Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
tirthankar1984
Commander
Commander
‎2018-08-03 09:24
1366 views

User must change password at next logon

In our dev environment we have created a workflow, which is used for creating users in eDir and automatically provisioned that users in AD using AD driver. With this workflow we are able to create users with a default password in eDir and automatically provisioned into AD also. But we want to enable the "User must change password at next logon" option in AD by this workflow, currently which is not happening. In the AD filter we have added the attribute pwdLastSet. Following components are installed in our dev environment 1> IDM = 4.7 2> AD Driver = 4.1.
Labels (1)
Labels
0 Likes
Reply
Report Inappropriate Content
6 Replies
aburgemeister
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2018-08-03 13:14

Is it safe to assume you plan on having your users login the first time,
and then change passwords, from microsoft active directory (MAD)? If not,
then is there another reason you want to expire the first password?

Besides adding that attribute to the filter have you also sent a value to
it, specifically a zero (0) as I recall? You can verify that microsoft
active directory (MAD) responds appropriately to this attribute value by
doing a create with an LDAP tool like Apache Directory Studio; if that
works, then you should also be able to do the same with IDM. Be sure the
policy which sets this ONLY actives when doing the new user create, of course.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
Reply
Report Inappropriate Content
tirthankar1984
Commander
Commander
‎2018-08-06 13:46

I've written two policy one in publisher and another one in subscriber channel

**Policy defined in Publisher Channel**

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201807041547\DTD\dirxmlscript4.7.dtd"><policy>
<rule>
<description>Create Password Expiration Time if appropriate</description>
<conditions>
<and>
<if-op-attr mode="numeric" name="pwdLastSet" op="changing-to">0</if-op-attr>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="Password Expiration Time">
<arg-value type="int">
<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">946710000</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule>
<description>Clear Password Expiration Time if Appropriate</description>
<conditions>
<and>
<if-op-attr mode="numeric" name="pwdLastSet" op="changing-from">0</if-op-attr>
</and>
<and>
<if-op-attr name="pwdLastSet" op="changing"/>
<if-op-attr mode="numeric" name="pwdLastSet" op="not-changing-to">0</if-op-attr>
</and>
</conditions>
<actions>
<do-clear-dest-attr-value name="Password Expiration Time"/>
</actions>
</rule>
</policy>

**Policy defined in Subscriber Channel**

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201807041547\DTD\dirxmlscript4.7.dtd"><policy xmlns:jcal="http://www.novell.com/nxsl/java/java.util.Calendar">
<rule>
<description>Store 'Password Expiration Time' in local variable</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
<if-op-attr name="Password Expiration Time" op="available"/>
<if-op-attr name="nspmDistributionPassword" op="changing"/>
</and>
</conditions>
<actions>
<do-set-local-variable name="PASS-EXP-TIME">
<arg-string>
<token-op-attr name="Password Expiration Time"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="cal-obj">
<arg-object>
<token-xpath expression="jcal:getInstance()"/>
</arg-object>
</do-set-local-variable>
<do-set-local-variable name="CURRENT-TIME">
<arg-string>
<token-xpath expression="floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
<rule>
<description>Remove 'Password Expiration Time' if in future</description>
<conditions>
<and>
<if-local-variable name="CURRENT-TIME" op="available"/>
<if-local-variable name="PASS-EXP-TIME" op="available"/>
<if-xpath op="true">$CURRENT-TIME>$PASS-EXP-TIME</if-xpath>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="pwdLastSet" when="after">
<arg-value type="int">
<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">0</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
</policy>

With this policy settings unable to set the option in AD. Anything wrong in this policy?
0 Likes
Reply
Report Inappropriate Content
aburgemeister
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2018-08-08 01:25

I think we will definitely need a trace, but a couple things come to mind.

First, depending on where the policy is defined in the Subscriber channel,
the conditions may or may not match the event, but the trace should show
us for sure. Traces should be written directly from the driver config
object to a file specific to that driver object with at least trace level
three (3).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
Reply
Report Inappropriate Content
grahamch
Commodore
Commodore
‎2020-01-22 20:31

In case you haven't resolved your issue yet.

I was looking for a similar process (when set a password via iManager, have the User must change password on first logon set).  The policy that we came up with seems to be working on creating accounts too.  We have not put this into our live environment yet.

Subscriber Output Policy

<?xml version="1.0" encoding="UTF-8"?><policy xmlns:jcal="http://www.novell.com/nxsl/java/java.util.Calendar">
	<rule>
		<description>Store 'Password Expiration Time' in local variable</description>
		<conditions>
			<and>
				<if-class-name op="equal">User</if-class-name>
				<if-op-attr name="Password Expiration Time" op="available"/>
				<if-operation op="equal">modify</if-operation>
			</and>
		</conditions>
		<actions>
			<do-set-local-variable name="PASS-EXP-TIME">
				<arg-string>
					<token-op-attr name="Password Expiration Time"/>
				</arg-string>
			</do-set-local-variable>
			<do-set-local-variable name="cal-obj">
				<arg-object>
					<token-xpath expression="jcal:getInstance()"/>
				</arg-object>
			</do-set-local-variable>
			<do-set-local-variable name="CURRENT-TIME">
				<arg-string>
					<token-xpath expression="floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)"/>
				</arg-string>
			</do-set-local-variable>
		</actions>
	</rule>
	<rule>
		<description>Set 'User must change password at next logon'</description>
		<conditions>
			<and>
				<if-local-variable name="CURRENT-TIME" op="available"/>
				<if-local-variable name="PASS-EXP-TIME" op="available"/>
				<if-xpath op="true">$CURRENT-TIME>$PASS-EXP-TIME</if-xpath>
			</and>
		</conditions>
		<actions>
			<do-set-dest-attr-value name="pwdLastSet" when="after">
				<arg-value type="int">
					<token-text xml:space="preserve">0</token-text>
				</arg-value>
			</do-set-dest-attr-value>
		</actions>
	</rule>
</policy>

 

0 Likes
Reply
Report Inappropriate Content
sri4netiq
Lieutenant Commander Lieutenant Commander
Lieutenant Commander
‎2020-01-27 19:56

Hello,

Account sync process among IDM and backend LDAP do not work as expected. When IDM pushes and update onto a record making it active / in-active a custom attribute is getting populated. Need to know where and how that being handled in IDM. 

userAPP / designer / iManager ???

Inputs appreciated !

Sri

0 Likes
Reply
Report Inappropriate Content
geoffc
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2020-01-28 15:25

Tagging onto an existing and unrelated thread is not likely to get you the response you want. Try a new thread or see my response on a previous unrelated thread where you asked the same queston and start anew thread with the info I asked for there..

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.