Novell Identity Manager 3.5 some users do not sync to AD from EDIR

Posted on 2007-10-15
Last Modified: 2008-08-04
Novell, Identity manager 3.5. AD Connector/Driver. We have exisitng users in EDIR that we want to migrate to AD. Using the migrate option form within Imanager Identlty management dirver, only the groups were migrated , despite selecting the whole container.

However, EDirectory sync to AD works for users created in, or modified by, Imanager. When we create they by Console 1 they don't sync and or are not created in AD. If we change a user who was created in console one with Imanager, using password change from NMAS option, then the user will be created or synced in AD as required.

I think this is related to NMAS or Universal password or something, but I need to find out what the differences are, as there are about 22000 user ID's and it is impractical to manually change all their passwords in this manner. Universal password policy is assigned to the container with the user ID's we are testing.

Any suggestions anyone??
Question by:mattpaulin
    LVL 19

    Accepted Solution

    Yes, this sounds Universal Password related. ConsoleOne by default won't populate the Universal Password attribute, whereas iManager will. It sounds as if the 3.5 AD driver has a veto rule to reject users with no UP set. The UP is also populated during a successful login from an NMAS enabled Novell Client (v4.9+). Are your users' machines equipped with an upto date client?

    I don't have a 3.5 installation to check the driver rules (not upgraded from 3.0 yet), but the rule you're looking for is going to look something like this:

    if source attribute nspmPassword unavailable
    do veto

    Try upping the trace level on your driver to 5, then migrating a user you know does NOT have a UP set. That should make it easy to pick out which policy group the offending rule resides in. You can then disable the rule and users will flow. Just watch out for any password policies on your DC. If your users arrive in AD and don't comply with existing AD password policies, they may have their passwords changed. If you have bi-directional sync, this triggers an event, and that password would then be synced back to eDir. Not funny when that happens!

    That said though, is there much point in having users in AD with an incorrect password set? The default AD driver in =<3.0 used to set the password to the user's surname, or alternatively just to "dirxml1". Looks like this behaviour has been changed to simlpy veto the migration. Seems fairly sensible to me!


    Author Comment

    Hi Alex, excellent answer, we located and disabled the PW policy you mentioned and  all works! Thanks very much, that heads up was just what we needed.


    Expert Comment

    Just to add that Console One if running from a workstation with an nmas client installed will set the universal password.


    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Join & Write a Comment

    Overview This article describes how to silently install Adobe Reader on multiple workstations, customize the installation options (accept EULA, remove desktop shortcut etc) using the Adobe Customization Wizard and install Adobe Reader font packs an…
    ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now