A forum reader asked about IDM 3 driver errors:
"I'm using the IDM 3 AD to eDir Driver, but I get the following errors: -9024 and -9065."
And here's some advice from Aaron Burgemeister ...
"Unable to read the Universal Password (UP)" is usually a NICI problem. See TID 10088626 and the tkinfo.pl Cool Solutions script, and that will probably lead you down the correct path.
IDM can't veto out-of-scope events until it gets to the point in the driver where it sees they are out-of-scope.
NICI needs to be healthy for the entire tree to ensure reliability. Consider the following scenario:
- server0 - IDM, holds all objects, NICI is good
- server1 - holds one OU with users, NICI is bad
UserA changes password on server0 (connect, authenticate, change), so passwords are encrypted with a tree key that the IDM server (on the same box) can read. UserB changes password on server1 (connect, authenticate, change) so passwords are encrypted with a tree key the IDM server doesn't have, cannot read, doesn't like, etc.
Some servers do not have NICI at all and do not use UP, although password changes should be going to NMAS-enabled and happy servers with NMAS working, so that is less likely. The problem occurs when a server with one key sets passwords and then synchronizes to a server with another key. One cannot decrypt the other, and an error (-1418?) will occur.
Lacking certificates on servers is easily fixed; you can create new standard ones with the correct names ('SSL CertificateIP' and 'SSL CertificateDNS') in iManager or ConsoleOne.
Fixing NICI is the same no matter what. The sdidiag utility has an NLM for NetWare and an EXE for a Windows client that can point to any eDirectory server on any platform. The NLM can too, in fact, but that usually isn't necessary since it's usually in the same tree. Fix NICI, and your life will be better.
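The two-server scenario above (server0 with healthy NICI running IDM, server1 with bad NICI holding one OU) can be modelled in a few lines. The following is an added example, not code from the original post or from Novell; the `Server`, `set_password`, `read_password` and `idm_sync` names and the two tree-key values are constructed for illustration, and the HMAC-based keystream is a stand-in for the real NICI/SDI algorithm, not a description of it. What it shows is why a password set on a server with a different tree key is not merely garbled for the IDM server but fails outright with an "unable to read the Universal Password" style error: the stored record carries a key identifier and an authentication tag, and a server that lacks that key cannot verify either.

```python
"""Toy model of the NICI tree-key mismatch (constructed example, not NICI itself).

Every server protects Universal Passwords with its tree key.  A server whose
NICI is damaged ends up with a different key, so anything it encrypts cannot be
read by the IDM server, which still holds the good key.
"""
import hashlib
import hmac
import secrets

# Constructed keys; in a real tree the healthy servers all share the same SDI key.
GOOD_TREE_KEY = b"constructed-tree-key-0" * 2   # what every healthy server holds
BAD_TREE_KEY = b"constructed-broken-key-1" * 2  # what a server with damaged NICI holds


class UPDecryptError(Exception):
    """Raised when a stored password was protected with a key this server lacks."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from the tree key with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Server:
    """An eDirectory server holding one NICI tree key (hypothetical model)."""

    def __init__(self, name: str, tree_key: bytes) -> None:
        self.name = name
        self.tree_key = tree_key
        # Short identifier of the key so a reader can tell which key was used.
        self.key_id = hashlib.sha256(tree_key).hexdigest()[:8]

    def set_password(self, user: str, password: str) -> dict:
        """Store a Universal Password encrypted and authenticated under this server's key."""
        nonce = secrets.token_bytes(12)
        plaintext = password.encode()
        stream = _keystream(self.tree_key, nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self.tree_key, nonce + ciphertext, hashlib.sha256).digest()
        return {"user": user, "key_id": self.key_id, "nonce": nonce,
                "ct": ciphertext, "tag": tag}

    def read_password(self, record: dict) -> str:
        """Decrypt a stored record; fail hard if it was protected with another key."""
        if record["key_id"] != self.key_id:
            raise UPDecryptError(
                f"{self.name} holds key {self.key_id}, record uses {record['key_id']}")
        expected = hmac.new(self.tree_key, record["nonce"] + record["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise UPDecryptError(f"{self.name}: authentication tag mismatch")
        stream = _keystream(self.tree_key, record["nonce"], len(record["ct"]))
        return bytes(a ^ b for a, b in zip(record["ct"], stream)).decode()


def idm_sync(idm: Server, records: list) -> dict:
    """Outcome per user when the IDM server tries to read each stored UP."""
    results = {}
    for rec in records:
        try:
            idm.read_password(rec)
            results[rec["user"]] = "ok"
        except UPDecryptError as exc:
            results[rec["user"]] = f"unable to read UP: {exc}"
    return results


def scenario() -> dict:
    """The server0/server1 case from the post: UserA syncs, UserB does not."""
    server0 = Server("server0", GOOD_TREE_KEY)  # healthy NICI, runs IDM
    server1 = Server("server1", BAD_TREE_KEY)   # damaged NICI, holds one OU
    records = [
        server0.set_password("UserA", "correct horse"),  # set on server0
        server1.set_password("UserB", "battery staple"),  # set on server1
    ]
    return idm_sync(server0, records)


if __name__ == "__main__":
    for user, outcome in scenario().items():
        print(f"{user}: {outcome}")
```

The takeaway matches the advice above: the driver cannot work around a key it does not have, so the fix is to repair NICI on every server that can set passwords rather than to adjust the driver.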
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.