Sarbanes-Oxley audit requirements may call for one or more people to be notified whenever a user account is disabled. In Identity Manager this can be done with a Loopback driver, or with any existing driver that can see changes to the "Login Disabled" attribute.
If "Login Disabled" is not already in the driver's filter, add it with iManager. Assuming the driver is processing the account-disabled event coming from eDirectory, set the attribute to "Notify" on the Subscriber channel and "Ignore" on the Publisher channel: "Notify" passes the change to the Subscriber policies without writing it to the connected application. If the attribute is already in the filter and is being synchronized, leave the filter setting alone; changing "Synchronize" to "Notify" would stop the disable from reaching the connected system.
When that event arrives and the account is disabled (Login Disabled changes to true), we want to send an e-mail to one or more people. Sending it to a regular or dummy mailbox that another administrator controls lets that administrator decide who actually receives the notification without touching the driver configuration. The following rule was added to a new policy at the beginning of the Subscriber Command Transformation policy set of an Active Directory driver:
<?xml version="1.0" encoding="UTF-8"?><policy>
  <rule>
    <description>Email On Disabled User</description>
    <conditions><and>
      <if-op-attr name="Login Disabled" op="changing-to">true</if-op-attr>
    </and></conditions>
    <actions>
      <do-send-email id="emailAuthIDHere@somewhere.tld" password="putRealPasswordHere" server="mail.somewhere.tld">
        <arg-string name="to"><token-text xml:space="preserve">destinationAccountHere@somewhere.tld</token-text></arg-string>
        <arg-string name="to"><token-text xml:space="preserve">someUser@somewhere.tld</token-text></arg-string>
        <arg-string name="subject"><token-text xml:space="preserve">Disabled User Notification</token-text></arg-string>
        <arg-string name="message"><token-text xml:space="preserve">A user has been disabled. The username is </token-text><token-src-name/><!-- token-src-name (the object's CN) is assumed here; the end of the message argument was cut off in the posting --></arg-string>
      </do-send-email>
    </actions>
  </rule>
</policy>
Depending on your e-mail server's settings, you may need to authenticate with a valid e-mail address and password (the id and password attributes of the action); some servers accept unauthenticated relay from the IDM server, in which case neither is needed. Be aware that the password is stored in cleartext in the policy XML and is readable by anyone who can read the policy object, so use a dedicated mail account with no other rights, and prefer a named password where your Identity Manager release lets this action reference one. To send to multiple recipients, add multiple "to" argument strings as the example does. Other argument strings, such as reply-to, cc and from, can be added the same way. The message is currently set to include only the CN of the disabled user.
If there are duplicate CNs in different contexts, use the source DN instead of the source name in the message so it is clear which object was disabled. The rest of the message can be customized as needed.
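As an added illustration (not code from the original article or from Novell), the following Python emulates how the rule's "Login Disabled changing-to true" condition is evaluated against the XDS events the engine hands the driver, and shows why the CN-only message is ambiguous when two users share a CN. The tree name, container names, event-ids and the user DNs are constructed placeholders; the assumption that changing-to also matches an add event that already carries the value is marked in the code.

```python
"""Emulate the rule's condition against constructed XDS events and compare the
CN-only message with a full-DN message (added example, not the article's code)."""
import xml.etree.ElementTree as ET


def _modify_event(src_dn, attr, value, vtype="state"):
    """Constructed XDS <modify> document in the shape eDirectory hands the
    driver; the tree name, containers and event-id are placeholders."""
    return f"""<nds dtdversion="3.5"><input>
  <modify class-name="User" event-id="ev-sample" src-dn="{src_dn}">
    <modify-attr attr-name="{attr}">
      <remove-all-values/>
      <add-value><value type="{vtype}">{value}</value></add-value>
    </modify-attr>
  </modify>
</input></nds>"""


# Same CN "jdoe" in two different containers, plus a re-enable and an unrelated change.
DISABLE_HR_JDOE = _modify_event(r"\TREE\data\hr\jdoe", "Login Disabled", "true")
DISABLE_IT_JDOE = _modify_event(r"\TREE\data\it\jdoe", "Login Disabled", "true")
ENABLE_HR_JDOE = _modify_event(r"\TREE\data\hr\jdoe", "Login Disabled", "false")
TITLE_CHANGE = _modify_event(r"\TREE\data\hr\jdoe", "Title", "Auditor", vtype="string")

# An account created already disabled (constructed). Assumption: changing-to
# matches an add event's value as well as a modify's add-value.
ADD_DISABLED = """<nds dtdversion="3.5"><input>
  <add class-name="User" event-id="ev-add" src-dn="\\TREE\\data\\hr\\asmith">
    <add-attr attr-name="CN"><value type="string">asmith</value></add-attr>
    <add-attr attr-name="Login Disabled"><value type="state">true</value></add-attr>
  </add>
</input></nds>"""


def _operation(event_xml):
    """The single operation element (<modify>, <add>, ...) inside <input>."""
    return ET.fromstring(event_xml).find("./input/*")


def op_attr_changing_to(event_xml, attr, value):
    """Emulates <if-op-attr name="attr" op="changing-to">value</if-op-attr>:
    true when the operation sets `attr` to `value` (case-insensitive)."""
    op = _operation(event_xml)
    if op is None:
        return False
    if op.tag == "modify":
        values = op.findall(f"./modify-attr[@attr-name='{attr}']/add-value/value")
    elif op.tag == "add":
        values = op.findall(f"./add-attr[@attr-name='{attr}']/value")
    else:
        return False
    return any((v.text or "").strip().lower() == value.lower() for v in values)


def notification(event_xml, full_dn=True):
    """Returns (subject, body) when the rule fires, else None. full_dn=False
    reproduces the CN-only message (what token-src-name yields); full_dn=True
    uses the source DN so two users with the same CN stay distinguishable."""
    if not op_attr_changing_to(event_xml, "Login Disabled", "true"):
        return None
    src_dn = _operation(event_xml).get("src-dn", "")
    name = src_dn if full_dn else src_dn.rsplit("\\", 1)[-1]
    return ("Disabled User Notification", "A user has been disabled. The username is " + name)


if __name__ == "__main__":
    for label, ev in [("hr", DISABLE_HR_JDOE), ("it", DISABLE_IT_JDOE), ("enable", ENABLE_HR_JDOE)]:
        print(label, notification(ev, full_dn=False), notification(ev))
```

With full_dn=False the two "jdoe" events produce identical messages; with the source DN they do not, which is the duplicate-CN problem the paragraph above describes.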
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.