SETUP:
- Bi-Directional eDir Driver from Read-Only Replica
- Flat user placement in IDM
- Goal is to get all users into IDM with most attributes filtered out,
and eventually add in some VLAN assignment attributes for wireless users
that get picked up in RADIUS.

PASSWORD SYNC OPTIONS:
- Identity Manager accept passwords
- Use Distributed Password for password sync
- Always accept password

DRIVER FILTER:
- Publish (sync): uniqueID, Surname, Full Name, CN, nspmPasswordKey
- Subscribe (notify): nspmDistributionPassword
- User class is sync for pub/sub


I can migrate users into IDM fine; all attributes are correct except the
password is always set to the default (@dirxml1). I've gone through dozens
of related posts here thinking it has to be something simple, but none of
the solutions that have worked for others are working.

I've verified the password policies are assigned correctly on both sides
with the diagpwd utility.
Oddly, on the initial migration the UP/DP comes back as set (but it's the
default password).
After a synchronization, they come back as not set, yet the default
password still works.
UP/DP is definitely enabled on the connected eDirectory and the password
policies don't conflict.
I have also tried assigning the password policy directly to the user, no
luck.

Checking the user password after sync returns: Not Synchronized.
Code(-9046) Invalid password specified for <{0}>.
Checking before sync gives an LDAP error -43 (presumably because it's
sending the default password and getting rejected).


Here is the level 3 trace of the user migration:
http://paste.opensuse.org/c2fbeaa3
And here is the user getting synced: http://paste.opensuse.org/0048ecac


Any guidance on where to look next would be really appreciated.



HERE'S THE DIAGPWD OUTPUT:

## Initial Migration, default password is set (@dirxml1)
Object DN: cn=baldockd,o=Uofr
EMail: [NONE]
Last Changed Date: 2015-02-11 15:56:21 Z
Password Status: Enabled, Set, UP != Simple
Distribution Password Status: Set
Simple Password Status: Not set
Password Policy DN: cn=UOFR Policy,cn=Password Policies,cn=Security

Password Policy DN: cn=UOFR Policy,cn=Password Policies,cn=Security
Options: 0x374 (884)
Universal Password enabled
Advanced policy enabled
Sync NDS
Sync Simple disabled
Synch external
User readable
Admin readable

## AFTER SYNC
## SAYS NOT SET, BUT DEFAULT PASSWORD STILL WORKS.
Object DN: cn=baldockd,o=Uofr
EMail: [NONE]
Last Changed Date: 2015-02-11 14:50:24 Z
Password Status: Enabled, Not set
Distribution Password Status: Not set
Simple Password Status: Not set
Password Policy DN: cn=UOFR Policy,cn=Password Policies,cn=Security

Password Policy DN: cn=UOFR Policy,cn=Password Policies,cn=Security
Options: 0x374 (884)
Universal Password enabled
Advanced policy enabled
Sync NDS
Sync Simple disabled
Synch external
User readable
Admin readable

## VERIFIED PASSWORD POLICY ON CONNECTED EDIR IS SET
## VERIFIED UP & DP SET ON CONNECTED EDIR
Object DN: cn=baldockd,ou=compserv,ou=IS,o=Uofr
EMail: [email]
Last Changed Date: 2015-02-11 15:00:33 Z
Password Status: Enabled, Set
Distribution Password Status: Set
Simple Password Status: Set
Password Policy DN: cn=universal password enable,cn=Password Policies,cn=Security

Password Policy DN: cn=universal password enable,cn=Password Policies,cn=Security
Options: 0x144 (324)
Universal Password enabled
Advanced policy disabled
Sync NDS
Sync Simple disabled
Synch external
Not user readable
Not admin readable


--
baldockd
------------------------------------------------------------------------
baldockd's Profile: https://forums.netiq.com/member.php?userid=9044
View this thread: https://forums.netiq.com/showthread.php?t=52805
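Added example (not part of the original post or of the NetIQ driver): a small Python script that parses diagpwd output blocks like the ones above and reports where the IDM vault and the connected eDirectory disagree on Universal Password / Distribution Password state and on the assigned policy's configuration options. The embedded sample is the poster's "AFTER SYNC" block and the connected-eDir block, with the wrapped policy DN lines rejoined. `parse_diagpwd`, `compare_vaults`, `dp_set` and `PwdState` are this example's own names; it does not decode the meaning of individual `Options` bits (it only reports which bits differ) and compares policy flags by the text diagpwd prints.

```python
"""Parse diagpwd output and diff password state between two vaults.

Added example, not the original post's code. DIAGPWD_OUTPUT is copied from
the post (IDM object after sync, then the connected eDirectory object).
"""
from dataclasses import dataclass

DIAGPWD_OUTPUT = """\
## AFTER SYNC (IDM vault)
Object DN: cn=baldockd,o=Uofr
EMail: [NONE]
Last Changed Date: 2015-02-11 14:50:24 Z
Password Status: Enabled, Not set
Distribution Password Status: Not set
Simple Password Status: Not set
Password Policy DN: cn=UOFR Policy,cn=Password Policies,cn=Security
Options: 0x374 (884)
Universal Password enabled
Advanced policy enabled
Sync NDS
Sync Simple disabled
Synch external
User readable
Admin readable

## CONNECTED EDIR
Object DN: cn=baldockd,ou=compserv,ou=IS,o=Uofr
EMail: [email]
Last Changed Date: 2015-02-11 15:00:33 Z
Password Status: Enabled, Set
Distribution Password Status: Set
Simple Password Status: Set
Password Policy DN: cn=universal password enable,cn=Password Policies,cn=Security
Options: 0x144 (324)
Universal Password enabled
Advanced policy disabled
Sync NDS
Sync Simple disabled
Synch external
Not user readable
Not admin readable
"""


@dataclass
class PwdState:
    dn: str
    fields: dict        # "Password Status" -> "Enabled, Not set", etc.
    options: int        # policy Options bitmask as printed by diagpwd
    flags: frozenset    # decoded flag lines printed under Options


def parse_diagpwd(text):
    """Return one PwdState per 'Object DN:' block; '#' comment lines are skipped."""
    states, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Object DN:"):
            cur = PwdState(line.split(":", 1)[1].strip(), {}, 0, frozenset())
            states.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Options:"):
            cur.options = int(line.split()[1], 16)      # "0x374 (884)" -> 884
        elif ":" in line:
            key, val = line.split(":", 1)
            cur.fields.setdefault(key.strip(), val.strip())
        else:
            cur.flags = cur.flags | {line}              # e.g. "Admin readable"
    return states


def dp_set(state):
    """True when diagpwd reports the Distribution Password as set."""
    return state.fields.get("Distribution Password Status") == "Set"


COMPARED = ("Password Status", "Distribution Password Status", "Simple Password Status")


def compare_vaults(idm, connected):
    """List every place the IDM object and the connected-tree object disagree."""
    findings = []
    for key in COMPARED:
        a, b = idm.fields.get(key), connected.fields.get(key)
        if a != b:
            findings.append(f"{key}: IDM='{a}' connected='{b}'")
    diff = idm.options ^ connected.options
    if diff:
        findings.append(f"Policy Options differ in bits 0x{diff:x} "
                        f"(IDM 0x{idm.options:x}, connected 0x{connected.options:x})")
    only_idm, only_conn = sorted(idm.flags - connected.flags), sorted(connected.flags - idm.flags)
    if only_idm or only_conn:
        findings.append(f"Policy flags only in IDM: {only_idm}; only in connected: {only_conn}")
    return findings


if __name__ == "__main__":
    idm_after, connected_edir = parse_diagpwd(DIAGPWD_OUTPUT)
    for finding in compare_vaults(idm_after, connected_edir):
        print("MISMATCH:", finding)
```

Run it against a pair of diagpwd dumps for the same user on both trees; a `Distribution Password Status` mismatch with the DP missing on the IDM side is the symptom described in the post, and the reported `Options`/flag differences show which policy settings (here advanced policy and user/admin readability) are not the same on the two sides.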