garima_aggarwal Absent Member.

Sync Password on User Migration from AD to eDir


Hi

When migrating users from AD to eDir for the first time, passwords are not getting synced.

Passwords start syncing only when we change the password after user migration.

Is there any way or workaround that we can force the passwords to be synced during the initial user migration from AD to eDir?

--Dinesh
Knowledge Partner

Re: Sync Password on User Migration from AD to eDir

There is no way to extract the LANMAN/NTLM hashes to other systems, which
is why you must have password filters to intercept passwords as they are
set on every DC in the domain.


--
Good luck.

Knowledge Partner

Re: Sync Password on User Migration from AD to eDir

ab <ab@no-mx.forums.microfocus.com> wrote:
> There is no way to extract the LANMAN/NTLM hashes to other systems, which
> is why you must have password filters to intercept passwords as they are
> set on every DC in the domain.
>


An option is to identify those who are without a password known by IDM in
AD and set pwdLastSet=0 so these users must change their password on next
login in AD. If your pw filters are configured, then IDM will be updated
with the user's current AD password at that point.

Alex McHugh - Knowledge Partner - Stavanger, Norway
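Added example, not part of the post above or of any Micro Focus tooling: one way to apply the pwdLastSet=0 suggestion with the ActiveDirectory PowerShell module. It assumes that any password set before the password filter was active on every DC is unknown to IDM; `$FilterActiveSince` and `$SearchBase` are hypothetical parameters you supply.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: moment from which the password filter was active on EVERY DC.
    [Parameter(Mandatory = $true)][datetime]$FilterActiveSince,
    # Assumption: container holding the users being migrated (placeholder DN).
    [Parameter(Mandatory = $true)][string]$SearchBase
)

# pwdLastSet is stored as a Windows FILETIME (100 ns ticks since 1601, UTC).
$cutoff = $FilterActiveSince.ToFileTimeUtc()

# Enabled users whose password was set before the filter could intercept it.
# pwdLastSet>=1 skips accounts that are already flagged for a forced change.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              "(pwdLastSet>=1)(pwdLastSet<=$cutoff)" +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$users = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
                    -Properties pwdLastSet, PasswordNeverExpires

foreach ($u in $users) {
    # Accounts with a non-expiring password are reported only; review by hand.
    $action = 'Skipped: PasswordNeverExpires'
    if (-not $u.PasswordNeverExpires) {
        $action = 'NotChanged'   # stays this way under -WhatIf or a declined prompt
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set pwdLastSet=0')) {
            Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
            $action = 'Flagged'
        }
    }
    # Emit one record per account so the run can be exported and audited.
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        PasswordSetUtc = [datetime]::FromFileTimeUtc($u.pwdLastSet)
        Action         = $action
    }
}
```

Run it with `-WhatIf` first and pipe the output to `Export-Csv` to review which accounts would be flagged before changing anything.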
garima_aggarwal Absent Member.

Re: Sync Password on User Migration from AD to eDir


Situation is, we have IDM 4.0.1 setup and we are upgrading to 4.5.0.

We configured new servers, and now we are ready to migrate users from AD to new eDir and we can't ask each and every user to change the password.

All I need is the way we can migrate the password as well, along with initial user migration. After that password sync can take care of password migration, if password is changed.
joer999 Absent Member.

Re: Sync Password on User Migration from AD to eDir

garima_aggarwal;2451946 wrote:
> Situation is, we have IDM 4.0.1 setup and we are upgrading to 4.5.0.
>
> We configured new servers, and now we are ready to migrate users from AD to new eDir and we can't ask each and every user to change the password.
>
> All I need is the way we can migrate the password as well, along with initial user migration. After that password sync can take care of password migration, if password is changed.

Is migrating accounts from IDM 4.0.1 to 4.5.0 with ICE (eDirectory Maintenance) an option? I have done so from 4.0.2 to 4.5.3. Don't know if the passwords also migrate though because I didn't need them. The associations for the AD driver migrated ok.
garima_aggarwal Absent Member.

Re: Sync Password on User Migration from AD to eDir

joer999;2451947 wrote:
> Is migrating accounts from IDM 4.0.1 to 4.5.0 with ICE (eDirectory Maintenance) an option? I have done so from 4.0.2 to 4.5.3. Don't know if the passwords also migrate though because I didn't need them. The associations for the AD driver migrated ok.

Migrating using ICE is an option but this utility doesn't migrate passwords.

Knowledge Partner

Re: Sync Password on User Migration from AD to eDir

This is a really odd, and hard, way to get to new servers. The easy ways
that will work for you are any of the following:

1. Upgrade the existing servers.
2. Build new servers with new code, but with the IPs and hostnames of the
old servers, and move the eDirectory instance from old-server-a to
new-server-a, old-server-b to new-server-b, one at a time.

or you can still do it your way:

3. Continue with your current plan, but only sync users when the password
change comes, initially, from MAD.

But it is impossible to get a password from a system that does not have
the password, and MAD does not store the password, by default, in any way
that will be useful to eDirectory or any other non-MAD system, just like
eDirectory, by default, does not store the password in a way that is
useful for other systems. Universal Password (UP) adds that password
synchronization function, in particular when coupled with IDM, but it's
something you set up.

--
Good luck.

Knowledge Partner

Re: Sync Password on User Migration from AD to eDir

garima_aggarwal;2451953 wrote:
> Migrating using ICE is an option but this Utility don't migrate passwords.

ICE is just another tool that allows you to work with LDAP extracts.
eDir and AD don't allow you to "export" a password via LDAP, but they do allow you to import (update) an object's password.

You can use the following trick for user "sync" from AD to eDir: you can "temporarily" add a notify for lastLogonTimestamp to your publisher filter.
It will initiate a user add event when a user logs on to AD (logon timestamp changed) for all "non-associated" users.

Alex