When a user is locked out of eDirectory by intruder detection after too many invalid password attempts, the lockout applies only to eDirectory. An attacker can keep guessing the same password against a connected system whose password is synchronized from eDirectory, where no lockout has occurred. To close that gap, the connected system's account can be disabled along with the lockout, provided the connected system supports a disabled-account state that is synchronized from the eDirectory "Login Disabled" attribute.
The first step is to add the "Locked By Intruder" attribute to the driver filter under the User class, with Subscriber channel synchronization set to "Notify" and Publisher channel synchronization set to "Ignore". Do not map it in the Schema Mapping policy; the attribute itself is never sent to the connected system. With "Notify", a change to the attribute is still delivered to the Subscriber channel policies, where the policy below reads and acts on its value, but the attribute is stripped from the event after the Command Transformation policies run, which is why the policy goes into that policy set. Also confirm that "Login Disabled" is already in the filter with Subscriber synchronization set to "Synchronize" and is mapped to the connected system's disable flag, because that is the attribute the policy actually writes.
Add the following rules as a new policy at the top of the Subscriber channel Command Transformation policy set. In iManager, create a new policy with Policy Builder, open it with "Edit XML" and paste the XML below in its entirety (the rule, conditions and actions wrappers are required; iManager will not accept bare condition and action elements).
<?xml version="1.0" encoding="UTF-8"?>
<policy>
 <rule><description>Locked by intruder: disable the connected-system account</description>
  <conditions><and><if-op-attr name="Locked By Intruder" op="changing-to">true</if-op-attr></and></conditions>
  <actions><do-clone-op-attr dest-name="Login Disabled" src-name="Locked By Intruder"/></actions>
 </rule>
 <rule><description>Lock cleared: re-enable the connected-system account unless it is disabled in eDirectory</description>
  <conditions><and>
   <if-op-attr name="Locked By Intruder" op="changing"/>
   <if-op-attr name="Locked By Intruder" op="not-equal">true</if-op-attr>
   <if-src-attr name="Login Disabled" op="not-equal">true</if-src-attr>
  </and></conditions>
  <actions><do-add-dest-attr-value name="Login Disabled"><arg-value type="string"><token-text xml:space="preserve">false</token-text></arg-value></do-add-dest-attr-value></actions>
 </rule>
</policy>
The first rule: when "Locked By Intruder" changes to true, copy that change onto "Login Disabled" in the same operation, so the connected-system account is disabled by the very modify event that reported the lockout.
The second rule: when "Locked By Intruder" is changing and its new value is not true (the lock has been cleared), and "Login Disabled" is not true in eDirectory (the account was not deliberately disabled by an administrator), set "Login Disabled" to false on the connected system so the account is re-enabled. On the Subscriber channel eDirectory is the source, so if-src-attr queries eDirectory for the current value of "Login Disabled" rather than looking at the event. This rule is not required for the disable to work, but it is useful because eDirectory clears "Locked By Intruder" on its own, either when the intruder lockout reset interval expires or when an administrator clears the lock, and without the rule the connected account would stay disabled. One check before relying on it: make sure "Login Disabled" is not also being synchronized back from the connected system on the Publisher channel. If it is, the disable written by the first rule can flow back into eDirectory as "Login Disabled" = true, after which the second rule sees the account as legitimately disabled and never re-enables it.
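To see what the first rule actually does to an event, here is a constructed Subscriber channel trace, added as an illustration and not taken from the original article or from a real driver: the XDS modify document the Command Transformation policy receives when eDirectory sets "Locked By Intruder" on a user, followed by the same document after do-clone-op-attr has run. The tree name, DNs, event-id and association value are made up, and the driver identification, timestamps and entry IDs a real trace carries are left out.

```xml
<!-- Constructed example, part 1: the event as received by the Subscriber
     channel Command Transformation policy set. Tree, DNs, event-id and
     association value are made up. -->
<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <modify class-name="User"
            event-id="constructed-example-1"
            qualified-src-dn="O=acme\OU=users\CN=jsmith"
            src-dn="\ACME-TREE\acme\users\jsmith">
      <association state="associated">constructed-association-1</association>
      <!-- Boolean eDirectory attributes travel as type="state" in XDS -->
      <modify-attr attr-name="Locked By Intruder">
        <remove-all-values/>
        <add-value>
          <value type="state">true</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>

<!-- Constructed example, part 2: the same event after the first rule has run.
     do-clone-op-attr copies the whole modify-attr element under the new
     attribute name, so "Login Disabled" carries the same remove-all-values and
     add-value content. "Locked By Intruder" is still present at this point;
     because it is set to Notify in the filter it is stripped before the event
     reaches the driver shim, while "Login Disabled" (Synchronize) goes on
     through Schema Mapping to the connected system. -->
<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <modify class-name="User"
            event-id="constructed-example-1"
            qualified-src-dn="O=acme\OU=users\CN=jsmith"
            src-dn="\ACME-TREE\acme\users\jsmith">
      <association state="associated">constructed-association-1</association>
      <modify-attr attr-name="Locked By Intruder">
        <remove-all-values/>
        <add-value>
          <value type="state">true</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="Login Disabled">
        <remove-all-values/>
        <add-value>
          <value type="state">true</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
```

For the unlock case the incoming event looks like part 1 with `<value type="state">false</value>` for "Locked By Intruder"; the first rule's changing-to condition does not match, the second rule queries eDirectory for "Login Disabled", and only if that is not true does it add "Login Disabled" = false for the connected-system account. Comparing a real trace (driver trace level 3 or higher) against this shape is the quickest way to confirm the policy is in the right policy set and that "Login Disabled" actually leaves the engine.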
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.