Hi, I'm having trouble with the Password Expiration Time value from admin
password resets.

I am syncing users and passwords in the following manner: eDir (main user
source) -> IDM (separate eDir) -> AD.
Everything is working except I cannot seem to grab the correct Password
Expiration Time in either the eDir2eDir driver or the AD driver. As soon as a
password modify event comes through, the password expiration date is
always (current time + max age specified in password policy) instead of
current time, even though the password is reset by admin and the password
remains expired (current time) in the source eDir. This also means the
user is able to log in to IDM (only done for testing) and is not
prompted for a password change. I would like to be able to pick up the
correct password expiration time so that I can expire passwords in AD
when an admin resets passwords in eDir. The thing is, I have all of this
working in a test environment which _as_far_as_I_can_tell_ is identical
to my production environment except for two details: Production is 64-bit
(all IDM and eDir servers) while Test is 32-bit (all IDM and eDir
servers), and Production has eDir 8.8.8 patch 7 while Test has eDir 8.8.7
(unpatched). Is it possible that something regarding password expiration
time has changed in newer versions of eDirectory?

In my test environment, when a password change is done by an admin (in the
source eDir) there are always two events: the first with password
expiration time (current time + maxAge) and a second with password
expiration time (current time). In the production environment, however, there
is only one event, which has password expiration time (current
time + maxAge). This means that in my test environment I can implement this
policy on the AD driver and it will correctly reset the AD password when
it is reset by admin: http://tinyurl.com/hl32mjf (first the "expiration
date" in AD is set incorrectly and then on the second event it's set
correctly). This difference can be seen in the eDir2eDir driver, so it's
not something in the AD driver.
These are the details of my environments:

Production and Test:
IDM: 4.0.2 engine patch 7
eDir2eDir driver:
AD driver:
Universal Passwords in use with Microsoft Server 2008 Password Policy

Production:
SLES 11 SP3 (x64)
eDir 8.8.8 patch 7

Test:
SLES 11 SP1 (x86)
eDir 8.8.7 (unpatched), cannot be upgraded to 8.8.8 because it's not
available for 32-bit systems.

I have checked and double checked that the password policies in both
eDirs and both IDMs match in the test and production environment,
specifically that the option to not expire passwords when set by admin
is false on both source eDirs, and indeed the password expiration is set
correctly in the source eDir, but in the case of the production
environment the correct expiration date is not synced by IDM.
I have gone through driver configurations, including filters, policies and
password synchronization options, to see that they actually match in the
Test and Production environment. I exported the eDir2eDir driver from
Production to Test to make sure they were configured
identically, and still it did not behave the same way.
The password change is initiated using iManager (which our helpdesk will
use). I tried using the same iManager server to log in to both the Test
and Production eDir environment to make sure the way the password change
was initiated was not the problem.

Any ideas how I would go about finding out why I cannot get this to work
in our Production environment? Any help would be greatly appreciated.

jimbjorklund's Profile: https://forums.netiq.com/member.php?userid=1292
View this thread: https://forums.netiq.com/showthread.php?t=56023
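Added example (editor's own, not the poster's policy, not the content of the linked tinyurl, and not NetIQ IDM code): a small Python model of the decision the poster wants the AD driver to make. It parses the eDirectory generalized-time value of Password Expiration Time from each modify event, classifies the event as "expired" (expiration at or before the event time, i.e. an admin reset that must force a change) or "normal" (expiration roughly event time + maxAge), and replays the two event sequences described above: the test environment's two events and production's single event. The function names, the 90-day maxAge and all timestamps are constructed assumptions; the only real fact used is that setting AD's `pwdLastSet` to 0 forces a password change at next logon.

```python
from datetime import datetime, timedelta, timezone

# Constructed assumption: the password policy's maximum age is 90 days.
MAX_AGE = timedelta(days=90)
# Tolerance for clock skew between the server that stamped the event and us.
SKEW = timedelta(minutes=5)


def parse_edir_time(value: str) -> datetime:
    """Parse an eDirectory generalized-time string such as '20160301120000Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_event(event_time: datetime, expiration: datetime) -> str:
    """Classify one password modify event by its Password Expiration Time.

    'expired'    - expiration is at or before the event time: admin reset,
                   the user must change the password at next logon.
    'normal'     - expiration is about event time + maxAge: ordinary change.
    'unexpected' - anything else; worth logging in a driver trace because it
                   means the expiration value is not what the policy implies.
    """
    if expiration <= event_time + SKEW:
        return "expired"
    if abs((expiration - event_time) - MAX_AGE) <= SKEW:
        return "normal"
    return "unexpected"


def decide_ad_action(events) -> str:
    """Replay an ordered list of (event_time, expiration_time) strings for one
    user and return the action the AD side ends up with after the last event:
    'force-change' (the password is expired in the source) or 'keep'."""
    action = "keep"
    for event_time, expiration in events:
        kind = classify_event(parse_edir_time(event_time), parse_edir_time(expiration))
        # Each event overrides the previous decision, which is exactly why the
        # second (current time) event in the test environment ends up correct
        # while production's single (current time + maxAge) event does not.
        action = "force-change" if kind == "expired" else "keep"
    return action


def ad_attributes_for(action: str) -> dict:
    """Map the decision to the AD attribute a driver policy would set.
    pwdLastSet = 0 forces 'user must change password at next logon'."""
    return {"pwdLastSet": "0"} if action == "force-change" else {}


# Constructed sample events mirroring the two environments described above.
# Event time 2016-03-01 12:00Z; 90 days later is 2016-05-30 12:00Z.
TEST_ENV_EVENTS = [
    ("20160301120000Z", "20160530120000Z"),  # first event: current + maxAge
    ("20160301120000Z", "20160301120000Z"),  # second event: current time
]
PROD_ENV_EVENTS = [
    ("20160301120000Z", "20160530120000Z"),  # only event: current + maxAge
]

if __name__ == "__main__":
    for name, events in (("test", TEST_ENV_EVENTS), ("production", PROD_ENV_EVENTS)):
        for ev, exp in events:
            print(name, ev, exp, classify_event(parse_edir_time(ev), parse_edir_time(exp)))
        action = decide_ad_action(events)
        print(name, "->", action, ad_attributes_for(action))
```

Replaying the sequences shows the test environment ending in "force-change" and production in "keep", which is the symptom reported. The "unexpected" branch is the useful diagnostic: logging the raw Password Expiration Time of every event on the eDir2eDir driver, together with its classification, makes it visible which event (if any) carries the current-time value before it reaches the AD driver.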