
Preventing Password Changes from Applications

Novell Cool Solutions: Tip
By Aaron Burgemeister


Posted: 29 Mar 2006
 

The following is an Identity Manager (IDM) policy that prevents a password change from originating in a connected application (it was originally developed for Active Directory). When a password arrives from the application on the Publisher channel, it is compared with the password held in the Identity Vault (the user's nspmDistributionPassword). If the two differ, the vault password is written back to the application and the incoming operation is vetoed, so the application is reset to the vault value and the vault password is never changed.

A trace message at level 1 summarizes each intercepted change. A second message at trace level 6 can also be enabled to show the value that was pushed back; it is disabled by default because it writes the password in clear text to the driver trace, which anyone who can read the trace file would then see. Both messages can be edited, and each appears only when tracing is enabled on the engine side and the driver's trace level is at or above the message's level.

Note: This solution requires Password Synchronization 2 using Universal Password. It also assumes every affected user already has a Distribution Password in the vault: if nspmDistributionPassword is empty for a user, the comparison always fails and the rule will attempt to write an empty value back to the application.

The following XML should be placed as the first policy in the Event Transformation policy set on the Publisher channel, so it runs before any other Publisher policy can act on the password:

<?xml version="1.0" encoding="UTF-8"?>
<policy>
    <!-- Rule 1: on any event that carries a password, capture both the
         password sent by the application and the Distribution Password
         held in the vault so the next rule can compare them. -->
    <rule>
        <description>Set Password Variables</description>
        <conditions>
            <and>
                <if-password op="available"/>
            </and>
        </conditions>
        <actions>
            <do-set-local-variable name="adPassword">
                <arg-string>
                    <token-password/>
                </arg-string>
            </do-set-local-variable>
            <do-set-local-variable name="vaultPassword">
                <arg-string>
                    <token-dest-attr name="nspmDistributionPassword"/>
                </arg-string>
            </do-set-local-variable>
        </actions>
    </rule>
    <!-- Rule 2: if the two values differ, write the vault password back to
         the application (the source on the Publisher channel) and veto the
         incoming event so the vault password is never changed. The
         password-available check is repeated so the rule cannot fire on
         events that never set the variables. The level-6 message stays
         disabled because it writes the password in clear text to the trace. -->
    <rule>
        <description>Intercept change from App and Send Vault password back</description>
        <conditions>
            <and>
                <if-password op="available"/>
                <if-xpath op="true">$vaultPassword!=$adPassword</if-xpath>
            </and>
        </conditions>
        <actions>
            <do-set-src-password>
                <arg-string>
                    <token-local-variable name="vaultPassword"/>
                </arg-string>
            </do-set-src-password>
            <do-trace-message level="1">
                <arg-string>
                    <token-text xml:space="preserve">Resetting application password to value from vault.</token-text>
                </arg-string>
            </do-trace-message>
            <do-trace-message disabled="true" level="6">
                <arg-string>
                    <token-text xml:space="preserve">Resetting application password to: '</token-text>
                    <token-local-variable name="vaultPassword"/>
                    <token-text xml:space="preserve">'.</token-text>
                </arg-string>
            </do-trace-message>
            <do-veto/>
        </actions>
    </rule>
</policy>
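As an added operational check that is not part of the original tip: the level-1 message tells you how often the policy fired, while the level-6 text should never appear in a trace at all, because its presence means someone enabled the disabled message and a clear-text password is now in the log. The Python script below scans a driver trace for both strings and redacts any leaked value before the trace is shared. The two message texts are copied from the policy above; the trace line layout, driver name, timestamps and the password value in the sample are constructed for illustration and are not a real IDM trace.

```python
"""Audit an IDM driver trace for the password-reset policy's messages.

Added example, not part of the original tip. Only the two message texts
from the policy are matched, so the exact trace line prefix does not matter.
"""
import re

# Message written at trace level 1 each time the policy vetoes a change.
SUMMARY_MSG = "Resetting application password to value from vault."
# Prefix of the level-6 message, disabled by default because it writes the
# pushed password in clear text to the trace.
CLEARTEXT_PREFIX = "Resetting application password to: '"

# The level-6 message is prefix, the password, then a closing quote and dot.
CLEARTEXT_RE = re.compile(re.escape(CLEARTEXT_PREFIX) + r"(?P<pw>.*?)'\.")

# Constructed sample trace (hypothetical driver name "AD", timestamps and
# password); the last line shows what a leak would look like.
SAMPLE_TRACE = """\
[03/29/06 10:15:01.123]:AD ST:Applying to modify #1.
[03/29/06 10:15:01.124]:AD ST:Evaluating rule 'Intercept change from App and Send Vault password back'.
[03/29/06 10:15:01.125]:AD ST:Resetting application password to value from vault.
[03/29/06 10:15:01.126]:AD ST:Action: do-veto().
[03/29/06 10:16:42.001]:AD ST:Resetting application password to value from vault.
[03/29/06 10:16:42.002]:AD ST:Resetting application password to: 'Sup3rSecret!'.
"""


def audit_trace(text):
    """Return (reset_count, leaked_lines).

    reset_count is how many times the policy vetoed an application-originated
    password change (level-1 message). leaked_lines lists the 1-based line
    numbers where the level-6 message appears, i.e. the clear-text message
    was enabled and a password is sitting in the trace file.
    """
    reset_count = 0
    leaked_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUMMARY_MSG in line:
            reset_count += 1
        elif CLEARTEXT_RE.search(line):
            leaked_lines.append(lineno)
    return reset_count, leaked_lines


def redact(text):
    """Replace any leaked password value so the trace can be shared safely."""
    return CLEARTEXT_RE.sub(CLEARTEXT_PREFIX + "[REDACTED]'.", text)


if __name__ == "__main__":
    resets, leaks = audit_trace(SAMPLE_TRACE)
    print("policy fired %d time(s)" % resets)
    if leaks:
        print("WARNING: clear-text password message found on line(s):", leaks)
        print(redact(SAMPLE_TRACE))
```

Run it against a real trace by reading the file into `audit_trace`; any non-empty `leaked_lines` result means the level-6 message was turned on at some point and the trace should be treated as containing credentials until it is redacted or rotated.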


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell