Troubleshooting Password Synchronization in Identity Manager

  • 3650562
  • 19-Feb-2008
  • 26-Apr-2012

Environment

Nsure Identity Manager 2.0.x
Novell Identity Manager 3.0
Novell Universal Password
Novell NDS to NDS Driver

Situation

Troubleshooting Password Synchronization in Identity Manager

Resolution

The following steps cover most of the problems seen when synchronizing passwords.

1) In iManager, under Password Management, Password Synchronization, search the tree for drivers, then check the settings for each driver. Make sure that both 'DirXML Accepts Passwords' and 'Application Accepts Passwords' are marked; this allows passwords to flow in both directions.

2) In the Password Policy for the user, make sure that the option 'Synchronize Distribution Password when setting Universal Password' is set to true.

3) Make sure that users have a Universal Password policy in place. Remember that a Password policy must be assigned to the user, to a container holding the user, to the root container of the partition holding the user, or to the Login Policy object (this policy affects all users in the tree). A Password policy will not flow down to sub-OUs unless it is located at the root of the partition.

4) Make sure that password filters are installed on all Active Directory domain controllers. For NT, however, filters should only be installed on the Primary Domain Controller.

5) Make sure that the Universal Password is set for users before migrating them to another platform. If this is not done, the user's password will be set as specified in the driver; by default for AD, this means the user's last name.

6) Make sure that the Novell Client is updated to 4.90 SP1a or later; otherwise the client will only set the NDS password, not the Universal Password. Also, when installing the Novell Client, make sure that the Novell NMAS client is installed on the workstation. This can be verified by checking Add/Remove Programs under the Control Panel to see whether the NMAS client is installed. The latest NMAS client can be downloaded from Novell's support site.

7) Make sure that the Administrative ID value on the properties of the driver is set to Administrator (or whatever name the AD administrator user was changed to), for example 'Administrator'; do not enter the full name, as in Administrator@mydomain.com. Also make sure that the Authentication context field is blank. Finally, make sure that the Authentication Method value is set to 'negotiate'.

8) A user may come across to AD but with the account disabled. This occurs if you create a user in AD without a password, or try to use a password that doesn't conform to the Windows password policy; in that case the user will be locked.

9) If passwords change from eDirectory but not from Active Directory, and you are running the Remote Loader service and the Password Sync service on a Windows 2003 server, you need to give the user you authenticate into Active Directory with (the user object you specified in the Authentication ID field under the properties of the AD driver) Full Control to the following registry key and all subkeys: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PassSync. Highlight Security | Select Permissions | Click Add and browse to your user object in AD | Check the boxes for Read and Full Control. Make sure you select inheritable or Full Control for all subkeys. That way the hidden Data key can be read by that user.
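The registry permission change in step 9, as an added PowerShell example that is not part of the TID: it grants the driver's authentication account Full Control on the PassSync key, inherited by subkeys, and then verifies that the ACE is present on every subkey the registry provider can enumerate. The account name MYDOMAIN\idmdriver is an assumption; substitute the account from your driver's Authentication ID field.

```powershell
# Added example (not from the TID): grant the AD driver's authentication account
# Full Control on HKLM\SOFTWARE\Novell\PassSync with inheritance to subkeys, then verify.
# Assumption: the driver authenticates as MYDOMAIN\idmdriver.
$Account = 'MYDOMAIN\idmdriver'
$KeyPath = 'HKLM:\SOFTWARE\Novell\PassSync'

function Grant-PassSyncAccess {
    param([string]$Account, [string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    $ruleArgs = @(
        $Account,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # "all subkeys"
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-PassSyncAccess {
    param([string]$Account, [string]$KeyPath)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    # Check the key itself and every enumerable subkey. The hidden Data subkey the TID
    # mentions may not be returned by Get-ChildItem, so it is covered only by inheritance.
    $keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -Recurse)
    foreach ($key in $keys) {
        $ace = (Get-Acl -Path $key.PSPath).Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $full) -eq $full)
        }
        if (-not $ace) {
            Write-Warning "No Full Control ACE for $Account on $($key.PSPath)"
            return $false
        }
    }
    return $true
}

Grant-PassSyncAccess -Account $Account -KeyPath $KeyPath
Test-PassSyncAccess -Account $Account -KeyPath $KeyPath   # $true when every key carries the ACE
```

Run this from an elevated session on the server hosting the Remote Loader; because this account can now read the PassSync data, keep the grant limited to that one account and review the key's ACL when the driver account changes.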

10) The password synchronization agent and the Identity Manager driver for AD have to be installed and running in the same domain. If the driver, with or without a Remote Loader configuration, is installed in one domain and the password synchronization agent is installed in another domain, the passwords will not synchronize.

11) To obtain a trace that shows a password change occurring, set the DSTRACE level to 5 for the driver. This will never show the password or any password requirements. It will just show that a password change has been processed for a particular user.

12) An Ignore on the User class itself, in the filter, will prevent passwords from synchronizing for that channel. When creating the driver, in the initial configuration, if one chooses to do a one-way synchronization, passwords cannot be synchronized bi-directionally unless the filter is modified.

13) eDirectory driver synchronizing the public and private key: you must not have any of the Universal Password policies in the driver. Negate them or remove them as per the online documentation for the eDirectory driver (https://www.novell.com/documentation/dirxmldrivers/pdfdoc/edirectory/edirectory.pdf, page 26). Initial user creations were not synchronizing the password; modifications of the password after the user was already created were synchronizing.


Additional Information

Formerly known as TID# 10092687