
Password Management Script

Novell Cool Solutions: Tip
By Armando A. Perez


Posted: 12 Jul 2006
 

Problem

Determine which password to use when transitioning from NDS to Universal Password.

Solution

When implementing Universal Password across the enterprise, there can be scenarios where both the NDS password (the public/private key pair) and the Universal Password (UP) are available on a user object. This script determines which password to use.

If a Private Key change is detected, we look for the presence of an nspmDistributionPassword attribute (the UP). If the user's object contains that attribute, we stop the Public Key and Private Key from coming through and set the remote user's password to the value of nspmDistributionPassword. Once the password has been set, we also stop nspmDistributionPassword itself from flowing through to the connected system.

For our environment, we added an additional "payload" that runs as a separate "after" event. This payload clears any lingering password-policy attribute values (expiration time, grace logins, uniqueness and required flags, as listed in the example) that may exist in our IDVault. The connected system is responsible for enforcing strong passwords via its own policies, and those passwords are replicated to the remaining systems, including Active Directory and other eDirectory trees. The nspmDistributionPassword is sent out to the remaining systems without concern for conflicting security attributes.

Example

<rule>
  <description>MODIFY : Universal Password Detection and Support</description>
  <comment xml:space="preserve">This script detects if a password change (private key) 
is being made and determines whether to use the Universal Password
 (if available) or use the standard NDS public/private key combo.</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation op="equal">modify</if-operation>
      <if-op-attr name="Private Key" op="changing"/>
      <if-attr name="nspmDistributionPassword" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-strip-op-attr name="Private Key"/>
    <do-strip-op-attr name="Public Key"/>
    <do-set-dest-password>
      <arg-string>
        <token-op-attr name="nspmDistributionPassword"/>
      </arg-string>
    </do-set-dest-password>
    <do-strip-op-attr name="nspmDistributionPassword"/>
    <do-strip-op-attr name="SAS:Login Configuration"/>
    <do-strip-op-attr name="Password Expiration Time"/>
    <do-clear-dest-attr-value class-name="User" name="Password Expiration Time" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Login Grace Limit" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Login Grace Remaining" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Password Unique Required" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Password Required" when="after"/>
  </actions>
</rule>
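To see what a connected system actually receives once this rule fires, here is an added Python simulation of the rule's conditions and actions over a constructed XDS-style modify event (example code written for this page, not Novell's engine or the tip's own policy). It assumes a minimal event layout and checks the UP attribute only within the operation, whereas the real if-attr op="available" also consults the source object.

```python
"""Simulate this tip's Universal Password rule over a constructed XDS-style
<modify> event (example code, not Novell's engine or the tip's own policy).
Checks the UP attribute only within the operation; the real if-attr
op="available" also consults the source object (simplification)."""
import xml.etree.ElementTree as ET

# Constructed sample event: a User whose Private Key is changing and that
# also carries an nspmDistributionPassword (the Universal Password).
SAMPLE_EVENT = """<modify class-name="User">
  <modify-attr attr-name="Private Key"><add-value><value>PRIVKEY</value></add-value></modify-attr>
  <modify-attr attr-name="Public Key"><add-value><value>PUBKEY</value></add-value></modify-attr>
  <modify-attr attr-name="nspmDistributionPassword"><add-value><value>S3cret!</value></add-value></modify-attr>
  <modify-attr attr-name="Title"><add-value><value>Analyst</value></add-value></modify-attr>
</modify>"""

# Attributes the rule strips from the op after the destination password is set.
STRIP_AFTER_SET = ("nspmDistributionPassword", "SAS:Login Configuration", "Password Expiration Time")

def op_attr(event, name):
    """Return the <modify-attr> carrying attr-name, or None if absent."""
    return event.find(f"modify-attr[@attr-name='{name}']")

def strip_op_attr(event, name):
    """do-strip-op-attr: remove the attribute from the op if present."""
    node = op_attr(event, name)
    if node is not None:
        event.remove(node)

def apply_rule(event_xml):
    """Evaluate conditions, apply actions; return (event, dest_password)."""
    event = ET.fromstring(event_xml)
    fires = (event.tag == "modify"
             and event.get("class-name", "").lower() == "user"
             and op_attr(event, "Private Key") is not None
             and op_attr(event, "nspmDistributionPassword") is not None)
    if not fires:
        return event, None           # rule does not fire; keys flow through unchanged
    up = op_attr(event, "nspmDistributionPassword").find(".//value").text
    strip_op_attr(event, "Private Key")   # UP wins over the NDS key pair
    strip_op_attr(event, "Public Key")
    ET.SubElement(event, "password").text = up   # do-set-dest-password
    for name in STRIP_AFTER_SET:
        strip_op_attr(event, name)
    return event, up

def remaining_attrs(event):
    """Names of the modify-attr elements still in the op."""
    return [m.get("attr-name") for m in event.findall("modify-attr")]
```

With the sample event, only Title survives in the op and the driver receives a single password set; rename the UP attribute away and the rule stays silent, so the key pair flows through untouched.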


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell