Checking Synchronization between eDirectory Trees


Problem

A Forum reader recently asked:

"I'm using the eDir to eDir driver. Does anyone have a good method for checking whether passwords are indeed synchronized between eDirectory trees? I can check my user account by simply logging in to both trees, but what about the remaining 150K users being sync'd? Has anyone done this on a mass scale?"

And here's the response from Jeff Johnson ...

Solution

I wrote something that does this. It entails setting an attribute on a user - or a zillion users via an LDAP script. Then an IDM policy looks for a changed attribute and reads src/dest passwords and compares them. It writes out the results to an attribute you can query later. For instance, setting "jeffpasswordsynccheck" to "checkreq" via LDAP will start the process. You should be able to follow the rest.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "/home/jeff/designer/eclipse/plugins/com.novell.designer.idm.policybuilder_2.0.0.200706011128/DTD/dirxmlscript.dtd">
<policy>
  <!-- Rule 1: stop here unless jeffPasswordSyncCheck is being set to "checkreq" (case-insensitive). -->
  <rule>
    <description>Veto If Needed</description>
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="jeffPasswordSyncCheck" op="not-changing-to">checkreq</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-break/>
    </actions>
  </rule>
  <!-- Rule 2: read the distribution password from the source and destination trees into local
       variables. The user must already be associated, otherwise there is no destination object to read. -->
  <rule>
    <description>Read Passwords</description>
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="jeffPasswordSyncCheck" op="changing-to">checkreq</if-op-attr>
        <if-association op="associated"/>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="srcpw">
        <arg-string>
          <token-src-attr class-name="User" name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="destpw">
        <arg-string>
          <token-dest-attr class-name="User" name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <!-- Rule 3: passwords match, record the result on the source object and stop. -->
  <rule>
    <description>Compare Passwords True</description>
    <conditions>
      <and>
        <if-local-variable name="srcpw" op="available"/>
        <if-xpath op="true">$srcpw=$destpw</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-add-src-attr-value class-name="User" name="jeffPasswordSync">
        <arg-value>
          <token-text xml:space="preserve">LDAP System is Synchronized</token-text>
        </arg-value>
      </do-add-src-attr-value>
      <do-break/>
    </actions>
  </rule>
  <!-- Rule 4: passwords differ, record that on the source object. Last rule, so no break is needed. -->
  <rule>
    <description>Compare Passwords False</description>
    <conditions>
      <and>
        <if-local-variable name="srcpw" op="available"/>
        <if-xpath op="not-true">$srcpw=$destpw</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-add-src-attr-value class-name="User" name="jeffPasswordSync">
        <arg-value>
          <token-text xml:space="preserve">LDAP System is NOT Synchronized</token-text>
        </arg-value>
      </do-add-src-attr-value>
    </actions>
  </rule>
</policy>
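The LDAP side of the procedure above (setting the trigger on many users, then querying the result attribute) is left to the reader. The following script is an added example, not part of the original article or of Jeff's policy: it writes the LDIF that an ldapmodify run would feed to the source tree to start the check for a list of users, and it tallies an ldapsearch LDIF export of jeffPasswordSync afterwards. Attribute names and result strings are the ones the policy uses; the DNs and the sample search output are constructed. It assumes both custom attributes exist in the schema and are in the driver filter, which the policy requires but the article does not spell out. Because the policy adds a value rather than replacing one, a user checked twice can carry both result strings, so the generated LDIF clears jeffPasswordSync in the same modify operation and the tally reports such users as ambiguous rather than guessing.

```python
"""Mass trigger and result tally for the eDir-to-eDir password check policy.

Added example; the DNs and sample ldapsearch output below are constructed.
"""
import base64

TRIGGER_ATTR = "jeffPasswordSyncCheck"   # set to "checkreq" to start the check
TRIGGER_VALUE = "checkreq"
RESULT_ATTR = "jeffPasswordSync"         # written by the policy on the source object
SYNCED = "LDAP System is Synchronized"
NOT_SYNCED = "LDAP System is NOT Synchronized"


def trigger_ldif(dns):
    """Return LDIF for ldapmodify that starts the check for every DN given.

    Each record is one modify operation: it removes any earlier jeffPasswordSync
    values (replace with no values) and sets the trigger. Both changes arrive in
    a single event, in which jeffPasswordSyncCheck is changing to "checkreq", so
    the policy's first rule lets it through.
    """
    records = []
    for dn in dns:
        records.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            f"replace: {RESULT_ATTR}\n"
            "-\n"
            f"replace: {TRIGGER_ATTR}\n"
            f"{TRIGGER_ATTR}: {TRIGGER_VALUE}\n"
            "-\n"
        )
    return "\n".join(records)


def parse_ldif_entries(text):
    """Minimal parser for ldapsearch LDIF output.

    Handles folded lines (leading space continues the previous line), comment
    lines, and base64 values ("attr:: ..."). Attribute names are lower-cased
    because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if current is None:
            current = {"dn": None}
        if name == "dn":
            current["dn"] = value
        else:
            current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def tally(entries):
    """Group DNs by check outcome.

    "pending" covers users with no result yet: the driver has not processed the
    event, or the user is not associated and the policy's second rule skipped it.
    """
    report = {"synchronized": [], "not_synchronized": [], "ambiguous": [], "pending": []}
    for entry in entries:
        values = set(entry.get(RESULT_ATTR.lower(), []))
        if SYNCED in values and NOT_SYNCED in values:
            report["ambiguous"].append(entry["dn"])
        elif SYNCED in values:
            report["synchronized"].append(entry["dn"])
        elif NOT_SYNCED in values:
            report["not_synchronized"].append(entry["dn"])
        else:
            report["pending"].append(entry["dn"])
    return report


# Constructed sample of `ldapsearch -LLL` output from the source tree after a run.
# carol carries both results (checked twice without clearing), one of them base64-encoded;
# dave has no result yet. One value is folded across two lines, as ldapsearch may do.
SAMPLE_SEARCH_OUTPUT = """\
# constructed sample, not real directory data
dn: cn=alice,ou=users,o=example
jeffPasswordSyncCheck: checkreq
jeffPasswordSync: LDAP System is Synchronized

dn: cn=bob,ou=users,o=example
jeffPasswordSyncCheck: checkreq
jeffPasswordSync: LDAP System is NOT Synchronized

dn: cn=carol,ou=users,o=example
jeffPasswordSyncCheck: checkreq
jeffPasswordSync:: TERBUCBTeXN0ZW0gaXMgU3luY2hyb25pemVk
jeffPasswordSync: LDAP System is NOT Synchronized

dn: cn=dave,ou=users,o=example
jeffPasswordSyncCheck: che
 ckreq
"""

if __name__ == "__main__":
    print(trigger_ldif(["cn=alice,ou=users,o=example", "cn=bob,ou=users,o=example"]))
    for outcome, dns in tally(parse_ldif_entries(SAMPLE_SEARCH_OUTPUT)).items():
        print(f"{outcome}: {len(dns)} {dns}")
```

Feed the generated LDIF to ldapmodify in batches rather than all 150K users at once, so the driver's event queue drains at a rate the destination tree can service, and export the results with an ldapsearch for jeffPasswordSync on the same base once the queue is empty.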

Editor's Note: See also Lothar Haeger's Cool Solutions tip:
http://www.novell.com/coolsolutions/tip/18389.html


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.


© 2013 Novell