I have IDM 3.5 on a W2K3 computer which is a member server within the
domain. Password sync is installed on the member server and on all
domain controllers. Remote Loader for AD is installed and seems to be
working correctly.

The IDM machine syncs with AD and with another eDir tree. When I create
a new user, the user gets created within the IDM Vault and the eDir tree,
but the password is dirxml1 (default).

I am really new to IDM, so I may be missing something really obvious.
Below are (what I hope are) the relevant portions of a level 3 trace of the AD
transactions taking place when the user is added.

Thanks in advance for any suggestions.

AD TRACE:

<nds dtdversion="2.2">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="CAMBRIAN\Cambrian_Users\Staff\Test
Accounts\giskard" event-id="Active Directory Remote
Loader##11387606f86##0" src-dn="CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca">
<association>858000ec2f25c0438a0deaab55f1cbe2</association>
<add-attr attr-name="Login Disabled">
<value type="state">false</value>
</add-attr>
<add-attr attr-name="Full Name">
<value naming="false" type="string">Giskard Reventlov</value>
</add-attr>
<add-attr attr-name="Given Name">
<value naming="false" type="string">Giskard</value>
</add-attr>
<add-attr attr-name="DirXML-ADAliasName">
<value naming="false" type="string">giskard</value>
</add-attr>
<add-attr attr-name="Surname">
<value naming="false" type="string">Reventlov</value>
</add-attr>
<add-attr attr-name="Object Class">
<value type="string">DirXML-ApplicationAttrs</value>
</add-attr>
<add-attr attr-name="DirXML-ADContext">
<value type="string">CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca</value>
</add-attr>
<password><!-- content suppressed --></password>
<operation-data unmatched-src-dn="Test Accounts\Giskard Reventlov"/>
</add>
</input>
</nds>
[07/02/07 10:40:56.668]:Active Directory Remote Loader PT:Applying
policy: %+C%14C'Publish passwords to NMAS distribution password'%-C.
[07/02/07 10:40:56.684]:Active Directory Remote Loader PT: Applying to
add #1.
[07/02/07 10:40:56.684]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Add nspmDistributionAttribute attribute to
add operation'.
[07/02/07 10:40:57.387]:Active Directory Remote Loader PT:
(if-global-variable 'publish-password-to-dp' equal "true") = FALSE.
[07/02/07 10:40:57.387]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:57.387]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Change modify-password operations to a modify'.
[07/02/07 10:40:57.387]:Active Directory Remote Loader PT:
(if-global-variable 'publish-password-to-dp' equal "true") = FALSE.
[07/02/07 10:40:57.403]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:57.403]:Active Directory Remote Loader PT:Policy returned:
[07/02/07 10:40:57.403]:Active Directory Remote Loader PT:
<nds dtdversion="2.2">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="CAMBRIAN\Cambrian_Users\Staff\Test
Accounts\giskard" event-id="Active Directory Remote
Loader##11387606f86##0" src-dn="CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca">
<association>858000ec2f25c0438a0deaab55f1cbe2</association>
<add-attr attr-name="Login Disabled">
<value type="state">false</value>
</add-attr>
<add-attr attr-name="Full Name">
<value naming="false" type="string">Giskard Reventlov</value>
</add-attr>
<add-attr attr-name="Given Name">
<value naming="false" type="string">Giskard</value>
</add-attr>
<add-attr attr-name="DirXML-ADAliasName">
<value naming="false" type="string">giskard</value>
</add-attr>
<add-attr attr-name="Surname">
<value naming="false" type="string">Reventlov</value>
</add-attr>
<add-attr attr-name="Object Class">
<value type="string">DirXML-ApplicationAttrs</value>
</add-attr>
<add-attr attr-name="DirXML-ADContext">
<value type="string">CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca</value>
</add-attr>
<password><!-- content suppressed --></password>
<operation-data unmatched-src-dn="Test Accounts\Giskard Reventlov"/>
</add>
</input>
</nds>
[07/02/07 10:40:57.465]:Active Directory Remote Loader PT:Applying
policy: %+C%14C'Publish passwords to NDS password.'%-C.
[07/02/07 10:40:57.465]:Active Directory Remote Loader PT: Applying to
add #1.
[07/02/07 10:40:57.465]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Block publishing passwords to NDS password'.
[07/02/07 10:40:57.481]:Active Directory Remote Loader PT:
(if-global-variable 'publish-password-to-nds' equal "false") = FALSE.
[07/02/07 10:40:57.481]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:57.497]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Block sending modify-password changes to
the NDS password'.
[07/02/07 10:40:57.497]:Active Directory Remote Loader PT:
(if-global-variable 'publish-password-to-nds' equal "false") = FALSE.
[07/02/07 10:40:57.497]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:57.497]:Active Directory Remote Loader PT:Policy returned:
[07/02/07 10:40:57.512]:Active Directory Remote Loader PT:
<nds dtdversion="2.2">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="CAMBRIAN\Cambrian_Users\Staff\Test
Accounts\giskard" event-id="Active Directory Remote
Loader##11387606f86##0" src-dn="CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca">
<association>858000ec2f25c0438a0deaab55f1cbe2</association>
<add-attr attr-name="Login Disabled">
<value type="state">false</value>
</add-attr>
<add-attr attr-name="Full Name">
<value naming="false" type="string">Giskard Reventlov</value>
</add-attr>
<add-attr attr-name="Given Name">
<value naming="false" type="string">Giskard</value>
</add-attr>
<add-attr attr-name="DirXML-ADAliasName">
<value naming="false" type="string">giskard</value>
</add-attr>
<add-attr attr-name="Surname">
<value naming="false" type="string">Reventlov</value>
</add-attr>
<add-attr attr-name="Object Class">
<value type="string">DirXML-ApplicationAttrs</value>
</add-attr>
<add-attr attr-name="DirXML-ADContext">
<value type="string">CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca</value>
</add-attr>
<password><!-- content suppressed --></password>
<operation-data unmatched-src-dn="Test Accounts\Giskard Reventlov"/>
</add>
</input>
</nds>
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:Applying
policy: %+C%14C'Publish password payloads'%-C.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT: Applying to
add #1.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Add operation-data element to password
operations'.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-operation equal "add") = TRUE.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-password available) = TRUE.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-xpath not-true "operation-data") = FALSE.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-operation equal "add") = TRUE.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-xpath true "add-attr[@attr-name='nspmDistributionPassword']") = FALSE.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-operation equal "modify-password") = FALSE.
[07/02/07 10:40:58.184]:Active Directory Remote Loader PT:
(if-operation equal "modify") = FALSE.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Add payload data to password operations'.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:
(if-operation equal "addPayloadToPassword") = FALSE.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:
(if-operation equal "add") = TRUE.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:
(if-xpath true "add-attr[@attr-name='nspmDistributionPassword']") = FALSE.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:
(if-operation equal "modify-password") = FALSE.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:
(if-operation equal "modify") = FALSE.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:Policy returned:
[07/02/07 10:40:58.200]:Active Directory Remote Loader PT:
<nds dtdversion="2.2">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="CAMBRIAN\Cambrian_Users\Staff\Test
Accounts\giskard" event-id="Active Directory Remote
Loader##11387606f86##0" src-dn="CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca">
<association>858000ec2f25c0438a0deaab55f1cbe2</association>
<add-attr attr-name="Login Disabled">
<value type="state">false</value>
</add-attr>
<add-attr attr-name="Full Name">
<value naming="false" type="string">Giskard Reventlov</value>
</add-attr>
<add-attr attr-name="Given Name">
<value naming="false" type="string">Giskard</value>
</add-attr>
<add-attr attr-name="DirXML-ADAliasName">
<value naming="false" type="string">giskard</value>
</add-attr>
<add-attr attr-name="Surname">
<value naming="false" type="string">Reventlov</value>
</add-attr>
<add-attr attr-name="Object Class">
<value type="string">DirXML-ApplicationAttrs</value>
</add-attr>
<add-attr attr-name="DirXML-ADContext">
<value type="string">CN=Giskard Reventlov,OU=Test
Accounts,OU=Staff,DC=cambrian,DC=cambrianc,DC=on,DC=ca</value>
</add-attr>
<password><!-- content suppressed --></password>
<operation-data unmatched-src-dn="Test Accounts\Giskard Reventlov"/>
</add>
</input>
</nds>
[07/02/07 10:40:58.231]:Active Directory Remote Loader PT:Filtering out
notification-only attributes.
[07/02/07 10:40:58.231]:Active Directory Remote Loader PT:Pumping XDS to
eDirectory.
[07/02/07 10:40:58.231]:Active Directory Remote Loader PT:Performing
operation add for CAMBRIAN\Cambrian_Users\Staff\Test Accounts\giskard.
[07/02/07 10:40:58.231]:Active Directory Remote Loader PT:Adding entry
CAMBRIAN\Cambrian_Users\Staff\Test Accounts\giskard.
[07/02/07 10:40:58.231]:Active Directory Remote Loader PT:Creating RDN
giskard in context CAMBRIAN\Cambrian_Users\Staff\Test Accounts.
[07/02/07 10:40:59.293]:Active Directory Remote Loader PT:Setting
initial password.
[07/02/07 10:41:01.778]:Active Directory Remote Loader PT:
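
An added example, not part of the original post: a Python helper that rejoins the hard-wrapped trace lines and lists, for each policy rule, every condition with its result and the rule's verdict, so the global-variable tests (publish-password-to-dp, publish-password-to-nds) can be read at a glance. The sample input is an excerpt of the trace above; the function names unwrap and summarize are hypothetical.

```python
import re

# Excerpt of the level 3 trace above, with the same hard line wraps.
SAMPLE_TRACE = """\
[07/02/07 10:40:56.668]:Active Directory Remote Loader PT:Applying
policy: %+C%14C'Publish passwords to NMAS distribution password'%-C.
[07/02/07 10:40:56.684]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Add nspmDistributionAttribute attribute to
add operation'.
[07/02/07 10:40:57.387]:Active Directory Remote Loader PT:
(if-global-variable 'publish-password-to-dp' equal "true") = FALSE.
[07/02/07 10:40:57.387]:Active Directory Remote Loader PT: Rule rejected.
[07/02/07 10:40:57.465]:Active Directory Remote Loader PT:Applying
policy: %+C%14C'Publish passwords to NDS password.'%-C.
[07/02/07 10:40:57.465]:Active Directory Remote Loader PT: Evaluating
selection criteria for rule 'Block publishing passwords to NDS password'.
[07/02/07 10:40:57.481]:Active Directory Remote Loader PT:
(if-global-variable 'publish-password-to-nds' equal "false") = FALSE.
[07/02/07 10:40:57.481]:Active Directory Remote Loader PT: Rule rejected.
"""

STAMP = re.compile(r"^\[\d\d/\d\d/\d\d [\d:.]+\]:(.*?) PT:\s*(.*)$")
POLICY = re.compile(r"Applying policy: (?:%[+-]?\d*C)*'(.+?)'(?:%[+-]?\d*C)*\.$")
RULE = re.compile(r"Evaluating selection criteria for rule '(.+)'\.$")
COND = re.compile(r"^\((.+)\) = (TRUE|FALSE)\.$")

def unwrap(trace):
    """Rejoin hard-wrapped lines: a message runs until the next timestamp."""
    messages = []
    for line in trace.splitlines():
        m = STAMP.match(line)
        if m:
            messages.append(m.group(2))
        elif messages and line.strip():
            messages[-1] = (messages[-1] + " " + line.strip()).strip()
    return messages

def summarize(trace):
    """Return one dict per rule: policy, rule, conditions, verdict."""
    rules, policy = [], None
    for msg in unwrap(trace):
        if (m := POLICY.search(msg)):
            policy = m.group(1)  # colour codes such as %+C%14C are dropped
        elif (m := RULE.search(msg)):
            rules.append(dict(policy=policy, rule=m.group(1), conditions=[], verdict=None))
        elif rules and (m := COND.match(msg)):
            rules[-1]["conditions"].append((m.group(1), m.group(2) == "TRUE"))
        elif rules and msg.startswith("Rule "):
            rules[-1]["verdict"] = msg.rstrip(".")
    return rules
```

Calling summarize on the full trace text gives one entry per evaluated rule; XML document lines between timestamps are folded into the preceding message and ignored by the matchers.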