A Forum reader recently asked:
"I am running IDM 3.5.1 on a Windows 2003 server, and the AD driver is installed with Remote Loader. Remote Loader is running on the DC, and password sync works from eDirectory to AD. Also, attribute sync works bi-directionally.
The problem is that passwords are not synched from AD to eDirectory. The .. PassSync\Data\ONE.NET registry path has hundreds of registry keys under it. Why can't the AD driver process them?"
And here is the response from Aaron Burgemeister ...
First, make sure the Remote Loader is on a Domain Controller for best/fastest/easiest/most-secure results. All statements below assume that the one above is in place.
1. Leave the authentication context blank in the driver properties.
2. Specify the authentication ID as either 'username' or 'domain/username'.
3. Be sure the authentication password is set properly for this same user in the driver properties.
4. Use 'Negotiate' (not often a problem, since that's the default).
5. Be sure filters are installed on all DCs and showing as 'Running' in the Control Panel 'Identity Manager PassSync' applet.
6. Use SSL between the Engine and the Remote Loader. See the documentation if this isn't completely clear and understood.
7. 'Use SSL/Signing/Sealing' should ALL be set to No (not related to the previous statement).
8. The Authentication ID user should have tons of rights in MAD.
Also, see TID 3614450 - Password Sync 2.0 - AD to eDirectory Components (http://tinyurl.com/2pnon2). The document explains how the password sync works (all the files and registry keys).
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.