Password reported Not Synchronized in iManager (LDAP_AUTH_UNKNOWN)

  • 7001243
  • 28-Aug-2008
  • 26-Apr-2012

Environment

Novell Identity Manager - Password Synchronization
Novell Identity Manager 3.5.1
Novell Identity Manager 3.5
Novell Identity Manager 3.0
Novell Identity Manager - Remote Loader
Microsoft Windows Server 2003 Enterprise Edition

Situation

A user reports that, after changing their password, they can no longer log in to Active Directory. The user changes the password in the eDirectory Identity Vault (or in another eDirectory tree connected to the Vault), and Distribution Passwords are set to synchronize to Active Directory (or other connected systems).
Using iManager to run Check Password Status shows a result of Not Synchronized for Active Directory, while the other connected systems show Synchronized.
Identity Manager logs show:
<status event-id="user-agent-check-password" level="error" type="driver-general">
  <message>Check password connection validation</message>
  <ldap-err ldap-rc="86" ldap-rc-name="LDAP_AUTH_UNKNOWN">
    <client-err ldap-rc="14"/>
  </ldap-err>
</status>

Checking the password synchronization status of other users shows success, and password synchronization itself works when tested.

Resolution

Check Active Directory (or connected system) account and make sure user isn't locked out due to Intruder Detection.
Also, verify login isn't disabled in Active Directory (or connected system).
Once the account was unlocked/enabled the Check Password Status results showed "Synchronized".

Additional Information

It isn't possible to retrieve or compare the passwords of many different systems, including Active Directory, with the Distribution Password stored in the Identity Vault. For this reason when a Check Password Status is performed from iManager an LDAP Bind is attempted. If it's successful then the passwords are verified as synchronized. If it's unsuccessful the passwords are determined to not be synchronized. In this case we were failing the Check Password Status due to the user account being locked out.
If for any reason the LDAP Bind fails, the Check Password Status will show "Not Synchronized" regardless of whether the passwords are truly synchronized or not.
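As an added illustration of this point (example code, not Novell's own), the following Python helper reads the <status> document quoted in the Situation section and, before treating "Not Synchronized" as a real password mismatch, rules out the locked-out and disabled account states named in the Resolution. The caller supplies the account's AD userAccountControl and lockoutTime values; treating any non-zero lockoutTime as "locked out" is a simplification made here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <status> element shown in the Situation section above.
STATUS_XML = """<status event-id="user-agent-check-password" level="error" type="driver-general">
  <message>Check password connection validation</message>
  <ldap-err ldap-rc="86" ldap-rc-name="LDAP_AUTH_UNKNOWN">
    <client-err ldap-rc="14"/>
  </ldap-err>
</status>"""

# Well-known Active Directory userAccountControl bit for a disabled account.
ACCOUNTDISABLE = 0x0002


def parse_status(xml_text):
    """Pull the bind outcome out of an IDM <status> document.

    Returns the status level and, if the bind failed, the LDAP result code
    and its name. A successful check carries no <ldap-err> element.
    """
    root = ET.fromstring(xml_text)
    err = root.find("ldap-err")
    return {
        "level": root.get("level"),
        "bind_ok": err is None,
        "ldap_rc": int(err.get("ldap-rc")) if err is not None else None,
        "ldap_rc_name": err.get("ldap-rc-name") if err is not None else None,
    }


def triage(xml_text, user_account_control, lockout_time):
    """Decide what a 'Not Synchronized' result most likely means.

    Check Password Status is only an LDAP bind test, so a failed bind is not
    proof that the passwords differ: rule out account state first.
    user_account_control: the account's AD userAccountControl value.
    lockout_time: the account's AD lockoutTime value; as a simplification
    (assumption) any non-zero value is treated as 'locked out'.
    """
    info = parse_status(xml_text)
    if info["bind_ok"]:
        cause = "synchronized"
    elif lockout_time:
        cause = "locked_out"         # unlock, then re-run Check Password Status
    elif user_account_control & ACCOUNTDISABLE:
        cause = "disabled"           # enable the account, then re-run
    else:
        cause = "password_mismatch"  # only now is a real mismatch the best explanation
    info["likely_cause"] = cause
    return info
```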