A Forum reader recently asked:
"I installed eDir-AD synchronization with password sync. Now it is required that every password change in AD should be overruled with the DP password of eDir. I know that there exists a password synchronisation option that resets the AD password to the DP password if
the user's password policy is violated. But how can I reset the AD password on every password-modify event without using a password policy?"
And here's the response from Father Ramon ...
You have to be careful with AD, because it doesn't have any loopback detection. If you send the change back at that point, it is going to keep sending it back to you.
What I would do is put is get rid of all the password sync policies on the publisher command transformation (they're just in the way if you aren't syncing passwords in that direction). Then I would replace them with something that compares the incoming password to the nspmDistributionPassword attribute in eDirectory. It sends it back if they aren't the same, and it vetoes the original modify password whether or not they are the same.
Try something like this:
<description>Password Changed - Reset</description>
<if-xpath op="not-true">string(query:readObject($destQueryProcessor, association, @dest-dn, "User", "nspmDistributionPassword")//value) = string(./password)</if-xpath>
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.