How to synchronize only the 'Password Expiration Time' when the password is changed by admin

(Last modified: 23Jun2006)

This document (10098559) is provided subject to the disclaimer at the end of this document.

goal

How to synchronize only the 'Password Expiration Time' when the password is changed by admin

In cases where the password policies are not the same in both eDirectory trees, it is desirable that only the 'Password Expiration Time' attribute synchronizes when the admin (or equivalent) changes the password (the password would otherwise be expired immediately if allowed to synchronize). In contrast, if the user changes the password, synchronize the password, block the 'Password Expiration Time', and allow the local password policy to set the 'Password Expiration Time' value.

fact

Nsure Identity Manager 2.0

Novell NDS to NDS Driver

fix

Below is a policy that will allow only the 'Password Expiration Time' attribute to synchronize when the admin changes the password. This prevents the 'Password Expiration Time' from being set to the current time for the user. If the user changes the password, it is best to synchronize the change and block the 'Password Expiration Time' so that the destination tree's password policy determines the future expiration time. The Nsure IDM (Identity Manager) policy rules shown below assume that the password policy on the destination tree is configured to expire a user password at least 24 hours beyond the current password change time.

This policy does the following:

- Checks the document to see if the 'Password Expiration Time' is being modified with a <modify-password> event
- Saves the 'Password Expiration Time' in a local variable (PASS-EXP-TIME)
- Saves the current time plus 24 hours (to account for time sync differences) in a local variable (CURRENT-TIME)
- Checks to see if both times were saved
- Checks if the PASS-EXP-TIME > CURRENT-TIME and strips 'Password Expiration Time' attribute if true

NOTE: For this policy to work properly, the policy listed in the latest IDM 2.0.x engine patch, which is currently idm201ir4.tgz.

<?xml version="1.0" encoding="UTF-8"?><policy xmlns:jcal="http://www.novell.com/nxsl/java/java.util.Calendar">
 <rule>
  <description>Store 'Password Expiration Time' in local variable</description>
  <conditions>
   <and>
    <if-class-name op="equal">User</if-class-name>
    <if-op-attr name="Password Expiration Time" op="available"/>
    <if-xpath op="true">//modify-password</if-xpath>
   </and>
  </conditions>
  <actions>
   <do-set-local-variable name="PASS-EXP-TIME">
    <arg-string>
     <token-op-attr name="Password Expiration Time"/>
    </arg-string>
   </do-set-local-variable>
   <do-set-local-variable name="cal-obj">
    <arg-object>
     <token-xpath expression="jcal:getInstance()"/>
    </arg-object>
   </do-set-local-variable>
   <do-set-local-variable name="CURRENT-TIME">
    <arg-string>
     <token-xpath expression="floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)"/>
    </arg-string>
   </do-set-local-variable>
  </actions>
 </rule>
 <rule>
  <description>Remove 'Password Expiration Time' if in future</description>
  <conditions>
   <and>
    <if-local-variable name="CURRENT-TIME" op="available"/>
    <if-local-variable name="PASS-EXP-TIME" op="available"/>
    <if-xpath op="true">$CURRENT-TIME&lt;$PASS-EXP-TIME</if-xpath>
   </and>
  </conditions>
  <actions>
   <do-strip-op-attr name="Password Expiration Time"/>
  </actions>
 </rule>
</policy>
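The following is an added simulation of the two rules above (it is not part of the original TID or the driver): it parses a constructed sample XDS publisher document, applies the same conditions (User class, 'Password Expiration Time' present, a <modify-password> in the document, expiration later than now plus 24 hours) and strips the attribute exactly as do-strip-op-attr would. The element layout and the helper names make_doc and apply_policy are assumptions for illustration.

```python
"""Simulate the TID's two DirXML-Script rules on a constructed XDS document."""
import time
import xml.etree.ElementTree as ET

DAY = 86400  # the policy adds 24 hours to "now" to absorb time-sync skew

def make_doc(exp_time):
    """Constructed sample publisher document (not a real driver trace):
    a <modify> carrying 'Password Expiration Time' plus the <modify-password>."""
    return f"""<nds dtdversion="2.0"><input>
 <modify class-name="User" src-dn="\\TREE\\org\\jdoe" event-id="1">
  <modify-attr attr-name="Password Expiration Time">
   <remove-all-values/>
   <add-value><value type="time">{exp_time}</value></add-value>
  </modify-attr>
 </modify>
 <modify-password class-name="User" src-dn="\\TREE\\org\\jdoe">
  <password>constructed-placeholder</password>
 </modify-password>
</input></nds>"""

def apply_policy(xds, now=None):
    """Return (document after the policy, True if the attribute was stripped)."""
    now = int(time.time()) if now is None else now
    root = ET.fromstring(xds)
    for op in root.iter("modify"):                       # rule 1 conditions
        if op.get("class-name") != "User":
            continue
        attr = op.find("modify-attr[@attr-name='Password Expiration Time']")
        if attr is None or root.find(".//modify-password") is None:
            continue
        pass_exp_time = int(attr.findtext(".//value"))   # seconds since epoch
        current_time = now + DAY                         # floor(ms*0.001)+86400
        # rule 2: an expiration later than now+24h means the user changed the
        # password, so strip it and let the destination policy decide; an
        # admin change (expiration = now) is left in place and synchronizes
        if current_time < pass_exp_time:
            op.remove(attr)                              # do-strip-op-attr
            return ET.tostring(root, encoding="unicode"), True
    return ET.tostring(root, encoding="unicode"), False

if __name__ == "__main__":
    now = int(time.time())
    print(apply_policy(make_doc(now + 90 * DAY), now)[1])  # user change: True
    print(apply_policy(make_doc(now), now)[1])             # admin change: False
```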
 
This policy needs to be the first policy evaluated on the destination tree's publisher channel (Publisher Input Transformation (PIT)). To add this policy:
 
- Go to the driver overview screen
- Click on the PIT (Publisher Input Transformation) Policy Set object.
- Click Insert
- Enter a name for the policy
- Click OK
- Click 'Edit XML'
- Check the 'Enable XML editing' check box
- Paste the policy above into the Editor replacing the text that is currently there
- Click 'DirXML Policy' to validate the policy (Click OK to restart the driver)
- Click OK and Close
- If you didn't restart the driver, restart it now.

NOTE: Remember that this policy cannot be applied to a DirXML 1.1a system unless it is rewritten in XSLT, since the policy language used above (known as DirXML-Script) was not implemented until the first release of Nsure IDM 2.0.


document

Document Title: How to synchronize only the 'Password Expiration Time' when the password is changed by admin
Document ID: 10098559
Solution ID: NOVL103064
Creation Date: 09Aug2005
Modified Date: 23Jun2006
Novell Product Class: DirXML

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.