Absent Member.

Password sync issue between edir and AD

We have IDM 4.5.2 syncing users between eDir and AD, and have password sync through that driver. If we have the user pwd expiring from eDir and the user logs into GroupWise, they are prompted to change their password and that password change syncs. On the other hand, if we have the password expired in AD and the user is prompted from their Windows workstation to change their password, that does not sync. If the password in AD is not set to expire but the user changes their password on their workstation, it syncs as it is supposed to.
What seems to be the problem is when the user is forced to change their password by AD. On a user object in iManager if I check their password status under those circumstances, it will display the following:

"Not Synchronized. Check password connection validation.Bind failed because of one or more of the following errors.The user's password must be changed before logging on the first time.Invalid Credentials"

Is this something to be expected? I do not have GroupWise accounts for all users so I cannot fall back to having eDir be the only place where their password would expire - I have to have AD do it.

Any feedback would be appreciated

-Dan
Knowledge Partner

Re: Password sync issue between edir and AD

No, and most likely the symptoms are a coincidence.

All password changes in MAD go to a DC, no matter what causes them, or who
changes them, or anything else. The selection of DCs is almost always
random, so you MUST have a filter running properly on all DCs. The
most likely cause for a password synchronizing less than 100% of the time
is one or more DCs missing the filter, so the password is only
synchronized from MAD to eDirectory/vault when the user's workstation
happens to hit DCs that do have the filter running properly.

For more troubleshooting, post a level five (5) trace from the Remote
Loader (RL) side at the time of the password change that is working, as
well as the time of a password change that is expected to fail.

--
Good luck.

0 Likes
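
One way to check the point made in the reply above, that the filter must be registered on every DC (an added example, not part of the original thread and not NetIQ's own tooling). It reads the LSA "Notification Packages" value on each domain controller; the package name PWFILTER is an assumption, so pass the name your filter actually registers under.

```powershell
# Added example: audit all DCs for a password-filter entry in LSA Notification Packages.
# Assumptions: the ActiveDirectory module and PowerShell remoting are available,
# and the filter's package name is 'PWFILTER' unless overridden.
param(
    [string]$FilterName = 'PWFILTER'
)

Import-Module ActiveDirectory

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Notification Packages is a REG_MULTI_SZ: one package name per entry.
        $packages = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path $using:lsaKey -Name 'Notification Packages').'Notification Packages'
        }
        [pscustomobject]@{
            DC               = $dc.HostName
            Site             = $dc.Site
            FilterRegistered = [bool]($packages -contains $FilterName)  # case-insensitive match
            Packages         = $packages -join ', '
            Error            = $null
        }
    }
    catch {
        # An unreachable DC is reported as unknown, never as passing.
        [pscustomobject]@{
            DC               = $dc.HostName
            Site             = $dc.Site
            FilterRegistered = $null
            Packages         = $null
            Error            = $_.Exception.Message
        }
    }
}

$results | Sort-Object DC | Format-Table DC, Site, FilterRegistered, Packages, Error -AutoSize

# Any DC listed here can accept a password change that never reaches the driver.
$gaps = $results | Where-Object { $_.FilterRegistered -ne $true }
if ($gaps) {
    Write-Warning ("DCs without a confirmed filter registration: " + ($gaps.DC -join ', '))
}
```

A registry entry only shows that the filter is registered. LSA loads notification packages at boot, so a DC that has not been restarted since the filter was installed may still not be running it.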
Absent Member.

Re: Password sync issue between edir and AD

All DCs in the domain have the filter. I will post a trace either later today or tomorrow.
Knowledge Partner

Re: Password sync issue between edir and AD


dpbrant;265456 Wrote:
> All DCs in the domain have the filter. I will post a trace either later
> today or tomorrow


Hi Dan,
From your explanation, it looks like the user changed an expired "local" user
account (not a domain user account).
In this case it is logical that the password filters on the DCs didn't
capture any password change.

Could you confirm that it was a domain user case?
Could you repeat the same steps again and provide RL logs?


Absent Member.

Re: Password sync issue between edir and AD

Yes, this was a user in AD. BTW, this behavior seems to have started shortly after applying MS patches on the DC that the Remote Loader is on.
We also noticed that, while the engine was at the 4.5 release, the RL was at 4.0.2. We have resolved the issue at this point by upgrading the Remote Loader to 4.5.3 as well as applying the 4.5.3 Engine update. The password sync and AD driver were at the latest version already.

Lesson to be learned here for me is to keep the whole environment up-to-date at the same time.

Thanks for the quick feedback!
Knowledge Partner

Re: Password sync issue between edir and AD


Thank you for your feedback, dpbrant!
> Lesson to be learned here for me is to keep the whole environment
> up-to-date at the same time

This can be good advice for everybody! 🙂

From my personal experience, I prefer to have the RL version the same as or
higher than the Engine version.
Alex

