Article
Problem
A Forum participant asked the following question:
"We have some problems updating the Notes HTTPPassword in the following scenario. We want to synchronize only HTTPPassword from eDirectory to Notes to update the web password of already existing Notes users. When an eDirectory user changes his password, we get the following output from the Notes Remote Loader trace log:
<input>
  <modify-password class-name="Person"
                   event-id="pwd-subscribe"
                   src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe"
                   src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <password><!-- content suppressed --></password>
  </modify-password>
</input>
This seems correct to me. So why is the following error (status message) returned?"
<output>
  <status event-id="pwd-subscribe"
          level="error"
          type="password-set-operation">
    <description>Subscriber: modify-password event failed:
    old HTTPPassword parameter for John Doe (UNID=D9628831A988381AC12570F9005BE6B3)
    does not match current HTTPPassword in Notes.</description>
  </status>
</output>
And here's the response from Novell's Perry Nuffer ...
Solution
When processing a modify-password command, the NotesDriverShim checks for an existing and valid 'old-password' match. Thus, if the modify-password command is missing an <old-password> value and the existing Notes User already has an HTTPPassword (web password) value set, the modify-password command will fail (returning the status error you described). So, if the old HTTPPassword value is known (and currently valid in Notes), adding an <old-password> element with the old HTTPPassword value to the <modify-password> command should work ... something like this:
<input>
  <modify-password class-name="Person"
                   event-id="pwd-subscribe"
                   src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe"
                   src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <old-password><!-- content suppressed --></old-password>
    <password><!-- content suppressed --></password>
  </modify-password>
</input>
Sending a command similar to this can be achieved with a DirXML Script policy. The following DirXML script example sets the eDir DistributionPassword attribute (nspmDistributionPassword) value to the new password and uses my3secret as the old password:
<policy>
  <rule>
    <description>Send modify-password command with old-password value</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-dest-password>
      <do-append-xml-element expression="../modify-password" name="old-password"/>
      <do-append-xml-text expression="../modify-password/old-password">
        <arg-string>
          <token-text xml:space="preserve">my3secret</token-text>
        </arg-string>
      </do-append-xml-text>
    </actions>
  </rule>
</policy>
And if you don't know the old-password (or have a method of retrieving it), to overcome this security check, try setting the HTTPPassword attribute directly. A command like the following received by the NotesDriverShim should work:
<input>
  <modify class-name="Person"
          event-id="pwd-set-subscribe"
          src-dn="\PWDSYNCTREE\sync\dom\poc\JohnDoe"
          src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <modify-attr attr-name="HTTPPassword" is-sensitive="true"><!-- content suppressed --></modify-attr>
  </modify>
</input>
Sending a command similar to this can be achieved with a DirXML Script policy. The following DirXML script example sets the eDir DistributionPassword attribute (nspmDistributionPassword) value to the new Notes HTTPPassword:
<policy>
  <rule>
    <description>Set DistributionPassword as Notes HTTPPassword</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value class-name="User" name="HTTPPassword">
        <arg-value type="string">
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
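Added example, not part of the original article and not Novell's code: a Python sketch for reviewing Remote Loader trace excerpts that labels each password command by the three cases the response describes (a modify-password without `<old-password>`, one with it, and a direct `HTTPPassword` write that skips the old-password check). The function name, verdict labels, event ids other than those shown in the article, and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the article's trace excerpts. Traces suppress
# password content, so the check relies on element presence, never on values.
SAMPLE = """<input>
  <modify-password class-name="Person" event-id="pwd-subscribe">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <password><!-- content suppressed --></password>
  </modify-password>
  <modify-password class-name="Person" event-id="pwd-subscribe-with-old">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <old-password><!-- content suppressed --></old-password>
    <password><!-- content suppressed --></password>
  </modify-password>
  <modify class-name="Person" event-id="pwd-set-subscribe">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <modify-attr attr-name="HTTPPassword" is-sensitive="true"/>
  </modify>
</input>"""


def classify_password_commands(xds_text):
    """Return (event-id, association, verdict) for each password command."""
    findings = []
    for cmd in ET.fromstring(xds_text).iter():
        if cmd.tag == "modify-password":
            if cmd.find("old-password") is not None:
                # The shim compares this value with the current HTTPPassword.
                verdict = "old-password-supplied"
            else:
                # Fails when the Notes user already has an HTTPPassword set.
                verdict = "no-old-password"
        elif cmd.tag == "modify" and any(
            attr.get("attr-name", "").lower() == "httppassword"
            for attr in cmd.findall("modify-attr")
        ):
            # Plain attribute write: the old-password check is not applied.
            verdict = "direct-attribute-write"
        else:
            continue
        findings.append((cmd.get("event-id"), cmd.findtext("association"), verdict))
    return findings


if __name__ == "__main__":
    for event_id, unid, verdict in classify_password_commands(SAMPLE):
        print(f"{event_id:24} {unid} {verdict}")
```

Events labelled `direct-attribute-write` are the ones to track in a review, since they change the web password without proof of the previous one.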