
Simple IDM eDir driver rule assistance needed


Greetings,

Hoping this is an easy question....

I'm using IDM 3.6.1 & need to create a simple rule that will send an
e-mail to a user if their Universal Password was reset administratively.
I've been trying to do this keying off the Password Expiration Time
value without any luck (Password Expiration Time is configured to expire
immediately if UP is reset by an admin). Is there possibly anything in
the operation besides Password Expiration Time that can be used to
discern an admin pwd reset from a user pwd reset (which pushes pwd expire
time out 60 days by policy)?

<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.15.5883">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify cached-time="20130405133328.586Z" class-name="User"
            event-id="server1#20130405133328#1#1"
            qualified-src-dn="O=company\OU=IDENTITIES\CN=user"
            src-dn="\TREE\company\IDENTITIES\user" src-entry-id="38287"
            timestamp="1365168808#15">
      <association state="associated">{865FC102-5C45-a544-0D9F-865FC1025C45}</association>
      <modify-attr attr-name="Password Expiration Time">
        <remove-value>
          <value timestamp="1365168699#12" type="time">1365168699</value>
        </remove-value>
        <add-value>
          <value timestamp="1365168808#12" type="time">1365168808</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="nspmDistributionPassword"><!-- content suppressed --></modify-attr>
    </modify>
  </input>
</nds>

*Regards,
Kerry Tholl*


--
ktholl

Re: Simple IDM eDir driver rule assistance needed

What have you tried so far, and how has it not worked? Using the password
expiration time is probably the best way I can think of to do this without
using something like Novell/NetIQ Sentinel to detect a password reset sent
via auditing functionality, which may be a slightly better way of handling
this, but is not necessarily related to IDM, and since you have IDM this
should work. All you should need to do is compare the expiration time and
see if it is within a few seconds of the present (or anytime in the past)
and then send the e-mail, but knowing what you have currently, and having
the trace from your attempts, will help us help you better.

Good luck.
Re: Simple IDM eDir driver rule assistance needed

On 09.04.2013 01:58, ab wrote:
> What have you tried so far, and how has it not worked? Using the password
> expiration time is probably the best way I can think of to do this without
> using something like Novell/NetIQ Sentinel to detect a password reset sent
> via auditing functionality, which may be a slightly better way of handling
> this, but is not necessarily related to IDM, and since you have IDM this
> should work. All you should need to do is compare the expiration time and
> see if it is within a few seconds of the present (or anytime in the past)
> and then send the e-mail, but knowing what you have currently, and having
> the trace from your attempts, will help us help you better.


This is what we have used (on IDM 3.6.1):

1. Password Expiration Time as Subscriber Notify in the driver filter.

2. The following policy.

<rule>
  <description>Password Expiration Detection</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="case" op="equal">modify</if-operation>
      <!-- only fire when a numeric Password Expiration Time value is being set -->
      <if-op-attr mode="regex" name="Password Expiration Time" op="changing-to">\d+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- currentTime = now + 1 second, as !CTIME (seconds since the epoch), UTC -->
    <do-set-local-variable name="currentTime" scope="policy">
      <arg-string>
        <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="1"
                            offset-unit="second" src-format="!CTIME" src-tz="UTC">
          <token-time format="!CTIME" tz="UTC"/>
        </token-convert-time>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <or>
          <!-- an admin reset expires the password immediately, i.e. at or before now -->
          <if-op-attr mode="numeric" name="Password Expiration Time" op="lt">$currentTime$</if-op-attr>
        </or>
      </arg-conditions>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">act on an admin password reset</token-text>
          </arg-string>
        </do-trace-message>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>

This policy could be improved, as Aaron suggests, to check that the
password expiration occurred sometime in the very recent past (rather
than just checking that the password expiration was set to a value in
the past) - that wouldn't be too hard to add in.

We used this rule to force accounts in other connected systems to
require password change on first logon when the administrator reset the
password in IDM.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.
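As an added example (not code from this thread or from IDM), the same decision carried out in Python over events modelled on the trace in the first post, including the "recent past" refinement Aaron suggested and Alex says could be added: the new Password Expiration Time is compared with the event's cached-time, and only a value at or shortly before "now" counts as an administrative reset, while a value pushed into the future (60 days under the poster's policy) is a user change. The sample events, window sizes and verdict names are constructed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed test events modelled on the trace in the first post (same cached-time
# and old expiration value); only the new Password Expiration Time varies.
EVENT_TEMPLATE = """<nds dtdversion="3.5" ndsversion="8.x"><input>
<modify cached-time="20130405133328.586Z" class-name="User" src-dn="\\TREE\\company\\IDENTITIES\\user">
<modify-attr attr-name="Password Expiration Time">
<remove-value><value type="time">1365168699</value></remove-value>
<add-value><value type="time">{new_exp}</value></add-value>
</modify-attr>
<modify-attr attr-name="nspmDistributionPassword"><!-- content suppressed --></modify-attr>
</modify></input></nds>"""

EVENT_NOW = 1365168808                                               # epoch of the trace's event
ADMIN_RESET = EVENT_TEMPLATE.format(new_exp=EVENT_NOW)               # expires immediately
USER_CHANGE = EVENT_TEMPLATE.format(new_exp=EVENT_NOW + 60 * 86400)  # policy: +60 days

def cached_time_epoch(value):
    """nds cached-time such as 20130405133328.586Z -> UTC epoch seconds."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return dt.timestamp()

def classify(nds_xml, recent_past=3600, slack=5):
    """Return (src-dn, verdict, delta) per User <modify>; delta = new expiration - event time.
    admin-reset: expiration at 'now' or within recent_past seconds before it;
    user-change: expiration pushed into the future; stale-past: an old past value."""
    verdicts = []
    for modify in ET.fromstring(nds_xml).iter("modify"):
        if modify.get("class-name") != "User":
            continue
        now = cached_time_epoch(modify.get("cached-time"))
        new_exp = None
        for attr in modify.findall("modify-attr"):
            if attr.get("attr-name") == "Password Expiration Time":
                val = attr.find("add-value/value")
                if val is not None and val.text and val.text.strip().isdigit():
                    new_exp = int(val.text.strip())          # !CTIME: seconds since epoch
        if new_exp is None:
            verdicts.append((modify.get("src-dn"), "no-expiration-change", None))
            continue
        delta = new_exp - now
        if -recent_past <= delta <= slack:
            verdict = "admin-reset"       # this is where the notification e-mail would go
        elif delta > slack:
            verdict = "user-change"
        else:
            verdict = "stale-past"
        verdicts.append((modify.get("src-dn"), verdict, delta))
    return verdicts
```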