All,

Perhaps a simple issue, but one that has me tearing my hair out (what
little is left this late in my life).

We have a three tree config, two production trees with users who login, and
a third that is serving as the Identity Vault (IV). The IV tree is in the
middle, with the other two connected to it bidirectionally via eDir
drivers. IM 2.0.1 is the prod rev on all trees.

I started the whole IM sync plan by simply syncing the user IDs and their
NDS password between all three trees, and that has worked great.

The next step for us is to implement Universal Password (UP) across all
three trees in prep for an Active Directory connection to the IV. So, I
configured a UP policy in each of the three trees, and made sure that all
of the policy rules match across all three trees. I also blocked the NDS
password sync attributes, and made sure that I'm passing the distribution
password using the publish:ignore/subscribe:notify method discussed in the
IM 2.0.1 admin guide. I then tried both scenario 2 and scenario 3 in that
same guide. One scenario involves passing using the dist password and the
other the UP password between trees for the sync.

The problem... Each time that I login and reset the password in a given
tree, IM then syncs out the password change properly to the other two
trees, BUT it also sets the account as expired on the other trees, as if it
is performing an admin reset of the password on those two trees.

I know that I am missing something dumb here, but the docs don't talk about
this as being a problem, so I'm not sure what is causing it to occur.

Any ideas?

Thanks in advance!

David Reagan
UT Southwestern Medical Center