Chris Mosentine, Super Contributor

Need help with vetoed password change

Hi all: I am having trouble with my eDir-to-AD setup. Everything is working and I can make any change I want on the eDir side and it gets properly synced into AD - except for the password. I have a level 5 trace on the remote loader side of the equation. I see an issue with decryptobjectpassword but I have no idea what that really means. Can you help? Here is the pertinent area of the log:

ADDriver: [PWD 4476] GetPwdInfo() - get the next entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPwdInfo() - get password and time for user MOSENTIN.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::GetPasswordInformation()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - open the cache entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - Registry UserEnumIndex[0] Passed EnumIndex[0].
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - read the cache data.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] - PassSyncCache::QueryValue()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - allocate 140 byte buffer
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - read the data.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::QueryValue() returned 0x00000000
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] - PassSyncCache::QueryValue()
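To make a level 5 remote loader trace like the one above easier to triage, here is a small parser that splits each "DirXML: [timestamp]: ADDriver: [tag thread] message" line into its fields, groups the password-sync (PWD) events by thread, and pulls out the user named in "for user ..." lines and the hex status from "returned 0x..." lines. This is an added example written for this thread, not code from the original post or from the NetIQ/Micro Focus driver; the line layout is assumed from the trace shown above, and the sample trace embedded in the script is constructed from those lines rather than captured from a live system.

```python
import re
from collections import defaultdict

# Constructed sample trace, modelled on the lines quoted in the post above.
# The first line deliberately lacks the "DirXML: [timestamp]:" prefix, as the
# forum cut it off in the original post.
SAMPLE_TRACE = """\
ADDriver: [PWD 4476] GetPwdInfo() - get the next entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPwdInfo() - get password and time for user MOSENTIN.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::GetPasswordInformation()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - allocate 140 byte buffer
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::QueryValue() returned 0x00000000
"""

# Assumed line layout: an optional "DirXML: [timestamp]: " prefix, then
# "ADDriver: [<TAG> <thread-id>] <message>".
LINE_RE = re.compile(
    r"^(?:DirXML: \[(?P<ts>[^\]]*)\]: )?"
    r"ADDriver: \[(?P<tag>[A-Z]+) (?P<tid>\d+)\] "
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"\bfor user (\S+?)\.?$")
RET_RE = re.compile(r"\breturned (0x[0-9A-Fa-f]{8})")


def parse_trace(lines):
    """Return one dict per recognised trace line; unrecognised lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m.group("ts"),      # None when the prefix was cut off
            "tag": m.group("tag"),    # e.g. "PWD" for password-sync events
            "tid": m.group("tid"),    # thread id inside the remote loader
            "msg": m.group("msg"),
        })
    return records


def summarize(lines):
    """Group events per (tag, thread) and extract users and return codes."""
    summary = defaultdict(lambda: {"events": 0, "users": [], "returns": []})
    for rec in parse_trace(lines):
        entry = summary[(rec["tag"], rec["tid"])]
        entry["events"] += 1
        user = USER_RE.search(rec["msg"])
        if user and user.group(1) not in entry["users"]:
            entry["users"].append(user.group(1))
        ret = RET_RE.search(rec["msg"])
        if ret:
            entry["returns"].append(ret.group(1))
    return dict(summary)


def nonzero_returns(lines):
    """Return (thread, status) pairs whose status is not the 0x00000000 success code."""
    return [
        (key[1], code)
        for key, entry in summarize(lines).items()
        for code in entry["returns"]
        if code.lower() != "0x00000000"
    ]


if __name__ == "__main__":
    for (tag, tid), entry in summarize(SAMPLE_TRACE.splitlines()).items():
        print(f"[{tag} {tid}] events={entry['events']} users={entry['users']} "
              f"returns={entry['returns']}")
    print("non-success returns:", nonzero_returns(SAMPLE_TRACE.splitlines()))
```

Run it on a saved trace with `summarize(open("trace.log").read().splitlines())`; grouping by thread id keeps the PassSyncCache calls for one user together even when several password-filter events are interleaved, and `nonzero_returns` is a quick first filter before reading the surrounding lines by hand.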
Chris Mosentine, Super Contributor

Re: Need help with vetoed password change

Sorry for the above included log file snippet. The forum will not let me submit the log file output - something about too many images.
Knowledge Partner

Re: Need help with vetoed password change

cmosentine wrote:

> The forum will not let
> me submit the log file output


Try https://paste.opensuse.org/ or https://pastebin.com/ and post a link here.

--
http://www.is4it.de/en/solution/identity-access-management/

Chris Mosentine, Super Contributor

Re: Need help with vetoed password change

Hi all: Just getting back to this post. I discovered that the veto I was seeing was the filter vetoing the password change coming back to eDir. I only sync one way, from eDir to AD, so that makes sense. I have the publishing channel set to "no sync" Groups, OU and User objects; I have left any parameters under these untouched.

What does not make sense is why the driver is even trying to send the change back to eDir in the first place. This could create an infinite loop - eDir changes AD followed by AD changing eDir; I don't know if this will spin and have not tried.

Thanks all for the help, Chris.
Knowledge Partner

Re: Need help with vetoed password change

Hi Chris,
You can change password synchronization behavior by changing password synchronization driver settings in Designer or in iManager.

> What does not make sense is why the driver is even trying to send the change back to eDir in the first place. This could create an infinite loop - eDir changes AD followed by AD changing eDir; I don't know if this will spin and have not tried.

The real root cause of this situation lies in the AD architecture: AD LDAP doesn't provide modifier information, so there is almost no simple way to do loopback detection.
The password filter installed on the AD domain detects the password change and passes it back (by default) to the Publisher channel.

You can also adjust the password flow in the driver filter (nspmDistributionPassword settings).

Warning: please be careful when you change your driver password settings.
Knowledge Partner

Re: Need help with vetoed password change

cmosentine;2499601 wrote:

> I see an issue with decryptobjectpassword but I have no idea what that really means. Can you help? Here is the pertinent area of the log


Where can you see the issue with decryptobjectpassword?
Your remote loader log shows an event on the Publisher side (which is not really relevant here) if you want to sync passwords from eDir to AD.

Could you please describe again what is your password synchronization direction?
Chris Mosentine, Super Contributor

Re: Need help with vetoed password change

Hi all: It turns out I had removed the user's context from our password policy object. Once I put it back into the policy the veto stopped.

Thanks, Chris.