Unfortunately, I have to populate this forum with another password question sooner than I would have preferred.

Synchronising distribution password values to external systems would clearly benefit from the existence of distribution passwords in the first place. In our system a loopback driver is generating new users including their initial passwords. The idea was to assign a password policy that enables the Universal Password for these users and synchronises their generated initial passwords to the NDS and Distribution Password. Unfortunately, the IDM seems to work differently than anticipated.

Traces report "Setting the initial password." after the user has been created in the specified context. In the next line, however, NMAS begins to complain: "GetXKey: Key not available", followed by "Universal Password not supported for CN=..." and finally "ERROR: -1658 Failed get password status for CN=...".

Jim Willeke's dump UP tool confirms that no UP value is present, but that the correct password policy has been assigned to the new user.

Logging into iManager and setting the UP of the aforementioned user manually to the value generated by the loopback driver proceeds without problem, though.

If left alone (without administrative intervention), the user stays without UP for hours (I gave up after two hours). Nevertheless, the user can log in to iManager, for example, and on that occasion the engine comes up with a 'modify/modify-attr attr-name="nspmDistributionPassword"' event sent to drivers configured to be notified upon password changes; NMAS reports "Successful get distribution password for .CN=" and afterwards the UP is up and running.

Since the system to be connected to our IDM needs initial passwords when new users are created, this sequence of events has major drawbacks, and I wonder whether there are options to make the UP operational right from the beginning, i.e., during the creation of new users?