Corrupt UP killing eDirectory
eDirectory 8.7.3.9 on 4 replica servers (two SLES 9, one NW 6.5, one RHat). PKI and SDI diags are current without any issues. Have IDM synching pw's to AD, eDir and RACF. Everything has been running fine for years.
Recently changed my main UP policy to keep 5 passwords in history and NOT expire them (had them expiring after 0 days before, I know, in other words not keeping history). We change passwords every 6 months, so expiring them every 365 days would keep none in history.
Since this PW Policy change we've had issues. The most disturbing is when a password is changed on some accounts (I suppose corrupt UP's), it stops NDSD on my master replica server (the server that is pointed to for LDAP PW changes). If I put one of these accounts in a PW policy without UP on, it changes the pw fine (without moving through the IDM drivers, of course). However, when the UP policy is assigned back to the user account, it stops the directory again.
Using test accounts, I can change the password many times (well over 5) without any issue. So the idea of the history list filling doesn't seem valid.
Has anyone ever seen this type of activity before (killing eDir on a UP pw change)?
I currently don't have any accounts with the problem (that I know of), but it's happened 3 times in the past 2 weeks. Not good.
Thanks,
Stephen