Hi!

I've got a problem, again.

We are trying to establish password sync between an eDir
(V.8.8.1 running on SLES SP3) and an ADS (Windows 2000 Server).

Somehow it does not work and I don't know why.

We created a policy and assigned it to all OUs under a certain OU
separately.
The policy looks like this:

-----
Universal Password
Options

Enable Universal Password true
Enable the Advanced Password Rules true
Synchronize NDS password when setting Universal Password true
Synchronize Simple Password when setting Universal Password false
Allow user to retrieve password true
Allow admin to retrieve passwords false
Synchronize Distribution Password when setting Universal Password true
Verify whether existing passwords comply with the password policy (verification occurs on login) false


Rules

Allow user to initiate password change false
Do not expire the user's password when the administrator sets the password false
Require unique passwords true
Minimum number of characters in password 8
Allow numeric characters in password true
Disallow numeric as first character false
Disallow numeric as last character false
Allow the password to be case sensitive false
Allow special characters in the password true
Disallow special character as first character false
Disallow special character as last character false
Allow non-US ASCII characters true


Forgotten Password Enabled: false

Policy Assignments
People.AIS.Fraunhofer.DE
User.AIS.Fraunhofer.DE
deleted.User.AIS.Fraunhofer.DE
alumni.User.AIS.Fraunhofer.DE

-----

If we try to sync passwords we're getting the following errors:

[08/21/07 19:10:40.295]: ActiveDirectory3 PT: Applying policy:
%+C%14CCommand Transform%-C.
[08/21/07 19:10:40.296]: ActiveDirectory3 PT: Applying to
modify-password #1.
[08/21/07 19:10:40.297]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'ok: set cached context value on merge'.
[08/21/07 19:10:40.297]: ActiveDirectory3 PT: (if-operation equal
"modify") = FALSE.
[08/21/07 19:10:40.298]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.299]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'ok: remove managed attributes when object disassociated'.
[08/21/07 19:10:40.300]: ActiveDirectory3 PT: (if-operation equal
"remove-association") = FALSE.
[08/21/07 19:10:40.300]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.301]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.301]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password class-name="User"
dest-dn="de\fraunhofer\ise\People\Rafael von Woyna"
dest-entry-id="35371" src-dn="CN=Rafael Woyna,OU=ENT,OU=Normal,OU=USER
DB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>
</nds>
[08/21/07 19:10:40.305]: ActiveDirectory3 PT: Applying XSLT policy.
[08/21/07 19:10:40.307]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.307]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password class-name="User"
dest-dn="de\fraunhofer\ise\People\Rafael von Woyna"
dest-entry-id="35371" src-dn="CN=Rafael Woyna,OU=ENT,OU=Normal,OU=USER
DB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>
</nds>
[08/21/07 19:10:40.311]: ActiveDirectory3 PT: Applying policy:
%+C%14CPassword(Pub)-Default Password Policy%-C.
[08/21/07 19:10:40.312]: ActiveDirectory3 PT: Applying to
modify-password #1.
[08/21/07 19:10:40.313]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'On User add, provide default password of @Dirxml1 if
no password exists
'.
[08/21/07 19:10:40.314]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.314]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.315]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.315]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password class-name="User"
dest-dn="de\fraunhofer\ise\People\Rafael von Woyna"
dest-entry-id="35371" src-dn="CN=Rafael Woyna,OU=ENT,OU=Normal,OU=USER
DB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<password><!-- content suppressed --></password>
</modify-password></input>
</nds>
[08/21/07 19:10:40.319]: ActiveDirectory3 PT: Applying policy:
%+C%14C'Publish Passwords'%-C.
[08/21/07 19:10:40.320]: ActiveDirectory3 PT: Applying to
modify-password #1.
[08/21/07 19:10:40.321]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Block publishing passwords to Identity Manager data
store when adding a
object'.
[08/21/07 19:10:40.322]: ActiveDirectory3 PT: (if-global-variable
'enable-password-publish' equal "false") = FALSE.
[08/21/07 19:10:40.323]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.323]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Block sending modify-password changes to the Identity
Manager data stor
e'.
[08/21/07 19:10:40.324]: ActiveDirectory3 PT: (if-global-variable
'enable-password-publish' equal "false") = FALSE.
[08/21/07 19:10:40.325]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.326]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.326]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password class-name="User"
dest-dn="de\fraunhofer\ise\People\Rafael von Woyna"
dest-entry-id="35371" src-dn="CN=Rafael Woyna,OU=ENT,OU=Normal,OU=USER
DB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>
</nds>
[08/21/07 19:10:40.330]: ActiveDirectory3 PT: Applying policy:
%+C%14C'Publish passwords to NMAS distribution password'%-C.
[08/21/07 19:10:40.331]: ActiveDirectory3 PT: Applying to
modify-password #1.
[08/21/07 19:10:40.332]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Add nspmDistributionAttribute attribute to add
operation'.
[08/21/07 19:10:40.333]: ActiveDirectory3 PT: (if-global-variable
'publish-password-to-dp' equal "true") = TRUE.
[08/21/07 19:10:40.333]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.334]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.335]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Change modify-password operations to a modify'.
[08/21/07 19:10:40.335]: ActiveDirectory3 PT: (if-global-variable
'publish-password-to-dp' equal "true") = TRUE.
[08/21/07 19:10:40.336]: ActiveDirectory3 PT: (if-operation equal
"modify-password") = TRUE.
[08/21/07 19:10:40.337]: ActiveDirectory3 PT: Rule selected.
[08/21/07 19:10:40.338]: ActiveDirectory3 PT: Applying rule 'Change
modify-password operations to a modify'.
[08/21/07 19:10:40.338]: ActiveDirectory3 PT: Action:
do-add-dest-attr-value("nspmDistributionPassword",token-password()).
[08/21/07 19:10:40.339]: ActiveDirectory3 PT:
arg-string(token-password())
[08/21/07 19:10:40.340]: ActiveDirectory3 PT: token-password()
[08/21/07 19:10:40.340]: ActiveDirectory3 PT: Token Value:
"-- suppressed --".
[08/21/07 19:10:40.341]: ActiveDirectory3 PT: Arg Value: "--
suppressed --".
[08/21/07 19:10:40.342]: ActiveDirectory3 PT: Action:
do-set-xml-attr("event-id","../modify","pwd-publish").
[08/21/07 19:10:40.343]: ActiveDirectory3 PT:
arg-string("pwd-publish")
[08/21/07 19:10:40.343]: ActiveDirectory3 PT:
token-text("pwd-publish")
[08/21/07 19:10:40.344]: ActiveDirectory3 PT: Arg Value:
"pwd-publish".
[08/21/07 19:10:40.344]: ActiveDirectory3 PT: Action:
do-set-xml-attr("enforce-password-policy","../modify/modify-attr[@attr-name='nspmDistributionPassword
']",token-global-variable("enforce-password-policy")).
[08/21/07 19:10:40.346]: ActiveDirectory3 PT:
arg-string(token-global-variable("enforce-password-policy"))
[08/21/07 19:10:40.347]: ActiveDirectory3 PT:
token-global-variable("enforce-password-policy")
[08/21/07 19:10:40.348]: ActiveDirectory3 PT: Token Value:
"true".
[08/21/07 19:10:40.348]: ActiveDirectory3 PT: Arg Value: "true".
[08/21/07 19:10:40.349]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.349]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password class-name="User"
dest-dn="de\fraunhofer\ise\People\Rafael von Woyna"
dest-entry-id="35371" src-dn="CN=Rafael Woyna,OU=ENT,OU=Normal,OU=USER
DB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<password><!-- content suppressed --></password>
</modify-password>
<modify class-name="User" dest-dn="de\fraunhofer\ise\People\Rafael
von Woyna" dest-entry-id="35371" event-id="pwd-publish"
src-dn="CN=Rafael Woyna,OU=ENT,OU=
Normal,OU=USERDB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<modify-attr attr-name="nspmDistributionPassword"
enforce-password-policy="true"><!-- content suppressed -->
</modify-attr>
</modify>
</input>
</nds>
[08/21/07 19:10:40.356]: ActiveDirectory3 PT: Applying policy:
%+C%14C'Publish passwords to NDS password.'%-C.
[08/21/07 19:10:40.357]: ActiveDirectory3 PT: Applying to
modify-password #1.
[08/21/07 19:10:40.358]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Block publishing passwords to NDS password'.
[08/21/07 19:10:40.359]: ActiveDirectory3 PT: (if-global-variable
'publish-password-to-nds' equal "false") = TRUE.
[08/21/07 19:10:40.360]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.361]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.361]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Block sending modify-password changes to the NDS
password'.
[08/21/07 19:10:40.362]: ActiveDirectory3 PT: (if-global-variable
'publish-password-to-nds' equal "false") = TRUE.
[08/21/07 19:10:40.363]: ActiveDirectory3 PT: (if-operation equal
"modify-password") = TRUE.
[08/21/07 19:10:40.364]: ActiveDirectory3 PT: Rule selected.
[08/21/07 19:10:40.364]: ActiveDirectory3 PT: Applying rule 'Block
sending modify-password changes to the NDS password'.
[08/21/07 19:10:40.365]: ActiveDirectory3 PT: Action: do-veto().
[08/21/07 19:10:40.366]: ActiveDirectory3 PT: Applying to modify #2.
[08/21/07 19:10:40.366]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Block publishing passwords to NDS password'.
[08/21/07 19:10:40.367]: ActiveDirectory3 PT: (if-global-variable
'publish-password-to-nds' equal "false") = TRUE.
[08/21/07 19:10:40.368]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.369]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.369]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Block sending modify-password changes to the NDS
password'.
[08/21/07 19:10:40.370]: ActiveDirectory3 PT: (if-global-variable
'publish-password-to-nds' equal "false") = TRUE.
[08/21/07 19:10:40.371]: ActiveDirectory3 PT: (if-operation equal
"modify-password") = FALSE.
[08/21/07 19:10:40.372]: ActiveDirectory3 PT: Rule rejected.
[08/21/07 19:10:40.372]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.373]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" dest-dn="de\fraunhofer\ise\People\Rafael
von Woyna" dest-entry-id="35371" event-id="pwd-publish"
src-dn="CN=Rafael Woyna,OU=ENT,OU=
Normal,OU=USERDB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<modify-attr attr-name="nspmDistributionPassword"
enforce-password-policy="true"><!-- content suppressed -->
</modify-attr>
</modify>
</input>
</nds>
[08/21/07 19:10:40.377]: ActiveDirectory3 PT: Applying policy:
%+C%14C'Publish password payloads'%-C.
[08/21/07 19:10:40.378]: ActiveDirectory3 PT: Applying to modify #1.
[08/21/07 19:10:40.379]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Add operation-data element to password operations'.
[08/21/07 19:10:40.380]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.380]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.381]: ActiveDirectory3 PT: (if-operation equal
"modify-password") = FALSE.
[08/21/07 19:10:40.382]: ActiveDirectory3 PT: (if-operation equal
"modify") = TRUE.
[08/21/07 19:10:40.383]: ActiveDirectory3 PT: (if-xpath true
"modify-attr[@attr-name='nspmDistributionPassword']") = TRUE.
[08/21/07 19:10:40.384]: ActiveDirectory3 PT: (if-xpath not-true
"operation-data") = TRUE.
[08/21/07 19:10:40.384]: ActiveDirectory3 PT: Rule selected.
[08/21/07 19:10:40.385]: ActiveDirectory3 PT: Applying rule 'Add
operation-data element to password operations'.
[08/21/07 19:10:40.386]: ActiveDirectory3 PT: Action:
do-append-xml-element("operation-data",".").
[08/21/07 19:10:40.386]: ActiveDirectory3 PT: Evaluating selection
criteria for rule 'Add payload data to password operations'.
[08/21/07 19:10:40.387]: ActiveDirectory3 PT: (if-operation equal
"addPayloadToPassword") = FALSE.
[08/21/07 19:10:40.388]: ActiveDirectory3 PT: (if-operation equal
"add") = FALSE.
[08/21/07 19:10:40.389]: ActiveDirectory3 PT: (if-operation equal
"modify-password") = FALSE.
[08/21/07 19:10:40.389]: ActiveDirectory3 PT: (if-operation equal
"modify") = TRUE.
[08/21/07 19:10:40.390]: ActiveDirectory3 PT: (if-xpath true
"modify-attr[@attr-name='nspmDistributionPassword']") = TRUE.
[08/21/07 19:10:40.391]: ActiveDirectory3 PT: Rule selected.
[08/21/07 19:10:40.391]: ActiveDirectory3 PT: Applying rule 'Add
payload data to password operations'.
[08/21/07 19:10:40.392]: ActiveDirectory3 PT: Action:
do-append-xml-element("password-publish-status","operation-data").
[08/21/07 19:10:40.393]: ActiveDirectory3 PT: Action:
do-append-xml-element("association","operation-data/password-publish-status").
[08/21/07 19:10:40.394]: ActiveDirectory3 PT: Action:
do-append-xml-text("operation-data/password-publish-status/association",token-association()).
[08/21/07 19:10:40.395]: ActiveDirectory3 PT:
arg-string(token-association())
[08/21/07 19:10:40.396]: ActiveDirectory3 PT: token-association()
[08/21/07 19:10:40.396]: ActiveDirectory3 PT: Token Value:
"c523855689677042a852d412ff52bcac".
[08/21/07 19:10:40.397]: ActiveDirectory3 PT: Arg Value:
"c523855689677042a852d412ff52bcac".
[08/21/07 19:10:40.398]: ActiveDirectory3 PT: Policy returned:
[08/21/07 19:10:40.399]: ActiveDirectory3 PT:
<nds dtdversion="2.2">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" dest-dn="de\fraunhofer\ise\People\Rafael
von Woyna" dest-entry-id="35371" event-id="pwd-publish"
src-dn="CN=Rafael Woyna,OU=ENT,OU=
Normal,OU=USERDB,DC=ise,DC=fhg,DC=de">
<association>c523855689677042a852d412ff52bcac</association>
<modify-attr attr-name="nspmDistributionPassword"
enforce-password-policy="true"><!-- content suppressed -->
</modify-attr>
<operation-data>
<password-publish-status>
<association>c523855689677042a852d412ff52bcac</association>
</password-publish-status>
</operation-data>
</modify>
</input>
</nds>
[08/21/07 19:10:40.404]: ActiveDirectory3 PT: Filtering out
notification-only attributes.
[08/21/07 19:10:40.405]: ActiveDirectory3 PT: Pumping XDS to eDirectory.
[08/21/07 19:10:40.406]: ActiveDirectory3 PT: Performing operation
modify for de\fraunhofer\ise\People\Rafael von Woyna.
[08/21/07 19:10:40.407]: ActiveDirectory3 PT: Modifying entry
de\fraunhofer\ise\People\Rafael von Woyna.
[08/21/07 19:10:40.445]: ActiveDirectory3 PT:
DirXML Log Event -------------------
Driver:
\ISE_FHG_DIT\de\fraunhofer\ise\services\DirXML-DriverSet\ActiveDirectory3
Channel: Publisher
Object: CN=Rafael
Woyna,OU=ENT,OU=Normal,OU=USERDB,DC=ise,DC=fhg,DC= de
(de\fraunhofer\ise\People\Rafael von Woyna)
Status: Success
[08/21/07 19:10:40.448]: ActiveDirectory3 PT:
DirXML Log Event -------------------
Driver:
\ISE_FHG_DIT\de\fraunhofer\ise\services\DirXML-DriverSet\ActiveDirectory3
Channel: Publisher
Object: CN=Rafael
Woyna,OU=ENT,OU=Normal,OU=USERDB,DC=ise,DC=fhg,DC= de
(de\fraunhofer\ise\People\Rafael von Woyna)
Status: Warning
Message: Code(-8021) Unable to set NMAS password, -222.
[08/21/07 19:10:40.451]: ActiveDirectory3 PT:
DirXML Log Event -------------------
Driver:
\ISE_FHG_DIT\de\fraunhofer\ise\services\DirXML-DriverSet\ActiveDirectory3
Channel: Publisher
Object: CN=Rafael
Woyna,OU=ENT,OU=Normal,OU=USERDB,DC=ise,DC=fhg,DC= de
(de\fraunhofer\ise\People\Rafael von Woyna)
Status: Warning
Message: Code(-8021) Unable to set NMAS password,
com.novell.nds.dhutil.DSErr: -16049 (0xffffc14f).
[08/21/07 19:10:40.455]: ActiveDirectory3 PT: Fixing up association
references.
[08/21/07 19:10:40.455]: ActiveDirectory3 PT: Applying schema mapping
policies to output.
[08/21/07 19:10:40.457]: ActiveDirectory3 PT: Applying output
transformation policies.


I created the password policy in my lab environment (8.8.1
Solaris + Windows 2003 Server) and configured the default domain policy the
way I did in the production environment.
I think I have configured everything similarly so far. In my lab environment
everything works fine.

I found this pdf which includes one of the error codes:
http://thebackroomtech.files.wordpre...204-readme.pdf
but the security patch is installed on the SLES 9 server?

Does anyone have an idea what the problem might be?

We first assigned the policy to Security/Login Policy and then we
changed the assignment to certain OUs. Could this maybe cause the error?

Regards,
Christine
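
Added example, not part of the original post: a small Python triage script that folds the mail-wrapped lines of a DirXML trace like the one above back into records and keeps only the decisive ones, namely each `do-veto()` with the rule that fired it and each status event that is not `Success`, with its numeric codes. The function names `records` and `summarize` are hypothetical, and the sample is constructed from lines of the post.

```python
import re

# Constructed sample: lines copied from the trace in the post (abridged),
# keeping the mail-client line wrapping that splits one record over two lines.
SAMPLE = """\
[08/21/07 19:10:40.364]: ActiveDirectory3 PT: Applying rule 'Block
sending modify-password changes to the NDS password'.
[08/21/07 19:10:40.365]: ActiveDirectory3 PT: Action: do-veto().
[08/21/07 19:10:40.445]: ActiveDirectory3 PT:
DirXML Log Event -------------------
Status: Success
[08/21/07 19:10:40.448]: ActiveDirectory3 PT:
DirXML Log Event -------------------
Status: Warning
Message: Code(-8021) Unable to set NMAS password, -222.
[08/21/07 19:10:40.451]: ActiveDirectory3 PT:
DirXML Log Event -------------------
Status: Warning
Message: Code(-8021) Unable to set NMAS password,
com.novell.nds.dhutil.DSErr: -16049 (0xffffc14f).
"""

STAMP = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\]: \S+ \w+: ?(.*)$")

def records(text):
    """Yield (timestamp, body), folding wrapped lines into their record."""
    current = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and line.strip():
            current[1] = (current[1] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def summarize(text):
    """Return (vetoes, problems): do-veto() hits and non-Success status events."""
    vetoes, problems, last_rule = [], [], None
    for ts, body in records(text):
        rule = re.match(r"Applying rule '(.*)'\.$", body)
        status = re.search(r"Status: (\w+)", body)
        if rule:
            last_rule = rule.group(1)
        elif body.startswith("Action: do-veto()"):
            vetoes.append((ts, last_rule))
        elif "DirXML Log Event" in body and status and status.group(1) != "Success":
            msg = re.search(r"Message: (.*)$", body)
            codes = re.findall(r"(?<![\w.])-\d+", msg.group(1)) if msg else []
            problems.append((ts, status.group(1), [int(c) for c in codes]))
    return vetoes, problems

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the trace above, the veto belongs to the 'Publish passwords to NDS password.' policy and hits the modify-password operation, while both warnings follow the modify that carries nspmDistributionPassword.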