Commander

User must change password at next logon

In our dev environment we have created a workflow which is used for creating users in eDir and automatically provisioning those users into AD using the AD driver. With this workflow we are able to create users with a default password in eDir and automatically provision them into AD as well. But we want to enable the "User must change password at next logon" option in AD through this workflow, which is currently not happening. In the AD filter we have added the attribute pwdLastSet. The following components are installed in our dev environment:

1. IDM = 4.7
2. AD Driver = 4.1
Knowledge Partner

Is it safe to assume you plan on having your users login the first time,
and then change passwords, from microsoft active directory (MAD)? If not,
then is there another reason you want to expire the first password?

Besides adding that attribute to the filter have you also sent a value to
it, specifically a zero (0) as I recall? You can verify that microsoft
active directory (MAD) responds appropriately to this attribute value by
doing a create with an LDAP tool like Apache Directory Studio; if that
works, then you should also be able to do the same with IDM. Be sure the
policy which sets this ONLY activates when doing the new user create, of course.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Commander

I've written two policies, one in the Publisher channel and another one in the Subscriber channel.

**Policy defined in Publisher Channel**

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201807041547\DTD\dirxmlscript4.7.dtd">
<policy>
	<rule>
		<description>Create Password Expiration Time if appropriate</description>
		<conditions>
			<and>
				<if-op-attr mode="numeric" name="pwdLastSet" op="changing-to">0</if-op-attr>
			</and>
		</conditions>
		<actions>
			<do-set-dest-attr-value name="Password Expiration Time">
				<arg-value type="int">
					<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">946710000</token-text>
				</arg-value>
			</do-set-dest-attr-value>
		</actions>
	</rule>
	<rule>
		<description>Clear Password Expiration Time if Appropriate</description>
		<conditions>
			<and>
				<if-op-attr mode="numeric" name="pwdLastSet" op="changing-from">0</if-op-attr>
			</and>
			<and>
				<if-op-attr name="pwdLastSet" op="changing"/>
				<if-op-attr mode="numeric" name="pwdLastSet" op="not-changing-to">0</if-op-attr>
			</and>
		</conditions>
		<actions>
			<do-clear-dest-attr-value name="Password Expiration Time"/>
		</actions>
	</rule>
</policy>
```

**Policy defined in Subscriber Channel**

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201807041547\DTD\dirxmlscript4.7.dtd">
<policy xmlns:jcal="http://www.novell.com/nxsl/java/java.util.Calendar">
	<rule>
		<description>Store 'Password Expiration Time' in local variable</description>
		<conditions>
			<and>
				<if-class-name op="equal">User</if-class-name>
				<if-op-attr name="Password Expiration Time" op="available"/>
				<if-op-attr name="nspmDistributionPassword" op="changing"/>
			</and>
		</conditions>
		<actions>
			<do-set-local-variable name="PASS-EXP-TIME">
				<arg-string>
					<token-op-attr name="Password Expiration Time"/>
				</arg-string>
			</do-set-local-variable>
			<do-set-local-variable name="cal-obj">
				<arg-object>
					<token-xpath expression="jcal:getInstance()"/>
				</arg-object>
			</do-set-local-variable>
			<do-set-local-variable name="CURRENT-TIME">
				<arg-string>
					<token-xpath expression="floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)"/>
				</arg-string>
			</do-set-local-variable>
		</actions>
	</rule>
	<rule>
		<description>Remove 'Password Expiration Time' if in future</description>
		<conditions>
			<and>
				<if-local-variable name="CURRENT-TIME" op="available"/>
				<if-local-variable name="PASS-EXP-TIME" op="available"/>
				<if-xpath op="true">$CURRENT-TIME>$PASS-EXP-TIME</if-xpath>
			</and>
		</conditions>
		<actions>
			<do-set-dest-attr-value name="pwdLastSet" when="after">
				<arg-value type="int">
					<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">0</token-text>
				</arg-value>
			</do-set-dest-attr-value>
		</actions>
	</rule>
</policy>
```

With these policy settings I am unable to set the option in AD. Is there anything wrong in this policy?
Knowledge Partner

I think we will definitely need a trace, but a couple of things come to mind.

First, depending on where the policy is defined in the Subscriber channel,
the conditions may or may not match the event, but the trace should show
us for sure. Traces should be written directly from the driver config
object to a file specific to that driver object with at least trace level
three (3).

--
Good luck.

Commodore

In case you haven't resolved your issue yet.

I was looking for a similar process (when setting a password via iManager, have the "User must change password on first logon" option set). The policy that we came up with seems to be working on creating accounts too. We have not put this into our live environment yet.

Subscriber Output Policy

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy xmlns:jcal="http://www.novell.com/nxsl/java/java.util.Calendar">
	<rule>
		<description>Store 'Password Expiration Time' in local variable</description>
		<conditions>
			<and>
				<if-class-name op="equal">User</if-class-name>
				<if-op-attr name="Password Expiration Time" op="available"/>
				<if-operation op="equal">modify</if-operation>
			</and>
		</conditions>
		<actions>
			<do-set-local-variable name="PASS-EXP-TIME">
				<arg-string>
					<token-op-attr name="Password Expiration Time"/>
				</arg-string>
			</do-set-local-variable>
			<do-set-local-variable name="cal-obj">
				<arg-object>
					<token-xpath expression="jcal:getInstance()"/>
				</arg-object>
			</do-set-local-variable>
			<do-set-local-variable name="CURRENT-TIME">
				<arg-string>
					<token-xpath expression="floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)"/>
				</arg-string>
			</do-set-local-variable>
		</actions>
	</rule>
	<rule>
		<description>Set 'User must change password at next logon'</description>
		<conditions>
			<and>
				<if-local-variable name="CURRENT-TIME" op="available"/>
				<if-local-variable name="PASS-EXP-TIME" op="available"/>
				<if-xpath op="true">$CURRENT-TIME>$PASS-EXP-TIME</if-xpath>
			</and>
		</conditions>
		<actions>
			<do-set-dest-attr-value name="pwdLastSet" when="after">
				<arg-value type="int">
					<token-text xml:space="preserve">0</token-text>
				</arg-value>
			</do-set-dest-attr-value>
		</actions>
	</rule>
</policy>
```

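As an added illustration (my own, not code from the thread or from the AD driver's shipped policies), here is a Python model of the Subscriber rules in the two policies posted above, showing which events would actually get pwdLastSet=0 under each poster's trigger condition; the event dicts and the timestamp are constructed.

```python
import math

# eDir 'Password Expiration Time' is seconds since the Unix epoch. 946710000
# (2000-01-01, already past) is the value the Publisher rule posted earlier
# writes into eDir when AD reports pwdLastSet = 0.
EXPIRED_MARKER = 946710000
ONE_DAY = 86400


def current_time_plus_day(now_ms):
    """Mirror of floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)."""
    return math.floor(now_ms * 0.001 + ONE_DAY)


def subscriber_pwdlastset(event, now_ms, trigger="password"):
    """Return 0 if the posted rules would add pwdLastSet=0 to the AD command,
    else None. event is a constructed dict: 'class', 'operation', 'attrs'
    (op-attrs present in the XDS event). trigger 'password' = the first post's
    nspmDistributionPassword-changing condition; 'modify' = the Commodore's
    <if-operation op="equal">modify</if-operation> condition."""
    attrs = event["attrs"]
    if event["class"] != "User":                    # if-class-name op="equal"
        return None
    if "Password Expiration Time" not in attrs:     # if-op-attr op="available"
        return None                                 # PASS-EXP-TIME is never set
    if trigger == "password" and "nspmDistributionPassword" not in attrs:
        return None
    if trigger == "modify" and event["operation"] != "modify":
        return None
    # XPath 1.0 '>' with two non-node-set operands compares them as numbers.
    if current_time_plus_day(now_ms) > int(attrs["Password Expiration Time"]):
        return 0
    return None


# Constructed sample events (not from a real driver trace).
NOW_MS = 1_700_000_000_000
SAMPLE_EVENTS = {
    "add without Password Expiration Time": {
        "class": "User", "operation": "add",
        "attrs": {"nspmDistributionPassword": "Secret1!"}},
    "add with expiration already past": {
        "class": "User", "operation": "add",
        "attrs": {"nspmDistributionPassword": "Secret1!",
                  "Password Expiration Time": str(EXPIRED_MARKER)}},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        for trig in ("password", "modify"):
            print(f"{name:40} [{trig}] -> {subscriber_pwdlastset(ev, NOW_MS, trig)}")
```

An add event that carries no Password Expiration Time never sets PASS-EXP-TIME, so neither variant emits pwdLastSet=0 for it; the trace the Knowledge Partner asked for would show whether the create event in the dev environment carries that attribute.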
Lieutenant Commander

Hello,

The account sync process between IDM and the backend LDAP does not work as expected. When IDM pushes an update onto a record making it active/inactive, a custom attribute is getting populated. I need to know where and how that is being handled in IDM.

userAPP / designer / iManager ???

Inputs appreciated !

Sri

Knowledge Partner

Tagging onto an existing and unrelated thread is not likely to get you the response you want. Try a new thread, or see my response on a previous unrelated thread where you asked the same question, and start a new thread with the info I asked for there.
