Noel_G Absent Member.

Re: Sync Password from AD to eDir

Thanks to everyone for your help so far. So I can finally see an AD password change appear in the Loader trace. After I started looking at the registry permissions for PassSync/Data and PwFilter/Data, I noticed that SYSTEM did not have any access. I apologize, I can't remember which one exactly, but I changed permissions so SYSTEM has full access now. After doing that, I could finally see the trace data.

Now, the password doesn't seem to be changing in eDir. I'm trying to look at dstrace output for +DXML +DVRS and +AUTH, but it seems like all I can see is the heartbeat between IDM and the Remote Loader. In the Loader trace, it looks like it creates the XML:

<nds dtdversion="2.2">
<source>
<product build="20150311_120000" instance="\TYDEN_TREE\US\VIKING\eDir2AD\Active Directory Driver" version="4.0.1.0">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify-password event-id="Active Directory Driver##15c7dc4300a##0" class-name="user" src-dn="CN=Test 12,OU=GN,OU=eDir,DC=ad,DC=vikinggroupinc,DC=com" password-admin-reset="false">
<association>449322019fa72b49a5ea3206e181507e</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>
</nds>
Not sure where to check from here.
Micro Focus Contributor

Re: Sync Password from AD to eDir

Hi Noel. I wouldn't recommend using DSTRACE for troubleshooting drivers. It is a great tool for NDS but when it comes to IDM drivers it makes everything really hard to read.

First off I'd recommend you set a trace file specific for that AD driver with a trace level of at least 3. This trace will be saved locally on the IDM server running the driver. You can do so by editing the driver properties in either iManager or Designer, as stated in the documentation https://www.netiq.com/documentation/idm402/idm_common_driver/data/b94pslt.html

Second, I'd recommend that you keep your Remote Loader trace level at 5, since that's the level that shows password synchronization happening between the client PSFs and the server PSF. You can do that by stopping your remote loader and editing it to change the trace level: https://www.netiq.com/documentation/idm402/idm_remoteloader/data/bs35pjh.html

Now, password synchronization requires your user to be enabled to use Universal Password. IDM uses the Distributed Password, represented by the nspmDistributePassword attribute, to synchronize the password back and forth between eDirectory and the connected systems. If by chance your user doesn't have a password policy applied that copies the Universal Password to the Distributed Password, the change might be getting to the Identity Vault but not going through to the actual user password. For a more thorough and specific description of how this all works please refer to the documentation at https://www.netiq.com/documentation/idm402/idm_password_management/data/brm8p3a.html

Regards!
Emmanuel
Noel_G Absent Member.

Re: Sync Password from AD to eDir

So I'll work this in reverse here. For the Universal Password, I do have a policy associated with this user, and I do also have "Synchronize Distribution Password when setting Universal Password" and "Synchronize NDS password when setting Universal Password" enabled. I guess I thought these were the correct settings since I have password sync from eDir to AD without any trouble.

I have my Remote Loader in Trace level 5. Maybe I'm not identifying errors correctly in the trace? I haven't seen any warning or errors pop up.

I will set my driver to a level 3 trace and maybe that will point me in the right direction.

Thanks so much for your help!
Micro Focus Contributor

Re: Sync Password from AD to eDir

Well, it looks like the password policy settings are correct.

Regarding the Remote Loader trace, it is kind of hard to see errors for the PSF side of things since these are not usually highlighted so you have to be extra careful when reading it. Another thing you can check to see if the password is actually getting through are the registry keys.

I'm not sure how this works at a code level, so I'll take the "black box" approach with this one, meaning the following is based on my personal observation and experience. You have three steps between the client PSFs and the server PSF.


  1. The client PSF captures the password change. At this point a registry key is generated under HKLM/SOFTWARE/Novell/PwFilter/Data with the username and inside it there are values with some information regarding the change.
  2. The client PSF informs the server PSF of the change. Then the HKLM/SOFTWARE/Novell/PwFilter/Data/<username>/ key is deleted in the DC where the change originated from, and a new key is generated in the DC with the Remote Loader for the same username under HKLM/SOFTWARE/Novell/PassSync/Data. At this point you should see some activity in the Remote Loader trace.
  3. After some time, usually a few seconds, a new event will be generated and the password will flow through the driver's publisher channel into the IDV. You should first see some PSF activity here and then the actual XDS document. At this point the HKLM/SOFTWARE/Novell/PassSync/Data/<username>/ should be deleted, if it's not then there are some permission issues with the SYSTEM account, usually the lack of permissions over subkeys in the parent key.

Other than that, check if the password you are using on the AD side of things matches the requirements set by your password policy on the eDir side of things.

Regards!
Emmanuel
Noel_G Absent Member.
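An added example, not from this thread and not NetIQ's own tooling, that turns the three-step registry walk above into a check you can run on each DC: for the client PSF stage (PwFilter\Data) and the server PSF stage (PassSync\Data) it reports whether SYSTEM holds Full Control that is inherited by subkeys, and lists any per-user subkeys still sitting there, which is the "change has not moved on" symptom from the steps above. The key paths are the ones quoted in the thread; the interpretation of a lingering per-user subkey as "pending" follows Emmanuel's black-box description and is an assumption, not documented behaviour.

```powershell
# Added example, not from the thread or from NetIQ. Walks the two registry stages
# named in the thread (client PSF -> PwFilter\Data, server PSF -> PassSync\Data),
# reports whether SYSTEM holds Full Control that is inherited by subkeys, and lists
# any per-user subkeys that have not yet moved to the next stage. Key paths are the
# ones quoted in the thread; run in an elevated PowerShell on the relevant DC.

$stages = @(
    @{ Name = 'Client PSF capture (PwFilter)';  Path = 'HKLM:\SOFTWARE\Novell\PwFilter\Data' },
    @{ Name = 'Server PSF hand-off (PassSync)'; Path = 'HKLM:\SOFTWARE\Novell\PassSync\Data' }
)

function Test-SystemFullControl {
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    # Look for an Allow rule (explicit or inherited) granting SYSTEM Full Control.
    $rule = $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl
        } |
        Select-Object -First 1
    if (-not $rule) { return 'SYSTEM lacks Full Control' }
    # Without ContainerInherit the per-user subkeys created later do not receive the
    # right, which matches the "permissions over subkeys" symptom from step 3.
    if (-not $rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) {
        return 'Full Control present but not inherited by subkeys'
    }
    return 'OK'
}

function Get-PendingUsers {
    param([string]$KeyPath)
    # Each subkey is named after a user whose change has not yet moved on (assumption
    # based on the observed behaviour described in the thread).
    Get-ChildItem -Path $KeyPath | Select-Object -ExpandProperty PSChildName
}

foreach ($stage in $stages) {
    if (-not (Test-Path -Path $stage.Path)) {
        Write-Output ('{0}: {1} not present on this host' -f $stage.Name, $stage.Path)
        continue
    }
    Write-Output ('{0}: SYSTEM permissions -> {1}' -f $stage.Name, (Test-SystemFullControl -KeyPath $stage.Path))
    $pending = @(Get-PendingUsers -KeyPath $stage.Path)
    if ($pending.Count -gt 0) {
        Write-Output ('  pending user keys: {0}' -f ($pending -join ', '))
    } else {
        Write-Output '  no pending user keys (change moved on, or nothing captured yet)'
    }
}
```

Run it on the DC where the change originated to check the PwFilter stage, and on the DC hosting the Remote Loader to check the PassSync stage; a per-user key that stays behind on the PassSync side after the XDS document has appeared in the driver trace is the permission problem Emmanuel describes.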

Re: Sync Password from AD to eDir

I think I found the smoking gun. So after looking through the trace on the driver this is what I found.

[06/06/17 11:29:09.624]:Active Directory Driver PT:Applying policy: %+C%14CNOVLPWDSYNC-pub-ctp-CheckPwdGCV%-C.
[06/06/17 11:29:09.624]:Active Directory Driver PT: Applying to modify-password #1.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Evaluating selection criteria for rule 'Block publishing passwords to the Identity Vault when adding an object'.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-global-variable 'enable-password-publish' equal "false") = TRUE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-operation equal "add") = FALSE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Rule rejected.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Evaluating selection criteria for rule 'Block sending modify-password changes to the Identity Vault'.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-global-variable 'enable-password-publish' equal "false") = TRUE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-operation equal "modify-password") = TRUE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Rule selected.
[06/06/17 11:29:09.626]:Active Directory Driver PT: Applying rule 'Block sending modify-password changes to the Identity Vault'.
[06/06/17 11:29:09.626]:Active Directory Driver PT: Action: do-veto().

[06/06/17 11:29:09.626]:Active Directory Driver PT:Policy returned:
[06/06/17 11:29:09.626]:Active Directory Driver PT:

I've colored the text green to show what I think the problem is. So I went to check out the transformation policy NOVLPWDSYNC-pub-ctp-CheckPwdGCV, and then I went over to the "Global Config Values" in the Driver Set Properties. There isn't anything there in GCV, only in Common Settings. Should there be something in here by default, or do I need to create the variable "enable-password-publish" and set it to true?
Micro Focus Contributor
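An added example, not from this thread and not part of the AD driver, that reads a level-3 driver trace like the one above and reports each event that a policy vetoed: the policy name, the operation, the rule that was selected, and every condition that evaluated TRUE. On the sample lines Noel posted it points straight at the 'enable-password-publish' GCV. The sample trace is the one quoted above; the prefix and message layout the regular expressions assume is taken from those lines and is not a documented trace format.

```powershell
# Added example, not from the thread or from NetIQ. Scans driver trace lines for
# policy rules that ended in do-veto() and reports the policy, the operation, the
# rule and every condition that evaluated TRUE, so the GCV or operation behind the
# veto is visible at a glance. The sample lines are the ones posted in the thread;
# the line layout the regexes assume is an observation, not a documented format.

$sampleTrace = @'
[06/06/17 11:29:09.624]:Active Directory Driver PT:Applying policy: %+C%14CNOVLPWDSYNC-pub-ctp-CheckPwdGCV%-C.
[06/06/17 11:29:09.624]:Active Directory Driver PT: Applying to modify-password #1.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Evaluating selection criteria for rule 'Block publishing passwords to the Identity Vault when adding an object'.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-global-variable 'enable-password-publish' equal "false") = TRUE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-operation equal "add") = FALSE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Rule rejected.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Evaluating selection criteria for rule 'Block sending modify-password changes to the Identity Vault'.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-global-variable 'enable-password-publish' equal "false") = TRUE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: (if-operation equal "modify-password") = TRUE.
[06/06/17 11:29:09.625]:Active Directory Driver PT: Rule selected.
[06/06/17 11:29:09.626]:Active Directory Driver PT: Applying rule 'Block sending modify-password changes to the Identity Vault'.
[06/06/17 11:29:09.626]:Active Directory Driver PT: Action: do-veto().
'@ -split "`r?`n"

function Find-VetoedEvents {
    param([string[]]$Lines)
    $results = @()
    $policy = $null; $operation = $null; $rule = $null; $trueConditions = @()
    foreach ($line in $Lines) {
        # Drop the "[timestamp]:<driver name> PT:" prefix; what remains is the message.
        $msg = $line -replace '^\[[^\]]*\]:[^:]*:\s*', ''
        switch -Regex ($msg) {
            '^Applying policy: %\+C%14C(.+?)%-C\.$'             { $policy = $Matches[1] }
            '^Applying to (\S+) #\d+\.$'                        { $operation = $Matches[1] }
            "^Evaluating selection criteria for rule '(.+)'\.$" { $rule = $Matches[1]; $trueConditions = @() }
            '^\((.+)\) = TRUE\.$'                               { $trueConditions += $Matches[1] }
            '^Action: do-veto\(\)\.$' {
                # A veto ends the event; record what led to it.
                $results += [pscustomobject]@{
                    Policy         = $policy
                    Operation      = $operation
                    Rule           = $rule
                    TrueConditions = $trueConditions
                }
            }
        }
    }
    return $results
}

# Point this at a real trace with: Find-VetoedEvents -Lines (Get-Content .\ad-driver.trace)
Find-VetoedEvents -Lines $sampleTrace | Format-List
```

On the sample it returns one record: policy NOVLPWDSYNC-pub-ctp-CheckPwdGCV, operation modify-password, rule 'Block sending modify-password changes to the Identity Vault', with both conditions listed as TRUE, which is the GCV check to follow up on.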

Re: Sync Password from AD to eDir

Noel_G;2459032 wrote:
> I think I found the smoking gun. So after looking through the trace on the driver this is what I found.
>
> I've colored the text green to show what I think the problem is. So I went to check out the transformation policy NOVLPWDSYNC-pub-ctp-CheckPwdGCV, and then I went over to the "Global Config Values" in the Driver Set Properties. There isn't anything there in GCV, only in Common Settings. Should there be something in here by default, or do I need to create the variable "enable-password-publish" and set it to true?


I'd recommend you first check the driver GCVs. The way it works is that Driver GCVs take precedence over Driver Set GCVs, so you can have a global configuration for all drivers (Driver Set GCV) and then override it for each driver (Driver GCV). If the GCV doesn't exist at driver level, then you could try and create it there so you don't affect the global configuration of the driver set.

Edit: Since we are in the subject this might come in handy https://www.netiq.com/communities/cool-solutions/explaining-gcvs-part-1/ 😉
Knowledge Partner

Re: Sync Password from AD to eDir

Noel G <Noel_G@no-mx.forums.microfocus.com> wrote:
> think I found the smoking gun. So after looking

> do I need to create the variable "enable-password-publish"

You should not need to. There is a separate option in Designer to configure
password sync when you right click on a driver.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Noel_G Absent Member.

Re: Sync Password from AD to eDir

Thanks to everyone for your help. My passwords are now syncing bi-directionally. It's been a few years since I set it up, and I forgot about all of the GCV options on the driver itself. I set enable-password-publish to true and all was good.

If I remember correctly, I only used Designer to install the driver set/driver, then I configured everything else through iManager.

Thanks again!
Knowledge Partner

Re: Sync Password from AD to eDir

Noel G wrote:

> Thanks to everyone for your help. My passwords are now syncing
> bi-directional. It's been a few years since I set it up, and forgot
> about all of the GCV options on the driver itself. I set
> enable-password-publish to true and all was good.
>


Thanks for reporting back, glad you got it to work.
Alex McHugh - Knowledge Partner - Stavanger, Norway