Hello all,

I am sure I must be missing something basic here, but it is doing my
head in.

I am working in a lab environment where I have had the AD driver working
quite happily - pushing users from our Identity Vault to AD and
synchronising passwords in both directions. Our users come
authoritatively from SAP, so any users added to AD directly get vetoed.

As part of a deployment of Exchange 2013, the Exchange guys have added
some service accounts and for some reason one of them is trying to
synchronise its password to the identity vault.

The Remote Loader trace is like this - repeating ad nauseam


DirXML: [03/18/14 12:11:24.28]: Loader: Received document from
publicationShim
DirXML: [03/18/14 12:11:24.28]: Loader: XML Document:
DirXML: [03/18/14 12:11:24.29]: <nds dtdversion="2.2">
<source>
<product build="20131219_120000"
instance="\IDM-TREE\system\driverset1\XXXXXXX AD"
version="4.0.0.3">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password event-id="XXXXXXX AD##144d2f521f9##0"
class-name="user"
src-dn="CN=HealthMailbox594131caa52f45bb807fc3a10a14a8 b4,CN=Users,DC=XXXXXXX,DC=local">
<association>8538f760b1768545be753c0af46fa4c0</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>
</nds>
DirXML: [03/18/14 12:11:24.31]: Loader: Received 'publisher reply'
document
DirXML: [03/18/14 12:11:24.31]: Loader: XML Document:
DirXML: [03/18/14 12:11:24.31]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output/>
</nds>
DirXML: [03/18/14 12:11:24.32]: Loader: DirXML returned:
DirXML: [03/18/14 12:11:24.32]: Loader: XML Document:
DirXML: [03/18/14 12:11:24.34]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output/>
</nds>
DirXML: [03/18/14 12:11:24.34]: ADDriver:
MadPublisherPassSync:rocessPassSyncEntries() clearing user
SM_4177808e3a68413d8 password
DirXML: [03/18/14 12:11:53.37]: Loader: Received document from
publicationShim
DirXML: [03/18/14 12:11:53.37]: Loader: XML Document:
DirXML: [03/18/14 12:11:53.37]: <nds dtdversion="2.2">
<source>
<product build="20131219_120000"
instance="\IDM-TREE\system\driverset1\XXXXXXX AD"
version="4.0.0.3">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<status level="success" type="heartbeat"/>
</input>
</nds>
DirXML: [03/18/14 12:11:53.40]: Loader: Received 'publisher reply'
document
DirXML: [03/18/14 12:11:53.40]: Loader: XML Document:
DirXML: [03/18/14 12:11:53.40]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="0" level="success"></status>
</output>
</nds>
DirXML: [03/18/14 12:11:53.42]: Loader: DirXML returned:
DirXML: [03/18/14 12:11:53.42]: Loader: XML Document:
DirXML: [03/18/14 12:11:53.43]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="0" level="success"></status>
</output>
</nds>
DirXML: [03/18/14 12:11:53.43]:
DirXML Log Event -------------------
Driver = \IDM-TREE\system\driverset1\XXXXXXX AD
Thread = Publisher Channel
Level = success
DirXML: [03/18/14 12:11:53.45]: ADDriver: Publisher Poll
DirXML: [03/18/14 12:11:53.45]: ADDriver: get object changes - 0x0000
DirXML: [03/18/14 12:11:53.45]: ADDriver: process object change entry
DirXML: [03/18/14 12:11:53.45]: ADDriver: Processing change from AD:
isDeleted: NULL, whenCreated NULL, name NULL
DirXML: [03/18/14 12:11:53.45]: ADDriver: Publisher MODIFY
DirXML: [03/18/14 12:11:53.45]: ADDriver: Publisher Modify-
effectiveClassQuery
dn=CN=HealthMailbox594131caa52f45bb807fc3a10a14a8b 4,CN=Users,DC=XXXXXXX,DC=local
className=user
DirXML: [03/18/14 12:11:53.45]: ADDriver: accountExpires
DirXML: [03/18/14 12:11:53.45]: ADDriver: co
DirXML: [03/18/14 12:11:53.45]: ADDriver: company
DirXML: [03/18/14 12:11:53.45]: ADDriver: department
DirXML: [03/18/14 12:11:53.45]: ADDriver: directReports
DirXML: [03/18/14 12:11:53.45]: ADDriver: dirxml-uACAccountDisable
DirXML: [03/18/14 12:11:53.45]: ADDriver: displayName
DirXML: [03/18/14 12:11:53.45]: ADDriver: employeeID
DirXML: [03/18/14 12:11:53.45]: ADDriver: employeeType
DirXML: [03/18/14 12:11:53.45]: ADDriver: facsimileTelephoneNumber
DirXML: [03/18/14 12:11:53.45]: ADDriver: givenName
DirXML: [03/18/14 12:11:53.45]: ADDriver: homeMDB
DirXML: [03/18/14 12:11:53.45]: ADDriver: initials
DirXML: [03/18/14 12:11:53.45]: ADDriver: l
DirXML: [03/18/14 12:11:53.45]: ADDriver: logonHours
DirXML: [03/18/14 12:11:53.45]: ADDriver: mail
DirXML: [03/18/14 12:11:53.45]: ADDriver: memberOf
DirXML: [03/18/14 12:11:53.45]: ADDriver: middleName
DirXML: [03/18/14 12:11:53.45]: ADDriver: mobile
DirXML: [03/18/14 12:11:53.45]: ADDriver: physicalDeliveryOfficeName
DirXML: [03/18/14 12:11:53.45]: ADDriver: postOfficeBox
DirXML: [03/18/14 12:11:53.45]: ADDriver: postalCode
DirXML: [03/18/14 12:11:53.46]: ADDriver: sAMAccountName
DirXML: [03/18/14 12:11:53.46]: ADDriver: sn
DirXML: [03/18/14 12:11:53.46]: ADDriver: st
DirXML: [03/18/14 12:11:53.46]: ADDriver: streetAddress
DirXML: [03/18/14 12:11:53.46]: ADDriver: telephoneNumber
DirXML: [03/18/14 12:11:53.46]: ADDriver: thumbnailPhoto
DirXML: [03/18/14 12:11:53.46]: ADDriver: title
DirXML: [03/18/14 12:11:53.46]: ADDriver: userPrincipalName
DirXML: [03/18/14 12:11:53.46]: Loader: Received document from
publicationShim
DirXML: [03/18/14 12:11:53.46]: Loader: XML Document:
DirXML: [03/18/14 12:11:53.46]: <nds dtdversion="2.2">
<source>
<product build="20131219_120000"
instance="\IDM-TREE\system\driverset1\XXXXXXX AD"
version="4.0.0.3">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<init-params>
<publisher-state>
<cookie>TVNEUwMAAACy3iBuT0LPAQAAAAAAAAAAKAAAALcvJg AAAAAAAAAAAAAAAAC3LyYAAAAAAGG9WE3ozeJKhQAEgli9RnQB AAAAAAAAAAEAAAAAAAAAYb1YTejN4kqFAASCWL1GdLcvJgAAAA AA</cookie>
</publisher-state>
</init-params>
</input>
</nds>
DirXML: [03/18/14 12:11:53.46]: Loader: Writing driver state to file
DirXML: [03/18/14 12:11:53.46]: Loader: Document consists only of state;
not sending to remote side
DirXML: [03/18/14 12:11:53.46]: Loader: Returning to publisher:
DirXML: [03/18/14 12:11:53.46]: Loader: XML Document:
DirXML: [03/18/14 12:11:53.46]: <nds ndsversion="8.6" dtdversion="1.0">
<output>
<status level="success"/>
</output>
</nds>
DirXML: [03/18/14 12:11:53.46]: ADDriver: object changes complete
DirXML: [03/18/14 12:12:24.35]: Loader: Received document from
publicationShim
DirXML: [03/18/14 12:12:24.35]: Loader: XML Document:
DirXML: [03/18/14 12:12:24.37]: <nds dtdversion="2.2">
<source>
<product build="20131219_120000"
instance="\IDM-TREE\system\driverset1\XXXXXXX AD"
version="4.0.0.3">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password event-id="XXXXXXX AD##144d2f60ca7##0"
class-name="user"
src-dn="CN=HealthMailbox594131caa52f45bb807fc3a10a14a8 b4,CN=Users,DC=XXXXXXX,DC=local">
<association>8538f760b1768545be753c0af46fa4c0</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>
</nds>
DirXML: [03/18/14 12:12:24.39]: Loader: Received 'publisher reply'
document
DirXML: [03/18/14 12:12:24.39]: Loader: XML Document:
DirXML: [03/18/14 12:12:24.39]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output/>
</nds>
DirXML: [03/18/14 12:12:24.40]: Loader: DirXML returned:
DirXML: [03/18/14 12:12:24.42]: Loader: XML Document:
DirXML: [03/18/14 12:12:24.42]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output/>
</nds>
DirXML: [03/18/14 12:12:24.42]: ADDriver:
MadPublisherPassSync:rocessPassSyncEntries() clearing user
SM_4177808e3a68413d8 password



My understanding of the AD driver and Remote Loader was that a password
event would be cached and sent to the Identity Vault for a fixed amount
of time (set on the driver) so as to let the user add event catch up,
after which it would get dumped - my driver does not seem to be doing
the dumping bit. Is there some easy way to clear the password change
cache on the AD server and make this event go away?

Cheers,
Eddie


--
ETFKNOVL
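To confirm from a saved Remote Loader trace which object keeps resubmitting a password change, and at what interval, this added example (not part of the original post and not NetIQ code) groups `<modify-password>` documents by their `<association>` value. The sample trace is constructed and abridged from the shape of the one above; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

STAMP = re.compile(r"^DirXML: \[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d\d)\]")
SRC_DN = re.compile(r'src-dn="([^"]*)"')
ASSOC = re.compile(r"<association>([^<]+)</association>")

def password_events(trace):
    """Yield (time, src_dn, association) per <modify-password> element."""
    stamp = event = None
    for line in trace.splitlines():
        if (m := STAMP.match(line)):  # XML body lines have no timestamp of their own
            stamp = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S.%f")
        if "<modify-password" in line:
            event = {"time": stamp, "src_dn": None, "assoc": None}
        if event is not None:
            for key, rx in (("src_dn", SRC_DN), ("assoc", ASSOC)):
                if (found := rx.search(line)):
                    event[key] = found.group(1)
            if "</modify-password>" in line:
                yield event["time"], event["src_dn"], event["assoc"]
                event = None

def repeated_password_events(trace, min_count=2):
    """Group by association (the stable key) and report repeated events."""
    seen = defaultdict(list)
    for when, src_dn, assoc in password_events(trace):
        seen[assoc].append((when, src_dn))
    report = {}
    for assoc, hits in seen.items():
        if len(hits) >= min_count:
            times = [t for t, _ in hits]
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            report[assoc] = {"src_dn": hits[0][1], "count": len(hits), "gaps": gaps}
    return report

# Constructed sample, abridged to the shape of the trace in the post.
SAMPLE = """\
DirXML: [03/18/14 12:11:24.29]: <nds dtdversion="2.2">
<modify-password event-id="LAB AD##144d2f521f9##0"
src-dn="CN=HealthMailboxExample,CN=Users,DC=lab,DC=local">
<association>8538f760b1768545be753c0af46fa4c0</association>
</modify-password>
DirXML: [03/18/14 12:11:53.37]: <status level="success" type="heartbeat"/>
DirXML: [03/18/14 12:12:24.37]: <modify-password event-id="LAB AD##144d2f60ca7##0"
src-dn="CN=HealthMailboxExample,CN=Users,DC=lab,DC=local">
<association>8538f760b1768545be753c0af46fa4c0</association>
</modify-password>
"""
```

Calling `repeated_password_events(open(path).read())` on a real trace file lists each association that was published more than once, with the seconds between attempts.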