This section contains information that is specific to the DirXML Driver for eDirectory, and assumes that you are familiar with the information in "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2 Administration Guide.
If you are using the driver to connect to eDirectory 8.7.3, you have more options to choose from, including synchronizing Universal Password.
See the description of the different scenarios in "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2 Administration Guide.
If you enforce incompatible Password Policies in multiple eDirectory trees, and choose to set a password back if it does not comply (with the option "If password does not comply, enforce Password Policy on the connected system by resetting user's password to the Distribution Password"), you could encounter a loop in which each eDirectory server tries to change a noncompliant password.
Scenario: Encountering a Loop. To enforce incompatible Password Policies in multiple eDirectory trees, you select the option "If password does not comply, enforce Password Policy on the connected system by resetting user's password to the Distribution Password". This option sets a password back if it does not comply with the policy. Because each eDirectory server tries to change a noncompliant password, you encounter a loop.
Information about Password Policies is in "Managing Passwords Using Password Policies" in the Novell Nsure Identity Manager 2 Administration Guide.
If you want to synchronize passwords using Universal Password, make sure you set the filter on both eDirectory drivers to Ignore for the Public Key and Private Key attributes for all classes for which you want to synchronize Universal Password.
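One way to audit the filter setting described above is the following added example, which is not part of the original guide or of Novell's tooling. It assumes the driver filter has been exported as XML using filter-class and filter-attr elements with publisher and subscriber attributes; the sample filter and the function name key_attr_findings are constructed for illustration. Run it against the filter of each of the two eDirectory drivers.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a driver filter export (not taken from the guide).
# Element and attribute names are assumed to match the exported filter XML.
SAMPLE_FILTER = """\
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Surname" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Public Key" publisher="ignore" subscriber="ignore"/>
    <filter-attr attr-name="Private Key" publisher="ignore" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>
"""

KEY_ATTRS = ("Public Key", "Private Key")
CHANNELS = ("publisher", "subscriber")


def key_attr_findings(filter_xml, classes):
    """Return (class, attribute, channel, value) for each key attribute that
    is not explicitly set to Ignore on a class used for Universal Password."""
    root = ET.fromstring(filter_xml)
    by_name = {c.get("class-name"): c for c in root.iter("filter-class")}
    findings = []
    for cls in classes:
        node = by_name.get(cls)
        if node is None:
            findings.append((cls, None, None, "class not in filter"))
            continue
        attrs = {a.get("attr-name"): a for a in node.iter("filter-attr")}
        for name in KEY_ATTRS:
            attr = attrs.get(name)
            for channel in CHANNELS:
                # A key attribute with no filter entry is reported as "absent"
                # for manual review, since the guide asks for an explicit Ignore.
                value = attr.get(channel) if attr is not None else "absent"
                if (value or "unset").lower() != "ignore":
                    findings.append((cls, name, channel, value or "unset"))
    return findings


if __name__ == "__main__":
    for finding in key_attr_findings(SAMPLE_FILTER, ["User"]):
        print(finding)
```

An empty result for every class that synchronizes Universal Password, on both drivers, means the filters match the setting described above.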
The new policies for password synchronization are intended to support Universal Password and Distribution Password. If you are planning to synchronize only the NDS Password, these policies should not be added to the driver configuration. NDS Password is synchronized using Public Key and Private Key attributes instead of these policies.
The Check Password Status task lets you see whether a user's password in Identity Manager is synchronized with the password on connected systems.
If you are using the DirXML Driver for eDirectory, and the Password Policy for a user specifies in the Configuration Options tab that the NDS Password should not be updated when the Universal Password is updated, then the Check Password Status task for that user always shows that the password is not synchronized. The password status is shown as not synchronized, even if the Identity Manager Distribution Password and the Universal Password on the eDirectory connected system are in fact the same.
This is because the eDirectory check password functionality is checking the NDS Password at this time, instead of going through NMAS to refer to the Universal Password.
In the Password Policy, the option to update the NDS Password when the Universal Password is updated is the default setting. If you select this option, Check Password Status should be accurate for the eDirectory connected system.