We're considering implementing SAP's IDM Password hook into our environment to allow for bidirectional password sync.
The environment in question is a Server 2008 R2 DC in a 2003 functional level domain. The version of the hook is from 7.2. So far I've only used the included files to be able to observe the behavior of the hook to know what to expect.
Specifically, I'm only using the newpass.bat as the Filter program with unencrypted output to observe the output. Unfortunately the output is concerning.
First, the username is appending the last name. So, if you have a user named John Doe with an SAMAccount of JDoe, it reports the username as jdoeDoe.
Second, the hook is appending extra characters to the password parameter. Below are examples of the passwords used and what was reported by newpass.bat.
Pass.w0rd -- Pass.w0rdst
Pass.w@rd -- Pass.w@rds
Pass.word -- Pass.wordT$
P@$$.w0rd -- P@$$.w0rd
P0$$.w@rd -- P0$$.w@rd
Pass.w0rd -- Pass.w0rd
As you can see, sometimes it adds characters, sometimes it doesn't. Which characters it adds is also not consistent.
Given the content of newpass.bat, I don't think it's sophisticated enough to be the source of the extra characters, which means the hook is handing the extra characters to newpass.bat. Why would the hook be adding data, and how do I get the hook to only pass the actual password entered by the user and the actual username?