We were getting a rash of reports that user passwords were randomly not
working right after a change. After some investigation, I tracked this
down to the use of certain special characters: )('<>. Our password
policy in AD supposedly allows these, as does eDirectory. So, after
enabling traces to show the password in transit, I discovered that the
IDM was converting them to their character codes which either AD or the
AD shim apparently was interpreting as literal.

I don't know if this is a bug or what--I am still running an older
driver version (3.5.10)--but I just wanted to let the community know. I
created a workaround rule on my AD command transform policy that fixes
this via regex. I don't know if this is the proper way to fix it, but it
seems to do the trick:

<rule notrace="true">
  <description>Fix Special Characters</description>
  <comment xml:space="preserve">AD does not recognize special character codes in a password, so we must manually convert them here.</comment>
  <conditions>
    <and>
      <if-op-attr name="nspmDistributionPassword" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-reformat-op-attr name="nspmDistributionPassword" notrace="true">
      <arg-value type="string">
        <token-replace-all regex="&amp;#41;" replace-with=")">
          <token-replace-all regex="&amp;#40;" replace-with="(">
            <token-replace-all regex="&amp;#39;" replace-with="'">
              <token-replace-all regex="&amp;lt;" replace-with="&lt;">
                <token-replace-all regex="&amp;gt;" replace-with=">">
                  <token-op-attr name="nspmDistributionPassword"/>
                </token-replace-all>
              </token-replace-all>
            </token-replace-all>
          </token-replace-all>
        </token-replace-all>
      </arg-value>
    </do-reformat-op-attr>
  </actions>
</rule>


adamdn01's Profile: http://forums.novell.com/member.php?userid=126372
View this thread: http://forums.novell.com/showthread.php?t=454846
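As an added illustration (not the poster's rule and not IDM product code), the same transformation in Python, generalised beyond the five characters the rule handles to any decimal or hex character reference and the five predefined XML entities, plus a check that reports whether a value still carries encoded characters; the function names are my own.

```python
import re

# Character references an XML-based channel may have produced in a password:
# decimal (&#40;), hexadecimal (&#x28;) and the five predefined XML entities.
_CHARREF = re.compile(
    r"&(?:#(?P<dec>[0-9]+)|#x(?P<hex>[0-9A-Fa-f]+)"
    r"|(?P<name>lt|gt|amp|quot|apos));"
)
_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}


def _expand(match):
    """Turn one matched reference into the character it encodes."""
    if match.group("name") is not None:
        return _NAMED[match.group("name")]
    if match.group("dec") is not None:
        code = int(match.group("dec"))
    else:
        code = int(match.group("hex"), 16)
    # Out-of-range code points are not valid references; leave them untouched
    # rather than raising, since we are handling a credential in flight.
    if code > 0x10FFFF:
        return match.group(0)
    return chr(code)


def decode_charrefs(password):
    """Expand XML character references the way the policy rule does, but for
    any decimal/hex reference and the predefined entities. Text that is not a
    well-formed reference (a lone '&', '&D;', '&#zz;') is kept as-is."""
    return _CHARREF.sub(_expand, password)


def contains_charrefs(password):
    """True if the value still carries references the target would take
    literally; useful as a sanity check in a trace or test before the value
    reaches the AD shim."""
    return _CHARREF.search(password) is not None
```

Caveat the rule shares: a password that genuinely contains the text `&#40;` is indistinguishable from an encoded `(`, so this decoding only belongs on a channel known to have encoded the value.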