
Password sync from AD to eDir

I have (eventually) IDM 3.6.1 working with no problems from eDir to AD

I would expect that the other way it should also work, but it seems that the
password changed in AD does not make it to eDirectory

Any ideas?

Seb


7 Replies

Re: Password sync from AD to eDir

On 5/1/2013 9:23 AM, Sebastian Cerazy wrote:
> I have (eventually) IDM 3.6.1 working with no problems from eDir to AD
>
> I would expect that the other way it should also work, but it seems that the
> password changed in AD does not make it to eDirectory
>
> Any ideas?
>
> Seb
>
>

Have you installed the password filters onto the domain controllers?

https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k9b.html



Re: Password sync from AD to eDir

Does that also apply for 3.6.1 ?

Seb

"Will Schneider" <descent@no-mx.forums.netiq.com> wrote in message
news:jX9gt.1688$8q1.1541@kozak.provo.novell.com...
> On 5/1/2013 9:23 AM, Sebastian Cerazy wrote:
>> I have (eventually) IDM 3.6.1 working with no problems from eDir to AD
>>
>> I would expect that the other way it should also work, but it seems that
>> the
>> password changed in AD does not make it to eDirectory
>>
>> Any ideas?
>>
>> Seb
>>
>>

> Have you installed the password filters onto the domain controllers?
>
> https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k9b.html
>
>




Re: Password sync from AD to eDir

On 5/2/2013 12:03 PM, Sebastian Cerazy wrote:
> Does that also apply for 3.6.1 ?
>
> Seb
>
> "Will Schneider" <descent@no-mx.forums.netiq.com> wrote in message
> news:jX9gt.1688$8q1.1541@kozak.provo.novell.com...
>> On 5/1/2013 9:23 AM, Sebastian Cerazy wrote:
>>> I have (eventually) IDM 3.6.1 working with no problems from eDir to AD
>>>
>>> I would expect that the other way it should also work, but it seems that
>>> the
>>> password changed in AD does not make it to eDirectory
>>>
>>> Any ideas?
>>>
>>> Seb
>>>
>>>

>> Have you installed the password filters onto the domain controllers?
>>
>> https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k9b.html


Yes. The AD model of functionality has not changed since 3.6.1. In 4.02
there is a cool extra feature about using a pseudo attr PSexecute (I think)
that lets you send in PowerShell commands within the Exchange and AD
management cmdlet set.

But that has nothing to do with password sync and filters, which are the
same since IDM 2 I think.

Filters are the only way to catch password changes in AD.



Re: Password sync from AD to eDir

Thanks.

But what I do not get is in the docs

The Active Directory driver must be configured to run on only one Windows
machine. However, for password synchronization to occur, you must install a
password filter (pwFilter.dll) on each domain controller and configure the
registry to capture passwords to send to the Identity Vault.

I have 2 servers doing AD (2 Domain controllers)

One with Remote Loader

On this one I have no problem configuring pwFilter.dll as per docs

But how would I install (do I really need it?) pwFilter.dll on the second
Domain controller?

Docs state: "On the domain controller, use the Identity Manager Installation
to install only the Identity Manager Driver for Active Directory."

That simply is NOT possible; one needs to also install Remote Loader & lots
of other drivers (that can be left unconfigured/not used)

And why the need to have it installed on every DC? AD is distributed, so the
changes propagate (unless it is the action of change that needs to be
"noticed & sent to the ID driver" - am I right?)

Seb


"Geoffrey Carman" <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote in message
news:cewgt.1781$8q1.1220@kozak.provo.novell.com...
> On 5/2/2013 12:03 PM, Sebastian Cerazy wrote:
>> Does that also apply for 3.6.1 ?
>>
>> Seb
>>
>> "Will Schneider" <descent@no-mx.forums.netiq.com> wrote in message
>> news:jX9gt.1688$8q1.1541@kozak.provo.novell.com...
>>> On 5/1/2013 9:23 AM, Sebastian Cerazy wrote:
>>>> I have (eventually) IDM 3.6.1 working with no problems from eDir to AD
>>>>
>>>> I would expect that the other way it should also work, but it seems
>>>> that
>>>> the
>>>> password changed in AD does not make it to eDirectory
>>>>
>>>> Any ideas?
>>>>
>>>> Seb
>>>>
>>>>
>>> Have you installed the password filters onto the domain controllers?
>>>
>>> https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k9b.html

>
> Yes. The AD model of functionality has not changed since 3.6.1. In 4.02
> there is a cool extra feature about using a pseudo attr PSexecute (I think)
> that lets you send in PowerShell commands within the Exchange and AD
> management cmdlet set.
>
> But that has nothing to do with password sync and filters, which are the
> same since IDM 2 I think.
>
> Filters are the only way to catch password changes in AD.
>
>




Re: Password sync from AD to eDir

On 03.05.2013 11:26, Sebastian Cerazy wrote:
> The Active Directory driver must be configured to run on only one Windows
> machine. However, for password synchronization to occur, you must install a
> password filter (pwFilter.dll) on each domain controller and configure the
> registry to capture passwords to send to the Identity Vault.
>
> I have 2 servers doing AD (2 Domain controllers)
>
> One with Remote Loader
>
> On this one I have no problem configuring pwFilter.dll as per docs
>
> But how would I install (do I really need it?) pwFilter.dll on the second
> Domain controller
>
> Docs state: "On the domain controller, use the Identity Manager Installation
> to install only the Identity Manager Driver for Active Directory."


On the DC where the remote loader is installed, there is a control panel
that you can use to configure and install password filters.

See:
https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k9b.html#b94lpf6
in the documentation (the procedure is the same for 3.6.1)

Look at step 10 - where you select one or more DCs and click "add" to
install the password sync filter. Then reboot each DC to activate the
password filter.

You should NOT need to log onto each DC.

> That simply is NOT possible, one need to also install Remote Loader & lots
> of other drivers (that can be not configured/not used)
>
> And why the need to have it installed on every DC? AD is distributed, so the
> changes propagate (unless it is the action of change that needs to be
> "noticed & sent to the ID driver" - am I right?)


The password is encrypted (using a non reversible encryption) and only
the encrypted value is propagated.

The only way IDM can capture the unencrypted password is to use the
password filter.

This is why the password filter needs to be installed on each DC - as
password changes can be processed by any read-write DC.



--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.
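The reply above explains why the filter has to sit on every writable DC: the password is only available in clear at the moment the change is processed, on whichever DC processes it. The following PowerShell check is an added example, not something posted in this thread or shipped with IDM. It audits every writable domain controller for the filter deployment the replies describe and flags any DC where password changes would silently bypass the Identity Vault. It assumes the ActiveDirectory module and PowerShell remoting to the DCs are available, that the filter is registered in LSA's `Notification Packages` under the name `pwFilter` (assumed; the thread only gives the DLL name), and that the DLL was copied to `%SystemRoot%\System32` (assumed location; confirm against the driver documentation for your version).

```powershell
# Added example: audit writable DCs for the IDM password filter (pwFilter.dll).
# Assumptions (not from the thread): ActiveDirectory module + WinRM available,
# LSA entry name 'pwFilter', DLL location %SystemRoot%\System32\pwFilter.dll.
Import-Module ActiveDirectory

# Only read-write DCs can process a password change, so only they need the filter.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # REG_MULTI_SZ of DLL base names LSA loads as password notification packages
        $packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
        $dllPath  = Join-Path $env:SystemRoot 'System32\pwFilter.dll'   # assumed location

        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            FilterInLsa = ($packages -contains 'pwFilter')            # assumed entry name
            DllPresent  = (Test-Path $dllPath)
            AllPackages = ($packages -join ';')                        # review for anything unexpected
            # The filter only loads at boot; compare with the install time of the DLL.
            LastBoot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            DllWritten  = if (Test-Path $dllPath) { (Get-Item $dllPath).LastWriteTime } else { $null }
        }
    }
}

$report | Format-Table DC, FilterInLsa, DllPresent, LastBoot, DllWritten, AllPackages -AutoSize

# Any DC failing either check, or rebooted before the DLL was written, will not
# forward password changes it handles to the Identity Vault.
$report | Where-Object {
    -not ($_.FilterInLsa -and $_.DllPresent) -or
    ($_.DllWritten -and $_.LastBoot -lt $_.DllWritten)
} | ForEach-Object {
    Write-Warning "$($_.DC): password filter missing or not yet active (reboot required?)"
}
```

Run it from a workstation with domain admin rights after the filter has been pushed from the Remote Loader control panel. The `AllPackages` column is worth reading in full: LSA notification packages see every password change in clear, so the list on each DC should contain only the entries you deliberately installed.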

Re: Password sync from AD to eDir

3.6.1 docs are here:

http://www.novell.com/documentation/idm36drivers/ad/?page=/documentation/idm36drivers/ad/data/bktitle.html

Seb

"Will Schneider" <descent@no-mx.forums.netiq.com> wrote in message
news:jX9gt.1688$8q1.1541@kozak.provo.novell.com...
> On 5/1/2013 9:23 AM, Sebastian Cerazy wrote:
>> I have (eventually) IDM 3.6.1 working with no problems from eDir to AD
>>
>> I would expect that the other way it should also work, but it seems that
>> the
>> password changed in AD does not make it to eDirectory
>>
>> Any ideas?
>>
>> Seb
>>
>>

> Have you installed the password filters onto the domain controllers?
>
> https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k9b.html
>
>




Re: Password sync from AD to eDir

On Wed, 01 May 2013 14:23:05 +0000, Sebastian Cerazy wrote:

> I have (eventually) IDM 3.6.1 working with no problems from eDir to AD
>
> I would expect that the other way it should also work, but it seems that
> the password changed in AD does not make it to eDirectory


The documentation covers setting up password synchronization from MAD to
eDir. Have you followed it?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
