I'm not sure but I don't think the little Zen client thingy supports
NMAS so the password change you are doing with an expired password is
going straight to NDS password which cannot synchronize to Zen. Now
because you are on eDirectory 8.8 (hopefully SP1 really) some
interesting things may help you out. First, doing any kind of LDAP bind
to eDirectory when you have the NDSD_TRY_NMASLOGIN_FIRST environment
variable set should set your Universal Password (UP) in eDirectory which
will then synchronize to AD. Various other logins may also do this
besides LDAP. For instance, once you do this password change via the
Zen client try logging in (just logging in) with the Novell client (with
NMAS enabled) from another workstation. Now try doing your AD stuff.
If that works then we have confirmed the issue.

So some things to do follow. First, make sure your AD password expires
before your eDirectory password. If it does this then there is no
reason for the eDirectory password to need a change before the AD
password and if it does get changed first either the user is being
strange or the Helpdesk managed to get involved. If the former, train
them. If the latter, make sure they know about this scenario.

Another option is to use one of many utilities (IDM drivers, Java-based
apps, etc.) to detect when a user's eDirectory password is going to
expire and e-mail them before that happens so they can change their
password in AD the proper way before things become expired. This is not
a bad idea anyway as it prevents any kind of necessary last-minute
downtime when the user must think up a new password.

Good luck.

aalbery@northampton.gov.uk wrote:
> Identity Manager 3.0.1 Bundle
> Zenworks 7
> Windows 2003 Server
> Clientless Workstation with Zenworks Agents set in passive mode.
> The Windows box is hosting eDirectory 8.8, Identity Manager Components,
> Middle Tier etc.
> The password sync to AD works fine in all of the following scenarios and
> can be checked via dstrace with the Dirxml and NMAS options enabled, which
> shows the events going through.
> Change password in ConsoleOne, change password in iManager, change
> password in Active Directory, change password on workstation after
> successful login.
> The one scenario that does not work is when the password has expired. The
> prompt comes up to change password, password change is accepted and login
> continues. DStrace shows no trace of this event. On the next login the
> initial login goes OK then the windows password box for the AD domain pops
> up and this will only accept the old password. Basically in this scenario
> the eDirectory password changes but the AD side does not and the event does
> not even register on the DSTrace so it cannot have been picked up by
> the synch engine.
> I've read and reread the documentation for both Identity Manager and
> Zenworks but I can't find any clue. I've searched the TIDs but again
> nothing relevant. The nearest description mentioned Windows 98 and used a
> Novell Client.
> If I install the Novell client then everything works. However this is not
> an acceptable solution within my organisation.

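As an added example, not code from this thread or from Novell: a Python check for the two suggestions in the reply (confirm the AD password expires before the eDirectory one, and warn users before eDirectory expiry), run over constructed sample attribute values rather than a live LDAP query. It assumes the usual attribute formats: eDirectory passwordExpirationTime as LDAP GeneralizedTime, AD pwdLastSet as a FILETIME and the domain's maxPwdAge as a negative 100 ns interval.

```python
# Added example: flag users whose eDirectory password would expire before
# their AD password (the failing scenario in the thread) and users who are
# within the warning window and should be e-mailed. Sample data is constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse the 'YYYYMMDDHHMMSSZ' form eDirectory uses for passwordExpirationTime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (AD pwdLastSet)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_expiry(pwd_last_set: int, max_pwd_age: int) -> datetime:
    """AD stores maxPwdAge as a negative interval, so expiry = pwdLastSet - maxPwdAge."""
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def check_users(users, max_pwd_age: int, now: datetime, warn_days: int = 7):
    """Return (users whose eDirectory password expires first, users to warn)."""
    expires_first, to_warn = [], []
    for u in users:
        edir = parse_generalized_time(u["passwordExpirationTime"])
        ad = ad_expiry(u["pwdLastSet"], max_pwd_age)
        if edir <= ad:                      # eDirectory would force the change first
            expires_first.append(u["cn"])
        if timedelta(0) <= edir - now <= timedelta(days=warn_days):
            to_warn.append(u["cn"])         # e-mail this user before it expires
    return expires_first, to_warn


# Constructed sample: AD domain maxPwdAge of 42 days, both users last set AD password 2007-02-01.
SAMPLE_NOW = datetime(2007, 3, 1, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000
_last_set = datetime_to_filetime(datetime(2007, 2, 1, tzinfo=timezone.utc))
SAMPLE_USERS = [
    {"cn": "alice", "pwdLastSet": _last_set, "passwordExpirationTime": "20070320000000Z"},
    {"cn": "bob", "pwdLastSet": _last_set, "passwordExpirationTime": "20070305000000Z"},
]

if __name__ == "__main__":
    print(check_users(SAMPLE_USERS, SAMPLE_MAX_PWD_AGE, SAMPLE_NOW))
```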