Hello,

I have an AD driver which allows creating users from the Identity Vault in
AD.
I am trying to associate a password with the AD user account.
Unfortunately, it does not work.

In the driver's GCVs, I've set the following to true:
- Application accepts passwords from Identity Manager
The other Pwd Management options are set to false.

In Driver Configuration Access Options, the option "search domain
scope" is set to true.

In Driver Filter, the nspmDistributionPassword is "Synchronize" on
Subscribe channel (I've tried with Notify).

Moreover, the command rule which sets the password in AD is the
following.

<rule>
<description>Affectation password + identifiant</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
<if-operation op="equal">add</if-operation>
</and>
</conditions>
<actions>
<do-set-dest-password class-name="User">
<arg-string>
<token-text xml:space="preserve">alpha.13</token-text>
</arg-string>
</do-set-dest-password>
<do-set-dest-attr-value class-name="User" name="Login Disabled">
<arg-value type="string">
<token-text xml:space="preserve">false</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>


When I add a user via IDM, I get the following errors in the AD driver logs:

Naming contexts & RootDSE Properties:
DC=alpha,DC=fr
CN=Configuration,DC=alpha,DC=fr
CN=Schema,CN=Configuration,DC=alpha,DC=fr
DC=DomainDnsZones,DC=alpha,DC=fr
DC=ForestDnsZones,DC=alpha,DC=fr
default naming context: DC=alpha,DC=fr
schema naming context: CN=Schema,CN=Configuration,DC=alpha,DC=fr
configuration naming context: CN=Configuration,DC=alpha,DC=fr
root domain naming context: DC=alpha,DC=fr
forest functional level: Windows 2000 Forest Mode
[06/12/09 09:18:27.015]:c:\alpha\logs\tracesAD.log PT:ADDriver: Connect
using ldap_bind: user=cn=AdminNim,cn=Users,dc=alpha,dc=fr, domain=,
password=***, method=simple, server=10.99.1.184, sign=no, seal=no
ssl=no

[06/12/09 09:18:27.015]:c:\alpha\logs\tracesAD.log PT:ADDriver:
ldap_bind connection succeeded

[06/12/09 09:18:27.015]:c:\alpha\logs\tracesAD.log PT:ADDriver: [PWD]
PasswordSync::PasswordSync() hToken = 0x00000000

...

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20070823_095000"
instance="\CCI_TREE\alpha\system\Ensemble Pilote Dev\Active Directory
Test" version="3.5.1">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<add-association dest-dn="\ALPHA_TREE\alpha\comptes\Ala AAELUNEUF"
dest-entry-id="41995"
event-id="ALPHA-NDS#20090612062123#1#1">ae2d7e75c53e1b4b8f0db429f6 4abdf8</add-association>
<status level="error" type="driver-general">Could not set password
via platform call. Err=5 (access denied)</status>
<status event-id="ALPHA-NDS#20090612062123#1#1" level="success"/>
</output>
</nds>

...


What is strange, first of all, is the log "Connect using ldap_bind",
where my domain is empty.
And then I get an error which tells me that it is not possible to set the
password via platform call because access is denied.

Do you have an idea why I have an empty domain (although my driver works
except for the password) and why I get access denied in the logs?


Many thanks in advance for your help,

Christine


--
coves
------------------------------------------------------------------------
coves's Profile: http://forums.novell.com/member.php?userid=4568
View this thread: http://forums.novell.com/showthread.php?t=376044
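The trace line, the XDS output and the policy rule quoted in the post, run through a small triage script. This is an added example, not code from the post or from Novell's driver: the function names and the wording of the findings are mine, and the sample strings are reconstructed from the fragments in the post with the line wrapping removed. It parses the `key=value` pairs after `Connect using ldap_bind:` and flags the two things the poster found strange (the empty `domain=` and the `access denied` status), plus two points worth checking on any such trace: a simple bind with `ssl=no` sends the driver account's own password in cleartext, and a `do-set-dest-password` whose argument is a plain `token-text` means a password hard-coded in policy.

```python
"""Triage helper for an IDM Active Directory driver trace (added example).

Assumptions: the trace line carries key=value pairs after
'Connect using ldap_bind:' exactly as quoted in the post; the samples
below are reconstructed from the post with line wrapping removed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ldap_bind trace line quoted in the post.
BIND_LINE = (
    "[06/12/09 09:18:27.015]:c:\\alpha\\logs\\tracesAD.log PT:ADDriver: Connect "
    "using ldap_bind: user=cn=AdminNim,cn=Users,dc=alpha,dc=fr, domain=, "
    "password=***, method=simple, server=10.99.1.184, sign=no, seal=no ssl=no"
)

# Constructed sample: the XDS output document quoted in the post.
XDS_OUTPUT = r"""<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20070823_095000" version="3.5.1">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<add-association dest-dn="\ALPHA_TREE\alpha\comptes\Ala AAELUNEUF"
dest-entry-id="41995"
event-id="ALPHA-NDS#20090612062123#1#1">ae2d7e75c53e1b4b8f0db429f6 4abdf8</add-association>
<status level="error" type="driver-general">Could not set password
via platform call. Err=5 (access denied)</status>
<status event-id="ALPHA-NDS#20090612062123#1#1" level="success"/>
</output>
</nds>"""

# Constructed sample: the command rule quoted in the post.
POLICY_RULE = r"""<rule>
<description>Affectation password + identifiant</description>
<conditions><and>
<if-class-name op="equal">User</if-class-name>
<if-operation op="equal">add</if-operation>
</and></conditions>
<actions>
<do-set-dest-password class-name="User">
<arg-string><token-text xml:space="preserve">alpha.13</token-text></arg-string>
</do-set-dest-password>
</actions>
</rule>"""


def parse_bind_line(line):
    """Return the key=value fields of a 'Connect using ldap_bind' trace line."""
    text = " ".join(line.split())  # undo any line wrapping from the forum
    m = re.search(r"Connect using ldap_bind:\s*(.*)$", text)
    if not m:
        return {}
    fields = {}
    for tok in m.group(1).split():
        tok = tok.rstrip(",")  # fields are separated by ", " (or a bare space)
        if "=" in tok:
            key, value = tok.split("=", 1)  # the user DN itself contains '='
            fields[key] = value
    return fields


def assess_bind(fields):
    """Flag bind settings worth a second look; each finding names its field."""
    findings = []
    if fields.get("domain") == "":
        findings.append("domain= is empty in the bind line")
    if fields.get("method") == "simple" and fields.get("ssl") == "no":
        findings.append("simple bind with ssl=no: the driver account password "
                        "crosses the wire in cleartext")
    if fields.get("sign") == "no" and fields.get("seal") == "no":
        findings.append("sign=no seal=no: LDAP traffic is neither "
                        "integrity-protected nor encrypted")
    return findings


def parse_xds_statuses(xml_text):
    """Collect every <status> element of an XDS document as level/type/text."""
    root = ET.fromstring(xml_text)
    return [{"level": st.get("level", ""),
             "type": st.get("type", ""),
             "text": " ".join((st.text or "").split())}
            for st in root.iter("status")]


def literal_passwords_in_policy(xml_text):
    """Return the value of each do-set-dest-password whose argument is built
    only from token-text nodes, i.e. a password hard-coded in the policy."""
    root = ET.fromstring(xml_text)
    hits = []
    for action in root.iter("do-set-dest-password"):
        arg = action.find("arg-string")
        if arg is not None and len(arg) and all(c.tag == "token-text" for c in arg):
            hits.append("".join(c.text or "" for c in arg))
    return hits


if __name__ == "__main__":
    for f in assess_bind(parse_bind_line(BIND_LINE)):
        print("bind:", f)
    for st in parse_xds_statuses(XDS_OUTPUT):
        if st["level"] == "error":
            print("status:", st["type"], "-", st["text"])
    for pw in literal_passwords_in_policy(POLICY_RULE):
        print("policy: do-set-dest-password uses a literal value (%d chars)" % len(pw))
```

Running it against the samples lists the empty domain, the cleartext simple bind and the unsigned, unsealed session from the bind line, the `driver-general` error status from the XDS output, and the one hard-coded password in the rule. The script only reports what is visible in the trace; it does not decide what causes `Err=5`.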