Login Expiration time not being enforced when synchronized between two eDirectory drivers.

  • 10098129
  • NOVL102597
  • 28-Jun-2005
  • 07-Oct-2005

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

Novell Identity Manager 2.0.1/2.0.2 (OES)

Nsure Identity Manager Drivers

Symptom

Login Expiration time not being enforced when synchronized between two eDirectory drivers.

Fix

This new policy handles cases where a password was changed and expired in one eDirectory tree and then synchronized to the second tree without being expired. The requirement is that if an administrator changed the password in tree 1, the password would be expired in both trees, and if the user changed his own password, the password should not be expired in either tree.

Steps to apply this remedy:

1. Add Password Expiration Time to the subscriber filter on the source tree and the publisher filter on the destination tree. If you want this attribute to flow both ways, then you should also add it to the publisher filter on the source tree and the subscriber filter of the destination tree.

2. Ensure your password synchronization is configured to use the Distribution Password.

i. Select Password Synchronization from the Passwords Role in iManager.

ii. Locate the DirXML DriverSet for the eDirectory driver and press OK.

iii. Click on the eDirectory driver to see more details.

iv. Check "Use Distribution Password for password synchronization". The option is found under "DirXML accepts passwords (Publisher Channel)".

3. Add the policy below, which will modify the password expiration time after the distribution password has been set. This policy should be added to the Publisher Command Transformation policy set in the Destination Tree.

i. Go to the properties of the Command Transform Policy Set ->

ii. Insert ->

iii. New Policy (give it a name), Implement with Policy Builder ->

iv. OK ->

v. Edit XML ->

vi. Take out what is there and replace with the code below.

<?xml version="1.0" encoding="UTF-8"?><policy>
 <rule>
  <description>Password Expiration Time</description>
  <conditions>
   <and>
    <if-op-attr name="nspmDistributionPassword" op="available"/>
   </and>
  </conditions>
  <actions>
   <do-set-dest-attr-value class-name="User" name="Password Expiration Time" when="after">
    <arg-value type="string">
     <token-src-attr class-name="User" name="Password Expiration Time"/>
    </arg-value>
   </do-set-dest-attr-value>
  </actions>
 </rule>
</policy>

NOTE: This policy needs to be the very last policy in the policy set. You will have to move it down, as it is created as the first in the list.

This policy only applies to the eDirectory driver.

IDM 2.0.1 FP3 or later needs to be applied.

There is one case where the policy will have to be implemented differently. If both trees have Require Unique Passwords enabled, and if administrators are changing the password in both trees and reusing the same password, only the tree where the password change is made will be updated. This is because an administrator can reuse passwords even with the Require Unique Passwords option turned on; this behaviour exists so that administrators cannot guess a user's password by entering guesses as the user's password. However, the other tree will return a -215 error, because a change made with the distribution password is treated as a user making the password change. To get around this problem, you must use the following procedure.

1. Add Password Expiration Time to the subscriber filter on the source tree and the publisher filter on the destination tree. If you want this attribute to flow both ways, then you should also add it to the publisher filter on the source tree and the subscriber filter of the destination tree.

2. Ensure your password synchronization is configured to use the Distribution Password.

i. Select Password Synchronization from the Passwords Role in iManager.

ii. Locate the DirXML DriverSet for the eDirectory driver and press OK.

iii. Click on the eDirectory driver to see more details.

iv. Uncheck "Use Distribution Password for password synchronization". The option is found under "DirXML accepts passwords (Publisher Channel)". This means that you will be setting the NDS password as Administrator.

3. Add the policy below, which will modify the password expiration time after the NDS password has been set. This policy should be added to the Publisher Command Transformation policy set in the Destination Tree.

i. Go to the properties of the Command Transform Policy Set ->

ii. Insert ->

iii. New Policy (give it a name), Implement with Policy Builder ->

iv. OK ->

v. Edit XML ->

vi. Take out what is there and replace with the code below.

<?xml version="1.0" encoding="UTF-8"?><policy>
 <rule>
  <description>Password Expiration Time</description>
  <conditions>
   <and>
    <if-password op="available"/>
   </and>
  </conditions>
  <actions>
   <do-set-dest-attr-value class-name="User" name="Password Expiration Time" when="after">
    <arg-value type="string">
     <token-src-attr class-name="User" name="Password Expiration Time"/>
    </arg-value>
   </do-set-dest-attr-value>
  </actions>
 </rule>
</policy>

NOTE: This policy needs to be the very last policy in the policy set. You will have to move it down, as it is created as the first in the list.

This policy only applies to the eDirectory driver.

IDM 2.0.1 FP3 or later needs to be applied.
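As an added illustration (not part of this TID or of Novell's code), the Python below simulates how the two rule variants above evaluate against constructed XDS modify commands: the first variant fires only when the command carries a value for nspmDistributionPassword, the second only when it carries a <password> element, and in either case the source object's Password Expiration Time is queued as a when="after" write to the destination. The event documents, the source attribute store and the object DN are constructed assumptions, and the DirXML Script semantics are reduced to just the constructs these policies use.

```python
import xml.etree.ElementTree as ET
# Simplified simulation of the DirXML Script constructs used by the policies in
# this article; this is not the IDM engine. All inputs below are constructed samples.
def policy_xml(condition):
    return f"""<policy><rule>
 <description>Password Expiration Time</description>
 <conditions><and>{condition}</and></conditions>
 <actions>
  <do-set-dest-attr-value class-name="User" name="Password Expiration Time" when="after">
   <arg-value type="string"><token-src-attr class-name="User" name="Password Expiration Time"/></arg-value>
  </do-set-dest-attr-value>
 </actions></rule></policy>"""

COND_DIST = '<if-op-attr name="nspmDistributionPassword" op="available"/>'  # first policy
COND_NDS = '<if-password op="available"/>'                                   # second policy

# Constructed XDS modify commands as they might reach the Command Transformation.
EVENT_DIST = """<modify class-name="User" src-dn="\\TREE1\\org\\jdoe">
 <modify-attr attr-name="nspmDistributionPassword"><add-value><value>REDACTED</value></add-value></modify-attr>
</modify>"""
EVENT_NDS = """<modify class-name="User" src-dn="\\TREE1\\org\\jdoe"><password>REDACTED</password></modify>"""
EVENT_OTHER = """<modify class-name="User" src-dn="\\TREE1\\org\\jdoe">
 <modify-attr attr-name="Telephone Number"><add-value><value>555-0100</value></add-value></modify-attr>
</modify>"""
# Hypothetical source-object attributes that token-src-attr would read from tree 1.
SRC_ATTRS = {"Password Expiration Time": "20050628120000Z"}

def condition_true(cond, op):
    if cond.tag == "if-password":            # op="available": the command carries a <password>
        return op.find("password") is not None
    if cond.tag == "if-op-attr":             # op="available": the command adds a value for the attr
        return any(m.get("attr-name") == cond.get("name") and m.find("add-value") is not None
                   for m in op.iter("modify-attr")) or \
               any(a.get("attr-name") == cond.get("name") for a in op.iter("add-attr"))
    return False

def apply_policy(policy_src, event_src, source_attrs):
    """Return the destination writes queued to run after the command (when="after")."""
    policy, op = ET.fromstring(policy_src), ET.fromstring(event_src)
    after = {}
    for rule in policy.findall("rule"):
        if not all(condition_true(c, op) for c in rule.find("conditions/and")):
            continue                          # rule does not fire: expiration time stays as synced
        for act in rule.findall("actions/do-set-dest-attr-value"):
            tok = act.find("arg-value/token-src-attr")
            value = source_attrs.get(tok.get("name"))
            if value is not None and act.get("when") == "after":
                after[act.get("name")] = value
    return after
```

Running apply_policy with the matching command for each variant yields the source tree's expiration time as the queued write; a command without a password (or the wrong password form for the variant) yields no write, which is the mismatch the second procedure exists to avoid.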
