Hello,

I've set up policies in a DLT driver to import new passwords into IDM
eDirectory, which then would sync to Prod-eDir, AD, and Google. Last
night we ran the import and were able to change 1042 out of 1048
passwords.

Now the six users whose passwords did not change at Google or in AD,
did change in the Prod-eDir tree. Yah, weird I know.

When reviewing the log I did find this discrepancy.

PASSWORD CHANGED OKAY

<attr attr-name="nspmDistributionPassword"><!-- content suppressed
-->
</attr>

<attr attr-name="Object Class">
<value timestamp="1431033903#25" type="string">User</value>
<value timestamp="1431033903#26" type="string">phsUser</value>
<value timestamp="1431033903#27"
type="string">sapAddOnUM</value>
<value timestamp="1431033903#28" type="string">Organizational
Person</value>
<value timestamp="1431033903#29" type="string">Person</value>
<value timestamp="1431033903#30"
type="string">ndsLoginProperties</value>
<value timestamp="1431033903#31" type="string">Top</value>
<value timestamp="1431033903#138"
type="string">DirXML-PasswordSyncStatusUser</value>
<value timestamp="1431034033#1"
type="string">DirXML-Identity</value>
<value timestamp="1442334573#19"
type="string*">DirXML-ApplicationAttrs*</value>
</attr>
</instance>
<status event-id="0" level="success"></status>
</output>
</nds>
[12/01/15 06:03:30.772]: pwd PT:Found non-class attribute
nspmDistributionPassword.

PASSWORD CHANGED NOT WORKING CORRECTLY.

<attr attr-name="nspmDistributionPassword"><!-- content suppressed -->
</attr>

<attr attr-name="Object Class">
<value timestamp="1335408286#34" type="string">User</value>
<value timestamp="1340332296#83" type="string">Organizational
Person</value>
<value timestamp="1340332296#84" type="string">Person</value>
<value timestamp="1340332296#85"
type="string">ndsLoginProperties</value>
<value timestamp="1340332296#86" type="string">Top</value>
<value timestamp="1340332296#80" type="string">phsUser</value>
<value timestamp="1340332296#81"
type="string">sapAddOnUM</value>
<value timestamp="1350678380#1"
type="string">DirXML-Identity</value>
<value timestamp="1360019179#2"
type="string">DirXML-PasswordSyncStatusUser</value>
<value timestamp="1360032879#1"
type="string">*srvprvEntityAux*</value>
</attr> </instance>
<status event-id="0" level="success"></status>
</output>
</nds>
[12/01/15 10:16:17.451]: pwd PT:
DirXML Log Event -------------------
Driver: \PHSIDV\pembroke\services\Pluto Driver Set\Password
Import
Channel: Publisher
Object: (\PHSIDV\pembroke\PHSUsers\PHS-Students\CDema17)
Status: Success

If you notice on the trace that works correctly it has a
DirXML-ApplicationAttrs value, where the trace from the user that
isnt working does not.

The non-working user then ends with a success, while the working user
continues to process the password change.

There are no entries in the AD or Google logs for the users not
syncing.

Does anyone know why the working user has this value while the other
does not? Where does this value come from? Can you think of anywhere
else to look for a solution?

Many thanks in advance,

Allen


--
allenmorris
------------------------------------------------------------------------
allenmorris's Profile: https://forums.netiq.com/member.php?userid=1565
View this thread: https://forums.netiq.com/showthread.php?t=54767