JRose628 asked:
Sync password in Identity Manager if Universal password is not set
I am currently syncing eDir ---> AD. Currently, if a user does not have a Universal Password set then the user is not synced with AD; this is the default. What I would like to do is sync the user, but instead of saying "if Universal Password is not set then VETO" I would like to say "if Universal Password is not set then set the password in AD to Surname". That way the user is created in AD so I can change its groups and have the users to modify in AD, but then when a user logs into a Novell client their password will be updated to the Universal Password and then synced later on. Is this possible, and how?
Actually, I'll just mention this in case you're going bidirectional.
It's always a VERY GOOD IDEA to switch off ALL password policies on your Windows DC and let eDir be authoritative on complexity policies, expiry etc. I remember when I did my first IDM2 implementation, when users started syncing with AD it decided their passwords weren't compliant, disabled their AD accounts and set their passwords to their surname, subsequently bouncing that change back to eDirectory!
Fortunately I had a very recent Portlock of a root server with all partitions configured in a test lab, so was able to quickly knock up an eDir->eDir driver and do a force sync of passwords only to put things back to rights.
Just one of those little gotchas that's worth bearing in mind, as IDM configured incorrectly can do a lot of damage very quickly indeed.
ASKER
By default in 3.5 this is set in the Creation Policy:
If nspmDistributionPassword is not set then VETO
This is only an eDir ---> AD setup.
ASKER CERTIFIED SOLUTION
Have you got a rule somewhere which says "if source attribute nspmdistributionpassword not available do veto"? If so, all you need to do is change it to "if source attribute nspmdistributionpassword not available, set destination attribute password to source attribute surname".
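The rule change described in this thread, written out as an added DirXML Script example; it is not taken from the original thread or from the asker's driver configuration. It assumes the standard DirXML Script element names (if-class-name, if-op-attr, do-veto, do-set-dest-password, token-src-attr) and places both rules in the Subscriber Creation policy of the eDir -> AD driver, with the default veto rule kept but disabled for comparison.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Subscriber Creation policy, eDir -> AD.
     Rule order matters: do-veto ends processing of the event,
     so the seeded-password rule only runs if the veto rule is off. -->
<policy>
  <!-- Default behaviour from the thread: no nspmDistributionPassword, no AD account.
       Kept here disabled so the two rules can be compared side by side. -->
  <rule disabled="true">
    <description>Veto if nspmDistributionPassword is not available (default)</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>

  <!-- Replacement proposed in the accepted answer: create the account anyway and
       seed the AD password from Surname. Once the user logs in through the Novell
       client and a Universal Password exists, normal password sync overwrites it. -->
  <rule>
    <description>Seed AD password from Surname when nspmDistributionPassword is not available</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-src-attr name="Surname"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
</policy>
```

If the Windows DC still enforces its own complexity policy, a Surname value is likely to be rejected on the AD side, which is the situation the earlier reply about switching off DC password policies describes; check the driver trace for the add event's status after the first sync.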