We were getting a rash of reports that user passwords were randomly not
working right after change. After some investigation, I tracked this
down to the use of certain special characters: )('<>. Our password
policy in AD supposedly allows these, as does eDirectory. So, after
enabling traces to show the password in transit, I discovered that the
IDM was converting them to their character codes which either AD or the
AD shim apparently was interpreting as literal.

I don't know if this is a bug or what--I am still running an older
driver version (3.5.10)--but I just wanted to let the community know. I
created a workaround rule on my AD command transform policy that fixes
this via regex. I don't know if this is the proper way to fix it, but it
seems to do the trick:


<rule notrace="true">
  <description>Fix Special Characters</description>
  <comment xml:space="preserve">AD does not recognize special character codes in a password, so we must manually convert them here.</comment>
  <conditions>
    <and>
      <if-op-attr name="nspmDistributionPassword" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-reformat-op-attr name="nspmDistributionPassword" notrace="true">
      <arg-value type="string">
        <token-replace-all regex="&amp;#41;" replace-with=")">
          <token-replace-all regex="&amp;#40;" replace-with="(">
            <token-replace-all regex="&amp;#39;" replace-with="'">
              <token-replace-all regex="&amp;lt;" replace-with="&lt;">
                <token-replace-all regex="&amp;gt;" replace-with=">">
                  <token-op-attr name="nspmDistributionPassword"/>
                </token-replace-all>
              </token-replace-all>
            </token-replace-all>
          </token-replace-all>
        </token-replace-all>
      </arg-value>
    </do-reformat-op-attr>
  </actions>
</rule>




Regards,
Adam


--
adamdn01
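Added example, not part of the original post: a Python model of the rule's five substitutions, for checking test passwords offline before relying on the workaround. `escape_as_observed` is a constructed stand-in for the escaping described in the post and assumes only the five listed characters are converted; all function names are hypothetical.

```python
import re

# The rule's five substitutions in evaluation order: token-replace-all
# elements nest, so the innermost (&gt;) runs first, the outermost (&#41;) last.
RULE_SUBSTITUTIONS = [
    (r"&gt;", ">"),
    (r"&lt;", "<"),
    (r"&#39;", "'"),
    (r"&#40;", "("),
    (r"&#41;", ")"),
]

# Constructed model of the symptom (assumption): only these five characters
# are turned into character codes; everything else passes through unchanged.
OBSERVED_ESCAPES = {")": "&#41;", "(": "&#40;", "'": "&#39;", "<": "&lt;", ">": "&gt;"}


def escape_as_observed(password):
    """Return the password as the trace would show it in transit."""
    return "".join(OBSERVED_ESCAPES.get(ch, ch) for ch in password)


def apply_rule(value):
    """Apply the workaround rule's replacements to an in-transit value."""
    for pattern, replacement in RULE_SUBSTITUTIONS:
        value = re.sub(pattern, replacement, value)
    return value


def audit(password):
    """Report how one test password fares with and without the rule."""
    in_transit = escape_as_observed(password)
    delivered = apply_rule(in_transit)
    return {
        # True when the directory would receive something other than what was typed.
        "altered_in_transit": in_transit != password,
        # True when the rule hands the original password back.
        "restored_by_rule": delivered == password,
        # True when the typed password itself contains text the rule rewrites.
        "collides_with_rule": apply_rule(password) != password,
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["P(a)ss'<w>1", "plain123", "x&#41;y"]:
        print(repr(sample), audit(sample))
```

A password that already contains the literal text `&#41;` comes back with `restored_by_rule` false, because the rule cannot tell it apart from an escaped `)`.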