Updating the Notes HTTPPassword

Novell Cool Solutions: Tip
By Perry Nuffer

Posted: 15 Mar 2006
 

Problem

A Forum participant asked the following question:

"We have some problems updating the Notes HTTPPassword in the following scenario. We want to synchronize only HTTPPassword from eDirectory to Notes to update the web password of already existing Notes users. When an eDirectory user changes his password, we get the following output from the Notes Remote Loader trace log:

<input>
  <modify-password  class-name="Person"
     event-id="pwd-subscribe"
     src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe"
     src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <password><!-- content suppressed --></password>
  </modify-password>
</input>

This seems correct to me. So why is the following error (status message) returned?"

<output>
  <status  event-id="pwd-subscribe"
           level="error"
           type="password-set-operation">
    <description>Subscriber: modify-password event failed: 
old HTTPPassword parameter for John Doe (UNID=D9628831A988381AC12570F9005BE6B3) 
does not match current HTTPPassword in Notes.</description>
  </status>
</output>

And here's the response from Novell's Perry Nuffer ...

Solution

When processing a modify-password command, the NotesDriverShim checks for an existing and valid 'old-password' match. Thus, if the modify-password command is missing an <old-password> value and the existing Notes User already has an HTTPPassword (web password) value set, the modify-password command will fail (returning the status error you described). So, if the old HTTPPassword value is known (and currently valid in Notes), adding an <old-password> element with the old HTTPPassword value to the <modify-password> command should work ... something like this:

<input>
  <modify-password class-name="Person"
     event-id="pwd-subscribe"
     src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe"
     src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <old-password><!-- content suppressed --></old-password>
    <password><!-- content suppressed --></password>
  </modify-password>
</input>

Sending a command similar to this can be achieved with a DirXML Script policy. The following DirXML script example uses the eDir DistributionPassword attribute (nspmDistributionPassword) value as the new password and uses my3secret as the old password:

<policy>
  <rule>
    <description>Send modify-password command with old-password value</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-dest-password>
      <do-append-xml-element expression="../modify-password" name="old-password"/>
      <do-append-xml-text expression="../modify-password/old-password">
        <arg-string>
          <token-text xml:space="preserve">my3secret</token-text>
        </arg-string>
      </do-append-xml-text>
    </actions>
  </rule>
</policy>

If you don't know the old password (and have no method of retrieving it), you can overcome this security check by setting the HTTPPassword attribute directly. A command like the following received by the NotesDriverShim should work:

<input>
  <modify class-name="Person"
      event-id="pwd-set-subscribe"
      src-dn="\PWDSYNCTREE\sync\dom\poc\JohnDoe"
      src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <modify-attr attr-name="HTTPPassword" is-sensitive="true"><!-- content suppressed --></modify-attr>
  </modify>
</input>

Sending a command similar to this can be achieved with a DirXML Script policy. The following DirXML script example uses the eDir DistributionPassword attribute (nspmDistributionPassword) value as the new Notes HTTPPassword:

<policy>
  <rule>
    <description>Set DistributionPassword as Notes HTTPPassword</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value class-name="User" name="HTTPPassword">
        <arg-value type="string">
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
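
The following Python check is an added example, not part of the original tip or of Novell's code. It reads XDS <input> documents as they appear in a Remote Loader trace and reports which of the cases above each command falls into: a modify-password without <old-password>, one with it, or a direct HTTPPassword write that skips the old-password match. The sample documents, the classify function and the verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed XDS documents modelled on the commands shown above.
# Password values are suppressed, as they are in the trace.
ASSOC = "D9628831A988381AC12570F9005BE6B3"
SECRET = "<!-- content suppressed -->"
SAMPLES = {
    "pwd_only": f"<input><modify-password class-name='Person'>"
                f"<association>{ASSOC}</association>"
                f"<password>{SECRET}</password></modify-password></input>",
    "pwd_with_old": f"<input><modify-password class-name='Person'>"
                    f"<association>{ASSOC}</association>"
                    f"<old-password>{SECRET}</old-password>"
                    f"<password>{SECRET}</password></modify-password></input>",
    "direct_set": f"<input><modify class-name='Person'>"
                  f"<association>{ASSOC}</association><modify-attr "
                  f"attr-name='HTTPPassword' is-sensitive='true'>{SECRET}</modify-attr></modify></input>",
    "direct_unmarked": f"<input><modify class-name='Person'>"
                       f"<association>{ASSOC}</association><modify-attr "
                       f"attr-name='HTTPPassword'>{SECRET}</modify-attr></modify></input>",
}

def classify(xds_text):
    """Return one (association, verdict) tuple per password-related command."""
    findings = []
    root = ET.fromstring(xds_text)  # the default parser discards XML comments
    for cmd in root.iter("modify-password"):
        assoc = cmd.findtext("association", default="")
        # Without <old-password> the shim rejects the command when the Notes
        # user already has an HTTPPassword; with it, the value must match.
        verdict = "needs-old-password" if cmd.find("old-password") is None else "old-password-supplied"
        findings.append((assoc, verdict))
    for cmd in root.iter("modify"):
        assoc = cmd.findtext("association", default="")
        for attr in cmd.iter("modify-attr"):
            if attr.get("attr-name") != "HTTPPassword":
                continue
            # A direct write is not subject to the old-password match.
            marked = attr.get("is-sensitive") == "true"
            findings.append((assoc, "direct-set" if marked else "direct-set-not-marked-sensitive"))
    return findings

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, classify(doc))
```

Because the direct write is not checked against the current HTTPPassword, the "direct-set" verdicts are the ones worth recording when reviewing which policies can change a web password.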

