Anonymous_User

Re: Randomly reset the passwords for users:


Hi ab,

Here is the trace:
http://pastebin.com/5FFaSd2R

Thanks!
ddgaikwad


--
ddgaikwad
------------------------------------------------------------------------
ddgaikwad's Profile: https://forums.netiq.com/member.php?userid=5917
View this thread: https://forums.netiq.com/showthread.php?t=51359

Anonymous_User

Re: Randomly reset the passwords for users:


ddgaikwad;247358 Wrote:
> Hi ab,
>
> Here is the trace:
> http://pastebin.com/5FFaSd2R
>
> Thanks!
> ddgaikwad


Here is another trace, where I tried to migrate the newly created
users.
http://pastebin.com/eG1ECUsS
The condition went true, but then it did not reset the password for the
users as given in the rule.
Instead it was vetoed by an action which says if it's not a trigger then
veto all. Not sure if that's something I might be looking into?

Thanks!
-ddgaikwad


--
ddgaikwad

Knowledge Partner

Re: Randomly reset the passwords for users:

ddgaikwad wrote:

> > Here is the trace:
> > http://pastebin.com/5FFaSd2R


This trace shows a publisher heartbeat triggering the policies but as Geoffrey
already explained, fails with an LDAP connect error, so that there is no data
to trigger a password reset in the first place. Fix that and the second error
("Could not convert time...") will go away, too. Are you sure cleartext LDAP is
allowed on server 10.20.151.62? If so, try enabling LDAP tracing on the server
and see why it fails.

Btw. which version of the PWNotify driver do you use? From the policy naming
scheme and the call to es:ldapsearch() it looks like you have a pretty old
version. The latest version 2.2 together with the latest ldapsearch ECMA
library from http://www.brummelhook.com/download/idm/packages allows you to trace
details of ldapsearch processing (set to level 10 for all details, level 5 for
all but the bind password used).

Since you are still using IDM 3.6 you would have to cheat and tell Designer
it's 4.0x in order to install and deploy it (will show some errors during
deploy but generally works, try in a dev environment first). Another option
would be to install offline in Designer, export the driver as XML and import
that into your 3.6 tree. Off the top of my head, I do not think the packaged
driver uses any features not available in IDM 3.6, but I'm not 100% sure.

> Here is another trace, where I tried to migrate the newly created
> users.
> http://pastebin.com/eG1ECUsS


This shows a subscriber event which will never trigger your code on the
publisher channel.
______________________________________________
https://www.is4it.de/identity-access-management

Knowledge Partner

Re: Randomly reset the passwords for users:

Lothar Haeger wrote:

> Off the top of my head, I do not think the packaged
> driver uses any features not available in IDM 3.6, but I'm not 100% sure.


Well, GCV resources... you'd have to copy all GCVs from the resources to the
driver GCV and not deploy the resource objects.
______________________________________________
https://www.is4it.de/identity-access-management

Knowledge Partner

Re: Randomly reset the passwords for users:

On 8/8/2014 3:00 AM, Lothar Haeger wrote:
> Lothar Haeger wrote:
>
>> Off the top of my head, I do not think the packaged
>> driver uses any features not available in IDM 3.6, but I'm not 100% sure.

>
> Well, GCV resources... you'd have to copy all GCVs from the resources to the
> driver GCV and not deploy the resource objects.


Filter extension should be fine as well, since they get copied to the
Filter.


Knowledge Partner

Re: Randomly reset the passwords for users:

On 8/7/2014 3:07 PM, ddgaikwad wrote:
>
> Hi ab,
>
> Here is the trace:
> http://pastebin.com/5FFaSd2R


Probably lots of comments. Is the driver Sec Equals to someone who can
write to the driver object?

Last Referenced Time is used as a 'high water' marker:

[08/07/14 14:51:28.914]:Run PT:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query
dest-dn="\HAVI-DEV\havi\manufactures\IDM_manufactures\PWD_Notify"
scope="entry">
<read-attr attr-name="Last Referenced Time"/>
</query>
</input>
</nds>
[08/07/14 14:51:28.915]:Run PT: Pumping XDS to eDirectory.
[08/07/14 14:51:28.919]:Run PT: Performing operation
query for \HAVI-DEV\havi\manufactures\IDM_manufactures\PWD_Notify.
[08/07/14 14:51:28.925]:Run PT: Query from policy result
[08/07/14 14:51:28.928]:Run PT:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="DirXML-Driver" event-id="0"
qualified-src-dn="O=havi\OU=manufactures\CN=IDM_manufactures\CN=PWD_Notify"
src-dn="\HAVI-DEV\havi\manufactures\IDM_manufactures\PWD_Notify"
src-entry-id="33276"/>
<status event-id="0" level="success"></status>
</output>
</nds>
[08/07/14 14:51:28.941]:Run PT: Token Value: "".
[08/07/14 14:51:28.942]:Run PT: Arg Value: "".
[08/07/14 14:51:28.945]:Run PT:
DirXML Log Event -------------------
Driver: \HAVI-DEV\havi\manufactures\IDM_manufactures\PWD_Notify
Channel: Publisher
Status: Warning
Message: Code(-8033) Error in
vnd.nds.stream://HAVI-DEV/havi/manufactures/IDM_manufactures/PWD_Notify/Publisher/%231+Check+Schedule#XmlData:46:
Couldn't convert date/time '': java.lang.NumberFormatException: For
input string: ""


You are not connecting over LDAP properly. Figure out the proper
parameters and set them:

<nds dtdversion="3.5">
<source>
<product instance="PWD_Notify" version="3.6.10.4747">DirXML
Loopback Driver</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<status level="success" type="notification">Password Expiration
Notification<br/>
<LastRunTime>2008-01-01 00:00:00</LastRunTime>
<ThisRunTime>2014-08-07 14:51:28</ThisRunTime>
<AccountExpires>
<From>2014-08-07 14:51:28</From>
<To..>2014-09-07 14:51:28</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</AccountExpires>


Host is:
"ldap://10.20.151.62:389

Might need SSL on 636...

User is:
CN=admin,O=havi

Looks good.


Anonymous_User

Re: Randomly reset the passwords for users:


Yes, the driver has security equals to admin.
Will check what parameters am I missing while connecting to LDAP.

Thanks!
-ddgaikwad


--
ddgaikwad

Anonymous_User

Re: Randomly reset the passwords for users:

The action that you previously posted in XML form does not, at least
anywhere that I can see, show up in this trace. As a result I'm guessing
it is either disabled or trace is suppressed or something. Either way,
not helpful. If the rule was supposed to be the 'Applying policy:
%+C%14CFBS emp reset psswd%-C.' then the problem is that this was not an
FBS user, or at least something caused the engine to determine that was
not the case.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User

Re: Randomly reset the passwords for users:


ab;247376 Wrote:
> The action that you previously posted in XML form does not, at least
> anywhere that I can see, show up in this trace. As a result I'm
> guessing
> it is either disabled or trace is suppressed or something. Either way,
> not helpful. If the rule was supposed to be the 'Applying policy:
> %+C%14CFBS emp reset psswd%-C.' then the problem is that this was not
> an
> FBS user, or at least something caused the engine to determine that was
> not the case.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Yes, that was a different rule which also did a password reset for the
user.
But, then when I checked for my own rule, its condition went into FALSE
for every interval the driver checked for users:
[08/13/14 05:53:45.098]:PWD_Notify PT: Evaluating selection criteria
for rule 'Reset account idle passwpord'.
[08/13/14 05:53:45.098]:PWD_Notify PT: Expanded variable reference
'$LastLoginTimeAttr$' to 'lastLoginTime'.
[08/13/14 05:53:45.098]:PWD_Notify PT: (if-global-variable
'$LastLoginTimeAttr$' gt "$AccountIdleDays$") = FALSE.
[08/13/14 05:53:45.098]:PWD_Notify PT: Rule rejected.

The other question that came to mind was whether my rule needs to be on
the Subscriber channel instead of the Publisher channel?
Since this 'Applying policy: %+C%14CFBS emp reset psswd%-C.' is also
running on the Subscriber channel?

I will try and disable most of the rules from the driver and check if
just this policy runs or not.

-ddgaikwad


--
ddgaikwad

Knowledge Partner

Re: Randomly reset the passwords for users:

ddgaikwad wrote:

> The other question that came to mind was that, if my rule needs to be on
> the Subscriber channel instead of Publisher channel?


If you're using the PWNotify driver and your code should be executed on a
scheduled basis: publisher. If it acts based on eDirectory events: subscriber.

Since you do not get an event when an account has not been used for XX days, I
would expect the code to reset their passwords to live on the publisher and
trigger off the ldapsearch results similar to the various notifications that
can be sent out.
______________________________________________
https://www.is4it.de/identity-access-management
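Added example (not code from this thread, from the PWNotify driver or from a DirXML policy): the check a scheduled "reset accounts idle for more than $AccountIdleDays$ days" rule has to make on each ldapsearch result, written as plain ECMAScript. Two things the traces above point at are handled here. First, the trace shows the condition comparing the GCV values themselves (the $LastLoginTimeAttr$ reference expanded to the attribute name 'lastLoginTime'), whereas the rule needs date arithmetic on the attribute's value for each user. Second, the earlier trace failed on an empty date string ("Couldn't convert date/time ''"), so an empty or malformed lastLoginTime is turned into an explicit skip rather than reaching a conversion. It assumes lastLoginTime is returned as LDAP generalized time (YYYYMMDDhhmmssZ); the GCV value, DNs and timestamps are constructed sample data, and only the run time is taken from the trace timestamp in this thread.

```javascript
// Added example, not the PWNotify driver's own code or a DirXML policy.
// It performs the "idle for more than $AccountIdleDays$ days" check on each
// ldapsearch result and treats an empty lastLoginTime as a skip, so that an
// empty string never reaches a date conversion (the trace in this thread
// failed on exactly that: "Couldn't convert date/time ''").
//
// Assumptions: lastLoginTime comes back as LDAP generalized time
// (YYYYMMDDhhmmssZ); the GCV value, the DNs and the login timestamps below
// are constructed sample data.

const ACCOUNT_IDLE_DAYS = 90;               // assumed value of the $AccountIdleDays$ GCV
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse LDAP generalized time into a Date. Returns null for an empty or
// malformed value instead of throwing, so callers can skip the entry.
function parseGeneralizedTime(value) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:[.,]\d+)?Z$/.exec(value || "");
  if (!m) return null;
  const [y, mo, d, h, mi, s] = m.slice(1, 7).map(Number);
  const t = Date.UTC(y, mo - 1, d, h, mi, s);
  return Number.isNaN(t) ? null : new Date(t);
}

// Decide what the rule should do with one account. Every decision carries a
// reason so a dry run can be reviewed before any password is actually reset.
function classifyAccount(entry, now) {
  const last = parseGeneralizedTime(entry.lastLoginTime);
  if (last === null) {
    return { dn: entry.dn, action: "skip", reason: "no usable lastLoginTime" };
  }
  const idleDays = Math.floor((now.getTime() - last.getTime()) / MS_PER_DAY);
  const action = idleDays > ACCOUNT_IDLE_DAYS ? "reset" : "skip";
  return { dn: entry.dn, action, reason: `idle ${idleDays} days` };
}

// Run the rule over a whole result set; `now` is injected so a run is
// reproducible (the driver would use its ThisRunTime for this).
function selectIdleAccounts(entries, now) {
  return entries.map((entry) => classifyAccount(entry, now));
}

// Constructed sample ldapsearch results (not from the thread's traces).
const SAMPLE_ENTRIES = [
  { dn: "cn=alice,ou=users,o=example",   lastLoginTime: "20140801090000Z" },
  { dn: "cn=bob,ou=users,o=example",     lastLoginTime: "20140301120000Z" },
  { dn: "cn=svc-new,ou=users,o=example", lastLoginTime: "" },   // never logged in
];
// Run time taken from the trace timestamp in this thread: 2014-08-13 05:53:45.
const SAMPLE_NOW = new Date(Date.UTC(2014, 7, 13, 5, 53, 45));

function demo() {
  return selectIdleAccounts(SAMPLE_ENTRIES, SAMPLE_NOW);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) console.log(`${r.action.padEnd(5)} ${r.dn} (${r.reason})`);
}
```

With the sample data, alice (idle 11 days) and the never-logged-in service account are skipped and only bob (idle 164 days) is selected for a reset. Keeping the skip reason for accounts without a usable lastLoginTime matters in practice: newly created accounts have no login history, and silently treating "" as "very old" is how a scheduled rule ends up resetting passwords for users it was never meant to touch.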
Anonymous_User

Re: Randomly reset the passwords for users:


Oh cool!

I have put my code on the PWNotify driver in the subscriber channel.
Well, the other thing happening is that, I am getting this following
error:
"Message: A password for "CN=admin,OU=Services,O=havigs" could not be
obtained. Make sure a Distribution Password is available and the driver
has rights to read it, or set the "LDAP Bind password" named password."

Not sure why, as I have already given this driver security equal to
admin user... am I missing some configuration here?
What exactly needs to be updated?

-ddgaikwad


--
ddgaikwad

Anonymous_User

Re: Randomly reset the passwords for users:

Does the admin user have a Universal Password set? Did you apply a policy
to that user somehow, and then set one?

As always, post the full trace; guessing gets old quickly, especially when
the answers are likely right there.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...