IDM 3 AD to eDir Driver Errors -9024 and -9065
Novell Cool Solutions: Tip
By Aaron Burgemeister
Posted: 11 Oct 2006
A Forum reader asked about IDM 3 driver errors:
"I'm using the IDM 3 AD to eDir Driver, but I get the following errors: -9024 and -9065."
And here's some advice from Aaron Burgemeister ...
IDM can't veto out-of-scope events until processing reaches the point in the driver where it determines they are out of scope.
NICI needs to be healthy for the entire tree to ensure reliability. Consider the following scenario:
- server0 - IDM, holds all objects, NICI is good
- server1 - holds one OU with users, NICI is bad
UserA changes their password on server0 (connect, authenticate, change), so the password is encrypted with a tree key that the IDM server (on the same box) can read. UserB changes their password on server1 (connect, authenticate, change), so the password is encrypted with a tree key the IDM server doesn't have and cannot read.
Some servers do not have NICI at all and do not use Universal Password (UP), although password changes should be going to NMAS-enabled servers with NMAS working properly, so that is less likely. The problem occurs when a server holding one key sets passwords and then synchronizes them to a server holding another key. One cannot decrypt the other's data, and an error (-1418?) will occur.
Lacking certificates on servers is easily fixed; you can create new standard ones with the correct names ('SSL CertificateIP' and 'SSL CertificateDNS') in iManager or ConsoleOne.
Fixing NICI is the same no matter what. The sdidiag utility has an NLM for NetWare and an EXE for a Windows client that can point to any eDirectory server on any platform. The NLM can too, in fact, but that usually isn't necessary since it's usually in the same tree. Fix NICI, and your life will be better.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com