I have a connected AD domain that I do not control and will not have
password filters installed on, but I will be sending passwords to it.
I need to know when passwords are changing in this domain so I can
place the correct password back on from the Identity Vault. I can do
that by tracking the 'pwdLastSet' and sending the
'nspmDistributionPassword' back.
Unfortunately this simplistic approach would result in a loop because
every time I would set the password the 'pwdLastSet' would be
updated and the cycle repeated.
I need to be able to test the password in AD like iManager does using
'check-object-password'. Are there any solutions for this from
inside policy builder?
I thought of placing my own input document on the subscriber channel
with the password in it like iManager does on a sync check:
    <nds dtdversion="3.0" ndsversion="8.x">
      <input>
        <check-object-password event-id="user-agent-check-password">
          <association>4f02b9ff3e797b46b3f39f04a2d40f61</association>
          <password><!-- content suppressed --></password>
        </check-object-password>
      </input>
    </nds>
with operation data added so I can evaluate the returning status
message to see if I really need to update the password, but I don't
want to spend the time doing this if there is an easier solution
available.
Thanks in advance for any advice you may have.
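
The loop described in the post, and how a check-before-set step ends it, as an added simulation that is not part of the original post and is not driver or policy code. FakeAD, sync and the sample passwords are constructed for illustration; check_password stands in for the status a check-object-password command would return.

```python
import hmac


class FakeAD:
    """Constructed stand-in for the connected AD domain (hypothetical, not a real API)."""

    def __init__(self, password):
        self._password = password.encode()
        self.pwd_last_set = 1

    def set_password(self, password):
        self._password = password.encode()
        self.pwd_last_set += 1  # every write moves pwdLastSet, as the post describes

    def check_password(self, password):
        # Plays the role of check-object-password: reports match / no match only.
        return hmac.compare_digest(self._password, password.encode())


def sync(ad, vault_password, verify_first, max_events=10):
    """React to pwdLastSet changes; return how many password writes were sent."""
    seen = None
    writes = 0
    for _ in range(max_events):
        if ad.pwd_last_set == seen:
            break  # no new change event, the channel is quiet
        seen = ad.pwd_last_set
        if verify_first and ad.check_password(vault_password):
            continue  # AD already holds the vault password, nothing to send
        ad.set_password(vault_password)
        writes += 1
    return writes


def demo():
    # Sample passwords are constructed values.
    naive = sync(FakeAD("changed-in-ad"), "vault-pw", verify_first=False)
    checked = sync(FakeAD("changed-in-ad"), "vault-pw", verify_first=True)
    in_sync = sync(FakeAD("vault-pw"), "vault-pw", verify_first=True)
    return naive, checked, in_sync


if __name__ == "__main__":
    print(demo())
```

Without the check, the handler keeps writing until the event cap stops it; with the check, the change made in AD is corrected once and the event caused by that correction is absorbed.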