Anonymous_User

Password is not sync to AD


Guys,

I just upgraded the eDirectory driver of the main tree to IDM 4.0.2;
account and password are synced between eDirectory and ID Vault without any
issue.

Unless I associate the universal password policy to the user ID, the account
and password are not synced automatically from ID Vault to MAD.

Before the upgrade, account and password were synced from ID Vault to MAD
without associating to a universal password policy. The container holding the
user account is already associated to the universal password policy.


Any idea please let me know.


--
Talemayehu
------------------------------------------------------------------------
Talemayehu's Profile: https://forums.netiq.com/member.php?userid=2808
View this thread: https://forums.netiq.com/showthread.php?t=46160

Anonymous_User

Re: Password is not sync to AD

> I just upgraded the eDirectory driver of the main tree to IDM 4.0.2;
> account and password are synced between eDirectory and ID Vault without
> any issue.


That's good.

> Unless I associate the universal password policy to the user ID, the
> account and password are not synced automatically from ID Vault to MAD.

The location of the password policy's assignment in the tree is
irrelevant to IDM. All IDM cares about is that the password value
changes in a way it can pick up (must change, must hold appropriate
replicas, must have rights to see it, etc.). It may seem that the
location of the policy's assignment matters, but that's a red herring
which may point us, somewhat, toward the real problem.

> Before the upgrade, account and password were synced from ID Vault to
> MAD without associating to a universal password policy. The container
> holding the user account is already associated to the universal password
> policy.


I'll take your word on it, but it's not how things work; perhaps this is
some kind of new bug in NMAS, but that's the only way I can see things
happening as described. Slight alternatives may include a change in
tree partitioning which also happened near the upgrade time (changing
things in a way not noticed until after the upgrade), or perhaps the
policy being applied directly to users is different from the one applied
at the container (and it works while the one applied to the container
does not, maybe because the one applied to users properly synchronizes
with the distribution password), or else corruption within eDirectory
may be happening but that seems the least likely of all.

The biggest thing often missed is that a Universal Password (UP)
policy does not flow down through containers. It can be applied at a
container and it will then apply to any user directly within that
container, but it will NOT apply to sub-containers. As a result a
partitioning change in the tree (such as merging a previously-defined
partition into the parent partition) can break UP policy assignments, or
at least make them behave in ways that are not expected at the time of
the partition merge.

Please show where in the tree your policy is applied, along with the DN
of that policy. Next show the DN of the policy applied to the user.
Finally, if you can somehow let us know the polic(y's/ies')
rules/definition that may be useful so we can verify it/they work(s)
correctly.

Oh, one more option. Depending on how you change passwords (and
specifics really, really matter here) it could be a coincidence. If you
change it on the server (via LDAP for example) then it should normally
be setting the Universal Password for you. If you change it from the
client, then it is a little harder to prove that the client is using
NMAS since it needs the NMAS client to be both installed (as it is by
default) and enabled (as it is by default), but often one of those is
undone or foregone by the administrator. As a result you can get
intermittent results depending on the workstation used to change the
password.

Good luck.
Knowledge Partner

Re: Password is not sync to AD

I think I hit that post submitted to NNTP and lost...

I sent:


On 11/14/2012 2:34 PM, Talemayehu wrote:
>
> Guys,
>
> I just upgraded the eDirectory driver of the main tree to IDM 4.0.2;
> account and password are synced between eDirectory and ID Vault without any
> issue.
>
> Unless I associate the universal password policy to the user ID, the account
> and password are not synced automatically from ID Vault to MAD.


Do you know how to enable and read Dstrace output for your driver?

If so, consider finding such an example case and posting what you see in
your driver. (Post the minor relevant snippet to this forum, but the
full trace of the event to pastebin.org since attachments are not allowed).

The root cause is likely a rule in the Sub-Create of the AD driver,
which expects an nspmDistributionPassword (aka the Universal Password)
on the user before creating in AD.

Associating a policy to the user is needed to add this password type to
a user.

> Before the upgrade, account and password were synced from ID Vault to MAD
> without associating to a universal password policy. The container holding the
> user account is already associated to the universal password policy.


The password policies inherit from an OU down one level, unless that OU
marks a partition boundary.

So did that possibly change? An OU where the policy is associated
changed from a Partition boundary to not? (Merge a partition into its
parent?)


> Any idea please let me know.

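The two replies above point at the same diagnosis from two angles: a Universal Password policy assigned to a container reaches only the objects directly in it (or the whole partition when that container is a partition root), and the AD driver's Sub-Create rule refuses to create the user in AD while nspmDistributionPassword is absent. The Python model below is an added example, not NetIQ/IDM code and not anything posted in this thread; the tree layout, partition roots, policy name and the resolution order (direct user assignment, then immediate parent container, then partition root) are constructed assumptions, used only to illustrate how merging a partition into its parent could produce the symptom described.

```python
"""Toy model of Universal Password policy resolution and the AD driver's
Sub-Create check. Added example with constructed sample data; it is not
NetIQ/IDM code and the resolution order is an assumption drawn from the
replies in this thread."""
from dataclasses import dataclass
from typing import Optional, Tuple


def parent_dn(dn: str) -> Optional[str]:
    """Parent of an LDAP-style DN, or None at the tree root.
    Simplification: RDN values are assumed to contain no escaped commas."""
    _head, sep, rest = dn.partition(",")
    return rest if sep else None


@dataclass
class Tree:
    partition_roots: set        # DNs that are partition roots
    assignments: dict           # DN (user or container) -> policy name
    distributes_password: dict  # policy name -> does it synchronize the
                                # distribution password (nspmDistributionPassword)?

    def partition_root_of(self, dn: str) -> Optional[str]:
        """Walk upward until a partition root is found."""
        cur: Optional[str] = dn
        while cur is not None:
            if cur in self.partition_roots:
                return cur
            cur = parent_dn(cur)
        return None

    def resolve(self, user_dn: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (source, policy): source is 'user', 'container',
        'partition' or None. Assumed order of precedence."""
        if user_dn in self.assignments:
            return "user", self.assignments[user_dn]
        parent = parent_dn(user_dn)
        # A container assignment applies one level down only.
        if parent is not None and parent in self.assignments:
            return "container", self.assignments[parent]
        # A partition-root assignment covers everything in that partition.
        root = self.partition_root_of(user_dn)
        if root is not None and root in self.assignments:
            return "partition", self.assignments[root]
        return None, None

    def effective_policy(self, user_dn: str) -> Optional[str]:
        return self.resolve(user_dn)[1]

    def has_distribution_password(self, user_dn: str) -> bool:
        """A user only carries nspmDistributionPassword when an effective
        policy that synchronizes the distribution password applies."""
        policy = self.effective_policy(user_dn)
        return policy is not None and self.distributes_password.get(policy, False)


def sub_create_allows(tree: Tree, user_dn: str) -> bool:
    """Models the AD driver Sub-Create rule from the reply above: the add
    is vetoed unless the user carries nspmDistributionPassword."""
    return tree.has_distribution_password(user_dn)


def merge_partition(tree: Tree, partition_root: str) -> None:
    """Simulate merging a child partition into its parent: the child DN
    stops being a partition root, so policy lookups climb further up."""
    tree.partition_roots.discard(partition_root)


def build_sample_tree() -> Tree:
    """Constructed sample: ou=users is its own partition and carries the
    policy; ou=sales sits below it with no assignment of its own."""
    return Tree(
        partition_roots={"o=vault", "ou=users,o=vault"},
        assignments={"ou=users,o=vault": "Default UP Policy"},
        distributes_password={"Default UP Policy": True},
    )


if __name__ == "__main__":
    tree = build_sample_tree()
    alice = "cn=alice,ou=sales,ou=users,o=vault"   # two levels below the policy
    bob = "cn=bob,ou=users,o=vault"                 # directly in the policy OU
    for label in ("before merge", "after merge"):
        for dn in (alice, bob):
            print(label, dn, tree.resolve(dn), "AD create:",
                  sub_create_allows(tree, dn))
        merge_partition(tree, "ou=users,o=vault")
    # Assigning the policy directly to the user restores the create.
    tree.assignments[alice] = "Default UP Policy"
    print("after direct assignment", tree.resolve(alice),
          "AD create:", sub_create_allows(tree, alice))
```

Bob, who sits directly in the container, keeps his policy through the merge; Alice, two levels down, was covered only by the partition-root assignment and loses it once that OU stops being a partition root, which is exactly the "works only when the policy is associated directly to the user" symptom in the original post.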
Anonymous_User

Re: Password is not sync to AD

On Wed, 14 Nov 2012 19:34:01 +0000, Talemayehu wrote:

> Unless I associate the universal password policy to the user ID, the account
> and password are not synced automatically from ID Vault to MAD.


Trace?

--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
