Jun 16, 2011

IDM: when passwords attack

The App Analyst for the new IDM made a tactical error: he set the Global password sync attribute to on for the entire environment. In Novell IDM this is the classic NBD (no big deal); in the new one? Well, it does this: it captured password changes off the AD side, which is downstream from eDir and the Identity Vault. It then says, "Hey! New password! I need to tell all the downstream apps that it's a new password!" It then sends the password down to the attached apps, which in our case are eDir and AD. OK, it's the same password, NBD, right? Wrong. It does an administrative password set, which means that the password is immediately expired.

A hundred help desk calls later, they finally pinged me, and I investigated, since the App Analyst didn't do a change control on this. The password was initially OK, set to expire in 60 days per policy; 5 minutes later it would suddenly be expired. I pulled the Novell IDVault logs on some password changes with the log level set to 5. Nothing; everything looked normal, except that 5 minutes after the password event happened, another one appeared, from apparently nowhere. Off to DSTRACE. I had a suspicion: watch the LDAP records, and 5 minutes after a password change another one came through from the other IDM. Go to App Analyst:
"What did you do?"

"I changed the Global Sync Attribute"

"Change it back"

"Why"

"'Cause people are constantly resetting passwords because you caused a logic loop"

"Crap"

Systems Orchestration can be an Art, but it takes an Artist to truly appreciate IT.
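To make the loop concrete, here is a toy simulation added to this page as an illustration. It is not code from Novell IDM or from the other IDM product; the five-minute poll interval, the engine service-account name `newIDM`, the user `alice`, the single-engine layout and the rule that an administrative set expires the password immediately are all assumptions taken from the narrative above. One self-service password change lands in AD, then an hour of engine polls runs under three configurations: global sync on, global sync on with a guard that ignores the engine's own writes, and global sync off.

```python
from dataclasses import dataclass, field

# Constructed model of the password-sync loop described in the post.  Every
# name, interval and semantic below is an assumption for illustration, not
# the behaviour of any real IDM product.
POLL_INTERVAL = 5 * 60             # seconds between engine polls (assumed; matches the 5-minute gap in the logs)
POLICY_LIFETIME = 60 * 24 * 3600   # 60-day expiry per policy, as stated in the post


@dataclass
class PasswordEvent:
    time: int
    user: str
    actor: str        # "user" for a self-service change, or the writing engine's service account
    admin_set: bool   # an administrative set expires the password immediately


@dataclass
class Directory:
    """One connected system (eDir or AD).  Plaintext storage only because it is a toy."""
    name: str
    passwords: dict = field(default_factory=dict)
    expires_at: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def set_password(self, time, user, pw, actor, admin_set):
        self.passwords[user] = pw
        # Administrative set => must change at next login; user set => full policy lifetime.
        self.expires_at[user] = time if admin_set else time + POLICY_LIFETIME
        self.events.append(PasswordEvent(time, user, actor, admin_set))

    def is_expired(self, user, time):
        return self.expires_at[user] <= time


@dataclass
class SyncEngine:
    """Captures password events on `source` and pushes the password to every target."""
    name: str
    source: Directory
    targets: list
    global_sync: bool
    skip_own_writes: bool = False   # loop guard: ignore events our own service account wrote
    cursor: int = 0                 # number of source events already processed

    def poll(self, time):
        pending = self.source.events[self.cursor:]
        self.cursor = len(self.source.events)
        if not self.global_sync:
            return 0
        pushed = 0
        for ev in pending:
            if self.skip_own_writes and ev.actor == self.name:
                continue
            pw = self.source.passwords[ev.user]
            for target in self.targets:
                # As in the post: the engine performs an administrative set, which expires the password.
                target.set_password(time, ev.user, pw, actor=self.name, admin_set=True)
                pushed += 1
        return pushed


def simulate(global_sync, skip_own_writes=False, polls=12):
    """One self-service change in AD, then `polls` engine cycles (12 polls = 1 hour).

    Returns (ad_password_expired_at_end, number_of_ad_password_events).
    """
    edir = Directory("eDir")
    ad = Directory("AD")
    # The engine reads AD (downstream) and writes back to both eDir and AD.
    engine = SyncEngine("newIDM", source=ad, targets=[edir, ad],
                        global_sync=global_sync, skip_own_writes=skip_own_writes)
    # t=0: alice changes her own password in AD; expiry should be 60 days out.
    ad.set_password(0, "alice", "Spring2011!", actor="user", admin_set=False)
    now = 0
    for _ in range(polls):
        now += POLL_INTERVAL
        engine.poll(now)
    return ad.is_expired("alice", now), len(ad.events)


if __name__ == "__main__":
    configs = [
        ("global sync on", dict(global_sync=True)),
        ("global sync on + loop guard", dict(global_sync=True, skip_own_writes=True)),
        ("global sync off", dict(global_sync=False)),
    ]
    for label, kwargs in configs:
        expired, n_events = simulate(**kwargs)
        print(f"{label:28s} expired after 1h: {expired!s:5s}  AD password events: {n_events}")
```

With global sync on, every poll sees the engine's own administrative set from the previous poll and writes it again, so AD accumulates a new password event every five minutes and the password is expired the whole time. Adding a loop guard stops the event storm, but the first administrative set still expires the password that was fine a moment earlier, which is why the fix in the story is to turn the attribute back off rather than to add loop detection. The check worth putting in a change-control review for any sync attribute is the one this model makes visible: does the write the engine performs preserve the password policy state on the target, or does it reset it?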
