Novell Home

Sending an E-mail on Account-Disabled

Novell Cool Solutions: Tip
By Aaron Burgemeister

Digg This - Slashdot This

Posted: 15 Feb 2006
 

To be in compliance with Sarbanes-Oxley auditing standards it may be required that, when a user account is disabled, a notification is sent to one or more individuals. This can be accomplished with a Loopback driver or with an existing driver that can detect the "Login Disabled" attribute.

If a driver does not already have "Login Disabled" in the filter, it can be added with iManager. Assuming the driver is processing the account-disabled event from eDirectory, set the attribute as "Notify" on the subscriber channel and "Ignore" on the publisher channel. If the attribute is already in the filter and synchronizing somehow, do not change the filter settings.

When the "Login Disabled" event takes place and an account is disabled (Login Disabled set to true), we want to send off an e-mail to one or more individuals. Sending it to a regular or dummy user configurable by another administrator may be a good option to allow that administrator to control who receives the notification without having them work with the driver configuration itself. The following rule was added to a new policy at the beginning of the Command Transform policyset for an Active Directory driver:

<?xml version="1.0" encoding="UTF-8"?><policy>
    <rule>
        <description>Email On Disabled User</description>
        <conditions>
            <and>
                <if-op-attr name="Login Disabled" op="changing-to">true</if-op-attr>
            </and>
        </conditions>
        <actions>
            <do-send-email id="emailAuthIDHere@somewhere.tld" password="putRealPasswordHere" server="mail.somewhere.tld">
                <arg-string name="to">
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">destinationAccountHere@somewhere.tld</token-text>;
                </arg-string>
                <arg-string name="from">
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">someUser@somewhere.tld</token-text>;
                </arg-string>
                <arg-string name="subject">
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">Disabled User Notification</token-text>
                </arg-string>
                <arg-string name="message">
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">A user has been disabled. The username is </token-text>
                    <token-src-attr name="CN"/>
                </arg-string>
                <arg-string name="to">
                    <token-text xml:space="preserve">anotherUser@somewhere.tld</token-text>
                </arg-string>
            </do-send-email>
        </actions>
    </rule>
</policy>

Depending on your e-mail server's settings, you may need to log in with a valid e-mail address and password. In some cases that may not be required. To send to multiple recipients, add multiple 'to' strings as demonstrated in the example. It is also possible to change other strings, such as reply-to. The actual message is currently set to include the CN only of the disabled user.

If there are duplicate CNs in different contexts, changing that to reflect the full DN is advised to prevent confusion. The message itself can be customized to the user's needs.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell