New Windows-only NDS/Identity Manager install for ZFD7. Running NDS and
Identity Manager on a 2003SP2 member server. Password Sync is
configured with filters on 3 of 6 domain controllers so far. Both
domain controllers at the same LAN site as the NDS/IDM server are
configured with filters and show a status of "Running" in the password sync
window on the IDM server. XP workstations are not running the Novell
client... just the ZFD agent.

Password policy is configured and applied to the user containers.

Here is the password policy summary:

Password Policy Summary

Name: IDM Password Policy
Description:

Universal Password Options:
  Enable Universal Password: true
  Enable the Advanced Password Rules: true
  Synchronize NDS password when setting Universal Password: true
  Synchronize Simple Password when setting Universal Password: true
  Allow user to retrieve password: true
  Allow admin to retrieve passwords: false
  Synchronize Distribution Password when setting Universal Password: true
  Allow the following to retrieve passwords:
  Verify whether existing passwords comply with the password policy
  (verification occurs on login): true

Rules:
  Use Microsoft complexity policy: true
  Allow user to initiate password change: true
  Do not expire the user's password when the administrator sets the
  password: false
  Require unique passwords: false
  Allow non-US ASCII characters: true

Forgotten Password Enabled: false

Policy Assignments:
  ColomboBank.colombonds
  colombonds


Here is what is working:

- Successfully migrated existing user objects from AD to NDS, with the plan
to force a password change from the AD side in order to sync passwords to
NDS.

- Can "view policy assignment" in iManager for password policy and
shows correct policy assigned to users.

- Can change password of AD user account in "AD Users and Computers"
and it will sync the password to the NDS account.

- Can "Set Universal Password" in iManager for a user and the password
in AD and NDS is successfully changed. HOWEVER, the user is not
prompted to change their password at next login even though "Do not
expire the user's password when the administrator sets the password" is
set to "false" in the policy. I also see a "TLS" error on the NMAP/LDAP
trace during this task:

[2/27/2008 07:33:21.89] NMAS : Successful get distribution password
for ZENTest15.ColomboBank.colombonds
[2/27/2008 07:33:21.89] NMAS : Successful get distribution password
for ZENTest15.ColomboBank.colombonds
[2/27/2008 07:33:35.19] LDAP : TLS accept failure 1 on connection
0x4707450, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown - SSL alert number 46
[2/27/2008 07:33:35.19] LDAP : TLS handshake failed on connection
0x4707450, err = -5875
[2/27/2008 07:33:35.19] LDAP : BIO ctrl called with unknown cmd 7
[2/27/2008 07:33:35.23] LDAP : BIO ctrl called with unknown cmd 7
[2/27/2008 07:33:50.15] LDAP : BIO ctrl called with unknown cmd 7
[2/27/2008 07:34:16.30] NMAS : Successful check password for
CN=ZENTest15.OU=ColomboBank.O=colombonds
[2/27/2008 07:34:16.70] NMAS : Successful set password for
CN=ZENTest15.OU=ColomboBank.O=colombonds
[2/27/2008 07:34:16.73] NMAS : Successful get distribution password
for ZENTest15.ColomboBank.colombonds
[2/27/2008 07:34:16.75] NMAS : Successful get distribution password
for ZENTest15.ColomboBank.colombonds
[2/27/2008 07:34:16.89] Drvrs : Active Directory PT:
DirXML Log Event -------------------
Driver: \COLOMBO_TREE\colombonds\IDM3\ADDriverSet\Active
Directory
Channel: Publisher
Object: CN=ZENTest15,OU=Colombo Bank,DC=colombo,DC=com
(colombonds\ColomboBank\ZENTest15)
Status: Success
[2/27/2008 07:34:16.94] Drvrs : Active Directory ST:
DirXML Log Event -------------------
Driver: \COLOMBO_TREE\colombonds\IDM3\ADDriverSet\Active
Directory
Channel: Subscriber
Object: \COLOMBO_TREE\colombonds\ColomboBank\ZENTest15
Status: Success
[2/27/2008 07:34:21.09] OSync : 2008/02/27 7:34:21 Start partition
sync .COLOMBO_TREE. state:[0], type:[0].
[2/27/2008 07:34:21.09] OSync : Sync - Partition .COLOMBO_TREE. All
processed = YES

- Can create new user in AD with successful sync of user and password
to NDS.


Here is what is not working:

- When I force a password change on a user's next login from AD Users and
Computers, the AD password changes but does not sync to NDS. The NDS trace
screen shows no activity during the password change. This is with NMAS,
LDAP, DirXML, and DirXML Drivers selected on the trace.

- User manual change password (initiated at the workstation) gives
same results. No password sync to NDS and nothing on trace screen.


Not sure where to look next...


--
fdgoings
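Added example, following the whole post above; it is not code from the poster, from Novell, or from the IDM product. It is a small Python triage parser for the NMAS/LDAP/DirXML trace format shown in the post: it folds the wrapped trace lines back into single entries, pulls out the LDAP TLS failures (connection id, err code, SSL alert number) and the NMAS password operations and DirXML driver events around them, so the TLS failure can be lined up against the password flow in time. The entry layout ("[M/D/YYYY HH:MM:SS.hh] Module : message", long messages wrapped onto following lines) is assumed from the posted trace only, and the sample input is constructed from lines copied out of that trace.

```python
"""Triage helper for a Novell NMAS/LDAP/DirXML trace like the one in the post.

Added example, not Novell's or the IDM product's code. The entry layout it
assumes ("[M/D/YYYY HH:MM:SS.hh] Module : message", with long messages
wrapped onto following lines) is inferred from the posted trace only.
"""
import re

# Constructed sample: lines copied from the posted trace, wrapped exactly
# as they appear there, so the line-folding logic is exercised.
SAMPLE_TRACE = """\
[2/27/2008 07:33:21.89] NMAS : Successful get distribution password
for ZENTest15.ColomboBank.colombonds
[2/27/2008 07:33:35.19] LDAP : TLS accept failure 1 on connection
0x4707450, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown - SSL alert number 46
[2/27/2008 07:33:35.19] LDAP : TLS handshake failed on connection
0x4707450, err = -5875
[2/27/2008 07:33:35.19] LDAP : BIO ctrl called with unknown cmd 7
[2/27/2008 07:34:16.70] NMAS : Successful set password for
CN=ZENTest15.OU=ColomboBank.O=colombonds
[2/27/2008 07:34:16.89] Drvrs : Active Directory PT:
DirXML Log Event -------------------
Driver: \\COLOMBO_TREE\\colombonds\\IDM3\\ADDriverSet\\Active
Directory
Channel: Publisher
Object: CN=ZENTest15,OU=Colombo Bank,DC=colombo,DC=com
(colombonds\\ColomboBank\\ZENTest15)
Status: Success
"""

ENTRY_RE = re.compile(r"^\[([\d/]+ [\d:.]+)\] (\w+)\s*: (.*)$")
TLS_RE = re.compile(
    r"TLS (?:accept failure \d+|handshake failed) on connection "
    r"(0x[0-9A-Fa-f]+).*?err = (-?\d+)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
NMAS_RE = re.compile(
    r"Successful (get distribution password|set password|check password) for (\S+)")
DIRXML_RE = re.compile(r"Driver: (.*?) Channel: (\w+) Object: (.*?) Status: (\w+)")

# Name from the IANA TLS alert registry; 46 is the only alert the trace shows.
TLS_ALERT_NAMES = {46: "certificate_unknown"}


def fold_entries(text):
    """Parse trace text into (timestamp, module, message) tuples.

    A line that does not start with a bracketed timestamp is a continuation
    of the previous entry and is appended to its message.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3).strip()])
        elif entries and raw.strip():
            entries[-1][2] += " " + raw.strip()
    return [tuple(e) for e in entries]


def tls_failures(entries):
    """LDAP TLS failures with connection id, err code and SSL alert (if any)."""
    out = []
    for ts, module, msg in entries:
        if module != "LDAP":
            continue
        m = TLS_RE.search(msg)
        if not m:
            continue
        a = ALERT_RE.search(msg)
        alert = int(a.group(1)) if a else None
        out.append({"time": ts, "conn": m.group(1), "err": int(m.group(2)),
                    "alert": alert, "alert_name": TLS_ALERT_NAMES.get(alert)})
    return out


def password_ops(entries):
    """NMAS password operations as (timestamp, operation, object) tuples."""
    return [(ts, m.group(1), m.group(2))
            for ts, module, msg in entries if module == "NMAS"
            for m in [NMAS_RE.search(msg)] if m]


def dirxml_events(entries):
    """DirXML driver log events folded into driver/channel/object/status."""
    out = []
    for ts, module, msg in entries:
        if module != "Drvrs":
            continue
        m = DIRXML_RE.search(msg)
        if m:
            out.append({"time": ts, "driver": m.group(1), "channel": m.group(2),
                        "object": m.group(3), "status": m.group(4)})
    return out


def triage(text):
    """Summarise one trace: TLS failures, password operations, driver events."""
    entries = fold_entries(text)
    return {"entries": len(entries), "tls_failures": tls_failures(entries),
            "password_ops": password_ops(entries),
            "dirxml_events": dirxml_events(entries)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(key, value)
```

Run it against a saved trace file (replace `SAMPLE_TRACE` with the file contents) to get the same three lists. The one thing the post's trace tells you for certain is that the LDAP listener received a TLS alert 46, which the TLS registry names certificate_unknown, on connection 0x4707450 some fifteen seconds before the set-password succeeded over NMAS; the parser keeps the timestamp so that ordering is visible, but it does not claim anything about err -5875 beyond the number itself.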