Chris Mosentine

Commodore
2019-05-11
14:45
649 views
Need help with vetoed password change
Hi all: I am having trouble with my eDir-to-MAD setup. Everything is working and I can make any change I want on the eDir side and it gets properly sync'ed into AD - except for the password. I have a level 5 trace on the remote loader side of the equation. I see an issue with decryptobjectpassword but I have no idea what that really means. Can you help? Here is the pertinent area of the log:
ADDriver: [PWD 4476] GetPwdInfo() - get the next entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPwdInfo() - get password and time for user MOSENTIN.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::GetPasswordInformation()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - open the cache entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - Registry UserEnumIndex[0] Passed EnumIndex[0].
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPasswordInformation() - read the cache data.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] - PassSyncCache::QueryValue()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - allocate 140 byte buffer
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - read the data.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::QueryValue() returned 0x00000000
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] - PassSyncCache::QueryValue()
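An added example, not part of the original post: a small Python parser for the remote loader trace format shown above (optional `DirXML: [timestamp]:` prefix, component, `[PWD nnnn]` thread tag, message). It groups the password-cache polling lines by PWD tag, records which users were polled, and flags any `returned 0x...` code that is non-zero, which is the first thing to check before chasing a veto. The sample trace is constructed; the second PWD tag and the user JDOE are invented to show a failing poll.

```python
import re

# Constructed sample in the trace format shown in the post.
# The "PWD 4477" / JDOE lines are invented to show a non-zero return code.
SAMPLE_TRACE = """\
ADDriver: [PWD 4476] GetPwdInfo() - get the next entry.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] GetPwdInfo() - get password and time for user MOSENTIN.
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::GetPasswordInformation()
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] QueryValue() - allocate 140 byte buffer
DirXML: [05/11/19 09:17:11.08]: ADDriver: [PWD 4476] PassSyncCache::QueryValue() returned 0x00000000
DirXML: [05/11/19 09:17:11.09]: ADDriver: [PWD 4477] GetPwdInfo() - get password and time for user JDOE.
DirXML: [05/11/19 09:17:11.09]: ADDriver: [PWD 4477] PassSyncCache::QueryValue() returned 0x00000002
"""

LINE_RE = re.compile(
    r"^(?:DirXML: \[(?P<ts>[^\]]+)\]: )?"        # optional DirXML timestamp prefix
    r"(?P<component>\w+): \[(?P<tag>[^\]]+)\] "   # e.g. "ADDriver: [PWD 4476]"
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"for user (?P<user>\S+)\.$")
RET_RE = re.compile(r"(?P<func>[\w:]+\(\)) returned 0x(?P<code>[0-9A-Fa-f]{8})")


def parse_trace(text):
    """Yield one dict (ts, component, tag, msg) per parseable line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def summarize_password_polls(text):
    """Group PWD-tagged lines by thread tag: users polled and non-zero return codes."""
    summary = {}
    for rec in parse_trace(text):
        if not rec["tag"].startswith("PWD "):
            continue  # only the password-sync cache polling threads
        entry = summary.setdefault(rec["tag"], {"users": set(), "failures": []})
        u = USER_RE.search(rec["msg"])
        if u:
            entry["users"].add(u.group("user"))
        r = RET_RE.search(rec["msg"])
        if r and int(r.group("code"), 16) != 0:
            entry["failures"].append((r.group("func"), r.group("code")))
    return summary


if __name__ == "__main__":
    for tag, info in summarize_password_polls(SAMPLE_TRACE).items():
        print(tag, sorted(info["users"]), info["failures"] or "all calls returned 0x00000000")
```

Run it against the full level 5 trace to see at a glance which users the Publisher-side password cache was polled for and whether any cache call actually failed.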
6 Replies
Chris Mosentine

Commodore
2019-05-11
15:02
Sorry for the above included log file snippet. The forum will not let me submit the log file output - something about too many images.


Knowledge Partner
2019-05-11
17:56
cmosentine wrote:
> The forum will not let
> me submit the log file output
Try https://paste.opensuse.org/ or https://pastebin.com/ and post a link here.
--
http://www.is4it.de/en/solution/identity-access-management/
(If you find this post helpful, please click on the star below.)
Chris Mosentine

Commodore
2019-05-13
19:45
Hi all: Just getting back to this post. I discovered that the veto I was seeing was the filter vetoing the password change coming back to eDir. I only sync one way, from eDir to AD, so that makes sense. I have the publishing channel set to "no sync" Groups, OU and User objects; I have left any parameters under these untouched.
What does not make sense is why the driver is even trying to send the change back to eDir in the first place. This could create an infinite loop - eDir changes AD followed by AD changing eDir; I don't know if this will spin and have not tried.
Thanks all for the help, Chris.


Knowledge Partner
2019-05-14
05:42
Hi Chris,
You can change the password synchronization behavior by changing the password synchronization driver settings in Designer or in iManager.
The real root cause of this situation lies in the AD architecture: AD LDAP doesn't provide modifier information, so there is almost no simple way to do loopback detection.
The password filter installed on the AD domain detects the password change and passes it back (by default) to the Publisher channel.
You can also adjust the password flow in the driver filter (nspmDistributionPassword settings).
Warning: please be careful when you change your driver password settings.


Knowledge Partner
2019-05-11
16:59
cmosentine;2499601 wrote:
I see an issue with decryptobjectpassword but I have no idea what that really means. Can you help? Here is the pertinent area of the log
Where can you see the issue with decryptobjectpassword?
Your remote loader log shows events on the Publisher side (which are not really relevant here) if you want to sync passwords from eDir to AD.
Could you please describe again what your password synchronization direction is?
Chris Mosentine

Commodore
2019-05-16
17:55
Hi all: It turns out I had removed the user's context from our password policy object. Once I put it back into the policy the veto stopped.
Thanks, Chris.