Using the Novell Client and/or SecureLogin to provide password expiration notification


Use Case:


1) The customer is using smart cards and does not receive NDS password expiration notifications. They do not want to implement an e-mail notification method because they are concerned it could be spoofed. They already have maintenance for SecureLogin. See Solution A.

If a customer is not entitled to SecureLogin, they can use a login script instead; see Solution B.

2) The customer wants password expiration / change prompts a number of days before the password expires, similar to Microsoft Windows.

Solution A:


Products to install for Solution A
Novell Client
NetIQ SecureLogin
SSPR (Self Service Password Reset)

1) Create an NSL startup script to check the current user's password expiration

After SecureLogin has been installed in eDirectory mode with the Novell Client, create a startup script that runs every time a user logs in. Below is an example startup script that checks when the user's password expires and notifies the user. It subtracts the login time from the password expiration time (both in seconds) and divides by 86400 to get the number of days remaining.

### Password Expiration Notification script on startup ###

### Seconds until the password expires, then days (86400 seconds per day).
### ?days is negative if the password has already expired.
Subtract %Password_Expiration_Time %Login_time ?Remaining
Divide ?Remaining 86400 ?days

### If the password is going to expire in 3 days or less (or has already expired), force the user to the password portal

If ?days LT 4
MessageBox %Full_Name ", Your password will expire in " ?days " days, you must change your password now to avoid interruption to services." \n \n \t "You will now be redirected to the Password Change Portal to change your password."
Run "c:\Program Files\Internet Explorer\iexplore.exe" http://192.168.176.4:8080/sspr/private/ChangePassword
EndScript
EndIf

### Notify users that their password will expire in 10 or fewer days and give them the option to change it now.
### They are prompted on each new login until they have successfully changed it.

If ?days LT 11
MessageBox -YesNo ?Result %Full_Name ", Your password will expire in " ?days " days, would you like to change it now?"
If ?Result Eq "Yes"
MessageBox "You will now be redirected to the Password Change portal to change your password."
Run "c:\Program Files\Internet Explorer\iexplore.exe" http://192.168.176.4:8080/sspr/private/ChangePassword
Else
MessageBox "You will continue to receive these password change messages until your password has been changed."
EndIf
EndIf

The script pops up a message box and then launches whichever portal you want the user to change their password on. Since the web script in step 3 submits the user's current password to that portal, the production portal URL should be an https URL; the plain-http address on port 8080 above is only appropriate for a test environment.

2) Configure SSPR:

To set up SSPR as the portal to redirect to, the customer installed SLES 11 SP2 64-bit with Tomcat 6 included in the install. Make sure users are already associated with an eDirectory Universal Password policy.

See the online documentation for SSPR. The current link is: https://www.netiq.com/documentation/sspr20/pdfdoc/nsl702_sspr/nsl702_sspr.pdf

Once the server was installed, they followed the directions in the online documentation to deploy the WAR file, restarted tomcat6 and then began the configuration of SSPR. See the online documentation.

The customer this was initially set up for wanted to use SSPR but did not want users to be able to use challenge questions. The eDirectory schema did not need to be extended.

3) Script used to automatically log a user in to the SSPR portal with their existing password after the startup script has redirected them to the SSPR site. Once logged in, the user sees the prompt to enter a new password. The script reads the last cached eDirectory user from the SecureLogin registry key, extracts the CN from that DN for the username field and fills the password field from the NSL system variable ?syspassword (the user's current network password).

NSL Script -- SSPR web page login with current credentials

#=============================================================
# EXE/ID: 192.168.176.4
# Name: Password Self Service
# Type: Web
# Version: 1
# Created By:
#=============================================================

# LastCacheUser holds the last eDirectory user that logged in, as a typeful dotted DN
# such as CN=jsmith.OU=users.O=org. Take everything between "CN=" and the first dot
# as the portal username; this works for any number of OU levels.
GetReg "HKCU\Software\Protocom\SecureLogin\LastCacheUser" ?UserIDAll
RegSplit "CN=([^.]+)" ?UserIDAll ?UserID
#MessageBox "UserID: " ?UserID

## BeginSection: "Login Form"
Site "Password Self Service" -initial
DebugPrint "Conducting Match on login form Password Self Service"
MatchForm #1 -name "login"
MatchField #1:3 -type "text" -name "username"
DebugPrint "Matched Field 'username'"
MatchField #1:4 -type "password" -name "password"
DebugPrint "Matched Field 'password'"
MatchField #1:8 -type "submit" -name "button"
DebugPrint "Matched Field 'button'"
MatchField #1:5 -type "submit" -name "button"
DebugPrint "Matched Field 'button'"
EndSite
DebugPrint "Successfully matched login form Password Self Service"
OnException EnterVariablesCancelled Call N056893D0N052D5A40
SetPrompt "Username"
FocusInput #1:3
#TextInput #1:3 -value "$username"
TextInput #1:3 -value "?UserID"
DebugPrint "Performed entry action TextInput $username into control id#1:3"
SetPrompt "Current Password"
FocusInput #1:4
#TextInput #1:4 -value "$password"
TextInput #1:4 -value "?syspassword"
DebugPrint "Performed entry action TextInput $password into control id#1:4"
SetPrompt "Please edit your login variables."
FocusInput #1:5
PressInput #1:5
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form"
Site "Password Self Service" -recent 5000
DebugPrint "Conducting Match on login form Password Self Service"
MatchForm #1 -name "login"
MatchField #1:3 -type "text" -name "username"
DebugPrint "Matched Field 'username'"
MatchField #1:4 -type "password" -name "password"
DebugPrint "Matched Field 'password'"
MatchField #1:8 -type "submit" -name "button"
DebugPrint "Matched Field 'button'"
MatchField #1:5 -type "submit" -name "button"
DebugPrint "Matched Field 'button'"
EndSite
DebugPrint "Successfully matched login form Password Self Service"
OnException EnterVariablesCancelled Call N056893D0N052D5A40
if -exists $username
Displayvariables $username $password
Endif
SetPrompt "Username"
FocusInput #1:3
TextInput #1:3 -value "?UserID"
DebugPrint "Performed entry action TextInput $username into control id#1:3"
SetPrompt "Current Password"
FocusInput #1:4
TextInput #1:4 -value "?syspassword"
DebugPrint "Performed entry action TextInput $password into control id#1:4"
SetPrompt "Please edit your login variables."
FocusInput #1:5
PressInput #1:5
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form"
Site "Password Self Service" -subsequent
DebugPrint "Conducting Match on login form Password Self Service"
MatchForm #1 -name "login"
MatchField #1:3 -type "text" -name "username"
DebugPrint "Matched Field 'username'"
MatchField #1:4 -type "password" -name "password"
DebugPrint "Matched Field 'password'"
MatchField #1:8 -type "submit" -name "button"
DebugPrint "Matched Field 'button'"
MatchField #1:5 -type "submit" -name "button"
DebugPrint "Matched Field 'button'"
EndSite
DebugPrint "Successfully matched login form Password Self Service"
OnException EnterVariablesCancelled Call N056893D0N052D5A40
MessageBox "Do you wish to re-login?" -YesNo ?Result -DefaultNo
If ?Result Eq "No"
EndScript
EndIf
SetPrompt "Username"
FocusInput #1:3
TextInput #1:3 -value "?UserID"
DebugPrint "Performed entry action TextInput $username into control id#1:3"
SetPrompt "Current Password"
FocusInput #1:4
TextInput #1:4 -value "?syspassword"
DebugPrint "Performed entry action TextInput $password into control id#1:4"
SetPrompt "Please edit your login variables."
FocusInput #1:5
PressInput #1:5
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form Subroutines"
Sub N056893D0N052D5A40
FocusInput #1:8
PressInput #1:8
DebugPrint "PressInput action performed"
ClearException EnterVariablesCancelled
EndScript
EndSub
## EndSection: "Login Form Subroutines"
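The GetReg/RegSplit step at the top of the web script reduces the LastCacheUser registry value to the CN that the portal's username field expects. The following Python is an added example, not part of the article and not SecureLogin code: it splits an eDirectory typeful dotted DN into its components, handles any number of OU levels and an escaped dot inside the CN, and rejects values that are not a CN-leading DN, so a malformed value is never typed into the login form. The sample DNs are constructed.

```python
import re

# One typeful component: 'CN=jsmith', 'OU=users', 'O=acme'.
_COMPONENT = re.compile(r"^([A-Za-z]+)=(.*)$")
# eDirectory dotted notation separates components with '.', and a literal
# dot inside a value is escaped as '\.'; split only on unescaped dots.
_SEPARATOR = re.compile(r"(?<!\\)\.")


def split_edir_dn(dn):
    """'CN=jsmith.OU=users.O=acme' -> [('CN', 'jsmith'), ('OU', 'users'), ('O', 'acme')].

    Raises ValueError on a typeless DN or any component without a 'type=' prefix.
    """
    components = []
    for raw in _SEPARATOR.split(dn.strip()):
        match = _COMPONENT.match(raw)
        if not match:
            raise ValueError("not a typeful DN component: %r" % raw)
        components.append((match.group(1).upper(), match.group(2).replace("\\.", ".")))
    return components


def username_from_last_cache_user(value):
    """Return the CN to type into the portal's username field, whatever the OU depth."""
    components = split_edir_dn(value)
    if components[0][0] != "CN" or not components[0][1]:
        raise ValueError("LastCacheUser is not a CN-leading DN: %r" % value)
    return components[0][1]


# Constructed sample values (not real directory data) covering one, two and
# three OU levels, an escaped dot in the CN, and two malformed values.
SAMPLE_VALUES = [
    "CN=jsmith.OU=users.O=acme",
    "CN=jsmith.OU=users.OU=corp.O=acme",
    "CN=jsmith.OU=users.OU=corp.OU=emea.O=acme",
    r"CN=j\.smith.OU=users.O=acme",
    "OU=users.O=acme",
    "jsmith.users.acme",
]


def extract_all(values=SAMPLE_VALUES):
    """Map each value to the extracted CN, or to the error text for rejected values."""
    results = {}
    for value in values:
        try:
            results[value] = username_from_last_cache_user(value)
        except ValueError as exc:
            results[value] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for value, result in extract_all().items():
        print("%-45s -> %s" % (value, result))
```

The two-pass RegSplit the wizard-era script used only works for one specific OU depth; anchoring on "CN=" and stopping at the first unescaped dot is what makes the extraction independent of where in the tree the user lives.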

--------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------

Solution B:


Another option is to build the logic in the Novell Client login script. Below is an example of how to do it (courtesy of RLJohnson).

Customers that do not license NSL can use a fairly simple Novell Client login script to notify the user and send them to their User Application portal.

**If the user's password expires in 2 to 5 days, the user is sent to the Password Self Service Portal**

IF PASSWORD_EXPIRES<="5" AND PASSWORD_EXPIRES>"1" THEN

WRITE "\n\n\n\7Hello, %LOGIN_NAME,\nyour password will expire in %PASSWORD_EXPIRES days,\nyou must change your password now to avoid interruption to services. \n\n\7Press any key to be redirected to the Password Self Service Portal."

PAUSE

@C:\Program Files\Internet Explorer\iexplore https://: /IDM/jsps/login/Login.jsp

END

**If the user's password expires today (1 day or less) or the user is on grace logins, they are sent to the Password Self Service Portal**

IF PASSWORD_EXPIRES<="1" THEN

WRITE "\n\n\n\7%LOGIN_NAME,\nYOUR PASSWORD IS EXPIRED\n\n\7YOU MUST CHANGE YOUR PASSWORD\n\nPress any key to be redirected to the Password Self Service Portal."

PAUSE

@C:\Program Files\Internet Explorer\iexplore https://: /IDM/jsps/login/Login.jsp

END
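Both solutions make the same decision: work out how many days remain until the password expires and pick a tier (nothing, offer a change, force a change). Solution A does it in the NSL startup script with Subtract and Divide on the expiration and login times; Solution B does it with the login script's PASSWORD_EXPIRES identifier. The following Python is an added example, not code from the article or from either product, that carries the same computation out against eDirectory's passwordExpirationTime attribute as LDAP exposes it (a GeneralizedTime string such as 20240120083000Z, reported in UTC) and applies both solutions' thresholds. It also handles the case the NSL script does not, an already-expired password, where the subtraction goes negative and the message box would read "expire in -1 days". The login time and expiry values are constructed.

```python
from datetime import datetime, timezone

NONE, PROMPT, FORCE, EXPIRED = "none", "prompt", "force", "expired"


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form eDirectory returns ('YYYYMMDDHHMMSSZ').

    Only the 14-digit UTC form is accepted; anything else is rejected rather
    than silently treated as 'never expires'.
    """
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError("unsupported GeneralizedTime value: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def days_until_expiry(expiration, login_time):
    """(expiration - login) in seconds, floored to days, as the NSL script's
    Subtract / Divide by 86400 does; negative once the password has expired."""
    return int((expiration - login_time).total_seconds() // 86400)


def solution_a_tier(days):
    """Thresholds of the NSL startup script: ?days LT 4 forces the portal,
    ?days LT 11 offers it. Negative days are reported as expired instead of
    'will expire in -1 days'."""
    if days < 0:
        return EXPIRED
    if days < 4:
        return FORCE
    if days < 11:
        return PROMPT
    return NONE


def solution_b_tier(days):
    """Thresholds of the login script: PASSWORD_EXPIRES <= 1 takes the
    'expired / grace login' branch, 2..5 takes the redirect branch."""
    if days <= 1:
        return EXPIRED
    if days <= 5:
        return FORCE
    return NONE


def classify(expiration_attr, login_time):
    """Return (days remaining, Solution A tier, Solution B tier) for one user."""
    days = days_until_expiry(parse_generalized_time(expiration_attr), login_time)
    return days, solution_a_tier(days), solution_b_tier(days)


# Constructed sample: a login at 2024-01-15 09:00 UTC and five expiry values.
LOGIN_TIME = parse_generalized_time("20240115090000Z")
SAMPLE_EXPIRY = [
    "20240114230000Z",  # expired ten hours ago
    "20240116090000Z",  # exactly one day left
    "20240117120000Z",  # two days and three hours left
    "20240122090000Z",  # seven days left
    "20240215090000Z",  # a month left
]


def classify_all(values=SAMPLE_EXPIRY, login_time=LOGIN_TIME):
    return {value: classify(value, login_time) for value in values}


if __name__ == "__main__":
    for value, (days, tier_a, tier_b) in classify_all().items():
        print("%s  days=%3d  solution A: %-8s solution B: %s" % (value, days, tier_a, tier_b))
```

Running it shows where the two solutions disagree: with exactly one day left Solution A still only forces a change while Solution B already treats the user as expired, and a password that expired overnight is caught by the explicit negative-days check rather than producing a nonsensical "-1 days" message.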

Notice: An enhancement request has been submitted to Novell Development for a Novell Client option that handles password expiration the same way Microsoft's solution does, by notifying the user and allowing them to change their password a configurable number of days before expiration. Although the enhancement has been submitted, there is currently no information on whether it will be accepted.

Labels:

How To-Best Practice