
Checking Synchronization between eDirectory Trees

Novell Cool Solutions: Tip
By Jeffrey Johnson


Posted: 1 Aug 2007
 

Problem

A Forum reader recently asked:

"I'm using the eDir to eDir driver. Does anyone have a good method for checking whether passwords are indeed synchronized between eDirectory trees? I can check my user account by simply logging in to both trees, but what about the remaining 150K users being sync'd? Has anyone done this on a mass scale?"

And here's the response from Jeff Johnson ...

Solution

I wrote something that does this. It entails setting an attribute on a user - or a zillion users via an LDAP script. Then an IDM policy looks for a changed attribute and reads src/dest passwords and compares them. It writes out the results to an attribute you can query later. For instance, setting "jeffpasswordsynccheck" to "checkreq" via LDAP will start the process. You should be able to follow the rest.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "/home/jeff/designer/eclipse/plugins/com.novell.designer.idm.policybuilder_2.0.0.200706011128/DTD/dirxmlscript.dtd">
<policy>
  <!-- Rule 1: stop processing unless the trigger attribute is being set to "checkreq" -->
  <rule>
    <description>Veto If Needed</description>
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="jeffPasswordSyncCheck" op="not-changing-to">checkreq</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-break/>
    </actions>
  </rule>

  <!-- Rule 2: for an associated user, read the distribution password from both sides -->
  <rule>
    <description>Read Passwords</description>
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="jeffPasswordSyncCheck" op="changing-to">checkreq</if-op-attr>
        <if-association op="associated"/>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="srcpw">
        <arg-string>
          <token-src-attr class-name="User" name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="destpw">
        <arg-string>
          <token-dest-attr class-name="User" name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>

  <!-- Rule 3: passwords match; record the result on the source user -->
  <rule>
    <description>Compare Passwords True</description>
    <conditions>
      <and>
        <if-local-variable name="srcpw" op="available"/>
        <if-xpath op="true">$srcpw=$destpw</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-add-src-attr-value class-name="User" name="jeffPasswordSync">
        <arg-value>
          <token-text xml:space="preserve">LDAP System is Synchronized</token-text>
        </arg-value>
      </do-add-src-attr-value>
      <do-break/>
    </actions>
  </rule>

  <!-- Rule 4: passwords differ; record the result on the source user -->
  <rule>
    <description>Compare Passwords False</description>
    <conditions>
      <and>
        <if-local-variable name="srcpw" op="available"/>
        <if-xpath op="not-true">$srcpw=$destpw</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-add-src-attr-value class-name="User" name="jeffPasswordSync">
        <arg-value>
          <token-text xml:space="preserve">LDAP System is NOT Synchronized</token-text>
        </arg-value>
      </do-add-src-attr-value>
    </actions>
  </rule>
</policy>
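The LDAP side of the mass check, as an added example that is not part of the original tip: it builds the ldapmodify LDIF that sets jeffPasswordSyncCheck to checkreq on a list of users, and parses an ldapsearch LDIF export of the jeffPasswordSync values the policy writes into a per-user report. It assumes the two custom attributes exist in the eDirectory schema and that the export uses the plain "attr: value" form; the DNs and export text are constructed sample data.

```python
# Added example, not code from the tip: the LDAP side of the mass check.
# Assumes the custom attributes below exist in the eDirectory schema.
TRIGGER_ATTR = "jeffPasswordSyncCheck"   # attribute rules 1 and 2 watch
RESULT_ATTR = "jeffPasswordSync"         # attribute rules 3 and 4 write
TRIGGER_VALUE = "checkreq"
OK_VALUE = "LDAP System is Synchronized"
BAD_VALUE = "LDAP System is NOT Synchronized"

def trigger_ldif(dns):
    """One 'changetype: modify' record per DN, for ldapmodify. The result
    attribute is cleared first (replace with no values) because the policy's
    do-add-src-attr-value appends, so values from earlier runs would linger;
    then the trigger is set, which rule 2 sees as changing-to checkreq."""
    records = [f"dn: {dn}\nchangetype: modify\n"
               f"replace: {RESULT_ATTR}\n-\n"
               f"replace: {TRIGGER_ATTR}\n{TRIGGER_ATTR}: {TRIGGER_VALUE}\n-\n"
               for dn in dns]
    return "\n".join(records)

def parse_results(ldif_text):
    """Map DN -> 'synced' | 'NOT synced' | 'no result' from an ldapsearch LDIF
    export. 'no result' means the policy wrote nothing, e.g. the user has no
    association so rule 2 skipped it. Both values present -> NOT synced."""
    status, dn, vals = {}, None, []
    for line in ldif_text.splitlines() + [""]:
        if line.startswith("dn: "):
            dn, vals = line[4:].strip(), []
        elif dn and line.split(":", 1)[0].lower() == RESULT_ATTR.lower():
            vals.append(line.split(":", 1)[1].strip())
        elif dn and line == "":
            status[dn] = ("NOT synced" if BAD_VALUE in vals
                          else "synced" if OK_VALUE in vals else "no result")
            dn = None
    return status

# Constructed sample of an 'ldapsearch -LLL ... jeffPasswordSync' export.
SAMPLE_EXPORT = """\
dn: cn=alice,ou=users,o=acme
jeffPasswordSync: LDAP System is Synchronized

dn: cn=bob,ou=users,o=acme
jeffPasswordSync: LDAP System is NOT Synchronized

dn: cn=carol,ou=users,o=acme
"""

if __name__ == "__main__":
    print(trigger_ldif(["cn=alice,ou=users,o=acme"]))
    print(parse_results(SAMPLE_EXPORT))
```

Users reported as "no result" are worth a second look before re-running the check: the policy only reads both passwords when the user already has an association to the other tree.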

Editor's Note: See also Lothar Haeger's Cool Solutions tip:
http://www.novell.com/coolsolutions/tip/18389.html



© 2014 Novell