This scenario is fairly complicated; I will try to make it as clear as
possible.

We use a User App workflow for self-service account provisioning and
maintenance. For self-service provisioning, a user object must already
exist in an 'inactive accounts' OU. When the user enters their
information, if a match is found in the 'inactive' OU, they are able to
choose an account name and password.

The name/password are captured in eDirectory attributes. A loopback
driver then sets the password (and clears the attribute that held it)
and renames the user object in the inactive OU. After the rename, a
different driver moves the user object into the users OU.

Once in the users OU, several other drivers sync the user object into
connected systems. One of them is an eDirectory driver that syncs users
into a different tree used for LDAP authentication.

This is my issue: New accounts get synced into the connected eDirectory
tree without a password, and the user is unable to log in to any
services that use this tree to authenticate. I know the password is set
in the IDVault, because the UserApp authenticates against that directory
and they are able to log in to the account maintenance pages. If they do
so, and change their password, the new password gets synced by the eDir
driver into the connected LDAP tree. It's only on the initial 'add' into
the users container that the password is not available to be processed
by the eDirectory driver.

Below are parts of log files from two drivers, wherein you can see the
move event complete, and three seconds later, the sync driver processing
the account and failing to see the password:

[04/26/10 18:51:53.140]:null ST: (if-src-attr 'ugaMyID' available)
= TRUE.
[04/26/10 18:51:53.140]:null ST: Rule selected.
[04/26/10 18:51:53.140]:null ST: Applying rule 'Set local variable
for ugaMyID'.
[04/26/10 18:51:53.140]:null ST: Action:
do-set-local-variable("lvMyID",scope="policy",token-src-attr("ugaMyID")).
[04/26/10 18:51:53.141]:null ST:
arg-string(token-src-attr("ugaMyID"))
[04/26/10 18:51:53.141]:null ST: token-src-attr("ugaMyID")
[04/26/10 18:51:53.141]:null ST: Token Value: "jdoe".
[04/26/10 18:51:53.141]:null ST: Arg Value: "jdoe".
[04/26/10 18:51:53.141]:null ST: Evaluating selection criteria for
rule 'move from coreid'.
[04/26/10 18:51:53.141]:null ST: (if-operation equal "modify") =
FALSE.
[04/26/10 18:51:53.141]:null ST: (if-operation equal "rename") =
TRUE.
[04/26/10 18:51:53.141]:null ST: (if-src-dn in-container
"UGA\CoreIDs") = TRUE.
[04/26/10 18:51:53.142]:null ST: (if-src-attr 'ugaMyID' available)
= TRUE.
[04/26/10 18:51:53.142]:null ST: Expanded variable reference
'$lvMyID$' to 'jdoe'.
[04/26/10 18:51:53.142]:null ST: (if-src-attr 'CN' equal
"$lvMyID$") = TRUE.
[04/26/10 18:51:53.142]:null ST: Rule selected.
[04/26/10 18:51:53.142]:null ST: Applying rule 'move from coreid'.
[04/26/10 18:51:53.142]:null ST: Action:
do-move-src-object(arg-dn("UGA\users")).

[04/26/10 18:51:57.485]:null ST: Pumping XDS to eDirectory.
[04/26/10 18:51:57.486]:null ST: Performing operation move for
\MYID-TREE\UGA\CoreIDs\jdoe.
[04/26/10 18:51:57.528]:null ST: Moving entry
\MYID-TREE\UGA\CoreIDs\jdoe to \MYID-TREE\UGA\users.
[04/26/10 18:51:57.622]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:51:59.628]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:01.633]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:03.637]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:05.641]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:07.644]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:09.648]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:11.652]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:12.396]:null PT:Receiving DOM document from
application.
[04/26/10 18:52:12.397]:null PT:
<nds dtdversion="3.5">
<source>
<product instance="st-fs-bc-null" version="3.6.10.4747">DirXML Null
Driver</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<status level="success" type="heartbeat"/>
</input>
</nds>
[04/26/10 18:52:12.398]:null PT:No input transformation policies.
[04/26/10 18:52:12.399]:null PT:No schema mapping policies.
[04/26/10 18:52:12.399]:null PT:Resolving association references.
[04/26/10 18:52:12.399]:null PT:No event transformation policies.
[04/26/10 18:52:12.400]:null PT:Applying publisher filter.
[04/26/10 18:52:12.400]:null PT:Publisher processing status for .
[04/26/10 18:52:13.656]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:15.660]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:17.664]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:19.668]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:21.672]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:23.677]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:25.680]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:27.684]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:29.688]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:31.692]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:33.696]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:35.700]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:37.704]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:39.710]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:41.716]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:43.720]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:45.725]:null ST: Processing returned document.
[04/26/10 18:52:45.725]:null PT:No command transformation policies.
[04/26/10 18:52:45.725]:null ST: Processing operation <status> for .
[04/26/10 18:52:45.726]:null PT:Filtering out notification-only
attributes.
[04/26/10 18:52:45.726]:null ST:
DirXML Log Event -------------------
Driver: \MYID-TREE\UGA\services\UGADriverSet\st-fs-bc-null
Channel: Subscriber
Status: Success

[04/26/10 18:52:48.162]:UserSyncUGA PT:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" event-id="MYIDSYNC#20100426225247#8#2"
qualified-src-dn="O=UGA\OU=users\CN=jdoe"
src-dn="\MYID-TREE\UGA\users\jdoe" src-entry-id="384329">
<add-attr attr-name="CN">

[04/26/10 18:52:48.231]:UserSyncUGA PT: Applying to add #1.
[04/26/10 18:52:48.231]:UserSyncUGA PT: Evaluating selection
criteria for rule 'Add nspmDistributionAttribute attribute to
add operation'.
[04/26/10 18:52:48.231]:UserSyncUGA PT: (if-global-variable
'publish-password-to-dp' equal "true") = TRUE.
[04/26/10 18:52:48.231]:UserSyncUGA PT: (if-operation equal "add")
= TRUE.
[04/26/10 18:52:48.231]:UserSyncUGA PT: (if-password available) =
FALSE.
[04/26/10 18:52:48.231]:UserSyncUGA PT: Rule rejected.


--
keithbmartin
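The timing described in the post can be pulled out of longer traces mechanically. The following is an added example, not part of the original post: it rejoins the wrapped trace lines and reports every add whose `(if-password available)` test evaluated FALSE, with the time elapsed since the preceding move. Treating "Processing returned document" as the end of the move is an assumption, and the function names are hypothetical.

```python
import re
from datetime import datetime

# A trace entry starts "[MM/DD/YY HH:MM:SS.mmm]:<driver> <ST|PT>:"; other lines are wrapped text.
HEAD = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\]:(\S+) (ST|PT):\s*(.*)$")

# Lines excerpted from the trace in the post, wrapping left as posted.
SAMPLE = r"""
[04/26/10 18:51:57.528]:null ST: Moving entry
\MYID-TREE\UGA\CoreIDs\jdoe to \MYID-TREE\UGA\users.
[04/26/10 18:52:43.720]:null ST: Waiting for moved object
\MYID-TREE\UGA\users to replicate from master replica.
[04/26/10 18:52:45.725]:null ST: Processing returned document.
[04/26/10 18:52:48.231]:UserSyncUGA PT: Applying to add #1.
[04/26/10 18:52:48.231]:UserSyncUGA PT: (if-operation equal "add")
= TRUE.
[04/26/10 18:52:48.231]:UserSyncUGA PT: (if-password available) =
FALSE.
"""

def parse_trace(text):
    """Rejoin wrapped lines; return (time, driver, channel, message) tuples."""
    events = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S.%f")
            events.append([ts, m.group(2), m.group(3), m.group(4).strip()])
        elif events and line.strip():
            events[-1][3] = (events[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in events]

def passwordless_adds(events):
    """Report each add whose '(if-password available)' test evaluated FALSE."""
    move_start = move_done = None
    in_add, findings = set(), []
    secs = lambda a, b: round((b - a).total_seconds(), 3) if a else None
    for ts, driver, _channel, msg in events:
        if msg.startswith("Moving entry"):
            move_start, move_done = ts, None
        elif msg.startswith("Processing returned document") and move_start and not move_done:
            move_done = ts  # assumption: this marks the end of the move command
        elif msg.startswith("Applying to add"):
            in_add.add(driver)
        elif driver in in_add and msg == "(if-password available) = FALSE.":
            in_add.discard(driver)
            findings.append({"driver": driver, "time": ts,
                             "since_move_start": secs(move_start, ts),
                             "since_move_done": secs(move_done, ts)})
    return findings
```

Run over the combined traces of both drivers, each finding shows which driver processed an add without a password and how long after the move it did so.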