jlmasmit

Reset password in edir-edir driver


Hi,

We have two eDirectory trees (metadirectory and production) and they're
connected with an edir-edir driver.

The metadirectory tree is authoritative for all the attributes
including the password and the driver is configured to reset when a
modification is made on the production tree.

Universal Password is up and configured with the same password policy.
It's configured to not repeat the last 30 passwords.

The driver is working ok except for the password synchronization:

- When a password change is made on the metadirectory it synchronizes
to the production tree.

- When a password change is made on the production tree it shows the
error: "DSERR_DUPLICATE_PASSWORD".

This error is due to the password history list because the driver is
configured to do a reset of the password. Is there any way to do this
reset without the "duplicate password" error?

The reset is made through a rule in a Command Transformation policy:

<policy>
  <rule name="sub-ctp-ResetPassword">
    <description>Reset Password</description>
    <conditions>
      <and>
        <if-op-attr name="nspmDistributionPassword" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- remember the password currently held in the destination (metadirectory) tree -->
      <do-set-local-variable name="pwd_old" scope="policy">
        <arg-string>
          <token-dest-attr name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
      <do-if>
        <arg-conditions>
          <and>
            <if-op-attr mode="case" name="nspmDistributionPassword" op="not-equal">$pwd_old$</if-op-attr>
          </and>
        </arg-conditions>
        <arg-actions>
          <!-- write the old value back to the source (production) tree -->
          <do-set-src-password>
            <arg-string>
              <token-local-variable name="pwd_old"/>
            </arg-string>
          </do-set-src-password>
        </arg-actions>
        <arg-actions/>
      </do-if>
      <!-- the production change itself never reaches the metadirectory -->
      <do-veto/>
    </actions>
  </rule>
</policy>

I have read that a solution is that the driver does not use the
Distribution Password but I don't know how to configure the driver to do
this.

Many thanks.


--
jlmasmit
------------------------------------------------------------------------
jlmasmit's Profile: http://forums.novell.com/member.php?userid=20336
View this thread: http://forums.novell.com/showthread.php?t=455101

Re: Reset password in edir-edir driver

On Wed, 25 Apr 2012 16:06:01 +0000, jlmasmit wrote:

> The metadirectory tree is authoritative for all the attributes including
> the password and the driver is configured to reset when a modification
> is made on the production tree.


Wouldn't it be easier to change the password policy to "user is allowed
to change password = no"?


> - When a password change is made on the production tree it shows the
> error: "DSERR_DUPLICATE_PASSWORD".

[-snip-]
> I have read that a solution is that the driver does not use the
> Distribution Password but I don't know how to configure the driver to do
> this.


I seem to recall it being nspmPassword but I could be wrong.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

Re: Reset password in edir-edir driver

On 4/25/2012 1:30 PM, David Gersic wrote:
> On Wed, 25 Apr 2012 16:06:01 +0000, jlmasmit wrote:
>
>> The metadirectory tree is authoritative for all the attributes including
>> the password and the driver is configured to reset when a modification
>> is made on the production tree.

>
> Wouldn't it be easier to change the password policy to "user is allowed
> to change password = no"?
>
>
>> - When a password change is made on the production tree it shows the
>> error: "DSERR_DUPLICATE_PASSWORD".

> [-snip-]
>> I have read that a solution is that the driver does not use the
>> Distribution Password but I don't know how to configure the driver to do
>> this.

>
> I seem to recall it being nspmPassword but I could be wrong.


The actual UP which the engine can read is nspmPassword (never tried
writing it direct). If you use Password Tunneling, you can tell the
vault not to sync DP to UP and then the UP in the Vault remains
untouched when a DP changes via another tree.

Then the password in AD changes, flows to the vault, as a DP change. So
UP in Vault is untouched but DP changes. Any other drivers that get
passwords via DP get the updated password. So it tunnels through the
vault without affecting the vault.


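To make the two flows in this thread concrete, here is an added Python model (not code from the thread, from Novell/NetIQ or from any IDM driver) of why the posted reset rule trips the "do not repeat the last 30 passwords" check while tunneling does not. The Tree class, the 30-entry history, the sample passwords and the one-line treatment of UP/DP are all simplifications constructed for illustration.

```python
from collections import deque
HISTORY_DEPTH = 30  # policy from the thread: do not repeat the last 30 passwords


class DuplicatePasswordError(Exception):
    """Stands in for eDirectory's DSERR_DUPLICATE_PASSWORD."""


class Tree:
    """Constructed model of a tree with a Universal Password (UP), a Distribution
    Password (DP) and the UP history checked by the 'do not repeat' policy."""
    def __init__(self, name, initial_pw):
        self.name = name
        self.password = initial_pw               # UP
        self.distribution_password = initial_pw  # DP
        self.history = deque([initial_pw], maxlen=HISTORY_DEPTH)

    def set_password(self, new_pw):
        # The current UP is part of the history, so writing back the value
        # in force before a change is itself a duplicate.
        if new_pw in self.history:
            raise DuplicatePasswordError(f"{self.name}: value already in history")
        self.password = new_pw
        self.history.append(new_pw)


def reset_policy(vault, prod, new_pw):
    """Posted sub-ctp-ResetPassword rule: a user changes the password in
    production and the driver writes the vault's value back."""
    prod.set_password(new_pw)
    if new_pw != vault.password:
        prod.set_password(vault.password)  # collides with production's history
    return vault.password, prod.password


def tunnel_policy(vault, prod, new_pw):
    """Password Tunneling as in the last reply: the vault takes the change
    as DP only, its UP stays untouched and nothing is written back."""
    prod.set_password(new_pw)
    vault.distribution_password = new_pw  # other drivers read DP
    return vault.password, vault.distribution_password, prod.password


def demo():
    """Run both flows from the same constructed starting state."""
    results = {}
    vault, prod = Tree("vault", "Winter2011"), Tree("production", "Winter2011")
    try:
        reset_policy(vault, prod, "Spring2012")
        results["reset"] = "ok"
    except DuplicatePasswordError:
        results["reset"] = "DSERR_DUPLICATE_PASSWORD"
    vault, prod = Tree("vault", "Winter2011"), Tree("production", "Winter2011")
    results["tunnel"] = tunnel_policy(vault, prod, "Spring2012")
    return results
```

demo() reports the reset flow ending in the duplicate-password error and the tunnel flow leaving the vault UP at its old value while DP carries the new one.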