Quote Originally Posted by geoffc
Some details for you to consider.

eDir stores Password Expiration Time in CTIME format. (Count of seconds
since Jan 1, 1970).

AD stores pwdLastSet in FILETIME format (Count of 100ns intervals since
Jan 1, 1601).

And thus expiration is calculated as pwdLastSet + Expiration setting. If
in the past, expired; if not, active.

You can only write 0 (must change on next login) or -1 (Never expire) to
pwdLastSet.

So short answer, writing to AD is not an option.

PWNotify to warn people to change passwords is pretty easy, but as you
noted the issue is not the technology. People just ignore it.

eDir when you expire gives you grace logins. AD once you expire locks
you out.

I forget, do you have AD Password filters? I.e. Do you get password
changes FROM AD, or just eDir password changes sent to AD?

You could consider setting the expiration 1 day apart.

Say AD 90 days, and eDir 89. (Or 91 and 90).

Then eDir will expire first and then AD. So they change eDir, it syncs
to AD and resets their expiration time in AD again.


On 12/20/2018 10:54 AM, kjhurni wrote:
>
> Other than some really old KB articles from 2012, just wondering if this
> can even be done or how to deal with the situation I'm dealt.
>
> eDir <-> eDir Vault <-> AD
>
> Passwords, however, are synced only one way from eDir -> AD (there's no
> password driver installed on the AD DC).
>
> For political, oh I mean, "security" reasons, the AD Default Domain
> policy regarding passwords needs to be changed to use MS Complexity and
> the Max Password age set to 90 and the Min. set to 1.
>
> I've got the eDir NMAS stuff setup as "equivalent" as I can.
>
> Now, we have a loopback driver that adjusts the TIME of the password
> expiration in eDirectory so that if you change the password, it adjusts
> the time (not the date) to 90 days at midnight.
>
> I.e., if I change it today, it'll set to 3/20/19 at midnight.
>
> Now, in AD of course, it sets the pwdLastSet to the actual date/time
> that the password was changed, so it'll be like, 12/20/19 @ 10:50 a.m.
>
> So the issue that we've encountered in testing is that, the user will
> sit down to their PC and login with the Novell Client, which will (or
> used to) seamlessly login to AD. But you'll then get prompted by the MS
> Client to change your AD password (this depends on WHEN you login to the
> PC obviously), and you have to do that first before you can get the
> desktop and then change the eDirectory password.
>
> I'm racking my brain to come up with any method that would sync the
> password expiration date/time to AD (and of course AD stores the value
> in some hideous format).
>
> BUT, I'm now thinking that even if that is accomplished, we'd run
> into the same situation:
> You'll login to eDirectory via the Novell Client, which will try to
> login to AD (so that you can actually change the password) but even if
> both passwords expire at midnight, you'll be prompted to change the AD
> password before you load up the desktop.
>
> The only viable option I see is to not set AD to expire passwords every
> 90 days which won't fly (well it's not my decision, but I'm 99% certain
> the answer will be "no").
>
> We could try to mitigate it via pre-emptive password change emails, but
> it seems that doesn't work reliably (from a cursory forum search), and
> knowing our users (we have another system that emails every 15 days
> prior to password expiration and I'd say at least 50% of the people
> don't pay attention to it).
>
> But I'm open to ideas/suggestions that I can pass along.
>
>
Thanks Geoff,

No password filters on the AD side, so it's one-way (eDir to AD) only (just the remote loader bit is running on the AD DC).

Yes, MS seems to be the only directory that expires your password and locks you out and then you can't change it (completely opposite of almost everything else I've looked at). But that's MS for you, LOL.

While setting the eDir lower than AD won't solve the issue, it should help mitigate it. Now, we'll have to see how much, but the only real way will be to throw it in Prod and see what happens.

Thanks for the idea/suggestion and explanation.
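As an added illustration of Geoff's point about the two time formats (not code from the thread or from either directory product): convert eDir CTIME to AD FILETIME and back, compute AD's expiry as pwdLastSet plus the maximum age, and work the thread's own 12/20/2018 example through both the 90/90 setting and the suggested 89/90 stagger. The midnight behaviour of the loopback driver, the treatment of the change time as UTC, and the helper names are assumptions made here.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# The FILETIME epoch (1601-01-01) lies this many seconds before the Unix epoch (1970-01-01).
EPOCH_DIFF_SECONDS = 11_644_473_600
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns

def ctime_to_filetime(ctime: int) -> int:
    """eDir CTIME (seconds since 1970) -> AD FILETIME (100 ns ticks since 1601)."""
    return (ctime + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND

def filetime_to_ctime(filetime: int) -> int:
    """AD FILETIME -> eDir CTIME, truncating the sub-second ticks."""
    return filetime // TICKS_PER_SECOND - EPOCH_DIFF_SECONDS

def max_pwd_age_ticks(days: int) -> int:
    """AD stores maxPwdAge as a negative 100 ns interval (90 days -> -77760000000000)."""
    return -days * 86_400 * TICKS_PER_SECOND

def ad_expiration(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """AD expiry = pwdLastSet + maximum age; subtracting the negative interval adds it.
    pwdLastSet == 0 means 'must change at next logon', i.e. already expired -> None."""
    if pwd_last_set == 0:
        return None
    return datetime.fromtimestamp(filetime_to_ctime(pwd_last_set - max_pwd_age), tz=timezone.utc)

def edir_expiration(changed: datetime, max_age_days: int) -> datetime:
    """Assumed behaviour of kjhurni's loopback driver: expiry lands at 00:00 on the day
    max_age_days after the change, rather than at the exact change time."""
    midnight = changed.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(days=max_age_days)

def stagger_hours(changed: datetime, edir_days: int, ad_days: int) -> float:
    """Hours by which eDir expires before AD (negative means AD expires first)."""
    pwd_last_set = ctime_to_filetime(int(changed.timestamp()))
    ad_exp = ad_expiration(pwd_last_set, max_pwd_age_ticks(ad_days))
    return (ad_exp - edir_expiration(changed, edir_days)).total_seconds() / 3600

def thread_example() -> dict:
    """The thread's scenario: password changed 2018-12-20 at 10:50 (treated as UTC here)."""
    changed = datetime(2018, 12, 20, 10, 50, tzinfo=timezone.utc)
    ad_exp = ad_expiration(ctime_to_filetime(int(changed.timestamp())), max_pwd_age_ticks(90))
    return {
        "edir_expires_90": edir_expiration(changed, 90).isoformat(),  # 3/20/19 at midnight
        "ad_expires_90": ad_exp.isoformat(),                           # 3/20/19 10:50
        "stagger_90_90_h": round(stagger_hours(changed, 90, 90), 2),   # same-day overlap
        "stagger_89_90_h": round(stagger_hours(changed, 89, 90), 2),   # Geoff's 89/90 stagger
    }
```

With equal 90-day settings the two expiries fall on the same day, so whether a user hits eDir's grace login or AD's lockout first depends on the time of day they log in; moving eDir to 89 days puts its expiry a full day ahead of AD's.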