Noel_G

Sync Password from AD to eDir

Hello! I'm using IDM 4.0.2 and I have successfully been using it to sync accounts and passwords from eDir to AD. I can also modify groups in AD and those changes sync back to eDir. My new challenge is to have bi-directional password sync working. I updated the driver to notify on password changes in both directions, but still no luck. Passwords still sync from eDir to AD but not the other way around. Any ideas, or things for me to check?

AD is a 2012 R2 functional level
eDir is Agent Build Number 20810.20
20 Replies
Micro Focus Contributor

Re: Sync Password from AD to eDir

Hello Noel. Password sync in the AD driver requires a secure connection and the installation of password sync filters on the AD Domain Controllers.

Correct me if I'm wrong, but I believe you are already using a secure connection in your driver since you are currently able to synchronize passwords through the subscriber channel (eDir to AD).

Now, have you installed and configured the password sync filter in all of the AD Domain Controllers? Also, is your remote loader installed in a domain controller or a member server?

BTW, this portion of the documentation might come in handy: https://www.netiq.com/documentation/idm402drivers/ad/data/bow0k51.html

Regards!
Noel_G

Re: Sync Password from AD to eDir

Thanks for the quick response.
I do indeed have the secure connection configured.

I have the filter installed and running on both of my DCs. Just confirmed by looking at the IDM PassSync control panel. My remote loader is installed directly on a domain controller as well.

I'll have a look through that documentation.
Noel_G

Re: Sync Password from AD to eDir

I just discovered this gem. Going to try and go through this process. When I manually looked into the registry a while ago, I never saw anything going into Software\Novell\PwFilter\Data. At that time, I thought maybe the filter install was messed up, so I uninstalled the filter, rebooted, and installed the filter and rebooted again. I got sidetracked after that, but now I'm back at it.
Knowledge Partner

Re: Sync Password from AD to eDir

On 6/5/2017 10:14 AM, Noel G wrote:
>
> I just discovered this 'gem'
> (https://www.netiq.com/communities/cool-solutions/active-directory-password-troubleshooter-tool-part-1/).


Hope this helps you. The tool is really nice to have.

One side note, are you running in Negotiate or Simple mode? Passwords
only flow on Pub channel in Negotiate not Simple mode.

That one bit me a few months back.


> Going to try and go through this process. When I manually looked into
> the registry a while ago, I never saw anything going into
> Software\Novell\PwFilter\Data. At that time, I thought maybe the filter
> install was messed up, so I uninstalled the filter, rebooted, and
> installed the filter and rebooted again. I got sidetracked after that,
> but now I'm back at it.


Micro Focus Contributor

Re: Sync Password from AD to eDir

geoffc's guides are the best! Half of what I know comes from them. I was actually writing a lengthy reply with each step I would go through but I believe he covered all of it.

One thing I'm gonna add is that you should check that the SYSTEM account has the correct permissions over the HKLM/SOFTWARE/Novell/PassSync/Data key and subkeys in the Remote Loader DC. I've seen instances where the client PSF (Password Sync Filter) captures the password change and sends it to the server PSF in the Remote Loader but then the Remote Loader can't process the password change since it doesn't have the correct permissions. Granted, I've seen this in a set-up with 4.5.x where the Remote Loader was in a Member Server but you never know.
Noel_G

Re: Sync Password from AD to eDir

I just completed the PassSync Troubleshooting Tool. To me, it looks like everything is correct. I have one instance where the case is different in a host name value, but I don't think that would have an effect. Correct me if I'm wrong though. The other thing I noticed is the version of the driver isn't what I thought it was. The AD driver version is 4.0.1. The Engine is running 4.0.2 according to the Version Inspector in iManager. I seem to recall reading about some problems with the AD driver at one point. Can I put the latest 4.5.x driver on my DCs and expect that it will work with the 4.0.2 back end? I'm not usually a fan of mismatched versions like this, but I'm curious about your thoughts.

I did verify on the Remote Loader DC that SYSTEM has full control access to HKLM/SOFTWARE/Novell/PassSync/Data and to PwFilter/DATA. It looks like the filter isn't actually picking up the password change as nothing ever ends up in PwFilter/DATA on either DC.

EDIT: Forgot to add that I am in negotiate mode, and not simple mode, for the driver's authentication options.
Micro Focus Contributor

Re: Sync Password from AD to eDir

Noel_G;2458930 wrote:
I just completed the PassSync Troubleshooting Tool. To me, it looks like everything is correct. I have one instance where the case is different in a host name value, but I don't think that would have an effect. Correct me if I'm wrong though. The other thing I noticed is the version of the driver isn't what I thought it was. The AD driver version is 4.0.1. The Engine is running 4.0.2 according to the Version Inspector in iManager. I seem to recall reading about some problems with the AD driver at one point. Can I put the latest 4.5.x driver on my DCs and expect that it will work with the 4.0.2 back end? I'm not usually a fan of mismatched versions like this, but I'm curious about your thoughts.


Well I wouldn't recommend it. There were some changes between 4.0.2 and 4.5.x that make them incompatible, namely SSL support was dropped due to the POODLE vulnerability and TLS was made the default secure connection mode. So if you used the 4.5.x Remote Loader, the engine 4.0.2 wouldn't be able to communicate with Remote Loader.

Noel_G;2458930 wrote:
I did verify on the Remote Loader DC that SYSTEM has full control access to HKLM/SOFTWARE/Novell/PassSync/Data and to PwFilter/DATA. It looks like the filter isn't actually picking up the password change as nothing ever ends up in PwFilter/DATA on either DC.


Actually, by default you shouldn't see anything. You must first add permissions on the key and subkey levels for the user you are running regedit with, otherwise you won't be able to read the keys and subkeys. Remember to remove the permissions after the troubleshooting is done for security reasons.

BTW, this TID might come in handy: https://www.novell.com/support/kb/doc.php?id=3614450

You could also set the trace level of your remote loader up to 5; this will give you additional insight into the password synchronization process. Remember to disable it after the issue has been resolved since tracing has a significant performance impact on the remote loader.

And also check that the DNS name you entered in the Domain Controllers is correctly resolved by each DC. I've had an instance where we migrated the server PSF and the DNS name wasn't correctly updated, so nothing got sent.

Regards!
Emmanuel
Knowledge Partner
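The two registry checks raised above (SYSTEM holding Full Control on the PassSync/PwFilter Data keys, and the regedit user needing read rights before the keys show anything) can be scripted. This is an added example, not code from the thread or from IDM; it assumes an elevated PowerShell session on each DC, uses only the key paths named in the thread, and the function name is mine.

```powershell
# Added example: best-effort check of the PassSync registry keys named in this
# thread. Not part of IDM; run in an elevated PowerShell session on each DC.
# The two key paths come from the thread; everything else is an assumption.
$PassSyncKeys = @(
    'HKLM:\SOFTWARE\Novell\PassSync\Data',
    'HKLM:\SOFTWARE\Novell\PwFilter\Data'
)

function Test-PassSyncKeyAccess {
    param([string[]]$KeyPaths = $PassSyncKeys)

    $fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($key in $KeyPaths) {
        $result = [ordered]@{ Key = $key; Exists = $false; SystemFullControl = $null; CurrentUserCanRead = $null }
        try {
            # Get-Item needs read access. A SecurityException here means the key is
            # present but the current account cannot read it, which is the expected
            # state for PwFilter\Data until you grant yourself read rights.
            $null = Get-Item -Path $key -ErrorAction Stop
            $result.Exists = $true
            $result.CurrentUserCanRead = $true
        } catch [System.Security.SecurityException] {
            $result.Exists = $true
            $result.CurrentUserCanRead = $false
        } catch {
            [pscustomobject]$result   # not found (or other error): report and move on
            continue
        }
        # Reading the ACL needs READ_CONTROL; if that is denied too, report it as unknown.
        try {
            $acl = Get-Acl -Path $key -ErrorAction Stop
            # The Remote Loader service runs as SYSTEM, so SYSTEM needs Allow:FullControl.
            $result.SystemFullControl = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $fullControl) -eq $fullControl
            })
        } catch {
            $result.SystemFullControl = 'unknown (cannot read ACL)'
        }
        [pscustomobject]$result
    }
}

Test-PassSyncKeyAccess | Format-Table -AutoSize
```

A row with Exists = True and CurrentUserCanRead = False is the normal picture the reply describes, not a sign the filter is broken; SystemFullControl = False on the Remote Loader DC is the condition worth fixing.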

Re: Sync Password from AD to eDir

On 6/5/2017 10:34 AM, EPedros wrote:
>
> geoffc's guides are the best! Half of what I know comes from them. I was
> actually writing a lengthy reply with each step I would go through but I
> believe he covered all of it.


So let me offer you an idea. Any topics you want to see covered? I am
a little low on ideas of what to write currently. (Also, not taking the
bus/subway as much, I have been biking into the office lately).

Micro Focus Contributor

Re: Sync Password from AD to eDir

geoffc;2458935 wrote:
So let me offer you an idea. Any topics you want to see covered? I am
a little low on ideas of what to write currently. (Also, not taking the
bus/subway as much, I have been biking into the office lately).


Well, first of all I'd like to give you a VERY big THANK YOU for all the things you have covered so far. I guess you get this a lot but your guides have been REALLY helpful since I started working with IDM a few years ago.

Now, off the top of my head, and after checking the wiki just in case https://wiki.microfocus.com/index.php?title=Geoffrey_Carman's_personal_collection a walk-through of the REST driver would be nice and useful. Also covering what Java extensions for drivers (like Delimited Text, SOAP, REST, etc.) are and how to use them. I've had to make a ByteArrayModifier to get rid of the is-sensitive="true" in a SOAP XML before sending it to a webservice and it was kind of challenging due to lack of documentation. I mean, there are the javadocs but I've found them kind of lacking.

Regards!
Emmanuel
Knowledge Partner

Re: Sync Password from AD to eDir

On 6/5/2017 12:46 PM, EPedros wrote:
>
> geoffc;2458935 Wrote:
>> So let me offer you an idea. Any topics you want to see covered? I am
>> a little low on ideas of what to write currently. (Also, not taking the
>> bus/subway as much, I have been biking into the office lately).

>
> Well, first of all I'd like to give you a VERY big THANK YOU for all the
> things you have covered so far. I guess you get this a lot but your
> guides have been REALLY helpful since I started working with IDM a few
> years ago.
>
> Now, from the top of my head, and after checking the wiki just in case
> https://wiki.microfocus.com/index.php?title=Geoffrey_Carman's_personal_collection
> a walk-through of the REST driver would be nice and useful. Also


Been meaning to get started on that one.

> covering what Java extensions for drivers (like Delimited Text, SOAP,
> REST, etc.) are and how to use them. I've had to make a ByteArrayModifier
> to get rid of the is-sensitive="true" in a SOAP XML before sending it to
> a webservice and it was kind of challenging due to lack of
> documentation. I mean, there are the javadocs but I've found them
> kind of lacking.


It is a bit easier if you can get your hands on the skeleton, where you
see there are really 4 or so points where you can do 'stuff'. The data
comes in, either you do something or nothing.

You could probably fix that issue in policy if it was ok to show in trace...


Micro Focus Contributor

Re: Sync Password from AD to eDir

geoffc;2458943 wrote:
It is a bit easier if you can get your hands on the skeleton, where you
see there are really 4 or so points where you can do 'stuff'. The data
comes in, either you do something or nothing.

You could probably fix that issue in policy if it was ok to show in trace...


Well, it was one of those situations where the client relies on trace more as an operations tool than as a debug tool, which they shouldn't since it hinders performance, but you know how it is. So showing the password in trace was a big "no no". I ended up figuring out how to make it work using the SOAP extension; Eclipse created the skeletal structure you are referring to and after some thorough Googling I filled in the blanks. After that I believe the other use case I found was with a webservice appending a header and a footer to a SOAP response, which made the XML invalid, at least for the driver, so I just stripped it in the ByteArrayModifier.

If you are willing to, it would be nice to have an article about it for newcomers.

Anyways, I don't want to get too off-topic. If you have a thread for "wanted topics" let me know and I'll hit you up if anything else comes to mind 🙂