AD / eDirectory Password Synchronization Tip
Novell Cool Solutions: Tip
Posted: 9 May 2007
A Forum reader recently asked:
"I installed eDir-AD synchronization with password sync. Now it is required that every password change in AD should be overruled with the DP password of eDir. I know that there exists a password synchronisation option that resets the AD password to the DP password if the user's password policy is violated. But how can I reset the AD password on every password-modify event without using a password policy?"
And here's the response from Father Ramon ...
You have to be careful with AD, because it doesn't have any loopback detection. If you send the change back at that point, it is going to keep sending it back to you.
What I would do is get rid of all the password sync policies on the publisher command transformation (they're just in the way if you aren't syncing passwords in that direction). Then I would replace them with something that compares the incoming password to the nspmDistributionPassword attribute in eDirectory. It sends it back if they aren't the same, and it vetoes the original modify password whether or not they are the same.
Try something like this:
<!-- Publisher Command Transformation rules that replace the stock password sync policies.
     Rule 1: if the password arriving from AD differs from the eDirectory distribution
     password, push the eDirectory value back to AD.
     Rule 2: veto the incoming modify-password whether or not the values matched, so the
     AD-originated change never reaches eDirectory and cannot echo back (AD has no
     loopback detection). -->
<rule>
  <description>Password Changed - Reset</description>
  <conditions>
    <and>
      <!-- only operations that actually carry a password -->
      <if-password op="available"/>
      <!-- read nspmDistributionPassword from the destination (eDirectory) object
           and compare it with the incoming password -->
      <if-xpath op="not-true">string(query:readObject($destQueryProcessor, association, @dest-dn, "User", "nspmDistributionPassword")//value) = string(./password)</if-xpath>
    </and>
  </conditions>
  <actions>
    <!-- write the eDirectory distribution password back to AD (the source on this channel) -->
    <do-set-src-password>
      <arg-string>
        <token-dest-attr name="nspmDistributionPassword"/>
      </arg-string>
    </do-set-src-password>
  </actions>
</rule>
<rule>
  <description>Password Changed - Veto</description>
  <conditions>
    <and>
      <if-password op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- drop the AD-originated password change regardless of the comparison above -->
    <do-veto/>
  </actions>
</rule>
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com