Driver Sealing and Connection with AD
Novell Cool Solutions: Tip
By David Gersic
Posted: 21 Oct 2005
"We are trying to get IDM 2.0.1 to sync accounts and passwords to AD. We turned on driver sealing, but when we do that we cannot connect. If we leave it off the IDM driver will run, but the accounts that do get sent from eDirectory to AD are getting disabled, with no password."
Here's some practical advice on the issue from Forum expert David Gersic:
Turn off sealing. Here's what's working for me - I created a domain admin account and specified the domain/account and the password to log in as. (Note that you may not need a domain admin account - so long as the driver is configured for SSL and can negotiate, it should probably work.) Then I used the following settings:
- Authentication Method: Negotiate
- Use Signing: No
- Use Sealing: No
The missing password is why the accounts are disabled. Make sure that you're specifying a password.
Turn on a Level 3 trace of the create and see what you're sending to the driver shim. The actual create, if you watch it in the MS Users and Groups tool, looks something like this:
1) User is created.
2) No password is set, which conflicts with a domain policy that requires a minimum password length or password complexity.
3) The domain controller disables the newly created account, since it does not meet the password policy for the domain. "Account disabled" is a single bit in the userAccountControl bitmask attribute stored on the user object.
4) MAD sync updates this new user to all other domain controllers.
5) IDM2 sets the password on the newly created user. You need to ensure that the password sent to the domain meets the domain's password requirements.
6) Since the user now meets the password requirements for the domain, the domain controller enables the user.
7) MAD sync updates this user on all other domain controllers, so they have the password and the correct (enabled) value of userAccountControl.
At this point, if you do nothing else, the user should be there, enabled, and with the correct password. The password will not be expired (the "user must change password at next logon" flag will not be set).
You'll want to enable SSL. MS won't let a non-secure connection set the password. If password complexity is enabled on the Win2k3 domain, the password of the account the driver uses to connect has to meet the complexity requirements as well.
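To make the create-then-set-password sequence above concrete, here is an added model (example code, not from the original tip, IDM or Microsoft) of how the ACCOUNTDISABLE bit in userAccountControl follows the two events. The flag values are the documented userAccountControl bits; the password policy defaults (7 characters, complexity on) and the sample account are assumptions.

```python
# Added example (not from the original tip): model of the create-then-set-password sequence above.
# Flag bits are documented userAccountControl values; policy defaults (7 chars, complexity) are assumed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

def meets_policy(password, min_length=7, complexity=True):
    """Simplified Windows rule: minimum length plus three of four character
    classes (upper, lower, digit, other). The account-name check is omitted."""
    if password is None or len(password) < min_length:
        return False
    if not complexity:
        return True
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def is_disabled(user):
    return bool(user["userAccountControl"] & ACCOUNTDISABLE)

def dc_create(sam, password, **policy):
    """Steps 1-3: object created; with no compliant password the DC sets ACCOUNTDISABLE."""
    user = {"sAMAccountName": sam, "userAccountControl": NORMAL_ACCOUNT, "password_set": False}
    if meets_policy(password, **policy):
        user["password_set"] = True
    else:
        user["userAccountControl"] |= ACCOUNTDISABLE
    return user

def dc_set_password(user, password, **policy):
    """Steps 5-6: a compliant password clears the bit; a rejected one leaves the account disabled."""
    if not meets_policy(password, **policy):
        return False
    user["password_set"] = True
    user["userAccountControl"] &= ~ACCOUNTDISABLE
    return True

def replay(sam, password, **policy):
    """Replay the trace the tip describes: add without a password, then set it.
    Returns the user object and its disabled state after each step."""
    user = dc_create(sam, None, **policy)
    states = [("after create", is_disabled(user))]
    dc_set_password(user, password, **policy)
    states.append(("after password", is_disabled(user)))
    return user, states

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password"):   # constructed sample passwords
        user, states = replay("jdoe", pw)    # constructed sample account
        print(pw, states, hex(user["userAccountControl"]))
```

A compliant password leaves userAccountControl at 0x200 (enabled); a rejected one leaves it at 0x202, the disabled, password-less state the question describes.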
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com