really means. Can you help? Her is the pertinent are of the log:

ADDriver: [PWD 4476] GetPwdInfo() - get the next entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPwdInfo() - get password and time for user MOSENTIN.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::GetPasswordInformation()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - open the cache entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - Registry UserEnumIndex[0] Passed EnumIndex[0].
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - read the cache data.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] - PassSyncCache::QueryValue()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - allocate 140 byte buffer
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - read the data.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::QueryValue() returned 0x00000000
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] - PassSyncCache::QueryValue()
Labels (1)
Labels
0 Likes
Reply
Report Inappropriate Content
6 Replies
Chris Mosentine
Commodore
Commodore
‎2019-05-11 15:02

Sorry for the above included log file snippet. The forum will not let me submit the log file output - something about too many images.
0 Likes
Reply
Report Inappropriate Content
lhaeger
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2019-05-11 17:56

cmosentine wrote:

> The forum will not let
> me submit the log file output

Try https://paste.opensuse.org/ or https://pastebin.com/ and post a link here.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Reply
Report Inappropriate Content
Chris Mosentine
Commodore
Commodore
‎2019-05-13 19:45

Hi all: Just getting back to this post. I discovered that the veto I was seeing was the filter vetoing the password change coming back to eDir. I only sync one way, from eDir to AD, so that makes sense. I have the publishing channel set to "no sync" Groups, OU and User objects; I have left any parameters under these untouched.

What does not make sense is why the driver is even trying to send the change back to eDir in the first place. This could create an infinite loop - eDir changes AD followed by AD changing eDir; I don't know if this will spin and have not tried.

Thanks all for the help, Chris.
0 Likes
Reply
Report Inappropriate Content
al_b
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2019-05-14 05:42

Hi Chris,
You can change password synchronization behavior by changing password synchronization driver settings in Designer or in iManager.

What does not make sense is why the driver is even trying to send the change back to eDir in the first place. This could create an infinite loop - eDir changes AD followed by AD changing eDir; I don't know if this will spin and have not tried.

The real root cause of this situation in AD architecture: AD LDAP doesn't provide modifier information, thus almost no simple way to have loopback detection.
Installed on AD domain password filter detect password change and pass it back (by default) to Publisher channel.

You also can adjust password flow in the driver filter (nspmDistributionPassword settings)

Warning: please be careful, when you change your driver password settings.
0 Likes
Reply
Report Inappropriate Content
al_b
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2019-05-11 16:59

cmosentine;2499601 wrote:
I see an issue with decryptobjectpassword but I have no idea what that really means. Can you help? Her is the pertinent are of the log


Where you can see the issue with decryptobjectpassword?
Your remoteloader log show event on Publisher side (that not really relevant here), if you want to sync password from eDir to AD.

Could you please describe again what is your password synchronization direction?
0 Likes
Reply
Report Inappropriate Content
Chris Mosentine
Commodore
Commodore
‎2019-05-16 17:55

Hi all: It turns out I had removed the user's context from our password policy object. Once I put it back into the policy the veto stopped.

Thanks, Chris.
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.