
Password Sync Initialization Failed

Hi There,

We are using IDM 4.7 on a Windows system and have configured all the DCs through the pass sync tool, and all are running; even using the pass sync utility tool I can see that users' passwords are there inside the driver machine's cache. But when I start the driver I get the following issue/error.

Error:
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver " version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<status level="warning" type="driver-status">
<description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
</status>
</input>
</nds>
And also see the driver information below:

[12/17/18 15:49:26.599]:adnew.log :  Name: ConnectedSystemName Value: ~drv.name~
[12/17/18 15:49:26.599]:adnew.log : Name: enable-password-subscribe Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: enable-password-publish Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false
[12/17/18 15:49:26.601]:adnew.log : Name: enforce-password-policy Value: true
[12/17/18 15:49:26.601]:adnew.log : Name: reset-external-password-on-failure Value: true
[12/17/18 15:49:26.601]:adnew.log : Name: notify-user-on-password-dist-failure Value: true
[12/17/18 15:49:26.602]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
[12/17/18 15:49:26.602]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
[12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
[12/17/18 15:49:26.602]:adnew.log : Name: NOVLLIBLDAP.host Value: 127.0.0.1
[12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.port Value: 389
[12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.user Value: cn=admin,ou=sa,o=system
[12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.password Value: NOVLLIBLDAP.password
[12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.base Value: o=data
[12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.scope Value: sub
[12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.users Value: data\users
[12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.groups Value: data\groups
[12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
[12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.driverdn Value: \NTL_IDM_VAULT\system\driverset1\Active Directory Driver

<authentication-info>
<server>172.xxx.xx.x</server>
<user>domain/IdmAdmin</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-options>
<auth-options display-name="Show authentication options">show</auth-options>
<auth-method display-name="Authentication Method">Negotiate</auth-method>
<signing display-name="Digitally sign communications">no</signing>
<sealing display-name="Digitally sign and seal communications">yes</sealing>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">no</use-ssl>
<impersonation display-name="Logon and impersonate">yes</impersonation>
<xchg-options display-name="Show Exchange Management Options">hide</xchg-options>
<xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
<exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
<exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
<exch-api-type display-name="Exchange Management interface type">use-exch-2010</exch-api-type>
<exchange-server display-name="Exchange Server FQDN"></exchange-server>
<access-options display-name="Show access options">show</access-options>
<pollingInterval display-name="Driver Polling Interval">1</pollingInterval>
<pub-heartbeat-interval display-name="Publisher heartbeat interval">1</pub-heartbeat-interval>
<pub-password-expire-time display-name="Password Sync Timeout (minutes)">5</pub-password-expire-time>
<pub-filter-password-time-to-live display-name="DC Passwords TimeToLive (minutes)">5</pub-filter-password-time-to-live>
<search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
<advanced-options display-name="Show advanced options">show</advanced-options>
<enable-delete-protected-2008 display-name="Enable Deletion of protected objects in Windows server 2008">no</enable-delete-protected-2008>
<retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown error">no</retry-ldap-auth-unknown>
<enable-incremental-values display-name="Enable DirSync Incremental Values">no</enable-incremental-values>
</driver-options>
</init-params>
</input>
</nds>
Please help me out, guys. What am I doing wrong?

Re: Password Sync Initialization Failed

On 12/17/2018 04:14 AM, frankabhinav wrote:
>
> We are using IDM 4.7 on a windows system and have configured all the
> DC's through pass sync tool and all are running and even using pass sync
> utility tool i can see that user's password are there inside Driver
> machine cache. But when i am starting i get the following issue/error.
>
> Error:
>
> Code:
> --------------------
> <nds dtdversion="2.2">
> <source>
> <product build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver " version="4.0.2.1">AD</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <status level="warning" type="driver-status">
> <description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
> </status>
> </input>
> </nds>
> --------------------


This appears to be IDM 4.7, perhaps with some patches; which version of
Windows, and which domain functional level, do you have? It probably does
not matter much, but it would be nice to know.

> and also see below driver information


This is some good information, but full traces are better.

> Code:
> --------------------
> [12/17/18 15:49:26.599]:adnew.log : Name: ConnectedSystemName Value: ~drv.name~
> [12/17/18 15:49:26.599]:adnew.log : Name: enable-password-subscribe Value: true
> [12/17/18 15:49:26.600]:adnew.log : Name: enable-password-publish Value: true
> [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true


This looks like a backward setting, along with...

> [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false


this one. If you have not changed these, I would probably do so. Under
the driver config object's properties, under 'GCVs' in particular in
Designer, there is a Password Sync tab, with a tool built in to help you
with the correct radio buttons and checkboxes (which in turn control the
usual GCV drop-downs, which normally you should not modify manually
anymore in lieu of that nice tool). Typically publishing to distribution
password is the way to go, not NDS passwords.

> [12/17/18 15:49:26.601]:adnew.log : Name: enforce-password-policy Value: true


I typically switch this to 'false' too, particularly as active directory
password policies have historically been a bit of a mess to match up with
eDirectory policies, and these days the focus is on length more than
complexity for actual security.

> [12/17/18 15:49:26.601]:adnew.log : Name: reset-external-password-on-failure Value: true


I'd also switch this one normally, since the reverse often fails in
microsoft active directory (MAD) due to password history on that side.

> [12/17/18 15:49:26.601]:adnew.log : Name: notify-user-on-password-dist-failure Value: true


I also do not like this one with MAD, but again maybe just my
preference/experience.

> [12/17/18 15:49:26.602]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
> [12/17/18 15:49:26.602]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
> [12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
> [12/17/18 15:49:26.602]:adnew.log : Name: NOVLLIBLDAP.host Value: 127.0.0.1
> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.port Value: 389
> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.user Value: cn=admin,ou=sa,o=system
> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.password Value: NOVLLIBLDAP.password
> [12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.base Value: o=data
> [12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.scope Value: sub
> [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.users Value: data\users
> [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.groups Value: data\groups
> [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
> [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.driverdn Value: \NTL_IDM_VAULT\system\driverset1\Active Directory Driver
>
> <authentication-info>
> <server>172.xxx.xx.x</server>


Normally when using the Negotiate method you should have either the Remote
Loader (RL) directly on a domain controller (DC), which is what I would
recommend, or else you need to point to a particular DC using its DNS
name, not its IP address. This could be part of your current symptom.

If you do put the RL on a DC, then you can clear out the authentication
context field entirely (by default the driver will talk locally, meaning
to the DC on which the RL is hosted), and then you can change sealing back
to 'no' as it is redundant.

> <user>domain/IdmAdmin</user>


The correct way to specify the domain and username is with a backslash,
not a slash (sometimes redundantly called a forward slash). This could be
part of your current symptom.

> <password><!-- content suppressed --></password>
> </authentication-info>
> <driver-options>
> <auth-options display-name="Show authentication options">show</auth-options>
> <auth-method display-name="Authentication Method">Negotiate</auth-method>
> <signing display-name="Digitally sign communications">no</signing>
> <sealing display-name="Digitally sign and seal communications">yes</sealing>
> <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">no</use-ssl>
> <impersonation display-name="Logon and impersonate">yes</impersonation>
> <xchg-options display-name="Show Exchange Management Options">hide</xchg-options>
> <xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
> <exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
> <exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
> <exch-api-type display-name="Exchange Management interface type">use-exch-2010</exch-api-type>
> <exchange-server display-name="Exchange Server FQDN"></exchange-server>
> <access-options display-name="Show access options">show</access-options>
> <pollingInterval display-name="Driver Polling Interval">1</pollingInterval>
> <pub-heartbeat-interval display-name="Publisher heartbeat interval">1</pub-heartbeat-interval>
> <pub-password-expire-time display-name="Password Sync Timeout (minutes)">5</pub-password-expire-time>
> <pub-filter-password-time-to-live display-name="DC Passwords TimeToLive (minutes)">5</pub-filter-password-time-to-live>
> <search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
> <advanced-options display-name="Show advanced options">show</advanced-options>
> <enable-delete-protected-2008 display-name="Enable Deletion of protected objects in Windows server 2008">no</enable-delete-protected-2008>
> <retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown error">no</retry-ldap-auth-unknown>
> <enable-incremental-values display-name="Enable DirSync Incremental Values">no</enable-incremental-values>
> </driver-options>
> </init-params>
> </input>
> </nds>
> --------------------


If you could post the full RL trace of the startup that may give more
information, but hopefully the suggestions above will resolve the issue.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Password Sync Initialization Failed

ab <ab@no-mx.forums.microfocus.com> wrote:
> On 12/17/2018 04:14 AM, frankabhinav wrote:
>>
>> We are using IDM 4.7 on a windows system and have configured all the
>> DC's through pass sync tool and all are running and even using pass sync
>> utility tool i can see that user's password are there inside Driver
>> machine cache. But when i am starting i get the following issue/error.
>>
>> Error:
>>
>> Code:
>> --------------------
>> <nds dtdversion="2.2">
>> <source>
>> <product build="20170106_120000"
>> instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver "
>> version="4.0.2.1">AD</product>
>> <contact>NetIQ Corporation</contact>
>> </source>
>> <input>
>> <status level="warning" type="driver-status">
>> <description>Password Sync Initialization Failed: Password Sync has been
>> Disabled.</description>
>> </status>
>> </input>
>> </nds>
>> --------------------

>
> This appears to be IDM 4.7, perhaps with some patches; which version of
> windows, and which domain functional level, do you have? It probably does
> not matter much, but it would be nice to know.
>
>> and also see below driver information

>
> This is some good information, but full traces are better.
>
>> Code:
>> --------------------
>> [12/17/18 15:49:26.599]:adnew.log : Name: ConnectedSystemName Value: ~drv.name~
>> [12/17/18 15:49:26.599]:adnew.log : Name: enable-password-subscribe Value: true
>> [12/17/18 15:49:26.600]:adnew.log : Name: enable-password-publish Value: true
>> [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true

>
> This looks like a backward setting, along with...
>
>> [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false

>
> this one. If you have not changed these, I would probably do so. Under
> the driver config object's properties, under 'GCVs in particular in
> Designer, there is a Password Sync tab, with a tool built in to help you
> with the correct radio buttons and checkboxes (which in turn control the
> usual GCV drop-downs, which normally you should not modify manually
> anymore in lieu of that nice tool). Typically publishing to distribution
> password is the way to go, not NDS passwords.
>
>> [12/17/18 15:49:26.601]:adnew.log : Name: enforce-password-policy Value: true

>
> I typically switch this to 'false' too, particularly as active directory
> password policies have historically been a bit of a mess to match up with
> eDirectory policies, and these days the focus is on length more than
> complexity for actual security.
>
>> [12/17/18 15:49:26.601]:adnew.log : Name: reset-external-password-on-failure Value: true

>
> I'd also switch this one normally, since the reverse often fails in
> microsoft active directory (MAD) due to password history on that side.
>
>> [12/17/18 15:49:26.601]:adnew.log : Name:
>> notify-user-on-password-dist-failure Value: true

>
> I also do not like this one with MAD, but again maybe just my
> preference/experience.
>
>> [12/17/18 15:49:26.602]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
>> [12/17/18 15:49:26.602]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
>> [12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
>> [12/17/18 15:49:26.602]:adnew.log : Name: NOVLLIBLDAP.host Value: 127.0.0.1
>> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.port Value: 389
>> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.user Value: cn=admin,ou=sa,o=system
>> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.password Value:
>> NOVLLIBLDAP.password
>> [12/17/18 15:49:26.604]:adnew.log : Name:
>> NOVLLIBLDAP.base Value: o=data
>> [12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.scope Value: sub
>> [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.users Value: data\users
>> [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.groups Value: data\groups
>> [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
>> [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.driverdn Value:
>> \NTL_IDM_VAULT\system\driverset1\Active Directory Driver
>>
>> <authentication-info>
>> <server>172.xxx.xx.x</server>

>
> Normally when using the Negotiate method you should have either the Remote
> Loader (RL) directly on a domain controller (DC), which is what I would
> recommend, or else you need to point to a particular DC using its DNS
> name, not its IP address. This could be part of your current symptom.
>
> If you do put the RL on a DC, then you can clear out the authentication
> context field entirely (by default the driver will talk locally, meaning
> to the DC on which the RL is hosted, and then you can change sealing back
> to 'no' as it is redundant.
>
>> <user>domain/IdmAdmin</user>

>
> The correct way to specify the domain and username is with a backslash,
> not a slash (sometimes redundantly called a forward slash). This could be
> part of your current symptom.
>
>> <password><!-- content suppressed --></password>
>> </authentication-info>
>> <driver-options>
>> <auth-options display-name="Show authentication options">show</auth-options>
>> <auth-method display-name="Authentication Method">Negotiate</auth-method>
>> <signing display-name="Digitally sign communications">no</signing>
>> <sealing display-name="Digitally sign and seal communications">yes</sealing>
>> <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and
>> AD">no</use-ssl>
>> <impersonation display-name="Logon and
>> impersonate">yes</impersonation>
>> <xchg-options display-name="Show
>> Exchange Management Options">hide</xchg-options>
>> <xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
>> <exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
>> <exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
>> <exch-api-type display-name="Exchange Management interface
>> type">use-exch-2010</exch-api-type>
>> <exchange-server display-name="Exchange Server FQDN"></exchange-server>
>> <access-options display-name="Show access options">show</access-options>
>> <pollingInterval display-name="Driver Polling Interval">1</pollingInterval>
>> <pub-heartbeat-interval display-name="Publisher heartbeat
>> interval">1</pub-heartbeat-interval>
>> <pub-password-expire-time display-name="Password Sync Timeout
>> (minutes)">5</pub-password-expire-time>
>> <pub-filter-password-time-to-live display-name="DC Passwords TimeToLive
>> (minutes)">5</pub-filter-password-time-to-live>
>> <search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
>> <advanced-options display-name="Show advanced options">show</advanced-options>
>> <enable-delete-protected-2008 display-name="Enable Deletion of protected
>> objects in Windows server 2008">no</enable-delete-protected-2008>
>> <retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown
>> error">no</retry-ldap-auth-unknown>
>> <enable-incremental-values display-name="Enable DirSync Incremental
>> Values">no</enable-incremental-values>
>> </driver-options>
>> </init-params>
>> </input>
>> </nds>
>> --------------------

>
> If you could post the full RL trace of the startup that may give more
> information, but hopefully the suggestions above will resolve the issue.
>


Hi.

If you are running the driver shim on a member server, this setting needs
to be set to yes as well for password sync to work.

<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and
AD">no</use-ssl>

--
Best regards
Marcus
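The two replies above name four things to check in an AD driver's startup trace before chasing the password-sync warning any further: the `publish-password-to-dp` GCV, a forward slash in the authentication user, an IP address (rather than a DC's DNS name) as the authentication context when the method is Negotiate and the Remote Loader is not on a DC, and `use-ssl` being `no` when the shim runs on a member server. The following script is an added example, not NetIQ's code or any poster's: it parses the `Name: ... Value: ...` GCV lines and the `<init-params>` block in the shape shown in this thread and reports those conditions. The sample trace fragments are constructed (a private address and an example.test host stand in for the redacted values); the `shim_on_dc` flag is an assumption the operator supplies, since the trace itself does not say where the Remote Loader runs.

```python
"""Lint an IDM Active Directory driver startup trace for the password-sync
misconfigurations called out in this thread. Added example; not NetIQ code."""
import re
import xml.etree.ElementTree as ET

# Constructed samples shaped like the posted trace. The first pair mirrors the
# failing configuration; 172.16.0.10 stands in for the redacted 172.xxx.xx.x.
FAILING_GCV_LOG = """
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false
[12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
"""
FAILING_INIT_PARAMS = """
<init-params>
<authentication-info>
<server>172.16.0.10</server>
<user>domain/IdmAdmin</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-options>
<auth-method display-name="Authentication Method">Negotiate</auth-method>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">no</use-ssl>
</driver-options>
</init-params>
"""
# The second pair mirrors the corrected shape (DNS name, DOMAIN\user, SSL on).
FIXED_GCV_LOG = """
[12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-nds Value: true
[12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-dp Value: true
"""
FIXED_INIT_PARAMS = r"""
<init-params>
<authentication-info>
<server>dc3.example.test</server>
<user>EXAMPLE\IdmAdmin</user>
</authentication-info>
<driver-options>
<auth-method display-name="Authentication Method">Negotiate</auth-method>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl>
</driver-options>
</init-params>
"""

GCV_RE = re.compile(r"Name:\s*(\S+)\s+Value:\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_gcvs(log_text):
    """Map GCV name -> value from the 'Name: X Value: Y' trace lines."""
    gcvs = {}
    for line in log_text.splitlines():
        m = GCV_RE.search(line)
        if m:
            gcvs[m.group(1)] = m.group(2).strip()
    return gcvs


def parse_init_params(xml_text):
    """Pull the authentication context and the driver options the checks need."""
    root = ET.fromstring(xml_text.strip())

    def text(path):
        el = root.find(path)
        return (el.text or "").strip() if el is not None else ""

    return {
        "server": text("authentication-info/server"),
        "user": text("authentication-info/user"),
        "auth-method": text("driver-options/auth-method"),
        "use-ssl": text("driver-options/use-ssl"),
    }


def lint_password_sync(gcvs, params, shim_on_dc=False):
    """Return one finding per condition the replies in this thread flag."""
    findings = []
    if gcvs.get("publish-password-to-dp", "").lower() != "true":
        findings.append("publish-password-to-dp is not 'true': publish to the "
                        "Distribution Password, not only the NDS password")
    if "/" in params["user"] and "\\" not in params["user"]:
        findings.append("user '%s' uses a forward slash: write DOMAIN\\user"
                        % params["user"])
    # The next two only matter when the Remote Loader is not hosted on a DC.
    if params["auth-method"].lower() == "negotiate" and not shim_on_dc:
        if IPV4_RE.match(params["server"]):
            findings.append("authentication context '%s' is an IP address: use "
                            "the DC's DNS name or host the RL on a DC"
                            % params["server"])
        if params["use-ssl"].lower() != "yes":
            findings.append("use-ssl is '%s' on a member server: password sync "
                            "needs 'yes'" % params["use-ssl"])
    return findings


def lint_trace(gcv_log, init_params_xml, shim_on_dc=False):
    """Convenience wrapper: parse both trace fragments and lint them."""
    return lint_password_sync(parse_gcvs(gcv_log),
                              parse_init_params(init_params_xml), shim_on_dc)


if __name__ == "__main__":
    for label, log, xml in (("failing", FAILING_GCV_LOG, FAILING_INIT_PARAMS),
                            ("fixed", FIXED_GCV_LOG, FIXED_INIT_PARAMS)):
        print(label + ":")
        for finding in lint_trace(log, xml) or ["no findings"]:
            print("  - " + finding)
```

Run against a real trace, paste the GCV block and the `<init-params>` element from the Remote Loader log into the two string constants (or read them from the log file); a clean result only means these four items are in order, not that the warning has another cause ruled out, so the full RL startup trace ab asked for is still the next step.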

Re: Password Sync Initialization Failed

Hi There

The issue still remains the same. I have attached the full log.

I can also view users inside HKLM\SOFTWARE\NOVELL\PwFilter

[12/28/18 18:48:49.469]:adnew.log :Trace Level: 5
[12/28/18 18:48:49.469]:adnew.log :Reading driver information from the \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS object.
[12/28/18 18:48:49.470]:adnew.log :Reading driver information from the \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS object.
[12/28/18 18:48:49.470]:adnew.log :Reading named passwords list.
[12/28/18 18:48:49.471]:adnew.log :Description : LDAP Search Password
[12/28/18 18:48:49.471]:adnew.log :Named passwords:
[12/28/18 18:48:49.471]:adnew.log : Name: NOVLLIBLDAP.password
[12/28/18 18:48:49.472]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-EngineControlValues.
[12/28/18 18:48:49.473]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/NOVLACOMSET-GCVs#DirXML-ConfigValues.
[12/28/18 18:48:49.475]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Library/NOVLLIBLDAP-ConnectionProfile#DirXML-ConfigValues.
[12/28/18 18:48:49.476]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/NOVLCOMSET-GCVs#DirXML-ConfigValues.
[12/28/18 18:48:49.477]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1#DirXML-ConfigValues.
[12/28/18 18:48:49.478]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-GCVs#DirXML-ConfigValues.
[12/28/18 18:48:49.480]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADPWDSYN-GCVs#DirXML-ConfigValues.
[12/28/18 18:48:49.481]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ConfigValues.
[12/28/18 18:48:49.482]:adnew.log :Global Configuration Values:
[12/28/18 18:48:49.482]:adnew.log : Name: drv.domain.dns.name Value: IN.BITS-Tech.com
[12/28/18 18:48:49.482]:adnew.log : Name: drv.subPlacementType Value: mirrored
[12/28/18 18:48:49.483]:adnew.log : Name: drv.user.container Value: ou=IDM,DC=IN,DC=BITS-Tech,DC=com
[12/28/18 18:48:49.483]:adnew.log : Name: drv.pubPlacementType Value: mirrored
[12/28/18 18:48:49.483]:adnew.log : Name: name-map-display Value: hide
[12/28/18 18:48:49.484]:adnew.log : Name: FullNameMap Value: true
[12/28/18 18:48:49.484]:adnew.log : Name: LogonNameMap Value: true
[12/28/18 18:48:49.484]:adnew.log : Name: UpnMap Value: edir-name-auth
[12/28/18 18:48:49.484]:adnew.log : Name: ConnectedSystemName Value: ~drv.name~
[12/28/18 18:48:49.485]:adnew.log : Name: enable-password-subscribe Value: true
[12/28/18 18:48:49.485]:adnew.log : Name: enable-password-publish Value: true
[12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-nds Value: true
[12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-dp Value: true
[12/28/18 18:48:49.486]:adnew.log : Name: enforce-password-policy Value: false
[12/28/18 18:48:49.486]:adnew.log : Name: reset-external-password-on-failure Value: false
[12/28/18 18:48:49.486]:adnew.log : Name: notify-user-on-password-dist-failure Value: false
[12/28/18 18:48:49.487]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
[12/28/18 18:48:49.487]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
[12/28/18 18:48:49.487]:adnew.log : Name: service-account-dn Value:
[12/28/18 18:48:49.487]:adnew.log : Name: idv.dit.data.users Value: data\users
[12/28/18 18:48:49.488]:adnew.log : Name: idv.dit.data.groups Value: data\groups
[12/28/18 18:48:49.488]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
[12/28/18 18:48:49.488]:adnew.log : Name: dirxml.auto.driverdn Value: \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS
[12/28/18 18:48:49.489]:adnew.log : Name: dirxml.auto.driverguid Value: {8E5734C2-003A-463c-8B26-FFFADAB18C83}
[12/28/18 18:48:49.489]:adnew.log : Name: dirxml.auto.localserverdn Value: CN=BITS-TZ-MFIM-NDS,OU=servers,O=system
[12/28/18 18:48:49.490]:adnew.log :Using default reciprocal attribute map
[12/28/18 18:48:49.490]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-PersistentData.
[12/28/18 18:48:49.491]:adnew.log :Loaded persistent data
[12/28/18 18:48:49.491]:adnew.log :
<persistent-data>
<op-counters last-reset-time="1544698959819">
<subscriber/>
<publisher>
<counters index="0">
<status>26</status>
<init-params>21</init-params>
</counters>
<counters index="1">
<status>26</status>
<init-params>21</init-params>
</counters>
<counters index="2">
<status>26</status>
<init-params>21</init-params>
</counters>
<counters index="3">
<status>26</status>
<init-params>21</init-params>
</counters>
<counters index="4">
<status>47</status>
</counters>
</publisher>
</op-counters>
</persistent-data>
[12/28/18 18:48:49.668]:adnew.log :Found subscriber system\driverset1\Active Directory Driver BITS\Subscriber.
[12/28/18 18:48:49.864]:adnew.log :Found publisher system\driverset1\Active Directory Driver BITS\Publisher.
[12/28/18 18:48:49.865]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-DriverFilter.
[12/28/18 18:48:49.866]:adnew.log :Loaded filter.
[12/28/18 18:48:49.866]:adnew.log :
<filter>
<filter-class class-name="User" publisher="sync" publisher-create-homedir="true" publisher-track-template-member="true" subscriber="ignore">
<filter-attr attr-name="nspmDistributionPassword" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
<filter-attr attr-name="CN" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Description" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="DirXML-ADAliasName" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Facsimile Telephone Number" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Full Name" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Given Name" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Initials" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Internet EMail Address" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="L" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Login Allowed Time Map" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Login Disabled" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
<filter-attr attr-name="Login Expiration Time" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
<filter-attr attr-name="Physical Delivery Office Name" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Postal Code" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Postal Office Box" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="S" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="SA" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Surname" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Telephone Number" publisher="sync" subscriber="ignore"/>
<filter-attr attr-name="Title" publisher="sync" subscriber="ignore"/>
</filter-class>
<filter-class class-name="Organizational Unit" publisher="sync" subscriber="ignore">
<filter-attr attr-name="Description" publisher="sync" subscriber="sync"/>
<filter-attr attr-name="OU" publisher="ignore" subscriber="ignore"/>
</filter-class>
</filter>
[12/28/18 18:48:49.874]:adnew.log :Creating subscriber thread.
[12/28/18 18:48:50.023]:adnew.log ST:Subscriber thread starting.
[12/28/18 18:48:50.074]:adnew.log ST:Initializing driver shim.
[12/28/18 18:48:50.075]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ApplicationSchema.
[12/28/18 18:48:50.112]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ConfigManifest.
[12/28/18 18:48:50.115]:adnew.log ST:Loading native shim addriver.dll.
[12/28/18 18:48:50.152]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ShimConfigInfo.
[12/28/18 18:48:50.154]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-DriverStorage.
[12/28/18 18:48:50.155]:adnew.log ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
<authentication-info>
<server>BITS-tz-dc3.in.BITS-tech.com</server>
<user>INBITS-TECH\IdmAdmin</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-options>
<auth-options display-name="Show authentication options">show</auth-options>
<auth-method display-name="Authentication Method">Negotiate</auth-method>
<signing display-name="Digitally sign communications">no</signing>
<sealing display-name="Digitally sign and seal communications">yes</sealing>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl>
<impersonation display-name="Logon and impersonate">yes</impersonation>
<xchg-options display-name="Show Exchange Management Options">hide</xchg-options>
<xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
<exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
<exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
<exch-api-type display-name="Exchange Management interface type">use-exch-2010</exch-api-type>
<exchange-server display-name="Exchange Server FQDN"></exchange-server>
<access-options display-name="Show access options">show</access-options>
<pollingInterval display-name="Driver Polling Interval">3</pollingInterval>
<pub-heartbeat-interval display-name="Publisher heartbeat interval">3</pub-heartbeat-interval>
<pub-password-expire-time display-name="Password Sync Timeout (minutes)">15</pub-password-expire-time>
<pub-filter-password-time-to-live display-name="DC Passwords TimeToLive (minutes)">15</pub-filter-password-time-to-live>
<search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
<advanced-options display-name="Show advanced options">hide</advanced-options>
<enable-delete-protected-2008 display-name="Enable Deletion of protected objects in Windows server 2008">no</enable-delete-protected-2008>
<retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown error">no</retry-ldap-auth-unknown>
<enable-incremental-values display-name="Enable DirSync Incremental Values">no</enable-incremental-values>
</driver-options>
</init-params>
</input>
</nds>
[12/28/18 18:48:50.164]:adnew.log ST:ADDriver: Driver::init
[12/28/18 18:48:50.164]:adnew.log ST:ADDriver: MadDriver::onInit()
[12/28/18 18:48:50.164]:adnew.log ST:ADDriver: MadConnMgr::initialize
[12/28/18 18:48:50.165]:adnew.log ST:DriverShim.init() returned:
[12/28/18 18:48:50.165]:adnew.log ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success"/>
</output>
</nds>
[12/28/18 18:48:50.199]:adnew.log ST:Initializing subscriber system\driverset1\Active Directory Driver BITS\Subscriber for \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS.
[12/28/18 18:48:50.200]:adnew.log ST:Loading startup policies.
[12/28/18 18:48:50.200]:adnew.log ST:Policy not found.
[12/28/18 18:48:50.200]:adnew.log ST:Loading shutdown policies.
[12/28/18 18:48:50.201]:adnew.log ST:Policy not found.
[12/28/18 18:48:50.201]:adnew.log ST:Loading Subscriber input transformation policies.
[12/28/18 18:48:50.201]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-itp-SubscriberUserAdd#XmlData.
[12/28/18 18:48:50.202]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.203]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-itp-FormatConversions#XmlData.
[12/28/18 18:48:50.204]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.206]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLPWDSYNC-itp-EmailOnFailedPwdSub#XmlData.
[12/28/18 18:48:50.207]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.208]:adnew.log ST:Loading Subscriber output transformation policies.
[12/28/18 18:48:50.209]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-otp-FormatConversions#XmlData.
[12/28/18 18:48:50.210]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.211]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-otp-ExchangeEntitlementQuery#XmlData.
[12/28/18 18:48:50.212]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.213]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLPWDSYNC-otp-EmailOnFailedPwdPub#XmlData.
[12/28/18 18:48:50.214]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.215]:adnew.log ST:Loading Subscriber schema mapping policies.
[12/28/18 18:48:50.215]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-smp#XmlData.
[12/28/18 18:48:50.216]:adnew.log ST:Found schema map.
[12/28/18 18:48:50.217]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/NOVLADDCFG-smp#XmlData.
[12/28/18 18:48:50.218]:adnew.log ST:Found schema map.
[12/28/18 18:48:50.218]:adnew.log ST:Loading policies.
[12/28/18 18:48:50.219]:adnew.log ST:Loading Subscriber event transformation policies.
[12/28/18 18:48:50.219]:adnew.log ST:Policy not found.
[12/28/18 18:48:50.219]:adnew.log ST:Loading Subscriber object matching policies.
[12/28/18 18:48:50.220]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-mp-Scoping#XmlData.
[12/28/18 18:48:50.221]:adnew.log ST:Global Configuration Value replacements made in vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-mp-Scoping#XmlData:
[12/28/18 18:48:50.222]:adnew.log ST:
<policy xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String">
<description>Find matching object in Active Directory</description>
<rule>
<description>remember relative position in hierarchy</description>
<comment xml:space="preserve">This rule marks events in the given containers for processing by adding the unmached-src-dn and attempt-to-match operation properties. You can add subtrees in the Identity Vault for inclusion by adding if-src-dn conditionals here. If you are using mirrored placement, the unmatched-src-dn is used later in the placement rule. The attempt-to-match property determines whether the matching policies following this initializing policy should try to match the object or whether its out of scope.</comment>
<conditions>
<and>
<if-src-dn op="in-subtree">data\users</if-src-dn>
<if-op-property mode="nocase" name="attempt-to-match" op="not-equal">false</if-op-property>
</and>
</conditions>
<actions>
<do-set-op-property name="unmatched-src-dn">
<arg-string>
<token-unmatched-src-dn convert="true"/>
</arg-string>
</do-set-op-property>
<do-set-op-property name="attempt-to-match">
<arg-string>
<token-text xml:space="preserve">true</token-text>
</arg-string>
</do-set-op-property>
</actions>
</rule>
</policy>
[12/28/18 18:48:50.226]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.227]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-mp#XmlData.
[12/28/18 18:48:50.228]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.229]:adnew.log ST:Loading Subscriber object creation policies.
[12/28/18 18:48:50.229]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-cp-Users#XmlData.
[12/28/18 18:48:50.230]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.231]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-cp-Groups#XmlData.
[12/28/18 18:48:50.232]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.233]:adnew.log ST:Loading Subscriber object placement policies.
[12/28/18 18:48:50.233]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-pp#XmlData.
[12/28/18 18:48:50.234]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.235]:adnew.log ST:Loading Subscriber command transformation policies.
[12/28/18 18:48:50.235]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-ctp-GroupMemberResolution#XmlData.
[12/28/18 18:48:50.236]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.237]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-ctp-HandleMovesAndRenames#XmlData.
[12/28/18 18:48:50.238]:adnew.log ST:Global Configuration Value replacements made in vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-ctp-HandleMovesAndRenames#XmlData:
[12/28/18 18:48:50.239]:adnew.log ST:
<policy>
<rule>
<description>associate mirror root</description>
<comment xml:space="preserve">In a mirrored configuration, it is important to have the two mirror roots (the one in the IDV and the one in AD) associated with one another. If the roots are not associated, objects cannot be moved into the mirror root on the publisher channel.</comment>
<conditions>
<and>
<if-operation mode="case" op="equal">move</if-operation>
<if-xpath op="true">translate(./parent/@src-dn,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')=translate('\NTL_IDM_VAULT\data\users','ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')</if-xpath>
<if-global-variable mode="nocase" name="drv.subPlacementType" op="equal">mirrored</if-global-variable>
<if-local-variable name="mirrorRootAssociated" op="not-available"/>
</and>
</conditions>
<actions>
<do-set-local-variable name="mirrorRootInstance" scope="policy">
<arg-node-set>
<token-query datastore="src" scope="entry">
<arg-dn>
<token-global-variable name="idv.dit.data.users"/>
</arg-dn>
</token-query>
</arg-node-set>
</do-set-local-variable>
<do-set-local-variable name="parentAsso">
<arg-string>
<token-xpath expression="$mirrorRootInstance/association/text()"/>
</arg-string>
</do-set-local-variable>
<do-trace-message>
<arg-string>
<token-local-variable name="parentAsso"/>
</arg-string>
</do-trace-message>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="regex" name="parentAsso" op="not-equal">.+</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="adRootInstance" scope="policy">
<arg-node-set>
<token-query scope="entry">
<arg-dn>
<token-global-variable name="drv.user.container"/>
</arg-dn>
</token-query>
</arg-node-set>
</do-set-local-variable>
<do-add-association direct="true">
<arg-dn>
<token-global-variable name="idv.dit.data.users"/>
</arg-dn>
<arg-association>
<token-xpath expression="$adRootInstance/association/text()"/>
</arg-association>
</do-add-association>
<do-append-xml-element expression="parent" name="association"/>
<do-append-xml-text expression="parent/association">
<arg-string>
<token-xpath expression="$adRootInstance/association/text()"/>
</arg-string>
</do-append-xml-text>
</arg-actions>
<arg-actions/>
</do-if>
<do-set-local-variable name="mirrorRootAssociated" scope="driver">
<arg-string>
<token-text xml:space="preserve">true</token-text>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
</policy>
[12/28/18 18:48:50.248]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.249]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLADDCFG-sub-ctp-UserNameMap#XmlData.
[12/28/18 18:48:50.251]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.252]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLPWDSYNC-sub-ctp-TransformDistPwd#XmlData.
[12/28/18 18:48:50.253]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.254]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLPWDSYNC-sub-ctp-DefaultPwd#XmlData.
[12/28/18 18:48:50.255]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.256]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLPWDSYNC-sub-ctp-CheckPwdGCV#XmlData.
[12/28/18 18:48:50.257]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.258]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Subscriber/NOVLPWDSYNC-sub-ctp-AddPwdPayload#XmlData.
[12/28/18 18:48:50.259]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.260]:adnew.log ST:Mapping sensitive attribute names to application space
[12/28/18 18:48:50.262]:adnew.log ST:Initializing subscriber shim.
[12/28/18 18:48:50.264]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ShimConfigInfo.
[12/28/18 18:48:50.265]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-DriverStorage.
[12/28/18 18:48:50.266]:adnew.log ST:Applying policy: %+C%14CNOVLADDCFG-smp%-C.
[12/28/18 18:48:50.266]:adnew.log ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
<authentication-info>
<server>BITS-tz-dc3.in.BITS-tech.com</server>
<user>INBITS-TECH\IdmAdmin</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-filter/>
</init-params>
</input>
</nds>
[12/28/18 18:48:50.268]:adnew.log ST:ADDriver: Subscriber::init
[12/28/18 18:48:50.269]:adnew.log ST:SubscriptionShim.init() returned:
[12/28/18 18:48:50.269]:adnew.log ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success"/>
</output>
</nds>
[12/28/18 18:48:50.270]:adnew.log ST:Applying input transformation policies.
[12/28/18 18:48:50.270]:adnew.log ST:Applying policy: %+C%14CNOVLADDCFG-itp-SubscriberUserAdd%-C.
[12/28/18 18:48:50.271]:adnew.log ST: Applying to status #1.
[12/28/18 18:48:50.271]:adnew.log ST: Evaluating selection criteria for rule 'Populate DirXML-ADContext on initial user add'.
[12/28/18 18:48:50.272]:adnew.log ST: (if-operation equal "add-association") = FALSE.
[12/28/18 18:48:50.272]:adnew.log ST: Rule rejected.
[12/28/18 18:48:50.272]:adnew.log ST:Policy returned:
[12/28/18 18:48:50.272]:adnew.log ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success"/>
</output>
</nds>
[12/28/18 18:48:50.273]:adnew.log ST:Applying policy: %+C%14CNOVLADDCFG-itp-FormatConversions%-C.
[12/28/18 18:48:50.274]:adnew.log ST: Applying to status #1.
[12/28/18 18:48:50.274]:adnew.log ST: Evaluating selection criteria for rule 'streetAddress: Convert CR-LF to LF'.
[12/28/18 18:48:50.274]:adnew.log ST: Rule selected.
[12/28/18 18:48:50.275]:adnew.log ST: Applying rule 'streetAddress: Convert CR-LF to LF'.
[12/28/18 18:48:50.275]:adnew.log ST: Action: do-reformat-op-attr("streetAddress",token-replace-all("\r\n","\r",token-local-variable("current-value"))).
[12/28/18 18:48:50.275]:adnew.log ST: Evaluating selection criteria for rule 'logonHours: Convert to Login Allowed Time Map form'.
[12/28/18 18:48:50.276]:adnew.log ST: Rule selected.
[12/28/18 18:48:50.276]:adnew.log ST: Applying rule 'logonHours: Convert to Login Allowed Time Map form'.
[12/28/18 18:48:50.276]:adnew.log ST: Action: do-reformat-op-attr("logonHours",token-xpath("jadutil:translateTimeMap2eDir($current-value)")).
[12/28/18 18:48:50.277]:adnew.log ST: Evaluating selection criteria for rule 'accountExpires: Convert to Identity Vault time format'.
[12/28/18 18:48:50.277]:adnew.log ST: Rule selected.
[12/28/18 18:48:50.278]:adnew.log ST: Applying rule 'accountExpires: Convert to Identity Vault time format'.
[12/28/18 18:48:50.278]:adnew.log ST: Action: do-reformat-op-attr("accountExpires",token-xpath("jadutil:translateFileTime2Epoch($current-value)")).
[12/28/18 18:48:50.278]:adnew.log ST: Evaluating selection criteria for rule 'lockedByIntruder: Enable Locked By Intruder'.
[12/28/18 18:48:50.279]:adnew.log ST: (if-operation equal "modify") = FALSE.
[12/28/18 18:48:50.279]:adnew.log ST: Rule rejected.
[12/28/18 18:48:50.279]:adnew.log ST: Evaluating selection criteria for rule 'lockedByIntruder: Disable Locked By Intruder'.
[12/28/18 18:48:50.280]:adnew.log ST: (if-operation equal "modify") = FALSE.
[12/28/18 18:48:50.280]:adnew.log ST: Rule rejected.
[12/28/18 18:48:50.280]:adnew.log ST: Evaluating selection criteria for rule 'lockoutTime: Convert to Identity Vault time format'.
[12/28/18 18:48:50.281]:adnew.log ST: Rule selected.
[12/28/18 18:48:50.281]:adnew.log ST: Applying rule 'lockoutTime: Convert to Identity Vault time format'.
[12/28/18 18:48:50.281]:adnew.log ST: Action: do-reformat-op-attr("lockoutTime",token-xpath("jadutil:translateFileTime2Epoch($current-value)")).
[12/28/18 18:48:50.282]:adnew.log ST:Policy returned:
[12/28/18 18:48:50.282]:adnew.log ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success"/>
</output>
</nds>
[12/28/18 18:48:50.283]:adnew.log ST:Applying policy: %+C%14CNOVLPWDSYNC-itp-EmailOnFailedPwdSub%-C.
[12/28/18 18:48:50.283]:adnew.log ST: Applying to status #1.
[12/28/18 18:48:50.284]:adnew.log ST: Evaluating selection criteria for rule 'Send e-mail on a failure when subscribing to passwords'.
[12/28/18 18:48:50.284]:adnew.log ST: (if-global-variable 'notify-user-on-password-dist-failure' equal "true") = FALSE.
[12/28/18 18:48:50.285]:adnew.log ST: Rule rejected.
[12/28/18 18:48:50.285]:adnew.log ST: Evaluating selection criteria for rule 'Send e-mail on failure to reset connected system password using the Identity Vault password'.
[12/28/18 18:48:50.285]:adnew.log ST: (if-global-variable 'notify-user-on-password-dist-failure' equal "true") = FALSE.
[12/28/18 18:48:50.286]:adnew.log ST: Rule rejected.
[12/28/18 18:48:50.286]:adnew.log ST:Policy returned:
[12/28/18 18:48:50.286]:adnew.log ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success"/>
</output>
</nds>
<policy>
<rule>
<description>break if not a move or rename</description>
<comment xml:space="preserve">Make sure we got a move or rename event.</comment>
<conditions>
<and>
<if-operation mode="regex" op="not-equal">move|rename</if-operation>
</and>
</conditions>
<actions>
<do-break/>
</actions>
</rule>
<rule>
<description>setup for move validation</description>
<comment>Gather information needed for move validation.</comment>
<conditions>
<and>
<if-operation op="equal">move</if-operation>
</and>
</conditions>
<actions>
<do-set-local-variable name="cached-object-value">
<arg-string>
<token-parse-dn length="-2" start="0">
<token-dest-attr name="DirXML-ADContext"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="current-object-value">
<arg-string>
<token-src-dn convert="true" length="-2" start="0"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
<rule>
<description>setup for rename validation</description>
<comment xml:space="preserve">Gather information needed for rename validation.</comment>
<conditions>
<and>
<if-operation op="equal">rename</if-operation>
</and>
</conditions>
<actions>
<do-set-local-variable name="cached-object-value">
<arg-string>
<token-parse-dn start="-1">
<token-dest-attr name="DirXML-ADContext"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="current-object-value">
<arg-string>
<token-src-dn convert="true" start="-1"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
<rule>
<description>move or rename validation</description>
<comment>The driver shim cannot tell the difference between a move and a rename in Active Directory so publishes both. The last known object DN is cached in the Identity Vault and then used to decide whether a given move or rename operation is real. This rule will veto moves and renames that are already reflected in the cached value.</comment>
<conditions>
<and>
<if-local-variable mode="regex" name="cached-object-value" op="equal">.*</if-local-variable>
<if-local-variable mode="nocase" name="cached-object-value" op="equal">$current-object-value$</if-local-variable>
</and>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
<rule>
<description>move or rename cached context update</description>
<comment xml:space="preserve">Update cached context when move or rename is valid.</comment>
<conditions>
<and>
<if-local-variable mode="regex" name="cached-object-value" op="equal">.*</if-local-variable>
</and>
</conditions>
<actions>
<do-set-dest-attr-value direct="true" name="DirXML-ADContext">
<arg-value>
<token-src-dn/>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule>
<description>veto moves for container classes</description>
<comment xml:space="preserve">eDirectory does not support moves of a container object unless it is its own partition but even then moves come with a risk. This policy will simply veto moves of all container classes regardless of whether they are partition roots or not.</comment>
<conditions>
<and disabled="true">
<if-class-name mode="regex" op="equal">User|Group|Organization Unit|Organization|domain</if-class-name>
</and>
<and>
<if-class-name mode="regex" op="not-equal">User|Group</if-class-name>
<if-dest-attr mode="nocase" name="Object Class" op="equal">ndsContainerLoginProperties</if-dest-attr>
</and>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
<rule>
<description>associate mirror root</description>
<comment xml:space="preserve">In a mirrored configuration, it is important to have the two mirror roots (the one in the IDV and the one in AD) associated with one another. If the roots are not associated, objects cannot be moved into the mirror root on the publisher channel.</comment>
<conditions>
<and>
<if-operation mode="case" op="equal">move</if-operation>
<if-xpath op="true">translate(./parent/@src-dn,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')=translate('ou=IDM,DC=IN,DC=BITS-Tech,DC=com','ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')</if-xpath>
<if-global-variable mode="nocase" name="drv.pubPlacementType" op="equal">mirrored</if-global-variable>
<if-local-variable name="mirrorRootAssociated" op="not-available"/>
</and>
</conditions>
<actions>
<do-set-local-variable name="mirrorRootInstance" scope="policy">
<arg-node-set>
<token-query scope="entry">
<arg-dn>
<token-global-variable name="idv.dit.data.users"/>
</arg-dn>
</token-query>
</arg-node-set>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-xpath op="not-true">$mirrorRootInstance/association/text()</if-xpath>
</and>
</arg-conditions>
<arg-actions>
<do-add-association direct="true">
<arg-dn>
<token-global-variable name="idv.dit.data.users"/>
</arg-dn>
<arg-association>
<token-xpath expression="./parent/association"/>
</arg-association>
</do-add-association>
</arg-actions>
<arg-actions/>
</do-if>
<do-set-local-variable name="mirrorRootAssociated" scope="driver">
<arg-string>
<token-text xml:space="preserve">true</token-text>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
</policy>
[12/28/18 18:48:50.967]:adnew.log ST:Found DirXMLScript policy.
[12/28/18 18:48:50.969]:adnew.log ST:Loading Publisher object matching policies.
[12/28/18 18:48:50.970]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Publisher/NOVLADDCFG-pub-mp-Scoping#XmlData.
[12/28/18 18:48:50.971]:adnew.log ST:Global Configuration Value replacements made in vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS/Publisher/NOVLADDCFG-pub-mp-Scoping#XmlData:
[12/28/18 18:48:50.972]:adnew.log ST:
<policy>
">
<source>
<product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success">Configured publisher polling interval to 3</status>
<status level="success">Configured heartbeat interval to 3</status>
<status level="success">Configured Password Expiration Time to 15</status>
</output>
</nds>


</nds>
[12/28/18 18:48:56.237]:adnew.log PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="success"><application>DirXML</application>
<module>Active Directory Driver BITS</module>
<object-dn></object-dn>
<component>Publisher</component>
</status>
</output>
</nds>
[12/28/18 18:48:56.238]:adnew.log PT:ADDriver: rootDSE information needed.

[12/28/18 18:48:56.239]:adnew.log PT:ADDriver: Make unauthenticated connection to rootDSE

[12/28/18 18:48:57.709]:adnew.log PT:ADDriver: unauthenticated connection to rootDSE succeeded

[12/28/18 18:48:57.709]:adnew.log PT:ADDriver: read rootDSE information
[12/28/18 18:48:57.731]:adnew.log PT:ADDriver:
LDAP Session Information

LDAP version: 3
Domain DNS name:
Server DNS name: BITS-TZ-DC3.IN.BITS-Tech.com
Host reachable: 1
Using SSL: 1

Naming contexts & RootDSE Properties:
CN=Configuration,DC=BITS-Tech,DC=com
CN=Schema,CN=Configuration,DC=BITS-Tech,DC=com
DC=ForestDnsZones,DC=BITS-Tech,DC=com
DC=IN,DC=BITS-Tech,DC=com
DC=DomainDnsZones,DC=IN,DC=BITS-Tech,DC=com
default naming context: DC=IN,DC=BITS-Tech,DC=com
schema naming context: CN=Schema,CN=Configuration,DC=BITS-Tech,DC=com
configuration naming context: CN=Configuration,DC=BITS-Tech,DC=com
root domain naming context: DC=BITS-Tech,DC=com
forest functional level: Windows Server 2008 R2 Forest Mode
[12/28/18 18:48:57.740]:adnew.log PT:ADDriver: Connect using ldap_bind: user=IdmAdmin, domain=INBITS-TECH, password=***, method=negotiate, server=BITS-tz-dc3.in.BITS-tech.com, sign=no, seal=yes ssl=yes

[12/28/18 18:48:58.657]:adnew.log PT:ADDriver: ldap_bind connection succeeded

[12/28/18 18:48:58.657]:adnew.log PT:ADDriver: MadPublisherPassSync::initialize()..Calling PasswordSync_new. Domain: IN.BITS-Tech.com User: INBITS-TECH\IdmAdmin
[12/28/18 18:48:58.658]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::PassSyncCache()

[12/28/18 18:48:58.658]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetPublicKey()

[12/28/18 18:48:58.659]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer()

[12/28/18 18:48:58.659]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName()

[12/28/18 18:48:58.661]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName() returned 0X00000000

[12/28/18 18:48:59.129]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer() returned 0x00000000

[12/28/18 18:48:59.129]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetPublicKey() returned 0x00000000

[12/28/18 18:48:59.130]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer()

[12/28/18 18:48:59.130]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName()

[12/28/18 18:48:59.131]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName() returned 0X00000000

[12/28/18 18:48:59.133]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer() returned 0x00000000

[12/28/18 18:48:59.134]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::CacheInit()

[12/28/18 18:48:59.134]:adnew.log PT:ADDriver: PassSyncCache::StartInitDomainThread()

[12/28/18 18:48:59.134]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::StartInitDomainThread() returned 0x00000000


[12/28/18 18:48:59.135]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::CacheInit() returned 0x00000005

[12/28/18 18:48:59.136]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache() - Error initializing cache 0x00000005

[12/28/18 18:48:59.137]:adnew.log PT:Receiving DOM document from application.
[12/28/18 18:48:59.137]:adnew.log PT:
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<status level="warning" type="driver-status">
<description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
</status>
</input>
</nds>
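A small triage helper for traces like the one above, added here as an example (it is not code from the original post or from the NetIQ driver): it pulls out the `[PWD ...] Class::Method() returned 0x...` lines the shim writes, reports the first nonzero return, and pairs it with the driver-status warning that follows. The sample trace inside the script is trimmed from the post; reading 0x00000005 as the Win32 system error ERROR_ACCESS_DENIED is an assumption, since the trace does not say which error space the shim uses.

```python
"""Triage an IDM Active Directory driver trace for a failed PassSync start.

Added example for this thread, not code from the post or the NetIQ driver.
Interpreting the return codes as Win32 system errors is an assumption.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: trimmed copies of the trace lines from the post.
SAMPLE_TRACE = """\
[12/28/18 18:48:58.658]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetPublicKey()
[12/28/18 18:48:59.129]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetPublicKey() returned 0x00000000
[12/28/18 18:48:59.131]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName() returned 0X00000000
[12/28/18 18:48:59.134]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::CacheInit()
[12/28/18 18:48:59.134]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::StartInitDomainThread() returned 0x00000000
[12/28/18 18:48:59.135]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::CacheInit() returned 0x00000005
[12/28/18 18:48:59.136]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache() - Error initializing cache 0x00000005
[12/28/18 18:48:59.137]:adnew.log PT:Receiving DOM document from application.
<status level="warning" type="driver-status">
<description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
</status>
"""

# The shim writes the hex prefix both as "0x" and "0X", so match either.
RETURN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:\S+ (?P<channel>[SP]T):ADDriver: \[PWD[^\]]*\] "
    r"(?P<call>[A-Za-z_:]+\(\)) returned 0[xX](?P<code>[0-9A-Fa-f]{8})\s*$"
)
STATUS_RE = re.compile(r'<status level="(?P<level>\w+)" type="driver-status">')
DESC_RE = re.compile(r"<description>(?P<text>.*?)</description>")

# Win32 system error names for codes commonly seen here (assumed mapping).
WIN32_ERRORS: Dict[int, str] = {
    0x00000000: "ERROR_SUCCESS",
    0x00000002: "ERROR_FILE_NOT_FOUND",
    0x00000005: "ERROR_ACCESS_DENIED",
}


@dataclass
class PwdReturn:
    timestamp: str
    channel: str   # "ST" subscriber thread or "PT" publisher thread
    call: str      # e.g. "PassSyncCache::CacheInit()"
    code: int

    @property
    def code_name(self) -> str:
        return WIN32_ERRORS.get(self.code, "UNKNOWN")


def parse_returns(trace: str) -> List[PwdReturn]:
    """Extract every '[PWD] ... returned 0x...' line in trace order."""
    found = []
    for line in trace.splitlines():
        m = RETURN_RE.match(line)
        if m:
            found.append(PwdReturn(m["ts"], m["channel"], m["call"], int(m["code"], 16)))
    return found


def first_failure(returns: List[PwdReturn]) -> Optional[PwdReturn]:
    """The earliest nonzero return is the call to investigate; later lines
    such as 'Error initializing cache' only repeat its code."""
    return next((r for r in returns if r.code != 0), None)


def driver_status(trace: str) -> Optional[Dict[str, str]]:
    """Pull the driver-status level and description the shim sent back."""
    s = STATUS_RE.search(trace)
    if not s:
        return None
    d = DESC_RE.search(trace, s.end())
    return {"level": s["level"], "description": d["text"] if d else ""}


def triage(trace: str) -> Dict[str, object]:
    """Which PassSync call failed, with what code, and the resulting status."""
    returns = parse_returns(trace)
    failure = first_failure(returns)
    return {
        "calls_seen": len(returns),
        "failed_call": failure.call if failure else None,
        "code": failure.code if failure else 0,
        "code_name": failure.code_name if failure else "ERROR_SUCCESS",
        "status": driver_status(trace),
    }


if __name__ == "__main__":
    # Pass the path of a full trace file (e.g. adnew.log) to scan it instead of the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it with the path of the full trace file as the only argument; with no argument it scans the embedded sample and names `PassSyncCache::CacheInit()` as the first call that returned nonzero, which is the line to read in context before looking at the cache, filter or service-account settings.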
Knowledge Partner

Re: Password Sync Initialization Failed

On 12/28/2018 07:04 AM, frankabhinav wrote:
>
> The issue still remain the same. I have attached the full log


I see the engine-side log here, and it looks like you do NOT have a Remote
Loader (RL) involved, which is unusual, but if your engine is on Windows
(also unusual) then that's probably okay, though I'd recommend using the
RL anytime you can, and in this particular case by putting it on the
domain controller (DC) itself where you are currently pointing IDM,
specifically BITS-tz-dc3.in.BITS-tech.com.

If BITS-tz-dc3.in.BITS-tech.com happens to be the IDM engine host (this
machine), then clear that authentication context field entirely so it is
now empty, and try again. If you are running on a DC in the domain
to/from which you are synchronizing you do not need to specify anything at
all, since normally the driver shim will talk to the local machine if
nothing else is specified, and this typically works best, which is part of
the reason most places (in my experience) run the Remote Loader on a DC.

> I can also view users inside HKLM\SOFTWARE\NOVELL\PwFilter


Based on this key I presume you mean on a DC; which one? If this current
machine, then this machine itself is a DC, in which case see above. If
some other machine, then knowing which, and how many you have, may be nice.

Also, I presume if the engine host is NOT a DC in the domain that it is at
least a member server in the domain, not just some standalone box, and that
you have had your Microsoft Active Directory (MAD) admins set up
relationships properly so that it is trusted by DCs. I do not know the
steps to do that properly, but the IDM MAD driver docs point to something
from Microsoft to help with that. Better yet, run on a DC itself, but not
the IDM engine, rather the RL.

> <filter>
> <filter-class class-name="User" publisher="sync" publisher-create-homedir="true" publisher-track-template-member="true" subscriber="ignore">
> <filter-attr attr-name="nspmDistributionPassword" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>


Why do you have nspmDistributionPassword changed to 'Sync' from 'Notify'?
That is incorrect; please put it back.

> <filter-attr attr-name="CN" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Description" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="DirXML-ADAliasName" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Facsimile Telephone Number" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Full Name" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Given Name" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Initials" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Internet EMail Address" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="L" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Login Allowed Time Map" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Login Disabled" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
> <filter-attr attr-name="Login Expiration Time" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
> <filter-attr attr-name="Physical Delivery Office Name" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Postal Code" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Postal Office Box" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="S" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="SA" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Surname" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Telephone Number" publisher="sync" subscriber="ignore"/>
> <filter-attr attr-name="Title" publisher="sync" subscriber="ignore"/>
> </filter-class>
> <filter-class class-name="Organizational Unit" publisher="sync" subscriber="ignore">
> <filter-attr attr-name="Description" publisher="sync" subscriber="sync"/>
> <filter-attr attr-name="OU" publisher="ignore" subscriber="ignore"/>
> </filter-class>
> </filter>
> [12/28/18 18:48:49.874]:adnew.log :Creating subscriber thread.
> [12/28/18 18:48:50.023]:adnew.log ST:Subscriber thread starting.
> [12/28/18 18:48:50.074]:adnew.log ST:Initializing driver shim.
> [12/28/18 18:48:50.075]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ApplicationSchema.
> [12/28/18 18:48:50.112]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ConfigManifest.
> [12/28/18 18:48:50.115]:adnew.log ST:Loading native shim addriver.dll.
> [12/28/18 18:48:50.152]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-ShimConfigInfo.
> [12/28/18 18:48:50.154]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active+Directory+Driver+BITS#DirXML-DriverStorage.
> [12/28/18 18:48:50.155]:adnew.log ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.6.0.0">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
> <authentication-info>
> <server>BITS-tz-dc3.in.BITS-tech.com</server>


This IDM engine, on whatever box, is trying to reach out to
BITS-tz-dc3.in.BITS-tech.com, which is a different box and a DC, to
authenticate with a user in the INBITS-TECH domain named IdmAdmin and that
is all fine, assuming it is true. If any of that statement is not true,
then you need to fix settings.

> <user>INBITS-TECH\IdmAdmin</user>
> <password><!-- content suppressed --></password>
> </authentication-info>
> <driver-options>
> <auth-options display-name="Show authentication options">show</auth-options>
> <auth-method display-name="Authentication Method">Negotiate</auth-method>
> <signing display-name="Digitally sign communications">no</signing>
> <sealing display-name="Digitally sign and seal communications">yes</sealing>
> <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl>


Sadly I can never remember all the situations for SSL and Sealing to be
used between the MAD shim (addriver.dll) and the DC. If you are running
on a DC itself, you turn all of these to 'no' and clear out the
Authentication Context field above and it just works nicely. Luckily the
documentation covers this, so if you have gone through that I suppose it's
fine; others may give better pointers here.

How many DCs do you have in this domain? Is this a test or production domain?

> [12/28/18 18:48:56.238]:adnew.log PT:ADDriver: rootDSE information needed.
>
> [12/28/18 18:48:56.239]:adnew.log PT:ADDriver: Make unauthenticated connection to rootDSE
>
> [12/28/18 18:48:57.709]:adnew.log PT:ADDriver: unauthenticated connection to rootDSE succeeded
>
> [12/28/18 18:48:57.709]:adnew.log PT:ADDriver: read rootDSE information
> [12/28/18 18:48:57.731]:adnew.log PT:ADDriver:
> LDAP Session Information
>
> LDAP version: 3
> Domain DNS name:
> Server DNS name: BITS-TZ-DC3.IN.BITS-Tech.com
> Host reachable: 1
> Using SSL: 1
>
> Naming contexts & RootDSE Properties:
> CN=Configuration,DC=BITS-Tech,DC=com
> CN=Schema,CN=Configuration,DC=BITS-Tech,DC=com
> DC=ForestDnsZones,DC=BITS-Tech,DC=com
> DC=IN,DC=BITS-Tech,DC=com
> DC=DomainDnsZones,DC=IN,DC=BITS-Tech,DC=com
> default naming context: DC=IN,DC=BITS-Tech,DC=com
> schema naming context: CN=Schema,CN=Configuration,DC=BITS-Tech,DC=com
> configuration naming context: CN=Configuration,DC=BITS-Tech,DC=com
> root domain naming context: DC=BITS-Tech,DC=com
> forest functional level: Windows Server 2008 R2 Forest Mode
> [12/28/18 18:48:57.740]:adnew.log PT:ADDriver: Connect using ldap_bind: user=IdmAdmin, domain=INBITS-TECH, password=***, method=negotiate, server=BITS-tz-dc3.in.BITS-tech.com, sign=no, seal=yes ssl=yes
>
> [12/28/18 18:48:58.657]:adnew.log PT:ADDriver: ldap_bind connection succeeded


Things look good this far at least.

> [12/28/18 18:48:58.657]:adnew.log PT:ADDriver: MadPublisherPassSync::initialize()..Calling PasswordSync_new. Domain: IN.BITS-Tech.com User: INBITS-TECH\IdmAdmin
> [12/28/18 18:48:58.658]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::PassSyncCache()
>
> [12/28/18 18:48:58.658]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetPublicKey()
>
> [12/28/18 18:48:58.659]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer()
>
> [12/28/18 18:48:58.659]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName()
>
> [12/28/18 18:48:58.661]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName() returned 0X00000000
>
> [12/28/18 18:48:59.129]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer() returned 0x00000000
>
> [12/28/18 18:48:59.129]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetPublicKey() returned 0x00000000
>
> [12/28/18 18:48:59.130]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer()
>
> [12/28/18 18:48:59.130]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName()
>
> [12/28/18 18:48:59.131]:adnew.log PT:ADDriver: [PWD] PwdCrypt::GetCspName() returned 0X00000000
>
> [12/28/18 18:48:59.133]:adnew.log PT:ADDriver: [PWD] PwdCrypt::CreateKeyContainer() returned 0x00000000
>
> [12/28/18 18:48:59.134]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::CacheInit()
>
> [12/28/18 18:48:59.134]:adnew.log PT:ADDriver: PassSyncCache::StartInitDomainThread()
>
> [12/28/18 18:48:59.134]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::StartInitDomainThread() returned 0x00000000
>
> [12/28/18 18:48:59.135]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache::CacheInit() returned 0x00000005
>
> [12/28/18 18:48:59.136]:adnew.log PT:ADDriver: [PWD 8204] PassSyncCache() - Error initializing cache 0x00000005
>
> [12/28/18 18:48:59.137]:adnew.log PT:Receiving DOM document from application.
> [12/28/18 18:48:59.137]:adnew.log PT:
> <nds dtdversion="2.2">
> <source>
> <product build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <status level="warning" type="driver-status">
> <description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
> </status>
> </input>
> </nds>
>
> --------------------


This makes me wonder if the problem may be related to how eDirectory runs
on windows, an area where I lack a ton of experience since most run on
Linux these days. By default the Remote Loader (RL) runs as SYSTEM, i.e.
the super-privileged-no-kidding user on any given windows system, but we
are not dealing with just local access, as we need to move around the
domain, and I have been told that SYSTEM is not powerful other than on the
local system. As a result, in the RL world we often change the RL service
to run as a particular service account, e.g. svc-mad-driver which is then
set up in the Administrators and Domain Admins groups, and sometimes given
other specific rights, but that usually does it. In your case, without
the RL involved, you are using IdmAdmin for access to the domain, but I
wonder if the rights of the account running the shim (in your case in the
engine directly) also come into play.

I wish I knew the answer for sure, but that's where I would probably poke
next. The reasoning (if reason has anything to do with it) is that your
password sync troubleshooting tool seems to work, but that's not running
as SYSTEM (as I suspect eDirectory itself is) but is running as your user
(probably a privileged user, maybe even privileged in the same way as
IdmAdmin), so that is a difference in how the various bits are running,
one as one user, the other as another.

On the box running the driver shim (i.e. addriver.dll, so in your case the
engine right now) there should be a HKLM\Software\Novell\PassSync key,
similar to the HKLM\Software\Novell\PwFilter key that is present on the
DCs configured for password synchronization. Another old common problem
is that rights in this area can become munged, particularly if somebody
tries to go in there and "fix" them. Under PassSync is a domain-named key
as I recall, and under that should be 'data', and you will likely not see
all of that, and it's just fine; don't try to fix it, but if you have gone
and changed rights in there, then perhaps that is the problem.

The only reliable way I know of to see all of this without breaking
publisher password synchronization is to run regedit (or equivalent) as
SYSTEM, which is tricky since it is not a real account. A lesser user
(e.g. Administrator) can change rights there and make things visible, both
under PassSync on the driver box and PwFilter on the DCs, but doing so
used to break password sync annoyingly.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
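As an added example (not from the post above, nor from the NetIQ documentation), the following read-only PowerShell checks gather the three things the post points at on the box hosting addriver.dll: what the trace's return code means, which account the service that hosts the shim runs as, and the owner and DACL of the PassSync and PwFilter keys, without touching any rights. In the Win32 error table 5 is ERROR_ACCESS_DENIED; that the shim is passing a Win32 code through is an assumption, but it fits the rights hypothesis. The service-name patterns (`NDS Server*` for eDirectory, `*Remote Loader*` for a Remote Loader instance) are also assumptions; adjust them to the names on your host.

```powershell
# Added diagnostic script, not part of the original thread. Run it from an
# elevated PowerShell on the box where addriver.dll loads (the engine host in
# this thread) and again on a DC for the PwFilter key. It only reads; it never
# changes an ACL, which is exactly what the post above warns against.

# 1. Decode the CacheInit() return value from the trace. In the Win32 error
#    table 5 is ERROR_ACCESS_DENIED. That the shim passes a Win32 code through
#    is an assumption, but it fits the rights hypothesis.
$code  = 0x00000005
$win32 = New-Object -TypeName System.ComponentModel.Win32Exception -ArgumentList $code
'PassSyncCache::CacheInit() returned 0x{0:X8}: {1}' -f $code, $win32.Message

# 2. Which account hosts the shim? eDirectory installs on Windows as a service
#    named like 'NDS Server0'; a Remote Loader instance carries 'Remote Loader'
#    in its display name. Both patterns are assumptions; change them if yours differ.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like 'NDS Server*' -or $_.DisplayName -like '*Remote Loader*' } |
    Select-Object -Property Name, State, StartName, PathName |
    Format-List

# 3. Owner, DACL and per-subkey readability of the password-sync keys.
#    Enumerating subkey names needs only enumerate rights on the parent;
#    opening a subkey needs read on that subkey, and the ones that refuse are
#    the SYSTEM-only data the post says you will not see. Report, do not fix.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($rel in 'SOFTWARE\Novell\PassSync', 'SOFTWARE\Novell\PwFilter') {
    $parent = $hklm.OpenSubKey($rel)   # read-only handle; $null if the key is absent
    if ($null -eq $parent) { "HKLM\$rel : not present on this host"; continue }
    try {
        $acl = Get-Acl -Path "HKLM:\$rel"
        "HKLM\$rel  (owner: $($acl.Owner))"
        $acl.Access |
            Select-Object -Property IdentityReference, RegistryRights, AccessControlType, IsInherited |
            Format-Table -AutoSize | Out-String
    } catch {
        "HKLM\$rel  (DACL not readable as $env:USERDOMAIN\$env:USERNAME: $($_.Exception.Message))"
    }
    foreach ($name in $parent.GetSubKeyNames()) {
        try {
            $sub = $parent.OpenSubKey($name)   # throws SecurityException when access is denied
            "  readable : $name ($($sub.SubKeyCount) subkeys, $($sub.ValueCount) values)"
            $sub.Close()
        } catch {
            "  no access: $name as $env:USERDOMAIN\$env:USERNAME (expected for SYSTEM-only data; leave the ACL alone)"
        }
    }
    $parent.Close()
}
```

Compare the StartName column with the account that ran the password sync troubleshooting tool: if the shim runs as LocalSystem and the tool ran as a domain admin, that is the difference the post describes. A subkey reported as "no access" for an Administrator session is normal; a parent key whose owner or DACL no longer lists SYSTEM is the kind of munged rights the post is talking about.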
Super Contributor.

Re: Password Sync Initialization Failed

ab;2492998 wrote:
> [ab's reply, quoted in full above]

Yes ab, my IDM engine is installed on Windows 2012 and I have done the changes you told me to.

The MAD team won't allow us to install the RL on a DC and I don't think we need to install the RL directly on a DC. Furthermore my DC server is in production and the firewall is closed; only McAfee is running. I have checked the McAfee log; it was blocking reading the registry, but now we have whitelisted it.

Is there anywhere else to look?
Knowledge Partner

Re: Password Sync Initialization Failed

On 01/03/2019 01:14 AM, frankabhinav wrote:
>
> Yes *ab*, my IDM engine is installed on Windows 2012 and I have done
> the changes you told me to.


I presume the problem persists; perhaps it is time for updated traces, then.

> The MAD team won't allow us to install the RL on a DC and I don't think we
> need to install the RL directly on a DC. Furthermore my DC server is in
> production and the firewall is closed; only McAfee is running. I have
> checked the McAfee log; it was blocking reading the registry, but now
> we have whitelisted it.


Care to explain exactly how you whitelisted things, in case others hit the
same thing, or what you saw in the McAfee product's logs? Was this on all
DCs, or somehow system-wide, I presume? Was it also on the box where the
driver (shim) is running, which in your case is the engine box, but to the
PassSync (vs. PwFilter) key?

> Is there anywhere else to look?


Traces are usually the key. Alternatively, this is all using microsoft's
RPC for communication among boxes, so the logs there can sometimes help
along with the password sync troubleshooting tool, but usually traces
(level five (5)) give sufficient information for most environments and issues.

Another option may be to have a test setup, sans things like McAfee and
other GPO-based changes, to see that things work prior to outside
interference. If so, then it is possible for you (or the McAfee folks, or
the MAD admins) to re-impose changes, one at a time perhaps, to see when
things break.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: Password Sync Initialization Failed

frankabhinav;2493094 wrote:
Yes ab, my IDM engine is installed on Windows 2012 and I have done the changes you told me to.

The MAD team won't allow us to install the RL on a DC and I don't think we need to install the RL directly on a DC. Furthermore my DC server is in production and the firewall is closed; only McAfee is running. I have checked the McAfee log; it was blocking reading the registry, but now we have whitelisted it.

Is there anywhere else to look?


In addition to everything else, with eDir on Windows, be sure to configure the A/V software not to interfere with any file access under the c:\netiq (or wherever) path. If the A/V software starts getting in the middle of disk i/o for the DIB, you will have problems.

Same for the remote loader, when in use.

I've worked with McAfee before, and it was ok with a simple configuration setting for that. I had a client with Kaspersky that absolutely would not stop interfering with the disk i/o, no matter how they configured it.
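As an added example (not from the post above): the shape of the exclusion list it recommends, derived from the service definitions on the host so that the directories and processes match the real install rather than a guessed c:\netiq. The service-name patterns are assumptions, the product root defaults to the C:\NetIQ the post mentions, and the Add-MpPreference call at the end applies the list for Microsoft Defender only (an assumption about the host); McAfee takes the same directories and processes through its own policy console.

```powershell
# Added example, not from the original thread. Builds the on-access-scan
# exclusion list for an eDirectory / Remote Loader host. The service-name
# patterns are assumptions; $ProductRoot is the C:\NetIQ path from the post.
$ProductRoot = 'C:\NetIQ'   # adjust to your install root (the DIB lives under it)

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like 'NDS Server*' -or $_.DisplayName -like '*Remote Loader*' }

# PathName is the service command line, e.g. "C:\NetIQ\eDirectory\ndsd.exe" -args;
# keep only the executable, whether or not it is quoted.
$processes = foreach ($svc in $services) {
    if ($svc.PathName -match '^"([^"]+\.exe)"' -or $svc.PathName -match '^(\S+\.exe)') {
        $Matches[1]
    }
}
$processes = @($processes | Sort-Object -Unique)

# Exclude the product root (covers the DIB) plus each binary's own directory,
# in case a Remote Loader was installed somewhere else.
$directories = @($ProductRoot) + @($processes | ForEach-Object { Split-Path -Parent $_ }) |
    Sort-Object -Unique

'Directories to exclude from on-access scanning:'
$directories | ForEach-Object { "  $_" }
'Processes whose disk I/O must not be intercepted:'
$processes   | ForEach-Object { "  $_" }

# Applying the list. This is the Microsoft Defender form (assumption that the
# host uses Defender); for McAfee enter the same entries in its policy console.
if (Get-Command -Name Add-MpPreference -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionPath $directories -ExclusionProcess $processes
    Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionProcess
}
```

Whatever product is in use, the check afterwards is the same as the post suggests: restart the driver with trace on and confirm the A/V log no longer records blocked reads under the product root or the PassSync key.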