Author: aperez
Password Management Script

Problem

Determine which password to use when transitioning from NDS to Universal Password.

Solution

When implementing Universal Password across the enterprise, there may be scenarios where both NDS passwords (public/private key pairs) and Universal Password (UP) are available for the same user. This script determines which password to use.

If a Private Key change is detected, we look for the presence of an nspmDistributionPassword (UP) attribute. If the user's object contains that attribute, we strip the Public Key and Private Key from the operation so they do not flow through, and set the remote user's password from the value of nspmDistributionPassword. Once the password has been set, we also strip nspmDistributionPassword so it does not flow through either.

For our environment, we added an additional "payload" as a separate "after" event. This additional payload clears out any lingering security-attribute issues that may exist in our IDVault. The connected system is responsible for enforcing strong passwords via its policies, and those passwords are replicated to the remaining systems, including Active Directory and other eDirectory trees. The nspmDistributionPassword is sent out to the remaining systems without concern for conflicting security attributes.

Example

<rule>
  <description>MODIFY : Universal Password Detection and Support</description>
  <comment xml:space="preserve">This script detects if a password change (private key)
is being made and determines whether to use the Universal Password
(if available) or use the standard NDS public/private key combo.</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation op="equal">modify</if-operation>
      <if-op-attr name="Private Key" op="changing"/>
      <if-attr name="nspmDistributionPassword" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-strip-op-attr name="Private Key"/>
    <do-strip-op-attr name="Public Key"/>
    <do-set-dest-password>
      <arg-string>
        <token-op-attr name="nspmDistributionPassword"/>
      </arg-string>
    </do-set-dest-password>
    <do-strip-op-attr name="nspmDistributionPassword"/>
    <do-strip-op-attr name="SAS:Login Configuration"/>
    <do-strip-op-attr name="Password Expiration Time"/>
    <do-clear-dest-attr-value class-name="User" name="Password Expiration Time" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Login Grace Limit" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Login Grace Remaining" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Password Unique Required" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Password Required" when="after"/>
  </actions>
</rule>
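To make the effect of the rule above concrete, here is an added Python simulation (not part of the article or of IDM itself) that applies the rule's conditions and actions to a constructed eDirectory modify event: it strips the key and password attributes, sets the destination password from nspmDistributionPassword, and appends the "after" modify that clears the security attributes. It simplifies if-attr to the current operation only (no source-object lookup) and models when="after" as a second modify appended behind the current one; the event document, DN and values are all made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample event (not from the article): an eDirectory modify that
# carries a Private Key change together with the Universal Password attribute.
SAMPLE_EVENT = """<nds dtdversion="3.5"><input>
<modify class-name="User" src-dn="\\TREE\\org\\jdoe">
 <modify-attr attr-name="Private Key"><add-value><value type="octet">cHJpdg==</value></add-value></modify-attr>
 <modify-attr attr-name="Public Key"><add-value><value type="octet">cHVi</value></add-value></modify-attr>
 <modify-attr attr-name="nspmDistributionPassword"><add-value><value>S3cret!Pass</value></add-value></modify-attr>
 <modify-attr attr-name="Password Expiration Time"><add-value><value>20120101000000Z</value></add-value></modify-attr>
 <modify-attr attr-name="Description"><add-value><value>unchanged</value></add-value></modify-attr>
</modify></input></nds>"""

STRIP_OP_ATTRS = ("Private Key", "Public Key", "nspmDistributionPassword",
                  "SAS:Login Configuration", "Password Expiration Time")
CLEAR_AFTER = ("Password Expiration Time", "Login Grace Limit", "Login Grace Remaining",
               "Password Unique Required", "Password Required")

def op_attr(modify, name):
    """First value of a <modify-attr> in the operation, or None (like token-op-attr)."""
    for ma in modify.findall("modify-attr"):
        if ma.get("attr-name") == name:
            v = ma.find("./add-value/value")
            return v.text if v is not None else None
    return None

def apply_rule(xml_text):
    """Apply the article's rule to one event document and summarise the outcome."""
    root = ET.fromstring(xml_text)
    modify = root.find("./input/modify")
    if modify is None:
        return {"fired": False, "attrs": []}
    attrs = lambda m: [x.get("attr-name") for x in m.findall("modify-attr")]
    fired = (modify.get("class-name", "").lower() == "user"           # if-class-name
             and op_attr(modify, "Private Key") is not None           # if-op-attr changing
             and op_attr(modify, "nspmDistributionPassword") is not None)  # if-attr available
    if not fired:  # no UP present: keys flow through and the NDS password path is used
        return {"fired": False, "attrs": attrs(modify)}
    password = op_attr(modify, "nspmDistributionPassword")
    for ma in list(modify.findall("modify-attr")):                    # do-strip-op-attr
        if ma.get("attr-name") in STRIP_OP_ATTRS:
            modify.remove(ma)
    ET.SubElement(modify, "password").text = password                 # do-set-dest-password
    # when="after": a second modify for the same object, appended behind the current one
    after = ET.SubElement(root.find("input"), "modify",
                          {"class-name": "User", "dest-dn": modify.get("src-dn", "")})
    for name in CLEAR_AFTER:                                          # do-clear-dest-attr-value
        ET.SubElement(ET.SubElement(after, "modify-attr", {"attr-name": name}), "remove-all-values")
    return {"fired": True, "password": password,
            "attrs": attrs(modify), "after_cleared": attrs(after)}
```

Running `apply_rule(SAMPLE_EVENT)` leaves only Description in the first modify, sets the password to the UP value, and queues the five attribute clears; removing nspmDistributionPassword from the sample shows the rule not firing and the keys flowing through.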

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

© 2012 Novell