ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.

Workaround for Event-Hold Script Problem

0 0 2,373


I am trying to sync passwords from NIS to the ID Vault using the bi-directional driver. All modifications from NIS work fine expect for the password change. What I have figured out is that the script looks for deltas in the maps and when it finds a change, submits this as an event to the changelog. The Publisher shim picks this up and creates an event for processing by the IDM engine and then deletes the file in the changelog. So far so good.

However, I find that after installing the PAM module, when the password is changed in NIS using the passwd command on the NIS Master, the "event" is submitted as a "hold" file in the changelog (e.g., hold20060816 ...) If I rename this file to begin with "event20060816 ...", the password change is processed correctly by the publisher shim, so I know that the actual password change is showing up from PAM. To confirm, I submitted other events and saw that they always enter the changelog with the event prefix before they are processed and then cleaned out.

So presumably the password change (PAM module) should not be submitting as a "hold" file. Anybody know anything about this?


You are indeed correct on all your observations. The "hold" technique was designed so that "modify password" events would not enter the changelog before a potential "add" event for a new user that may have been created. Otherwise, the user would be created, then if the password
was changed by PAM, the password event could enter the changelog first. Then the poll script would pick up the add and put it in later.

However, the script should be doing a "--release", which instructs nxclh to release all events on hold. This is done after it scans for the deltas.

Looking at the nis/ myself, I can see where this is a problem. It seems that the "--release" was added to the files/, but not the nis/ or nisplus/

To fix this, simply edit nis/ and add the line:

  # if the changelog has any "hold" events, release them
$CHANGELOG --release

right before it checks $YPGROUP (the group map) for changes. This will be updated in the field patches.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.