Morgan Leecy

Password Sync filter settings AD / eDir

We have had IDM in place for a number of years now but the password sync is eDir -> AD only (one way)

We have now moved to Office 365 and we now have full AD licensing and we want the password sync to be both ways.

I have checked the server variables, and the settings match those in the documentation, I have verified all the domain controllers are ready for sync and now I just need to set up the filter.

Currently the filter is set to

Publisher -> Ignore
Subscriber - Notify
Merge Authority - Default
Optimize modifications to Identity Vault -> No

Logically, I would be setting this to Sync, Sync, Vault, No and restarting the driver, but this does not sync the password, though there are no obvious messages in the trace

Can anyone advise what the correct settings for TWO WAY sync would be (with the last reset on either side being the password used)
25 Replies
Anonymous_User

Re: Password Sync filter settings AD / eDir

leecymj wrote:

> Publisher -> Ignore
> Subscriber - Notify
> Merge Authority - Default
> Optimize modifications to Identity Vault -> No
>
> Logically, I would be setting this to Sync, Sync, Vault, No and
> restarting the driver but this does not sync the password though there
> are no obvious messages in the trace
>
> Can anyone advise what the correct settings for TWO WAY sync would be
> (with the last reset on either side being the password used)



Aside from that, you need to ensure that the password sync GCVs are
correctly set.

This is "Identity manager accepts passwords (Publisher Channel)"

https://www.netiq.com/support/kb/doc.php?id=3614450

If you also choose to set "use the distribution password for password
synchronization" then you should set:

You have Merge Authority - None and
Optimize modifications to Identity Vault - True

for nspmDistributionPassword in the driver filter.
Morgan Leecy

Re: Password Sync filter settings AD / eDir

wonderful detail, checking it all now
Morgan Leecy

Re: Password Sync filter settings AD / eDir

I have gone through every single setting on the articles for troubleshooting and can see no difference.

I am seeing reg entries being added when an AD password is attempted, and they are not getting stuck but the password is not going to eDir

However, I have taken a look at the driver overview, and I see that there is a 'Publisher Event Transformation Policy' of 'Veto Users', which basically looks like we have done a massive VETO of all object data coming from AD to VAULT of class User.

Or is this again a default setting / red herring?
Morgan Leecy

Re: Password Sync filter settings AD / eDir

I disabled the VETO now passwords are both ways
Anonymous_User

Re: Password Sync filter settings AD / eDir

leecymj wrote:

>
> I disabled the VETO now passwords are both ways


You might want to rework that veto rule so it allows password sync, but
nothing else.

This is exactly why we always prefer a level 3 trace (engine + remote
loader) showing driver startup plus the relevant issue. This allows us
to far more quickly pinpoint the underlying cause.
Morgan Leecy

Re: Password Sync filter settings AD / eDir

I celebrated too soon. Even though I was able to do ONE successful AD -> eDir sync, now they have stopped working again, though eDir -> AD is still fine (so everything is running).

I will have to revisit tomorrow and pull off new XML traces to try and find out why...
Knowledge Partner

Re: Password Sync filter settings AD / eDir

leecymj;2424272 wrote:
I celebrated too soon.. even though I was able to do ONE successful AD -> eDir sync, now they have stopped working again, though eDir -> AD is still fine (so everything is running).

I will have to revisit tomorrow and pull off new XML traces to try and find out why...

Did you see any "password event" on Remote Loader side and in Publisher Input Transformation trace (engine side)?
Morgan Leecy

Re: Password Sync filter settings AD / eDir

Well, the day just went from bad to worse

eDir to AD is no longer working

I put everything back to what it was when I started, restarted the driver (all green), restarted the RL (all ok), checked PassSync status on the other DCs (all running)

Passwords are now not going either way

I am seeing the following error

'Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: No connection to remote loader'

Which I can find a few docs on, and will need to look later when I get home
Knowledge Partner

Re: Password Sync filter settings AD / eDir

leecymj;2424283 wrote:
Well the day just went from bad to worst

eDir to AD is no longer working

I put everything back to what it was when I started, restarted the driver (all green), restarted the RL (all ok), check PassSyn status on other DC's (all running)

Passwords are now not going either way

I am seeing the following error

'Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: No connection to remote loader'

Which I can find a few docs on, and will need to look later when I get home


It can be one of those situations where the RL "froze" and the RL port isn't listening. It can start working again after a Windows restart.
Do you have FW on your RL box? Do you have FW exclusion for your RL port?

You can check status of your "open" ports with netstat.
netstat -an
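The three checks the reply above suggests (is the Remote Loader port listening, is there a firewall exclusion for it, can the engine reach it), as an added PowerShell example that is not part of the thread. The host name ADC01 is taken from the thread; TCP 8090 is assumed because it is the Remote Loader's default connection port, so substitute the port from your RL configuration. Steps 1 and 2 run on the Remote Loader box, step 3 from the IDM engine side or any host that should be able to reach it.

```powershell
# Added example, not from the thread. Assumptions: ADC01 is the Remote Loader
# host named in the thread; 8090 is the RL default port, override it with the
# value from your RL configuration.
param(
    [string]$RemoteLoaderHost = 'ADC01',
    [int]$RemoteLoaderPort = 8090
)

# 1. Listener check (the scripted form of eyeballing "netstat -an"). If the
#    Remote Loader service is running but nothing is bound to the port, the
#    RL has hung and the -9006 "No connection to remote loader" retry is the
#    expected engine-side symptom.
$listener = Get-NetTCPConnection -State Listen -LocalPort $RemoteLoaderPort -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $owner = Get-Process -Id $listener.OwningProcess
    "Listening on TCP $RemoteLoaderPort : PID $($owner.Id) ($($owner.ProcessName))"
} else {
    "Nothing is listening on TCP $RemoteLoaderPort - restart the Remote Loader (or the box)"
}

# 2. Enabled inbound Allow rules that open this port in Windows Firewall.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$RemoteLoaderPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($rules) {
    $rules | Select-Object DisplayName, Profile
} else {
    "No enabled inbound Allow rule for TCP $RemoteLoaderPort - add a firewall exclusion"
}

# 3. End-to-end reachability, run from the engine side.
Test-NetConnection -ComputerName $RemoteLoaderHost -Port $RemoteLoaderPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If step 1 shows a listener and step 3 succeeds but the engine still reports no connection, the problem is in the driver's Remote Loader connection settings (password, host:port string) rather than the network, which is the distinction the later reply in this thread draws from the RL trace.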
Morgan Leecy

Re: Password Sync filter settings AD / eDir

OK, in a much better place.

Quick overview of the infrastructure

NOVELL Primary server running IDM (old zen bundled version)

Primary domain controller (ADC01) with the remote loader

5 Domain controllers (2 in AZURE) all showing as RUNNING in the IDM Pass sync control panel applet


- If I do a reset on eDir it goes to AD - Password Sync in iManager shows as Synchronised
- If I do a reset on ADC01 it goes to eDir - However, looking at Password Sync in iManager it shows as Not Synchronised

At this point I do see a red LDAP error 42 in the DirXML trace, which I see other people have documented, where sync works well BUT shows as out of sync if you do the reset on AD

- If I do a reset on ANY OTHER DC rather than ADC01 the password does not sync to eDir

I see lots of activity on the DirXML feed, but nothing in red.

Do I need to do more than push out the setting from Control Panel applet and reboot to make sync work?
Knowledge Partner

Re: Password Sync filter settings AD / eDir

Sounds like your other DCs are not configured correctly then. Every DC in
the domain MUST have a filter, and installing it requires a restart, so
try that part again for those DCs. The rest of IDM, from the Remote
Loader (RL) box through the engine is clearly working bidirectionally, so
it's down to filter configuration.

A trace, level five (5), from the Remote Loader, showing driver startup
and the time when passwords are changed on other DCs, could still help.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
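A way to verify the point made above (every DC must have the password filter, and the install only takes effect after a restart), as an added PowerShell example that is not part of the thread. Windows loads password filters from the LSA "Notification Packages" registry value at boot, so the script reads that value and the last boot time from every DC and diffs each DC's package list against the one DC known to work. Assumptions: ADC01 is the working reference DC named in the thread; WinRM (Invoke-Command) is permitted to each DC; the ActiveDirectory module is installed where the script runs.

```powershell
# Added example, not from the thread. Assumption: the DC named as reference
# (ADC01 in the thread) already has the IDM password filter registered, so
# its Notification Packages list is the expected baseline for every DC.
param(
    [string]$ReferenceDC = 'ADC01'
)

Import-Module ActiveDirectory

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Runs on each DC: the registered password filters and the last boot time.
$probe = {
    param($key)
    [pscustomobject]@{
        Packages = @((Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages')
        LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# Baseline from the DC where AD -> eDir sync is known to work.
$reference = Invoke-Command -ComputerName $ReferenceDC -ScriptBlock $probe -ArgumentList $lsaKey
"Reference ($ReferenceDC) Notification Packages: $($reference.Packages -join ', ')"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $info = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $probe -ArgumentList $lsaKey -ErrorAction Stop
        # Anything the reference DC loads that this DC does not (case-insensitive).
        $missing = $reference.Packages | Where-Object { $info.Packages -notcontains $_ }
        [pscustomobject]@{
            DC       = $dc.HostName
            Site     = $dc.Site
            Missing  = ($missing -join ', ')
            LastBoot = $info.LastBoot
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Missing = "ERROR: $_"; LastBoot = $null }
    }
}

# A non-empty Missing column means the filter is not registered on that DC.
# An empty Missing column with a LastBoot older than the filter install
# means the DC has not been restarted since the filter was added.
$report | Sort-Object Missing -Descending | Format-Table -AutoSize
```

The diff approach avoids hard-coding the filter DLL name: whatever the Password Sync installer registered on the working DC is what the other DCs are checked for. A DC that shows up as missing the package should have the filter reinstalled from the control panel applet and then be rebooted, which matches the "installing it requires a restart" point in the reply above.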
Knowledge Partner

Re: Password Sync filter settings AD / eDir


ab;266528 Wrote:
> Sounds like your other DCs are not configured correctly then. Every DC
> in
> the domain MUST have a filter, and installing it requires a restart, so
> try that part again for those DCs. The rest of IDM, from the Remote
> Loader (RL) box through the engine is clearly working bidirectionally,
> so
> it's down to filter configuration.
>
> A trace, level five (5), from the Remote Loader, showing driver startup
> and the time when passwords are changed on other DCs, could still help.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


>
> I see lots of activity on the DirXML feed, but nothing in red.


Hi leecymj,
I will repeat my previous question that still hasn't been answered yet (and
Aaron also repeated the same question, just with different wording 😉 )
When you change your password in AD,
1. did you see any password change event in your RemoteLoader trace?
2. did you see any password change event in Publisher Input
Transformation trace (engine side)?


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=55625

Knowledge Partner

Re: Password Sync filter settings AD / eDir


Hi leecymj,
Do you have answers on these questions?


Knowledge Partner

Re: Password Sync filter settings AD / eDir

On 03/30/2016 10:36 AM, leecymj wrote:
>
> Well the day just went from bad to worst
>
> eDir to AD is no longer working
>
> I put everything back to what it was when I started, restarted the
> driver (all green), restarted the RL (all ok), check PassSyn status on
> other DC's (all running)
>
> Passwords are now not going either way


All you did originally, I think, was remove an action/rule/policy that
vetoed everything on the Publisher channel. Removing that would not cause
this, so what else did you change? Did you try to add something back in
that blocked everything other than password changes? Doing that on the
Publisher channel can, if done incorrectly, stop a driver from starting.
A trace would show clearly.

> I am seeing the following error
>
> 'Code(-9006) The driver returned a "retry" status indicating that the
> operation should be retried later. Detail from driver: No connection to
> remote loader'


The text is pretty clear, though it can be caused by more things than you
might imagine. Again, trace. Trace trace trace. If you want to post the
Remote Loader (RL) trace, that may be useful, since if you see ANY
activity there, then the problem is probably with the connection settings
(username, password, etc.) rather than an actual connection (networking,
firewall, etc.) problem.

Perhaps start a new thread, describe your current symptom (connection
issue), and then post traces.
