On 7/8/2012 3:46 PM, mratcliffe wrote:
> Hi,
> I want to have 2 AD drivers for one domain, 1 to process data and 1 to
> process passwords. There seems to have been discussion about this in
> the past but I can't find anything specific where somebody has explained
> what needs to be changed from the default AD driver to create a password
> sync only driver. Can anyone help please?

I just did this with a client with 600,000 users. The biggest issue you
will run into is due to password complexity. The pre-eDir-8.8.7 NMAS
(it is really NMAS, but the version you need only comes with 8.8.7) and
the default AD complexity is more than 3/4 (now 3/5, with Unicode being
#5) and length.

You cannot use the contents of sAMAccountName in whole, nor displayName
in part. displayName is split into tokens, by space, dash, comma,
underscore, pound, and more I always forget. So depending on how your
AD displayName attribute is constructed you might have an issue when
people change passwords.

With the NMAS fix in eDir 887 there is a password policy called AD 2008
complexity, which when you enable it looks at Given Name, Surname, and
full name and disallows any of the strings to be in the password. If
you construct your displayName differently this may not help at all. It
all depends.

But what I did was take a driver and block deletes and adds. Removed
all the cruft and left only nspmDistributionPassword in the filter
(Sub-Notify). Left the Sub/Pub Command transform policies for
passwords. (Would have been more efficient to just code what I needed,
but I wanted to be able to upgrade if Novell offers an update). In fact
I did it in packages, and used the AD Base, the Common Password Sync and
a custom AD Driver Password sync package.

Then in the main AD driver, in the ITP, add a policy that watches for
<add-association> events. When it does, add an association for the
second password only driver. You get the value from the
<add-association> event. (XPATH of text() will suffice to get the value)
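The Input Transformation rule described in the last paragraph, written out as a DirXML-Script policy. This is an added example, not the poster's own policy. It assumes the shim's `<add-association>` carries the eDirectory object in its `dest-dn` attribute and the association value as its text node (as the post says), that a direct write to eDirectory from the ITP is done with `direct="true"`, and that the second driver's DN (`\TREE\system\driverset\AD-PasswordOnly`) and the tree name are placeholders to replace with your own. The DirXML-Associations value is written as a path-syntax structured value: state 1 (associated), the password-only driver's DN, and the same association value the main AD driver just received.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Associate the password-only AD driver when the main AD driver is associated</description>
    <conditions>
      <and>
        <!-- fire only on the add-association command returned by the AD shim -->
        <if-operation op="equal">add-association</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- direct="true": write to eDirectory now instead of queuing a command in this document (assumption) -->
      <do-add-dest-attr-value direct="true" name="DirXML-Associations">
        <!-- dest-dn on the add-association is the eDirectory object that was just associated -->
        <arg-dn>
          <token-xpath expression="@dest-dn"/>
        </arg-dn>
        <arg-value type="structured">
          <!-- nameSpace holds the association state; 1 = associated/processed -->
          <arg-component name="nameSpace">
            <token-text xml:space="preserve">1</token-text>
          </arg-component>
          <!-- volume holds the driver DN; placeholder, replace with the real password-only driver -->
          <arg-component name="volume">
            <token-text xml:space="preserve">\TREE\system\driverset\AD-PasswordOnly</token-text>
          </arg-component>
          <!-- path holds the association value, taken from the text() of the add-association event -->
          <arg-component name="path">
            <token-xpath expression="text()"/>
          </arg-component>
        </arg-value>
      </do-add-dest-attr-value>
    </actions>
  </rule>
</policy>
```

Both drivers then share one association key for the user, so the password-only driver's Subscriber channel will see nspmDistributionPassword changes for that object without ever having synced the object itself. Because the rule fires on every `<add-association>`, a re-association (migrate, resync) of an already associated user will attempt to add a duplicate DirXML-Associations value; eDirectory rejects exact duplicates, but if your deployment changes association values over time you may want an `if-dest-attr` check on DirXML-Associations in the conditions before writing.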