jacmarpet1 Absent Member.

IDM 4.5.3 - Assign Password Policy from driver


Hello,

I would like to assign a password policy directly to a user from a
driver.

When I assign it directly to the user, by adding the attribute
nspmPasswordPolicyDN it does not work. The attribute is set, but the
attribute on the password policy object itself, nsimAssignments is not
updated with the user DN.

If I do it the other way around, by adding the nsimAssignments attribute
to the password policy object, the nspmPasswordPolicyDN is not added to
the user.

However, if I add both of them, from the driver, it works. This all
seems a bit shady and strange. Is this really how I would go about
adding it to a user from a driver?

Thanks in advance,

Jacob.


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=56102


Re: IDM 4.5.3 - Assign Password Policy from driver

On 06/23/2016 09:34 AM, jacmarpet wrote:
>
> Hello,
>
> I would like to assign a password policy directly to a user from a
> driver.
>
> When I assign it directly to the user, by adding the attribute
> nspmPasswordPolicyDN it does not work. The attribute is set, but the
> attribute on the password policy object itself, nsimAssignments is not
> updated with the user DN.


The nsimAssignments attribute is only there for convenience when using
iManager (or whatever) to look at the password policy to quickly see what
is assigned to that policy. The policy is enforced based entirely,
exclusively, only, on nspmPasswordPolicyDN. I'd stick with this if I were
you for reasons I'll cover at the bottom.

> If I do it the other way around, by adding the nsimAssignments attribute
> to the password policy object, the nspmPasswordPolicyDN is not added to
> the user.


Yes, true, and now the policy is also not applying to your object.

> However, if I add both of them, from the driver, it works. This all
> seems a bit shady and strange. Is this really how I would go about
> adding it to a user from a driver?


This is probably the best way to do this, with a few notes:

1. You could set up Reciprocal Attributes to handle this. If you do this
correctly, you only need to write one side and the other will be maintained.

2. Doing both sides manually is fine; eDirectory does not care about
nsimAssignments during login. It may seem odd that you need to do both,
but both objects exist independently of each other; the reason the "link"
seems to exist using iManager is because it modifies both objects for you
behind the scenes; iManager does this for other things too, like group
memberships and security equivalences, which have attributes on both user
and group sides.

3. One concern with updating nsimAssignments is that, particularly if you
are setting this via IDM, you could have thousands/millions of values on
that one object in that one attribute. This can be fine, or it can cause
problems, particularly with iManager when it tries to load those values
and subsequently crashes due to lack of memory. If I were you, I'd ignore
nsimAssignments on anything managed via IDM if it's likely to have even
thousands of entries because it's managed by something, so let it do it
fully. If you want to know which policy applies to a user, check the user
(or the 'Password Policy Assignments' task in iManager) and ignore what
the policy has directly.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
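
An added example (not from the thread and not NetIQ code) of auditing the point made in the reply above: enforcement follows only the user's nspmPasswordPolicyDN, so a user who appears in a policy's nsimAssignments without that pointer is not covered by the policy. It assumes an LDIF export with plain, unfolded `attr: value` lines; the DNs in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample LDIF export (DNs are made up for illustration).
SAMPLE_LDIF = """\
dn: cn=StrictPolicy,cn=Password Policies,cn=Security
nsimAssignments: cn=alice,ou=users,o=acme
nsimAssignments: cn=bob,ou=users,o=acme

dn: cn=alice,ou=users,o=acme
nspmPasswordPolicyDN: cn=StrictPolicy,cn=Password Policies,cn=Security

dn: cn=bob,ou=users,o=acme

dn: cn=carol,ou=users,o=acme
nspmPasswordPolicyDN: cn=StrictPolicy,cn=Password Policies,cn=Security
"""

def norm(dn):  # comparison key: lowercase, no spaces around commas
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercase attr: [values]}} for plain LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm(value), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def audit(entries):
    """Compare nspmPasswordPolicyDN (enforced) with nsimAssignments (display)."""
    enforced = {(u, norm(p)) for u, e in entries.items()
                for p in e.get("nspmpasswordpolicydn", [])}
    listed = {(norm(u), p) for p, e in entries.items()
              for u in e.get("nsimassignments", [])}
    return {
        # Policy lists the user but the user has no pointer: policy NOT applied.
        "listed_not_enforced": sorted(listed - enforced),
        # User is governed by the policy but the policy object does not show it.
        "enforced_not_listed": sorted(enforced - listed),
    }

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

The `listed_not_enforced` pairs are the ones that matter for security; `enforced_not_listed` only affects what iManager shows on the policy object.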

Re: IDM 4.5.3 - Assign Password Policy from driver

On 6/23/2016 11:34 AM, jacmarpet wrote:
>
> Hello,
>
> I would like to assign a password policy directly to a user from a
> driver.
>
> When I assign it directly to the user, by adding the attribute
> nspmPasswordPolicyDN it does not work. The attribute is set, but the
> attribute on the password policy object itself, nsimAssignments is not
> updated with the user DN.
>
> If I do it the other way around, by adding the nsimAssignments attribute
> to the password policy object, the nspmPasswordPolicyDN is not added to
> the user.
>
> However, if I add both of them, from the driver, it works. This all
> seems a bit shady and strange. Is this really how I would go about
> adding it to a user from a driver?


As Aaron notes, this is actually how it works, and he goes on to explain
the why as well. Very good explanation.

As a side note, I have a packaged add on for a Loopback driver that adds
Password Policy as an Entitlement. 🙂

So you Define a Role, assign it a Resource, that uses this entitlement
and you can select for the Resource, and assign it to any Password Policy.


jacmarpet1 Absent Member.

Re: IDM 4.5.3 - Assign Password Policy from driver


geoffc;269071 Wrote:
> On 6/23/2016 11:34 AM, jacmarpet wrote:
> >
> > Hello,
> >
> > I would like to assign a password policy directly to a user from a
> > driver.
> >
> > When I assign it directly to the user, by adding the attribute
> > nspmPasswordPolicyDN it does not work. The attribute is set, but the
> > attribute on the password policy object itself, nsimAssignments is not
> > updated with the user DN.
> >
> > If I do it the other way around, by adding the nsimAssignments attribute
> > to the password policy object, the nspmPasswordPolicyDN is not added to
> > the user.
> >
> > However, if I add both of them, from the driver, it works. This all
> > seems a bit shady and strange. Is this really how I would go about
> > adding it to a user from a driver?
>
> As Aaron notes, this is actually how it works, and he goes on to explain
> the why as well. Very good explanation.
>
> As a side note, I have a packaged add on for a Loopback driver that adds
> Password Policy as an Entitlement. 🙂
>
> So you Define a Role, assign it a Resource, that uses this entitlement
> and you can select for the Resource, and assign it to any Password Policy.

Thank you both very much for explaining this to me, great answers!

Jacob.



jacmarpet1 Absent Member.

Re: IDM 4.5.3 - Assign Password Policy from driver


Just an FYI: I have assigned a pw policy to 1500~ users and also set the
nsimAssignments on the policy object and iManager can handle it without
problems. It's even quite fast, and I bet if I index it it will load in
less than 5 seconds. So, I'll set both attributes.

Thanks again!

Jacob.


