How to read a named password outside of IDM

For the last couple of IDM versions the product has had a nice API for manipulating the IDM engine and drivers by using LDAP extension calls through Java.

This API is a part of the com.novell.nds.dirxml.ldap package which you can find in the dirxml_misc.jar file that comes with IDM.

The package is documented in this Javadoc that you can find on the Novell developer site:

Unfortunately the docs are not updated for the latest IDM version...

Anyway, in IDM 4.0.1 Novell added two new classes to this package called:


When I tried to use the GetNamedPasswordRequest class from my application I would always get back a -672 error which means no access.

Since I had full supervisor rights to the driver this confused me.

Eventually I was able to find out that besides having rights to the driver there also needs to exist a GCV on the driver called "allow-fetch-named-passwords".

The GCV is a boolean and needs to be set to "true".

You can also find this information in the RBPM Administration Guide for 4.0.1 by searching for GetNamedPasswordRequest.

The manual has the following GCV example that you need to add to your driver:

<definition display-name="Allow Named Password to be retrieved over LDAP"
name="allow-fetch-named-passwords" type="boolean">
<description>Allow Named Password to be retrieved over LDAP. If the
value is true, then the named password value can be fetched using the LDAP

Besides the GCV you must have write rights to the DirXML-AccessConfigure attribute on the driver object.

So far this has worked for me but I haven't managed to retrieve named passwords stored on the driverset object.
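Because this GCV decides whether a driver's named passwords can be fetched over LDAP at all, it is worth auditing which drivers have it set to "true". The following is an added example, not code from the original article or from Novell: the class and method names are hypothetical, and the `<configuration-values>`/`<definitions>` wrapper and the `<value>` child element are assumptions, since the GCV sample above is cut off before the value.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical audit helper (added example, not part of IDM or dirxml_misc.jar).
public class NamedPasswordGcvAudit {
    static final String GCV_NAME = "allow-fetch-named-passwords"; // name given in the article

    /** True only when the GCV exists, is typed boolean, and its value is "true". */
    static boolean fetchAllowed(String gcvXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Exported driver configuration is untrusted input: refuse DTDs to rule out XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(gcvXml)));
        NodeList defs = doc.getElementsByTagName("definition");
        for (int i = 0; i < defs.getLength(); i++) {
            Element def = (Element) defs.item(i);
            if (!GCV_NAME.equals(def.getAttribute("name"))) {
                continue;
            }
            if (!"boolean".equals(def.getAttribute("type"))) {
                return false; // wrong type: treat as not enabled
            }
            NodeList values = def.getElementsByTagName("value"); // assumed child element
            return values.getLength() > 0
                    && "true".equals(values.item(0).getTextContent().trim());
        }
        return false; // GCV absent: the precondition described in the article is not met
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents, not taken from a real driver.
        String enabled = "<configuration-values><definitions>"
                + "<definition display-name=\"Allow Named Password to be retrieved over LDAP\""
                + " name=\"allow-fetch-named-passwords\" type=\"boolean\">"
                + "<description>constructed sample</description><value>true</value>"
                + "</definition></definitions></configuration-values>";
        String disabled = enabled.replace("<value>true</value>", "<value>false</value>");
        String absent = "<configuration-values><definitions/></configuration-values>";
        System.out.println("enabled  -> " + fetchAllowed(enabled));
        System.out.println("disabled -> " + fetchAllowed(disabled));
        System.out.println("absent   -> " + fetchAllowed(absent));
    }
}
```

A driver that reports the GCV as enabled should then have the ACL on its DirXML-AccessConfigure attribute reviewed, since write rights there are the other half of the access check.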

Here is a Java code snippet that shows how you can use the GetNamedPasswordRequest class.

In this example you pass two parameters to the GetNamedPasswordRequest constructor.
dn is the distinguished name of the driver in LDAP format.
passwordName is just what it sounds like, the name of the named password.
lc is the LDAPConnection object created using Novell JLDAP.
My LDAPConnection objects are always using SSL encryption and I don't know if this would work on a clear text connection.

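import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPExtendedResponse;
import com.novell.nds.dirxml.ldap.GetNamedPasswordRequest;
import com.novell.nds.dirxml.ldap.GetNamedPasswordResponse;

try {
    // dn is the driver's DN in LDAP format, passwordName the named password to read
    GetNamedPasswordRequest request = new GetNamedPasswordRequest(dn, passwordName);

    // lc is an already connected and bound LDAPConnection
    LDAPExtendedResponse response = lc.extendedOperation(request);

    if (response instanceof GetNamedPasswordResponse && response.getResultCode() == LDAPException.SUCCESS) {
        GetNamedPasswordResponse rsp = (GetNamedPasswordResponse) response;

        // Printed for demonstration only; real code should not write the secret to stdout or logs
        System.out.println("Named password is: " + rsp.getPasswordValue());
    }
} catch (LDAPException e) {
    System.err.println("Error getting named password: " + e.getMessage());
}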



Comment List
  • As Jim mentions, GetNamedPasswordResponse.register() should (must) be called, otherwise one can get an exception. And it needs to be called prior to the call to 'extendedOperation'.

    GetNamedPasswordRequest gnpr = new GetNamedPasswordRequest(dn, name);
    LDAPExtendedResponse response =(LDAPExtendedResponse)lc.extendedOperation(gnpr);
  • in reply to MigrationDeletedUser
    FYI: I've successfully read Driver Set GCVs and named passwords by just reading them off of the drivers themselves as if they were on the drivers just like the policies behave.
  • You will get better responses if you first "register" the Response as an extended response.

    Simply call:

    Did you ever find out how to call the driverSet for the named Passwords?

    Thanks for all your cool tools and help!