Preventing Password Changes from Applications

Author Info

29 March 2006 - 7:35am
Submitted by: aburgemeister


The following is an IDM solution that prevents a password change from originating in a connected application (originally developed for Active Directory). When a password arrives from the application on the Publisher channel, it is compared with the password held in the vault (the nspmDistributionPassword attribute). If the two do not match, the vault password is written back to the application and the original operation is vetoed, so the application's change never reaches the vault.

A summary trace message is enabled at trace level 1. A second trace message at trace level 6 can also be fired, telling the administrator which value the application password was reset to; because that message writes the vault password into the trace in clear text, it is disabled by default. Both messages are configurable and appear only if tracing is enabled on the engine side.

Note: This solution requires Password Synchronization 2 using Universal Password.

The following XML should be located as the first policy in the Event Transformation policyset on the Publisher channel:

<?xml version="1.0" encoding="UTF-8"?><policy>
    <rule>
        <description>Set Password Variables</description>
        <conditions>
            <and>
                <if-password op="available"/>
            </and>
        </conditions>
        <actions>
            <do-set-local-variable name="adPassword">
                <arg-string>
                    <token-password/>
                </arg-string>
            </do-set-local-variable>
            <do-set-local-variable name="vaultPassword">
                <arg-string>
                    <token-dest-attr name="nspmDistributionPassword"/>
                </arg-string>
            </do-set-local-variable>
        </actions>
    </rule>
    <rule>
        <description>Intercept change from App and Send Vault password back</description>
        <conditions>
            <and>
                <if-xpath op="true">$vaultPassword!=$adPassword</if-xpath>
            </and>
        </conditions>
        <actions>
            <do-set-src-password>
                <arg-string>
                    <token-local-variable name="vaultPassword"/>
                </arg-string>
            </do-set-src-password>
            <do-trace-message level="1">
                <arg-string>
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">Resetting application password to value from vault.</token-text>
                </arg-string>
            </do-trace-message>
            <do-trace-message disabled="true" level="6">
                <arg-string>
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">Resetting application password to: '</token-text>
                    <token-local-variable name="vaultPassword"/>
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">'.</token-text>
                </arg-string>
            </do-trace-message>
            <do-veto/>
        </actions>
    </rule>
</policy>
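As an added example (not part of the article and not Novell's own tooling), here is a small Python check a deployer can run against an exported policy before importing it: it reports every do-trace-message that would write the application or vault password into the engine trace, which is the reason the level-6 message above ships disabled. The embedded policy text is a constructed, trimmed copy of the second rule, and the SECRET_ATTRS set is an assumption about which attributes carry passwords.

```python
"""Flag DirXML-Script trace messages that could leak a password into the engine trace."""
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the article's second rule: the level-1 message
# is harmless, the level-6 message would emit the vault password but is disabled.
POLICY_XML = """<policy>
  <rule>
    <actions>
      <do-set-local-variable name="vaultPassword">
        <arg-string><token-dest-attr name="nspmDistributionPassword"/></arg-string>
      </do-set-local-variable>
      <do-trace-message level="1">
        <arg-string><token-text>Resetting application password to value from vault.</token-text></arg-string>
      </do-trace-message>
      <do-trace-message disabled="true" level="6">
        <arg-string>
          <token-text>Resetting application password to: '</token-text>
          <token-local-variable name="vaultPassword"/>
        </arg-string>
      </do-trace-message>
    </actions>
  </rule>
</policy>"""

# Assumption: attributes whose value is a password in this deployment.
SECRET_ATTRS = {"nspmDistributionPassword"}


def _is_secret_token(tok, secret_vars):
    """True if a token yields a password: the event password, a password-bearing
    attribute, or a local variable that was filled from one of those."""
    if tok.tag == "token-password":
        return True
    if tok.tag in ("token-dest-attr", "token-src-attr"):
        return tok.get("name") in SECRET_ATTRS
    return tok.tag == "token-local-variable" and tok.get("name") in secret_vars


def leaking_trace_messages(policy_xml):
    """Return (level, enabled) for each do-trace-message that references a password.
    Any entry with enabled == True is a finding that should block deployment."""
    policy = ET.fromstring(policy_xml)
    secret_vars = set()
    for var in policy.iter("do-set-local-variable"):
        if any(_is_secret_token(tok, secret_vars) for tok in var.iter()):
            secret_vars.add(var.get("name"))
    findings = []
    for msg in policy.iter("do-trace-message"):
        if any(_is_secret_token(tok, secret_vars) for tok in msg.iter()):
            findings.append((msg.get("level"), msg.get("disabled") != "true"))
    return findings
```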

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

© 2013 Novell