
Randomly reset the passwords for users:


Hi Guys,

Version:
4.0.1.0 AE

Scenario:
Since there are a lot of external users who seldom access their accounts
over our internal system, these users' account passwords expire.
We would like to reset the passwords of such users automatically.
All these external users are in one container called external, and
they also have an attribute whose value differentiates them from
normal internal business users.

Questions:
- Is there a job in IDM where I can do this? [I know there is a job
which helps in setting a random password.]
- Can this same job be used and modified to reset the passwords for a
specific set of users with defined attributes? [Then send a notification
to the user that their password has been reset via email.]

Any ideas?
Any pointers?

Thank you,
ddgaikwad


--
ddgaikwad
------------------------------------------------------------------------
ddgaikwad's Profile: https://forums.netiq.com/member.php?userid=5917
View this thread: https://forums.netiq.com/showthread.php?t=51359


Re: Randomly reset the passwords for users:

On 7/18/2014 4:24 PM, ddgaikwad wrote:
>
> Hi Guys,
>
> Version:
> 4.0.1.0 AE
>
> Scenario:
> Since there are a lot of external users who seldom access their accounts
> over our internal system, these users' account passwords expire.
> We would like to reset the passwords of such users automatically.
> All these external users are in one container called external, and
> they also have an attribute whose value differentiates them from
> normal internal business users.
>
> Questions:
> - Is there a job in IDM where I can do this? [I know there is a job
> which helps in setting a random password.]
> - Can this same job be used and modified to reset the passwords for a
> specific set of users with defined attributes? [Then send a notification
> to the user that their password has been reset via email.]


Resetting the password in a job out of the box? Not really.

You can set up a standard trigger job, scope it at this container, then
tell it to send one event per object, and then in a policy in Sub-Event
in that driver, look for operation=trigger, and the name of the trigger
(I think source-name, but I forget at this second, look at trace to find
it) and then use the set source password, with the password coming from
Generate Password token. Point it at a policy that does NOT have a
uniqueness requirement, since the token dies on those.



Re: Randomly reset the passwords for users:


Hi geoffc,
geoffc;246744 Wrote:
> On 7/18/2014 4:24 PM, ddgaikwad wrote:
> >
> > Hi Guys,
> >
> > Version:
> > 4.0.1.0 AE
> >
> > Scenario:
> > Since there are a lot of external users who seldom access their accounts
> > over our internal system, these users' account passwords expire.
> > We would like to reset the passwords of such users automatically.
> > All these external users are in one container called external, and
> > they also have an attribute whose value differentiates them from
> > normal internal business users.
> >
> > Questions:
> > - Is there a job in IDM where I can do this? [I know there is a job
> > which helps in setting a random password.]
> > - Can this same job be used and modified to reset the passwords for a
> > specific set of users with defined attributes? [Then send a notification
> > to the user that their password has been reset via email.]
>
> Resetting the password in a job out of the box? Not really.
>
> You can set up a standard trigger job, scope it at this container, then
> tell it to send one event per object, and then in a policy in Sub-Event
> in that driver, look for operation=trigger, and the name of the trigger
> (I think source-name, but I forget at this second, look at trace to find
> it) and then use the set source password, with the password coming from
> Generate Password token. Point it at a policy that does NOT have a
> uniqueness requirement, since the token dies on those.


Seems that developing a driver would take some effort to get all these
things in place.
I am thinking of an alternative of creating a script which could be run
on the IDM server and have it generate and replace the password for the
users based on expiration time and last login of the user.

Would a script be a better option than the driver then?

Thank you,
ddgaikwad



Re: Randomly reset the passwords for users:

Take your pick; both can work. If these are identity data then an IDM
system makes sense. Having something that polls for stuff regularly and
then makes something happen is a fair fit for a Null driver with a
Trigger. Having scripts do functionally the same thing isn't better or
worse, though it is outside the Identity system, so when you migrate to
another server (upgrade/etc.) there may be more work to also move external
scripts called by cron.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Randomly reset the passwords for users:


Thanks ab,

ab;246746 Wrote:
> Take your pick; both can work. If these are identity data then an IDM
> system makes sense. Having something that polls for stuff regularly and
> then makes something happen is a fair fit for a Null driver with a
> Trigger. Having scripts do functionally the same thing isn't better or
> worse, though it is outside the Identity system, so when you migrate to
> another server (upgrade/etc.) there may be more work to also move external
> scripts called by cron.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Well, I would love to get started on the driver.
There is just a tiny bit of a problem here: is there any reference
data/driver/article that would help me get on the fast track to creating this
driver?

Thank you,
ddgaikwad



Re: Randomly reset the passwords for users:

On 07/18/2014 03:24 PM, ddgaikwad wrote:
>
> Well, I would love to get started on the driver.
> There is just a tiny bit of a problem here: is there any reference
> data/driver/article that would help me get on the fast track to creating this
> driver?


See Lothar's driver config to notify users about expired passwords. It
has the framework and logic in place; all you really need to do is turn
off the notifications (or maybe point them to a service e-mail account so
you have some way to easily see who was expired every time the driver
config runs), and then modify the condition to work based on lastLoginTime
being X time period in the past, and also add an action to reset the
user's password. I'd bet this can be done in an hour or two with minimal
work since he's already done the heavy lifting in creating an awesome
password-expiration driver config.


Re: Randomly reset the passwords for users:


ab;246750 Wrote:
> On 07/18/2014 03:24 PM, ddgaikwad wrote:
> >
> > Well, I would love to get started on the driver.
> > There is just a tiny bit of a problem here: is there any reference
> > data/driver/article that would help me get on the fast track to creating this
> > driver?
>
> See Lothar's driver config to notify users about expired passwords. It
> has the framework and logic in place; all you really need to do is turn
> off the notifications (or maybe point them to a service e-mail account so
> you have some way to easily see who was expired every time the driver
> config runs), and then modify the condition to work based on lastLoginTime
> being X time period in the past, and also add an action to reset the
> user's password. I'd bet this can be done in an hour or two with minimal
> work since he's already done the heavy lifting in creating an awesome
> password-expiration driver config.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Thank you all for all this information! I have started working on it now;
it's been a while since I have worked on creating drivers, so it might take
some more time to do it.
Will post an update for sure.

Thank you again,
-ddgaikwad



Re: Randomly reset the passwords for users:

On 7/18/2014 4:44 PM, ddgaikwad wrote:
>
> Hi geoffc,
> geoffc;246744 Wrote:
>> On 7/18/2014 4:24 PM, ddgaikwad wrote:
>>>
>>> Hi Guys,
>>>
>>> Version:
>>> 4.0.1.0 AE
>>>
>>> Scenario:
>>> Since there are a lot of external users who seldom access their accounts
>>> over our internal system, these users' account passwords expire.
>>> We would like to reset the passwords of such users automatically.
>>> All these external users are in one container called external, and
>>> they also have an attribute whose value differentiates them from
>>> normal internal business users.
>>>
>>> Questions:
>>> - Is there a job in IDM where I can do this? [I know there is a job
>>> which helps in setting a random password.]
>>> - Can this same job be used and modified to reset the passwords for a
>>> specific set of users with defined attributes? [Then send a notification
>>> to the user that their password has been reset via email.]
>>
>> Resetting the password in a job out of the box? Not really.
>>
>> You can set up a standard trigger job, scope it at this container, then
>> tell it to send one event per object, and then in a policy in Sub-Event
>> in that driver, look for operation=trigger, and the name of the trigger
>> (I think source-name, but I forget at this second, look at trace to find
>> it) and then use the set source password, with the password coming from
>> Generate Password token. Point it at a policy that does NOT have a
>> uniqueness requirement, since the token dies on those.
>
> Seems that developing a driver would take some effort to get all these
> things in place.
> I am thinking of an alternative of creating a script which could be run
> on the IDM server and have it generate and replace the password for the
> users based on expiration time and last login of the user.
>
> Would a script be a better option than the driver then?


Key thing you get, doing it in the engine (as a rule in an existing
driver, say) is the use of the Generate Password, which nicely reads the
Password Policy and generates a random password based on the
restrictions in the Policy. If you change the policy, no code changes;
the next random run uses the new value.

Otherwise, both would work.


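The Generate Password behaviour geoffc describes (read the Password Policy's restrictions, emit a random password that satisfies them) as an added illustration: this is example code written for this thread, not the IDM token and not code from any poster. It drives a small generator from a policy description; the policy keys and values are constructed for the example, where the real token reads the Password Policy object.

```python
"""Policy-driven random password generation. Added example for this thread;
not the IDM Generate Password token. The POLICY dictionary is constructed and
stands in for the Password Policy object's restrictions."""
import secrets
import string

POLICY = {
    "min_length": 12,
    "max_length": 16,
    "min_upper": 1,
    "min_lower": 1,
    "min_digits": 2,
    "min_special": 1,
    "special_chars": "!#$%&*+-=?@_",
}

# Character class for each minimum-count rule (the special class comes from the policy).
_CLASSES = {
    "min_upper": string.ascii_uppercase,
    "min_lower": string.ascii_lowercase,
    "min_digits": string.digits,
}


def _alphabets(policy):
    classes = dict(_CLASSES)
    classes["min_special"] = policy["special_chars"]
    return classes


def check_policy(password, policy):
    """Return the list of violated rule names; an empty list means compliant."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if len(password) > policy["max_length"]:
        problems.append("too long")
    alphabets = _alphabets(policy)
    for rule, alphabet in alphabets.items():
        if sum(c in alphabet for c in password) < policy[rule]:
            problems.append(rule)
    allowed = set("".join(alphabets.values()))
    if any(c not in allowed for c in password):
        problems.append("disallowed character")
    return problems


def generate_password(policy, rng=secrets):
    """Draw the mandatory characters of each class, fill up to a random
    length within the policy's range, then shuffle with the CSPRNG."""
    alphabets = _alphabets(policy)
    required = sum(policy[rule] for rule in alphabets)
    if required > policy["max_length"] or policy["min_length"] > policy["max_length"]:
        raise ValueError("policy minimums cannot fit in max_length")
    chars = [rng.choice(alphabet) for rule, alphabet in alphabets.items()
             for _ in range(policy[rule])]
    pool = "".join(alphabets.values())
    low = max(policy["min_length"], required)
    length = low + rng.randbelow(policy["max_length"] - low + 1)
    while len(chars) < length:
        chars.append(rng.choice(pool))
    # Fisher-Yates shuffle driven by randbelow; random.shuffle is not crypto-grade.
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password(POLICY)
    print(pw, "violations:", check_policy(pw, POLICY))
```

Every character comes from `secrets`, and the generator validates its own output with the same checker an operator could run over a password handed back by some other tool. A password-history (uniqueness) rule, the one geoffc warns the token fails on, is deliberately not modelled: it needs the previous password hashes, which a policy description alone does not carry.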

Re: Randomly reset the passwords for users:

Geoffrey Carman wrote:

> You can set up a standard trigger job, scope it at this container, then tell
> it to send one event per object


Or to allow for finer target object selection, point the trigger job at a
dynamic group and you have all the power of LDAP filters at your hand to
generate trigger events for just the accounts you need to work on. This would
allow filtering on the "attribute which has a value to differentiate them
from normal internal business users" that was mentioned.

You could even run a second, scope-less trigger job on the same driver (so you
get one event per minute/hour/day) and use it to modify the dynamic group's
LDAP filter to filter on loginTime/loginExpirationTime more than 90 days ago
or the like. So one job triggers updating the LDAP filter, the other then
triggers random password reset on just the accounts you are looking for. No
more looping over all externals just to find the one or two you need to
actually do something about... 🙂

Modifying the PWNotify driver should also work, you'd have to add code that
works on the results found for the "Account Idle" notification ( older than XX
days), but there's no built-in option to check for account expired more than XX
days ago, so you'd have to add that yourself. Sounds like more work than
building just what you need from scratch as described above to me, though.
Unless you also need to implement password notifications anyway...
______________________________________________
https://www.is4it.de/identity-access-management

Re: Randomly reset the passwords for users:


Hi,

I took the PWD_Notify driver and added the following rule in the Publisher
channel's Event Transformation policy, to test the random password reset:

<if-global-variable mode="numeric" name="$LastLoginTimeAttr$"
op="lt">$AccountIdleDays$</if-global-variable>
<do-set-dest-password class-name="User">
  <arg-string>
    <token-text xml:space="preserve">123456</token-text>
  </arg-string>
</do-set-dest-password>

Now what is happening is that the rule is always evaluated as FALSE,
and it does not reset the password for the user.
What am I missing here?

-ddgaikwad



Re: Randomly reset the passwords for users:

On 8/6/2014 7:08 PM, ddgaikwad wrote:
>
> Hi,
>
> I took the PWD_Notify driver and added the following rule in the Publisher
> channel's Event Transformation policy, to test the random password reset:
>
> <if-global-variable mode="numeric" name="$LastLoginTimeAttr$"
> op="lt">$AccountIdleDays$</if-global-variable>
> <do-set-dest-password class-name="User">
>   <arg-string>
>     <token-text xml:space="preserve">123456</token-text>
>   </arg-string>
> </do-set-dest-password>


You have a GCV, whose name is held in a variable LastLoginTimeAttr?
That seems unlikely?

Perhaps instead of if-global-variable, you intended if-src-attr?

In that case, a GCV or local variable, LastLoginTimeAttr, could hold the
name of the last login time attribute.

Then AccountIdleDays is fine, assuming it is the CTIME equivalent of NOW -
90*24*60*60.

That is, what time is set in your LastLoginTimeAttr attribute? The time
of the last login?

The advantage of the Password Notifier driver approach is you can do an
LDAP query for your attr (let's call it loginTime, as that is the
standard eDir one) for a value of < 201401010101Z or the like and only
get back those objects to iterate over that have a loginTime value
before Jan 1, 2014.

But that could work as well.

Perhaps Lothar already has a process calling in the long ago logins and
you are piggybacking off it, which could work.




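Lothar's dynamic-group filter and geoffc's cutoff arithmetic come down to the same comparison: loginTime at or before NOW minus N days. The following is an added example written for this thread, not IDM or eDirectory code and not any poster's code. It parses loginTime values in LDAP GeneralizedTime at hour, minute or second precision (the `201401010101Z` form geoffc quotes is the minute-precision one), computes the 90-day cutoff, picks the idle accounts out of a constructed sample set, and builds the LDAP filter and memberQueryURL a dynamic group could carry. The container DN `ou=external,o=acme`, the marker attribute `externalUser`, and the sample accounts are constructed for the example.

```python
"""Select idle external accounts by loginTime and build the matching LDAP
filter. Added example for this thread; not IDM or eDirectory code. DNs, the
marker attribute and the sample accounts are constructed."""
from datetime import datetime, timedelta, timezone

IDLE_DAYS = 90                                      # threshold from the thread
MARKER_ATTR, MARKER_VALUE = "externalUser", "TRUE"  # constructed marker attribute
BASE_DN = "ou=external,o=acme"                      # constructed container

# Constructed sample; loginTime is LDAP GeneralizedTime as eDir exposes it.
NOW = datetime(2014, 8, 6, 19, 8, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"dn": "cn=alice," + BASE_DN, "loginTime": "20140101000000Z"},  # long idle
    {"dn": "cn=bob," + BASE_DN, "loginTime": "20140801120000Z"},    # recent login
    {"dn": "cn=carol," + BASE_DN},                                  # never logged in
    {"dn": "cn=dave," + BASE_DN, "loginTime": "20140508190800Z"},   # exactly at cutoff
    {"dn": "cn=erin," + BASE_DN, "loginTime": "201405081909Z"},     # minute precision, 1 min after cutoff
]


def parse_generalized_time(value):
    """Parse GeneralizedTime YYYYMMDDHH[MM[SS]]Z (UTC only). Missing minutes
    and seconds are zero-filled; malformed input raises ValueError."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC generalized time: %r" % value)
    digits = value[:-1]
    if len(digits) not in (10, 12, 14) or not digits.isdigit():
        raise ValueError("malformed generalized time: %r" % value)
    dt = datetime.strptime(digits.ljust(14, "0"), "%Y%m%d%H%M%S")
    return dt.replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    """Second-precision GeneralizedTime in UTC, the form used in the filter."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def idle_cutoff(now, idle_days=IDLE_DAYS):
    """Accounts whose last login is at or before this instant count as idle."""
    return now - timedelta(days=idle_days)


def idle_filter(cutoff, marker_attr=MARKER_ATTR, marker_value=MARKER_VALUE):
    """LDAP filter: external marker AND loginTime <= cutoff. LDAP filters have
    no strict '<', so '<=' is used here and select_idle matches it."""
    return "(&(objectClass=inetOrgPerson)(%s=%s)(loginTime<=%s))" % (
        marker_attr, marker_value, format_generalized_time(cutoff))


def member_query_url(base_dn, ldap_filter):
    """memberQueryURL form an eDirectory dynamic group stores: ldap:///base??scope?filter."""
    return "ldap:///%s??sub?%s" % (base_dn, ldap_filter)


def select_idle(accounts, now, idle_days=IDLE_DAYS):
    """Return (idle_dns, never_logged_in_dns). Accounts without a loginTime are
    reported separately, because an LDAP '<=' filter silently skips them."""
    cutoff = idle_cutoff(now, idle_days)
    idle, never = [], []
    for acct in accounts:
        if "loginTime" not in acct:
            never.append(acct["dn"])
        elif parse_generalized_time(acct["loginTime"]) <= cutoff:
            idle.append(acct["dn"])
    return idle, never


if __name__ == "__main__":
    cutoff = idle_cutoff(NOW)
    print(member_query_url(BASE_DN, idle_filter(cutoff)))
    idle, never = select_idle(SAMPLE_ACCOUNTS, NOW)
    print("idle:", idle)
    print("never logged in (not matched by the filter):", never)
```

The never-logged-in case is the one to decide on up front: an account with no loginTime value never matches a `loginTime<=` filter, so a reset job built purely on the dynamic group leaves those accounts untouched unless the filter also covers `(!(loginTime=*))`. The cutoff is recomputed from the current time on every run, which is what Lothar's second, scope-less trigger job would do when it rewrites the group's filter.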

Re: Randomly reset the passwords for users:

Where's the trace?
