Hi All,

I am facing an issue during user migration from AD to
eDirectory.

There was a password policy assigned to the user container at the time of
migration that does not accept historical passwords. I started the user
migration from one AD container to eDirectory. As far as I found on the web,
we cannot migrate the AD password, but the password will be in sync
the next time the user changes the password.
I migrated the users from that container twice, for some reason.
After that I found that some of the users' passwords had been reset in AD to
the driver's default password, as mentioned in the publisher creation policy
(NOVLADDCFG-pub-cp). I found this warning in the driver log:


Code:
--------------------
Message: Code(-8021) Unable to set NMAS password: -1643 NMAS_E_INVALID_PARAMETER
--------------------


My understanding is this:

The first time I migrated those users from AD, they might have been
created in eDirectory with the driver's default password. When I ran the
migration a second time, the driver tried to replace the old password with
AD's password. As both passwords are the same and historical passwords are
not accepted by the password policy, that error occurred. And the AD password
is being replaced by the default password.

But this is a real scenario, and the default driver configuration should
not reset the AD password.

Please help me understand the cause of that exception.
Is it the case that the driver must set the AD password if some exception
occurs during password synchronization on the publisher channel?

Here is some trace where I remigrated one user, and the AD password got
reset with eDirectory's default password.

Code:
--------------------

[02/02/15 09:59:20.902]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.7">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" dest-dn="data\users\jshah02" dest-entry-id="534709" event-id="migrate-app-sync-1" from-merge="true" src-dn="CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com">
<association>e936c5b72a6f3f49b59d6da9c0ce32f7</association>
<modify-attr attr-name="nspmDistributionPassword"><!-- content suppressed -->
</modify-attr>
<operation-data>
<password-publish-status>
<association>e936c5b72a6f3f49b59d6da9c0ce32f7</association>
</password-publish-status>
</operation-data>
<modify-attr attr-name="Object Class">
<add-value>
<value type="string">DirXML-ApplicationAttrs</value>
</add-value>
</modify-attr>
<modify-attr attr-name="DirXML-ADContext">
<remove-all-values/>
<add-value>
<value type="string">CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[02/02/15 09:59:20.903]:AD ST:Applying policy: %+C%14CXYZADDCFGpub-ctp-SharedMailBox%-C.
[02/02/15 09:59:20.903]:AD ST: Applying to modify #1.
[02/02/15 09:59:20.903]:AD ST: Evaluating selection criteria for rule 'Give full access to the manager of a shared mailbox'.
[02/02/15 09:59:20.904]:AD ST: (if-operation equal "modify") = TRUE.
[02/02/15 09:59:20.904]:AD ST: (if-class-name equal "User") = TRUE.
[02/02/15 09:59:20.904]:AD ST: (if-op-attr 'Internet EMail Address' available) = FALSE.
[02/02/15 09:59:20.904]:AD ST: Rule rejected.
[02/02/15 09:59:20.904]:AD ST:Policy returned:
[02/02/15 09:59:20.904]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.7">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" dest-dn="data\users\jshah02" dest-entry-id="534709" event-id="migrate-app-sync-1" from-merge="true" src-dn="CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com">
<association>e936c5b72a6f3f49b59d6da9c0ce32f7</association>
<modify-attr attr-name="nspmDistributionPassword"><!-- content suppressed -->
</modify-attr>
<operation-data>
<password-publish-status>
<association>e936c5b72a6f3f49b59d6da9c0ce32f7</association>
</password-publish-status>
</operation-data>
<modify-attr attr-name="Object Class">
<add-value>
<value type="string">DirXML-ApplicationAttrs</value>
</add-value>
</modify-attr>
<modify-attr attr-name="DirXML-ADContext">
<remove-all-values/>
<add-value>
<value type="string">CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[02/02/15 09:59:20.906]:AD ST:Filtering out notification-only attributes.
[02/02/15 09:59:20.906]:AD ST:Pumping XDS to eDirectory.
[02/02/15 09:59:20.906]:AD ST:Performing operation modify for data\users\jshah02.
[02/02/15 09:59:20.906]:AD ST:--JCLNT-- \XYZ\system\XYZ Driver Set\XYZ Active Directory Driver : Duplicating : context = 1982070863, tempContext = 1982070885
[02/02/15 09:59:20.906]:AD ST:Modifying entry data\users\jshah02.
[02/02/15 09:59:20.909]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.7">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" dest-dn="CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com" src-dn="data\users\jshah02">
<association>e936c5b72a6f3f49b59d6da9c0ce32f7</association>
<modify-attr attr-name="nspmDistributionPassword" failed-sync="true"><!-- content suppressed -->
</modify-attr>
</modify>
</input>
</nds>
[02/02/15 09:59:20.917]:AD ST:--JCLNT-- \XYZ\system\XYZ Driver Set\XYZ Active Directory Driver : Calling free on tempContext = 1982070885
[02/02/15 09:59:20.921]:AD ST:
DirXML Log Event -------------------
Driver: \XYZ\system\XYZ Driver Set\XYZ Active Directory Driver
Channel: Subscriber
Object: CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com (data\users\jshah02)
Status: Success
[02/02/15 09:59:20.925]:AD ST:
DirXML Log Event -------------------
Driver: \XYZ\system\XYZ Driver Set\XYZ Active Directory Driver
Channel: Subscriber
Object: CN=jshah02,OU=ABCD,OU=User Contractors,OU=Corp,DC=Example,DC=com (data\users\jshah02)
Status: Warning
Message: Code(-8021) Unable to set NMAS password: -1643 NMAS_E_INVALID_PARAMETER.

--------------------


--
Thanks,
Raktim Banerjee
Enterprise Risk and Security Services (ERSS), Cognizant
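
One way to find every such event in a driver trace, as an added example that is not part of the original post or of NetIQ's tooling: it flags XDS modify documents whose nspmDistributionPassword carries failed-sync="true" (the document that appears in the trace above next to the -8021 warning) and pairs each with the warning logged for the same object. The sample trace, user names and the function name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the trace in the post (not a real capture).
SAMPLE_TRACE = r'''[02/02/15 09:59:20.909]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="User" dest-dn="CN=user01,OU=Test,DC=example,DC=com" src-dn="data\users\user01">
<modify-attr attr-name="nspmDistributionPassword" failed-sync="true"><!-- content suppressed -->
</modify-attr>
</modify>
</input>
</nds>
[02/02/15 09:59:20.925]:AD ST:
DirXML Log Event -------------------
Object: CN=user01,OU=Test,DC=example,DC=com (data\users\user01)
Status: Warning
Message: Code(-8021) Unable to set NMAS password: -1643 NMAS_E_INVALID_PARAMETER.
[02/02/15 10:01:00.000]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="User" dest-dn="data\users\user02" src-dn="CN=user02,OU=Test,DC=example,DC=com">
<modify-attr attr-name="nspmDistributionPassword"><!-- content suppressed -->
</modify-attr>
</modify>
</input>
</nds>
'''

STAMP = re.compile(r'^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\]:', re.M)
XDS = re.compile(r'<nds\b.*?</nds>', re.S)
EVENT = re.compile(r'Object: (.+?) \(.*?\)\nStatus: Warning\nMessage: (Code\(-8021\).*)')

def find_password_writebacks(trace):
    """Flag XDS modifies carrying a failed-sync nspmDistributionPassword."""
    warned = {obj: msg.strip() for obj, msg in EVENT.findall(trace)}
    hits = []
    for doc in XDS.finditer(trace):
        stamps = STAMP.findall(trace, 0, doc.start())  # timestamps logged before this document
        try:
            root = ET.fromstring(doc.group(0))
        except ET.ParseError:  # truncated or interleaved trace output
            continue
        for mod in root.iter('modify'):
            if any(a.get('attr-name') == 'nspmDistributionPassword' and a.get('failed-sync') == 'true'
                   for a in mod.iter('modify-attr')):
                dn = mod.get('dest-dn')
                hits.append({'time': stamps[-1] if stamps else None, 'target': dn,
                             'source': mod.get('src-dn'), 'warning': warned.get(dn)})
    return hits
```

Each record's `target` is the dest-dn of the flagged modify, so a target in AD DN form marks an account to check for an overwritten AD password.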