
Synchronizing an Expired Password with Active Directory

Novell Cool Solutions: Tip
By Aaron Burgemeister


Posted: 29 Mar 2006
 

The following policy is designed to synchronize an expired password with the "User must change password at next logon" option in Active Directory (User > Properties > Account > Account Options). That option is effectively equivalent to an expired password (with grace logins remaining) in eDirectory.

The desired functionality was to expire a password in eDirectory when the checkbox was checked in Active Directory (to prevent the user from continuing with an expired password in either system). Having both passwords become valid on a valid password change was also desired and implemented.

In the event the action started in Active Directory, the password was expired in eDirectory to 2000-01-01. Using this date guaranteed an expired password but also provided an easily recognizable date should somebody forget about this functionality in the future.

The following policy should be placed as the first policy in the Event Transformation policyset on the Publisher channel:

<?xml version="1.0" encoding="UTF-8"?>
<policy>
    <!-- Fires when the "User must change password at next logon" box is ticked
         in Active Directory: AD records that by setting pwdLastSet to 0. -->
    <rule>
        <description>Create Password Expiration Time if appropriate</description>
        <conditions>
            <and>
                <if-op-attr mode="numeric" name="pwdLastSet" op="changing-to">0</if-op-attr>
            </and>
        </conditions>
        <actions>
            <!-- 946710000 is the Unix time for 2000-01-01: an already-expired
                 Password Expiration Time that is easy to recognise later. -->
            <do-set-dest-attr-value name="Password Expiration Time">
                <arg-value type="int">
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">946710000</token-text>
                </arg-value>
            </do-set-dest-attr-value>
        </actions>
    </rule>
    <!-- Fires when pwdLastSet changes to a non-zero value (box cleared, or the AD
         password was set). The two <and> groups below are OR'ed together. -->
    <rule>
        <description>Clear Password Expiration Time if Appropriate</description>
        <conditions>
            <and>
                <if-op-attr mode="numeric" name="pwdLastSet" op="changing-from">0</if-op-attr>
            </and>
            <and>
                <if-op-attr name="pwdLastSet" op="changing"/>
                <if-op-attr mode="numeric" name="pwdLastSet" op="not-changing-to">0</if-op-attr>
            </and>
        </conditions>
        <actions>
            <do-clear-dest-attr-value name="Password Expiration Time"/>
        </actions>
    </rule>
</policy>

The following policy should be placed as the first policy in the Command Transform policyset on the Subscriber channel:

<?xml version="1.0" encoding="UTF-8"?>
<policy xmlns:jcal="http://www.novell.com/nxsl/java/java.util.Calendar">
    <!-- Runs when a password is being distributed to AD for a User and the
         event also carries Password Expiration Time. It stores that value and
         the current time plus one day (86400 s) in local variables. -->
    <rule>
        <description>Store 'Password Expiration Time' in local variable</description>
        <conditions>
            <and>
                <if-class-name op="equal">User</if-class-name>
                <if-op-attr name="Password Expiration Time" op="available"/>
                <if-op-attr name="nspmDistributionPassword" op="changing"/>
            </and>
        </conditions>
        <actions>
            <do-set-local-variable name="PASS-EXP-TIME">
                <arg-string>
                    <token-op-attr name="Password Expiration Time"/>
                </arg-string>
            </do-set-local-variable>
            <do-set-local-variable name="cal-obj">
                <arg-object>
                    <token-xpath expression="jcal:getInstance()"/>
                </arg-object>
            </do-set-local-variable>
            <!-- java.util.Calendar gives milliseconds; convert to seconds and
                 add one day of slack so a password expiring within 24 hours
                 is treated as already expired. -->
            <do-set-local-variable name="CURRENT-TIME">
                <arg-string>
                    <token-xpath expression="floor((number(jcal:getTimeInMillis($cal-obj))*0.001)+86400)"/>
                </arg-string>
            </do-set-local-variable>
        </actions>
    </rule>
    <!-- If the expiration time is not in the future, set pwdLastSet to 0 after
         the password command so AD also requires a change at next logon. -->
    <rule>
        <description>Set pwdLastSet to 0 if 'Password Expiration Time' is not in the future</description>
        <conditions>
            <and>
                <if-local-variable name="CURRENT-TIME" op="available"/>
                <if-local-variable name="PASS-EXP-TIME" op="available"/>
                <if-xpath op="true">$CURRENT-TIME>$PASS-EXP-TIME</if-xpath>
            </and>
        </conditions>
        <actions>
            <do-set-dest-attr-value name="pwdLastSet" when="after">
                <arg-value type="int">
                    <token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">0</token-text>
                </arg-value>
            </do-set-dest-attr-value>
        </actions>
    </rule>
</policy>
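The decision logic of both policies, modelled in Python as an added example (this is not Novell's code or the DirXML engine; it only mirrors the rules so they can be exercised offline). The event dictionaries, their keys ("old", "new", "class") and the function names are assumptions of this illustration, and the sample events are constructed rather than taken from a driver trace:

```python
"""Executable model of the Publisher Event Transformation policy
(AD -> eDirectory) and the Subscriber Command Transformation policy
(eDirectory -> AD) shown in the tip. Added illustration, not driver code;
event shapes and keys are assumptions."""
import time
from datetime import datetime, timezone

# Constant used by the publisher policy: Unix seconds for 2000-01-01,
# an obviously-in-the-past Password Expiration Time.
EXPIRED_MARKER = 946710000
# The subscriber policy compares against "now + one day" (the +86400 in the
# XPath), so an expiration within the next 24 hours counts as expired.
SLACK_SECONDS = 86400
PET = "Password Expiration Time"


def publisher_event_transform(event):
    """AD -> eDirectory: translate a pwdLastSet change into a Password
    Expiration Time operation. Returns the operation, or None if no rule fires."""
    old = event.get("old", {}).get("pwdLastSet")
    new = event.get("new", {}).get("pwdLastSet")
    if new is None:
        return None  # pwdLastSet is not part of this event
    # Rule 1: pwdLastSet changing to 0 means "User must change password at
    # next logon" was ticked, so expire the eDirectory password.
    if int(new) == 0:
        return {"set": {PET: EXPIRED_MARKER}}
    # Rule 2: the two <and> groups are OR'ed:
    # (changing-from 0) OR (changing AND not-changing-to 0).
    changing_from_zero = old is not None and int(old) == 0
    changing_to_nonzero = int(new) != 0
    if changing_from_zero or changing_to_nonzero:
        return {"clear": PET}
    return None


def subscriber_command_transform(event, now=None):
    """eDirectory -> AD: when a password is being distributed and the
    Password Expiration Time is not in the future, force pwdLastSet to 0."""
    if event.get("class") != "User":
        return None
    attrs = event.get("new", {})
    if PET not in attrs or "nspmDistributionPassword" not in attrs:
        return None
    pass_exp_time = int(attrs[PET])
    if now is None:
        now = time.time()
    # floor((millis * 0.001) + 86400) from the policy, expressed in seconds.
    current_time = int(now + SLACK_SECONDS)
    if current_time > pass_exp_time:
        return {"set": {"pwdLastSet": 0}}
    return None


def expired_marker_date():
    """Calendar date of the marker value, useful for recognising it later."""
    return datetime.fromtimestamp(EXPIRED_MARKER, tz=timezone.utc).date().isoformat()


if __name__ == "__main__":
    # Constructed sample events (not captured from a real driver).
    ad_ticked = {"old": {"pwdLastSet": 130000000000000000}, "new": {"pwdLastSet": 0}}
    ad_cleared = {"old": {"pwdLastSet": 0}, "new": {"pwdLastSet": 130000000000000000}}
    edir_expired = {"class": "User",
                    "new": {PET: EXPIRED_MARKER, "nspmDistributionPassword": "<secret>"}}
    print("publisher, box ticked  :", publisher_event_transform(ad_ticked))
    print("publisher, box cleared :", publisher_event_transform(ad_cleared))
    print("subscriber, expired    :", subscriber_command_transform(edir_expired))
    print("marker date            :", expired_marker_date())
```

Running the model shows the one-day slack in the subscriber rule: an eDirectory password whose expiration falls within the next 24 hours is pushed to AD with pwdLastSet = 0, so both systems demand a new password rather than letting the user keep logging in to AD until eDirectory catches up.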

The final required change is to add the pwdLastSet attribute to the driver filter: set it to at least "Notify" on the Publisher channel and to "Ignore" on the Subscriber channel. The Application Name for this attribute in the filter was left blank; it should not be needed, because the attribute is not actually being synchronized.

As always, testing a solution before implementing it in production is highly recommended. This solution was tested only with Password Synchronization 2.0 using Universal Password.


© 2014 Novell