Challenge/Response IDM Driver Configuration

By: ab

October 2, 2009 6:29 pm

The attachment includes the following text (with graphics) in PDF form along with the driver configuration and necessary JAR files.

Overview

For some time now customers have been requesting a means by which to populate Challenge Response Set questions and/or responses in an automated fashion to streamline the user experience. The accompanying files and this documentation provide just one answer for making this possible.

For those familiar with Novell’s Identity Manager (IDM) product, this solution is a specialized implementation of the Null driver (refer to the online documentation for IDM specifics). The driver configuration provides a framework for setting the challenge questions and responses contained in the challenge set assigned to a given user. It is a framework in the sense that it describes and exemplifies what can be done; the burden remains on the system administrator to customize the policies case by case, since challenge set definitions differ from one environment to the next. Become familiar with the ‘default’ configuration described here first, then make the changes needed to fit the driver to your particular needs. Any further reference to the configuration of the driver refers to this ‘default’ configuration.

The challenge set illustrated in the driver configuration consists of seven (7) questions in total: four (4) are admin defined, three (3) are user defined. Remember – the definition of your challenge set(s) will most likely be different! As originally released, the driver implemented a single stylesheet on the Subscriber channel’s Event Transformation policy set (the current configuration places it on the Matching policy set, as described under Events below). Triggered solely on User adds, it sets responses to administrator defined questions and sets both questions and responses for user defined challenges. It can easily be modified to handle other events as well as other object classes. A number of global configuration values (GCVs) and named passwords define the connection parameters as well as the questions, responses, and response attributes.

NOTE: Setting up user defined challenges as the default configuration shows is ultimately the same thing as defining an administrator defined challenge because of the static nature of the question. Questions could be configured to be dynamic based on attribute data, thus making it truly a ‘user defined’ challenge. User defined challenges can also be used in a specialized manner such that the questions, although static, are dynamically applied based on attributes – for example, if a user’s department is ‘Finance’ they may get one question, whereas a user in ‘Engineering’ may get another question.

As mentioned earlier, the overall configuration of the driver must be customized to fit your environment and needs, which includes manipulation of the stylesheet and driver settings.

As a final note before proceeding: this document was originally released as a TID, but it was never a supported Novell deliverable and is therefore being re-released as an AppNote. Credit for the bulk of the XSLT and the NMAS classes goes to the original authors.

Setup

The following steps will take care of the setup that needs to be done for the driver to function properly. Paths and/or command syntax may depend on your particular platform – see platform specific documentation for additional help:

Copy in the JAR files that provide the Challenge/Response functionality and add eDirectory’s trusted root certificate to the Java keystore so the driver can make the LDAPS connection:

  1. Copy required .jar files into the DirXML engine’s classpath

    The driver is dependent upon the following .jar files: jdom.jar, NMASToolkit.jar and NMASChallengeResponseWrapper.jar. On NetWare the path is sys:\system\lib. On Linux/Unix with eDir 8.7.3.x, the default path is ‘/usr/lib/dirxml/classes’ and for 8.8.x it is ‘/opt/novell/eDirectory/lib/dirxml/classes’.
  2. Import certificate into Java Runtime Environment (JRE)

    Communication from the driver to the tree is done securely using SSL through the use of Java extension calls. The JRE in which DirXML runs must have a trusted certificate stored for this to work. This is done by importing an X.509 Trusted Root certificate from eDirectory into the running JRE. A Trusted Root certificate from an eDirectory CA will work for all certificates signed by that CA, which, by default, means for every certificate in eDirectory. If other Trusted Root certificates are used for eDirectory LDAP servers then those must also be imported. To export and store a Trusted Root certificate for a given certificate (Key Material Object (KMO)) in eDirectory follow these steps:

    1. From iManager go to Directory Administration, Modify Object, and browse to the Key Material Object (KMO) linked to the LDAP Server object used for the LDAP connection from the engine for setting the Challenge/Response information. This KMO can also be seen as configured by browsing to the LDAP Server object and viewing the name in the Server Certificate field (LDAP: LDAP Options: LDAP Servers: [pick the valid server]: Connections: Server Certificate).
    2. Select the Certificates tab and then ensure that ‘Trusted Root Certificate’ is selected (vs. Self Signed Certificate). Check the checkbox next to the Certificate name (‘SSL CertificateDNS’, for example).
    3. Click Export
    4. Do not export the private key (be sure that the Organizational CA certificate is exported).
    5. Choose Base64 format.
    6. Save the exported certificate to a file and, if needed, copy this file to the IDM server.
    7. From a command prompt, navigate to the ‘bin’ directory of the JRE that DirXML runs in (for example ‘/opt/novell/eDirectory/lib/nds-modules/jre/bin’ on Linux/Unix with eDirectory 8.8.x, or ‘/usr/lib/nds-modules/jre/bin’ on Linux/Unix with eDirectory 8.7.3.x):
    8. Execute the following command to add the certificate to your keystore:
      ./keytool -import -trustcacerts -alias <aliasName> -file <certFile> -keystore ../lib/security/cacerts -storepass <password>
      Replace <aliasName> with a unique name of your choice for the certificate
      Replace <certFile> with the full path and name of the certificate
      Replace <password> with the password to your keystore (the default is ‘changeit’)
      For example: ./keytool -import -trustcacerts -alias ldapServerTrustedRoot0 -file /tmp/cert.b64 -keystore ../lib/security/cacerts -storepass changeit
      Note that a password given with -storepass is visible to other local users in the process list and is saved in the shell history; omitting the option makes keytool prompt for it instead. Confirm the import afterwards with keytool’s -list option and the alias you chose. A running JRE does not necessarily re-read the keystore, so restart eDirectory (and with it the DirXML engine’s JRE) before testing the driver.

An alternative is to follow the steps for securing the Remote Loader in the IDM 3.6.1 documentation (currently located here: http://www.novell.com/documentation/idm36/idm_remoteloader/data/bf7vb78.html ) to perform the same export of the certificate from eDirectory. Whichever method produces the .b64 file, verify it before trusting it in the engine’s keystore: another LDAP utility (possibly after converting the file to DER format) should be able to use it to connect to the server’s LDAPS port.

Import the driver configuration into eDirectory:

  1. From iManager, choose Identity Manager Overview -> select a driverset (or search the entire tree).
  2. Click on the ‘Add Driver’ from the ‘Drivers’ menu drop-down, then click the ‘Next’ button.
  3. Choose the ‘Import a driver configuration from the client (XML file)’ radio button and select the XML file representing the Challenge Set Driver default configuration.
  4. Answer any questions prompted for during the import. This will typically include the Challenge Response administrative user, the password for the Challenge Response administrative user, the LDAP server and the LDAPS (LDAP SSL) port.
  5. Define the driver’s security equivalence (typically an admin when starting out to rule out other problems; see later in the documentation for granular rights required by the driver and configured users) and set excluded users (administrative users, other users or objects that should not be affected by the driver).
  6. Click the ‘Finish’ button and the driver should now be imported into your driver set.
  7. If prompts were not presented for the options mentioned above go to the driver’s list of Global Configuration Values and set them in there. The Challenge Response user’s password will be under the list of Named Passwords for the driver.

Stylesheet

The first question you might have is why a stylesheet as opposed to a DirXML Script policy is used for processing. The answer is that iterating through the challenge set questions can only be accomplished in a stylesheet. Through policy we can only iterate over a nodeset, which doesn’t provide the functionality we need. (Although if that functionality existed, and hopefully it will in the future, it could have been implemented via policy instead.)

Understanding what happens in the XSLT is critical to making changes that fit your specific business cases, handle other events, and so on. With that in mind, let’s examine the stylesheet section by section. If you are unfamiliar with Identity Manager functionality this may be somewhat difficult to follow; please see the available IDM documentation for further information.

NOTE: All <xsl:message> elements are purely for informational purposes to ensure proper handling and, if desired, may be removed. They were intentionally left in for debugging purposes.

Namespaces

xmlns:arlist="http://www.novell.com/nxsl/java/java.util.ArrayList"  xmlns:crobject="http://www.novell.com/nxsl/java/com.novell.security.nmas.mgmt.crwrapper.ChallengeResponseObject" xmlns:crwrapper="http://www.novell.com/nxsl/java/com.novell.security.nmas.mgmt.crwrapper.NMASChallengeResponseWrapper" xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter" xmlns:iter="http://www.novell.com/nxsl/java/java.util.Iterator" xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String" 

These are the key namespaces used throughout the transform and must be present.

Events

<!-- a user add triggers the update of the challenge response set -->
<xsl:template match="add[@class-name='User']" priority="1">

The stylesheet is designed to operate only on User add events: other events, and adds of any other object class, are ignored. The template would have to be adjusted to trigger on other objects or events. The user must already exist before challenge questions or responses can be set, which is why the Null driver was chosen to implement this functionality. The user can be added by any other system (PeopleSoft, SAP, Delimited Text, JDBC, etc.); the driver picks up the add event in eDirectory and does its work.

Since the original release of this driver configuration the policies and stylesheets used have been moved to the Matching policyset. This was done so that any modification that results in a synthetic add will also be a valid operation for the configuration to act on. For example if this configuration were to be used in an existing environment a modification adding an attribute used for Challenge/Response information, or a sync event, would be valid for generating Challenge/Response information for an object. A downside to this implementation is that objects could be sent through the driver repeatedly, overwriting old Challenge/Response data. For this reason a basic check for an add event was added on the Event Transformation policyset which can be quickly disabled if not needed to prevent objects from being processed repeatedly.

Initialization

<!-- SETUP CONTEXT VARIABLES -->
<xsl:variable name="cr-host">~cr-host~</xsl:variable>
<xsl:message>HOST: <xsl:value-of select="$cr-host"/>
</xsl:message>
<xsl:variable name="cr-port">~cr-ssl-port~</xsl:variable>
<xsl:message>PORT: <xsl:value-of select="$cr-port"/>
</xsl:message>
<xsl:variable name="cr-admin-dn">~cr-admin-dn~</xsl:variable>
<xsl:message>ADMIN DN: <xsl:value-of select="$cr-admin-dn"/>
</xsl:message>
<xsl:variable name="cr-admin-pwd">
	<xsl:value-of select="query:getNamedPassword($srcQueryProcessor, 'cr-admin-pwd')"/>
</xsl:variable>

All the parameters needed to make the secure connection to the server are obtained here. NOTE: using a named password keeps the password out of the driver configuration and policies, but it is still disclosed whenever a policy writes it to trace. The <xsl:message> elements above print the host, port and admin DN but not the password; the debugging policy ‘testGetNamedPass0’ mentioned under Troubleshooting does print it, so keep that policy disabled and trace at a low level on production systems.

<!-- CONVERT USER DN TO LDAP FORM -->
<xsl:variable name="cr-user-dn" select="dncv:convert($dnConverter, @qualified-src-dn, 'qualified-slash', 'ldap')"/>
<xsl:message>USER DN: <xsl:value-of select="$cr-user-dn"/>
</xsl:message>
<!-- OBTAIN VALID CONTEXT -->
<xsl:variable name="ldap-ctx" select="crwrapper:getLdapContext($cr-host, $cr-admin-dn, $cr-admin-pwd, $cr-port)"/>
<xsl:variable name="cr-wrapper" select="crwrapper:new($ldap-ctx)"/>

The user’s qualified-src-dn is converted to a form compatible with the API and used (with the connection parameters) to securely retrieve the challenge set assigned that user.

<!-- OBTAIN CHALLENGE OBJECTS FOR USER -->
<xsl:variable name="cr-objects" select="crwrapper:getChallengeResponseObjects($cr-wrapper, $cr-user-dn)"/>
<!-- INITIATE CHALLENGE RESPONSE DEFINITION -->
<xsl:call-template name="set-challenge-responses">
	<xsl:with-param name="cr-iterator" select="arlist:iterator($cr-objects)"/>
	<xsl:with-param name="cr-count" select="1"/>
</xsl:call-template>

The individual challenge question/response pairs are retrieved as an ArrayList. A count (explained later) and an iterator over that ArrayList are passed to the main processing template.

<!-- SAVE RESULTS -->
<xsl:variable name="dummy" select="crwrapper:saveChallengeResponses($cr-wrapper)"/>
<xsl:message>Challenge Set Questions and Responses set!</xsl:message>

Once we return from the main processing template, the results are saved for the user.

Setting the Challenge Questions and Responses

It must be said that there is always going to be a certain amount of modification to this portion of the stylesheet because it MUST match the number and type of questions contained in the challenge set. In this example, our challenge set is defined by three (3) Required questions and four (4) Random questions. The required questions are comprised of two (2) admin-defined and one (1) user-defined question. The random questions are comprised of two (2) admin-defined and two (2) user-defined questions (see the graphic in the attached PDF).

<!-- RECURSIVE TEMPLATE TO DEFINE EACH CHALLENGE QUESTION / RESPONSE PAIR -->
<!-- It is assumed that admin defined questions will only require setting a response, whereas a user defined challenge will require setting both the question and response -->
<xsl:template name="set-challenge-responses">
	<xsl:param name="cr-iterator"/>
	<xsl:param name="cr-count"/>
	<xsl:message>COUNT: <xsl:value-of select="$cr-count"/>
	</xsl:message>

As noted before, this template is recursive in nature. Called by itself, it makes use of the iterator passed in to process each question/response pair in the challenge set.

<xsl:if test="iter:hasNext($cr-iterator)">
	<xsl:variable name="cr-object" select="iter:next($cr-iterator)"/>
	<xsl:choose>
	<!-- ADMIN DEFINED -->
	<xsl:when test="crobject:isChallengeAdminDefined($cr-object)">

Each question is determined to be administrator or user defined because each is handled differently.

<xsl:variable name="cr-question" select="crobject:getChallengeText($cr-object)"/>

If admin-defined, the question text is known and retrieved into this variable.

<!-- if admin defined, we match on question text to set response -->
<xsl:if test="jstring:equalsIgnoreCase($cr-question, '~cr-admin-q1~')">
	<xsl:message>MATCHED ADMIN QUESTION 1</xsl:message>
	<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, add-attr[@attr-name='~cr-resp1-attr~'])"/>
</xsl:if>

In order to set the proper response, the right question must be matched. This is done by matching the question text against a GCV. In this example (and the next two), the response value is pulled from the document, referencing an attribute value which is also specified by a GCV.

<xsl:if test="jstring:equalsIgnoreCase($cr-question, '~cr-admin-q2~')">
	<xsl:message>MATCHED ADMIN QUESTION 2</xsl:message>
	<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, add-attr[@attr-name='~cr-resp2-attr~'])"/>
</xsl:if>

Remember that we had four (4) admin-defined questions in total? That is why the <xsl:if> element is repeated that many times. There should be one per question, so cut and paste this section as many times as needed.

<xsl:if test="jstring:equalsIgnoreCase($cr-question, '~cr-admin-q3~')">
	<xsl:message>MATCHED ADMIN QUESTION 3</xsl:message>
	<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, add-attr[@attr-name='~cr-resp3-attr~'])"/>
</xsl:if>
<xsl:if test="jstring:equalsIgnoreCase($cr-question, '~cr-admin-q4~')">
	<xsl:message>MATCHED ADMIN QUESTION 4</xsl:message>
	<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, '~cr-resp4~')"/>
</xsl:if>

For this question, the response is static text, but specified by a GCV.

<xsl:call-template name="set-challenge-responses">
	<xsl:with-param name="cr-iterator" select="$cr-iterator"/>
	<xsl:with-param name="cr-count" select="$cr-count"/>
</xsl:call-template>

Once done processing the question, we call the same template again, hence the recursion.

</xsl:when>
<!-- USER DEFINED -->
<!-- NOTE:  Required challenges will always come first because they are read in first from the challenge set by the wrapper object -->

User-defined questions are different because we don’t know what the question text is to match on. That is what the count variable is used for – essentially enumerating the number of questions. The wrapper object returns the required questions first and since we have one (1) required, user-defined question – it will be #1 in the count.

<xsl:otherwise>
	<xsl:if test="$cr-count = 1">
		<xsl:message>USER DEFINED QUESTION 1</xsl:message>
		<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, 'test1')"/>
		<xsl:call-template name="set-user-defined-challenge-text">
			<xsl:with-param name="qtext" select="'User defined question 1 (Required)'"/>
			<xsl:with-param name="object" select="$cr-object"/>
		</xsl:call-template>
	</xsl:if>

Since the challenge is user-defined, the question text is set in addition to the response. A separate template is called to set the question text because user-defined text requires special handling. Note that the responses in the default configuration (‘test1’, ‘test2’, ‘test3’) are fixed strings shared by every user and exist only to demonstrate the API call; a deployed configuration must replace them with per-user values (for example an attribute from the add document), otherwise the challenge offers no protection.

	<xsl:if test="$cr-count = 2">
		<xsl:message>USER DEFINED QUESTION 2</xsl:message>
		<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, 'test2')"/>
		<xsl:call-template name="set-user-defined-challenge-text">
			<xsl:with-param name="qtext" select="'User defined question 2 (Random)'"/>
			<xsl:with-param name="object" select="$cr-object"/>
		</xsl:call-template>
	</xsl:if>

Just like the admin-defined questions, there will be a <xsl:if> section for each user-defined question, so you can cut and paste this section as needed too. Note that the count value is used to determine the appropriate question.

	<xsl:if test="$cr-count = 3">
		<xsl:message>USER DEFINED QUESTION 3</xsl:message>
		<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, 'test3')"/>
		<xsl:call-template name="set-user-defined-challenge-text">
			<xsl:with-param name="qtext" select="'User defined question 3 (Random)'"/>
			<xsl:with-param name="object" select="$cr-object"/>
		</xsl:call-template>
	</xsl:if>
	<xsl:call-template name="set-challenge-responses">
		<xsl:with-param name="cr-iterator" select="$cr-iterator"/>
		<xsl:with-param name="cr-count" select="number($cr-count) + 1"/>
	</xsl:call-template>

The recursion continues by calling the same template again; for user-defined questions the count variable is incremented.

</xsl:otherwise>
</xsl:choose>
</xsl:if>
</xsl:template>
<!-- TEMPLATE USED WHEN SETTING USER DEFINED QUESTIONS WHICH REQUIRES SOME SPECIAL HANDLING -->
<xsl:template name="set-user-defined-challenge-text">
	<xsl:param name="qtext"/>
	<xsl:param name="object"/>
	<xsl:choose>
		<xsl:when test="crobject:isChallengeTextSet($object)">
			<xsl:variable name="dummy" select="crobject:resetUserDefinedChallengeText($object, $qtext)"/>
		</xsl:when>
		<xsl:otherwise>
			<xsl:variable name="dummy" select="crobject:setUserDefinedChallengeText($object, $qtext)"/>
		</xsl:otherwise>
	</xsl:choose>
</xsl:template>

The proper call has to be made to either ‘set’ or ‘reset’ the user question text for user-defined challenges so that things are cleaned up properly in eDirectory. This template takes care of making the right call.

Driver Settings

An attempt has been made to simplify configuring the driver as much as possible through the use of global configuration values (GCV’s) and named passwords – features of Identity Manager.

Connection GCVs & Named Password

The driver utilizes API calls that require a secure connection (done via SSL) to the source of the challenge sets. There are three (3) GCVs defining connection information:

cr-admin-dn fully-qualified LDAP DN of the administrative user used to connect with
cr-host the hostname or ip address of the server to connect to
cr-ssl-port an integer value for the LDAPS (SSL) port to connect to eDirectory

The following named password is also used:

cr-admin-pwd the password for the administrative user defined for the LDAPS connection

Question GCVs

The remaining GCVs are used when setting administrator defined questions and responses in the stylesheet. For administrator defined challenges the text of the question is a known value and is matched against a GCV in order to set the appropriate response. There are also GCVs representing the responses: the first three define which attribute supplies the value for the response, the fourth is static text. Examining a piece of the stylesheet shows how these are used:

	<xsl:if test="jstring:equalsIgnoreCase($cr-question, '~cr-admin-q1~')">
		<xsl:message>MATCHED ADMIN QUESTION 1</xsl:message>
		<xsl:variable name="dummy" select="crobject:setChallengeResponseText($cr-object, add-attr[@attr-name='~cr-resp1-attr~'])"/>
	</xsl:if>

The first line tests if the text of the question matches that of the GCV representing the first question (cr-admin-q1). If true, the response value is set using the value of the attribute specified by the GCV defining which attribute (cr-resp1-attr).

It should be noted that the actual question and/or attribute text could have been substituted instead of the GCV. The idea is that once the configuration has been setup, it can be changed from the driver GCVs instead of having to manipulate the stylesheet.

Configuring for Your System

As was mentioned earlier, the stylesheet must contain instructions to set the exact same number of questions specified in the challenge set. Using the default as a template, the stylesheet should be modified to reflect the same number of admin and user defined challenge questions.

The default configuration only handles the generic case of User adds. Some of the responses are defined by attributes on the incoming add – but what if the attribute changes? Further customization will have to be made, probably in another stylesheet, to modify the response when that particular attribute changes.

Another possibility is utilizing user-defined questions in a contextual manner – for example: defining a static question for each department. Ask one question for users in the “Finance” department, another for those in the “Engineering” department. (Of course, you might have two different challenge sets assigned to different OU’s in the tree – thus placement defines which set is associated to the user which is probably the more appropriate thing to do.)

The default configuration shows how to implement the important API calls on the classes used to manipulate the challenge sets. These can be moved and structured in whatever way needed to meet your business needs and requirements.

Permissions

When setting up your environment you will likely want granular permission assignments so that the environment follows least-privilege principles. The user binding via LDAP both reads the settings from the Challenge Set object and writes the Challenge/Response information to the user objects. For the former, the user must be able to read nsimNumberRandomQuestions, nsimRandomQuestions and nsimRequiredQuestions on the Challenge Set, which also means the user must be able to find the Challenge Set by DN. The Challenge Set’s DN is stored on the Universal Password Policy applied to the user, along with a Challenge Set GUID; both must be readable by the LDAP user. Finally, the LDAP user must be able to determine which password policy applies to the user by reading the nspmPasswordPolicyDN attribute, which is consulted in this order: on the user object, on the user’s container, on the user’s partition root, and finally on the ‘cn=Login Policy,cn=Security’ object.

The driver configuration object in eDirectory must also be able to read any attributes the driver configuration uses to build responses to the challenges. For example, if one of the questions is ‘What is your first name?’, the driver configuration must be security equivalent to an object that can read the Given Name attribute (or whichever attribute holds the user’s first name). The default driver configuration uses the Given Name, Surname, and workforceID attributes, so the driver object in eDirectory must have rights to read those from the users for which Challenge/Response information is being set.

When writing the challenge/response information the user accessing eDirectory via LDAP must be able to write to the various attributes on each user, including ‘SAS:Login Configuration’, ‘SAS:Login Configuration Key’, ‘SAS:Login Secret’ and ‘SAS:Login Secret Key’.
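The rights listed above are scattered over several objects, and which partition root and which policy object are involved depends on where the user lives. The following Python script is an added example, not part of the driver configuration or the AppNote: it resolves the password policy the way the Permissions section describes (user, container, partition root, then cn=Login Policy,cn=Security), follows the policy to its Challenge Set, and emits the ACL values the LDAP bind user and the driver object need as an LDIF modify. The ACL value syntax privileges#scope#trustee#attribute and the value 2 for Read are taken from the ACLs in the Environment Data; the privilege bits 4 (Write) and 1 (Browse on [Entry Rights]), the partition layout, the driver object DN and the tree contents are assumptions made for the example, and users are assumed not to carry their own nspmPasswordPolicyDN.

```python
"""Least-privilege ACLs for the Challenge/Response driver (added example).

Assumptions: ACL syntax privileges#scope#trustee#attribute with 2 = Read (from the
page's ACLs); 4 = Write and 1 = Browse on [Entry Rights] are assumed bits; the tree
below is constructed sample data; users carry no nspmPasswordPolicyDN of their own.
"""
READ, WRITE, BROWSE = 2, 4, 1
LOGIN_POLICY_DN = "cn=Login Policy,cn=Security"
CHALLENGE_SET_ATTRS = ("nsimNumberRandomQuestions", "nsimRandomQuestions",
                       "nsimRequiredQuestions")
POLICY_ATTRS = ("nsimChallengeSetDN", "nsimChallengeSetGUID")
SAS_WRITE_ATTRS = ("SAS:Login Configuration", "SAS:Login Configuration Key",
                   "SAS:Login Secret", "SAS:Login Secret Key")
RESPONSE_ATTRS = ("Given Name", "Surname", "workforceID")  # read by the driver object

# Constructed sample tree: DN -> attributes relevant to policy resolution.
SAMPLE_TREE = {
    "ou=testChallengeSet00,o=suse,dc=org": {
        "nspmPasswordPolicyDN": "cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security"},
    "cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security": {
        "nsimChallengeSetDN": "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security"},
    LOGIN_POLICY_DN: {},
}
SAMPLE_PARTITIONS = ["dc=org", "o=suse,dc=org"]  # partition roots (assumed layout)


def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def partition_root(dn, partition_roots):
    """Nearest partition root containing dn (the longest enclosing suffix)."""
    enclosing = [r for r in partition_roots if dn == r or dn.endswith("," + r)]
    if not enclosing:
        raise ValueError(f"no partition root contains {dn}")
    return max(enclosing, key=len)


def policy_lookup_chain(user_dn, partition_roots):
    """Objects on which nspmPasswordPolicyDN is consulted, in order: the user, its
    container, its partition root, then the Login Policy (duplicates dropped)."""
    chain, seen = [], set()
    for dn in (user_dn, parent_dn(user_dn),
               partition_root(user_dn, partition_roots), LOGIN_POLICY_DN):
        if dn not in seen:
            seen.add(dn)
            chain.append(dn)
    return chain


def effective_policy(user_dn, tree, partition_roots):
    """(object the pointer was found on, policy DN), or (None, None)."""
    for dn in policy_lookup_chain(user_dn, partition_roots):
        policy = tree.get(dn, {}).get("nspmPasswordPolicyDN")
        if policy:
            return dn, policy
    return None, None


def acl(privs, scope, trustee, attr):
    return f"{privs}#{scope}#{trustee}#{attr}"


def least_privilege_acls(bind_dn, driver_dn, users_container, tree, partition_roots):
    """(target DN, ACL value) pairs needed for every user under users_container."""
    probe = "cn=anyuser," + users_container       # placeholder DN, only drives the walk
    _, policy_dn = effective_policy(probe, tree, partition_roots)
    if policy_dn is None:
        raise LookupError("no nspmPasswordPolicyDN found on the lookup chain")
    cs_dn = tree[policy_dn]["nsimChallengeSetDN"]
    out = [(users_container, acl(READ, "subtree", bind_dn, "nspmPasswordPolicyDN"))]
    out += [(users_container, acl(WRITE, "subtree", bind_dn, a)) for a in SAS_WRITE_ATTRS]
    out += [(users_container, acl(READ, "subtree", driver_dn, a)) for a in RESPONSE_ATTRS]
    for dn in policy_lookup_chain(probe, partition_roots)[2:]:  # partition root, Login Policy
        out.append((dn, acl(READ, "entry", bind_dn, "nspmPasswordPolicyDN")))
    out += [(policy_dn, acl(READ, "entry", bind_dn, a)) for a in POLICY_ATTRS]
    out.append((cs_dn, acl(BROWSE, "entry", bind_dn, "[Entry Rights]")))  # find it by DN
    out += [(cs_dn, acl(READ, "entry", bind_dn, a)) for a in CHALLENGE_SET_ATTRS]
    return out


def to_ldif(acls):
    """Group ACL values by target object and render one LDIF modify per object."""
    by_dn = {}
    for dn, value in acls:
        by_dn.setdefault(dn, []).append(value)
    records = ["\n".join([f"dn: {dn}", "changetype: modify", "add: ACL"]
                         + [f"ACL: {v}" for v in values] + ["-"])
               for dn, values in by_dn.items()]
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(least_privilege_acls(
        "cn=challengesetadmin,dc=user,dc=system",
        "cn=testChallengeSet00,cn=driverset0,ou=idm,ou=service,o=system",  # assumed driver DN
        "ou=testChallengeSet00,o=suse,dc=org", SAMPLE_TREE, SAMPLE_PARTITIONS)))
```

Feed the generated LDIF to ldapmodify as an administrative user, then start the driver with its security equivalence reduced to the driver object alone; the ChallengeResponseNotApplicableException shown under Troubleshooting is what a missing read on the Challenge Set attributes looks like.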

Environment Data

From my environment the following objects may be useful for testing. Notice that the ACL attributes I left in were for the user accessing the objects via LDAP.

dn: cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security
nsimNumberRandomQuestions: 1
nsimRandomQuestions:: PFJhbmRvbVF1ZXN0aW9ucz48VXNlckRlZmluZWQgTWF4TGVuZ3RoPSIy
 NTUiIE1pbkxlbmd0aD0iMSIvPjxVc2VyRGVmaW5lZCBNYXhMZW5ndGg9IjI1NSIgTWluTGVuZ3RoP
 SIxIi8+PEFkbWluRGVmaW5lZD48UXVlc3Rpb24gTWF4TGVuZ3RoPSIyNTUiIE1pbkxlbmd0aD0iMS
 I+PCFbQ0RBVEFbV2hhdCBpcyB5b3VyIHNvY2lhbCBzZWN1cml0eSBudW1iZXI/XV0+PGRpc3BsYXk
 gZGVmYXVsdD0idHJ1ZSIgeG1sOmxhbmc9ImVuIj48IVtDREFUQVtXaGF0IGlzIHlvdXIgc29jaWFs
 IHNlY3VyaXR5IG51bWJlcj9dXT48L2Rpc3BsYXk+PC9RdWVzdGlvbj48UXVlc3Rpb24gTWF4TGVuZ
 3RoPSIyNTUiIE1pbkxlbmd0aD0iMSI+PCFbQ0RBVEFbV2hhdCBpcyB0aGUgbmFtZSBvZiB0aGUgY2
 9tcGFueSB5b3Ugd29yayBmb3I/XV0+PGRpc3BsYXkgZGVmYXVsdD0idHJ1ZSIgeG1sOmxhbmc9ImV
 uIj48IVtDREFUQVtXaGF0IGlzIHRoZSBuYW1lIG9mIHRoZSBjb21wYW55IHlvdSB3b3JrIGZvcj9d
 XT48L2Rpc3BsYXk+PC9RdWVzdGlvbj48L0FkbWluRGVmaW5lZD48L1JhbmRvbVF1ZXN0aW9ucz4=
nsimRequiredQuestions:: PFJlcXVpcmVkUXVlc3Rpb25zPjxVc2VyRGVmaW5lZCBNYXhMZW5ndG
 g9IjI1NSIgTWluTGVuZ3RoPSIxIi8+PEFkbWluRGVmaW5lZD48UXVlc3Rpb24gTWF4TGVuZ3RoPSI
 yNTUiIE1pbkxlbmd0aD0iMSI+PCFbQ0RBVEFbV0hBVCBJUyBZT1VSIEZJUlNUIE5BTUU/XV0+PGRp
 c3BsYXkgZGVmYXVsdD0idHJ1ZSIgeG1sOmxhbmc9ImVuIj48IVtDREFUQVtXSEFUIElTIFlPVVIgR
 klSU1QgTkFNRT9dXT48L2Rpc3BsYXk+PC9RdWVzdGlvbj48UXVlc3Rpb24gTWF4TGVuZ3RoPSIyNT
 UiIE1pbkxlbmd0aD0iMSI+PCFbQ0RBVEFbd2hhdCBpcyB5b3VyIGxhc3QgbmFtZT9dXT48ZGlzcGx
 heSBkZWZhdWx0PSJ0cnVlIiB4bWw6bGFuZz0iZW4iPjwhW0NEQVRBW3doYXQgaXMgeW91ciBsYXN0
 IG5hbWU/XV0+PC9kaXNwbGF5PjwvUXVlc3Rpb24+PC9BZG1pbkRlZmluZWQ+PC9SZXF1aXJlZFF1Z
 XN0aW9ucz4=
objectClass: nsimChallengeSet
objectClass: Top
cn: testCSForChallengeSetDriver00
ACL: 2#entry#cn=challengesetadmin,dc=user,dc=system#nsimNumberRandomQuestions
ACL: 2#entry#cn=challengesetadmin,dc=user,dc=system#nsimRandomQuestions
ACL: 2#entry#cn=challengesetadmin,dc=user,dc=system#nsimRequiredQuestions

#Password Policy which links to the Challenge Set above (import the other first)
dn: cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security
nsimPwdRuleEnforcement: FALSE
nsimChallengeSetGUID: 1254198040500
nsimChallengeSetDN: cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=S
 ecurity
nsimAssignments: ou=testChallengeSet00,o=suse,dc=org
nsimForgottenAction:: PEZvcmdvdHRlblBhc3N3b3JkPjxFbmFibGVkPnRydWU8L0VuYWJsZWQ+
 PFNlcXVlbmNlPjxBdXRoZW50aWNhdGlvbj48IVtDREFUQVt0ZXN0Q1NGb3JDYWxsZW5nZVNldERya
 XZlcjAwLlBhc3N3b3JkIFBvbGljaWVzLlNlY3VyaXR5XV0+PC9BdXRoZW50aWNhdGlvbj48QWN0aW
 9uPkNoYW5nZVBhc3N3b3JkPC9BY3Rpb24+PC9TZXF1ZW5jZT48L0ZvcmdvdHRlblBhc3N3b3JkPg=
 =
nsimForgottenLoginConfig: TRUE
nspmExtendedCharactersAllowed: TRUE
nspmCaseSensitive: TRUE
nspmSpecialAsLastCharacter: TRUE
nspmSpecialAsFirstCharacter: TRUE
nspmSpecialCharactersAllowed: TRUE
nspmNumericAsLastCharacter: TRUE
nspmNumericAsFirstCharacter: TRUE
nspmNumericCharactersAllowed: TRUE
nspmAdminsDoNotExpirePassword: FALSE
nspmConfigurationOptions: 852
passwordUniqueRequired: FALSE
passwordMinimumLength: 6
passwordAllowChange: TRUE
objectClass: nspmPasswordPolicy
objectClass: Top
description: For using with the testChallengeSet00 driver configuration.
cn: testChallengeSetPasswordPolicy
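The stylesheet section above insists that the <xsl:if> blocks match the number and type of questions in the challenge set, and the count-based handling of user-defined questions depends on the order in which the wrapper hands challenges to the template. The following Python script is an added example, not part of the AppNote or the driver configuration: it unfolds and base64-decodes an LDIF export of an nsimChallengeSet like the one above, lists the challenges in the order the template will see them, records the cr-count each user-defined slot receives, and flags admin-defined questions that no cr-admin-qN GCV matches (the template’s <xsl:if> tests simply do not fire for those, so the response stays unset with nothing in trace). The sample LDIF is constructed inside the script from XML with the same layout as the decoded nsimRequiredQuestions and nsimRandomQuestions values above. The assumption that challenges within each section come back in document order is mine; the stylesheet only guarantees that required challenges precede random ones.

```python
"""Decode an nsimChallengeSet LDIF export and predict the order in which the
driver's recursive set-challenge-responses template will see each challenge.

Added example, not part of the driver configuration. Assumption: within the
required and random sections the wrapper returns challenges in the document
order of the XML (the stylesheet only guarantees required-before-random).
"""
import base64
import xml.etree.ElementTree as ET

# --- constructed sample, same layout as the decoded nsim*Questions values ---
_Q = ('<Question MaxLength="255" MinLength="1"><![CDATA[{t}]]>'
      '<display default="true" xml:lang="en"><![CDATA[{t}]]></display></Question>')
_REQUIRED_XML = ('<RequiredQuestions><UserDefined MaxLength="255" MinLength="1"/>'
                 '<AdminDefined>' + _Q.format(t="WHAT IS YOUR FIRST NAME?")
                 + _Q.format(t="what is your last name?")
                 + '</AdminDefined></RequiredQuestions>')
_RANDOM_XML = ('<RandomQuestions><UserDefined MaxLength="255" MinLength="1"/>'
               '<UserDefined MaxLength="255" MinLength="1"/><AdminDefined>'
               + _Q.format(t="What is your social security number?")
               + _Q.format(t="What is the name of the company you work for?")
               + '</AdminDefined></RandomQuestions>')


def _ldif_b64(name, value):
    """Emit 'name:: <base64>' folded at 76 columns with LDIF continuation lines."""
    line = f"{name}:: " + base64.b64encode(value.encode()).decode()
    return "\n".join([line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)])


SAMPLE_LDIF = "\n".join([
    "dn: cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security",
    "nsimNumberRandomQuestions: 1",
    _ldif_b64("nsimRandomQuestions", _RANDOM_XML),
    _ldif_b64("nsimRequiredQuestions", _REQUIRED_XML),
    "objectClass: nsimChallengeSet",
    "objectClass: Top",
    "cn: testCSForChallengeSetDriver00",
])


def parse_ldif_entry(text):
    """Unfold continuation lines and decode '::' (base64) values of one LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        if ":: " in line:
            name, b64 = line.split(":: ", 1)
            value = base64.b64decode(b64).decode("utf-8")
        else:
            name, value = line.split(": ", 1)
        entry.setdefault(name, []).append(value)
    return entry


def challenges(entry):
    """(section, kind, question_text) in the order the template receives them:
    required section first, then random; within a section, document order."""
    out = []
    for section, attr in (("required", "nsimRequiredQuestions"),
                          ("random", "nsimRandomQuestions")):
        for node in ET.fromstring(entry[attr][0]).iter():
            if node.tag == "UserDefined":
                out.append((section, "user", None))        # text is set by the driver
            elif node.tag == "Question":
                out.append((section, "admin", (node.text or "").strip()))
    return out


def stylesheet_plan(entry):
    """Mirror set-challenge-responses: admin-defined challenges are matched on
    question text (equalsIgnoreCase against the cr-admin-qN GCVs); user-defined
    ones are identified only by cr-count, which the template increments after
    each user-defined challenge and leaves unchanged for admin-defined ones."""
    plan, count = [], 1
    for section, kind, text in challenges(entry):
        if kind == "admin":
            plan.append({"section": section, "kind": "admin", "match": text.casefold()})
        else:
            plan.append({"section": section, "kind": "user", "cr_count": count})
            count += 1
    return plan


def unmatched_admin_questions(plan, gcv_questions):
    """Admin-defined questions no cr-admin-qN GCV matches: the <xsl:if> tests never
    fire for these, so their response is silently left unset."""
    wanted = {q.casefold() for q in gcv_questions}
    return [p["match"] for p in plan if p["kind"] == "admin" and p["match"] not in wanted]


if __name__ == "__main__":
    plan = stylesheet_plan(parse_ldif_entry(SAMPLE_LDIF))
    for p in plan:
        print(p)
    print("unmatched:", unmatched_admin_questions(plan, [
        "What is your first name?", "What is your last name?",
        "What is your social security number?"]))
```

Run it against the output of an ldapsearch for the real Challenge Set to get the cr-count for each user-defined slot and the exact text to put in the cr-admin-qN GCVs. Decoding the set is also the quickest way to review what the admin-defined questions actually are: a question whose answer is obtainable elsewhere, such as the social security number question in the sample, defeats the purpose of the challenge.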

Troubleshooting

A lack of rights to read the Challenge Set attributes (nsimNumberRandomQuestions, nsimRandomQuestions and nsimRequiredQuestions must all be readable) may result in an exception like the following:

[09/28/09 21:32:05.247]:testChallengeSet00 ST:  %13Cxsl:message -> USER DN: CN=challengesetadmin,dc=user,dc=system
[09/28/09 21:32:05.361]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9061) Error processing XSLT policy: vnd.nds.stream://IDM0TREE0/system/service/idm/driverset0/testChallengeSet00/Subscriber/Populate+Challenge+Response+Set#XmlData (44): <xsl:variable
>: expression evaluation error: function call to 'crwrapper:getChallengeResponseObjects' resulted in an error: 'com.novell.security.nmas.mgmt.crwrapper.exceptions.ChallengeResponseNotApplicableException'
[09/28/09 21:32:05.382]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9010) An exception occurred: java.lang.NullPointerException
        at com.novell.xml.xpath.FunctionCall.frameArguments(FunctionCall.java:191)
        at com.novell.xml.xpath.FunctionCall.evaluate(FunctionCall.java:88)
        at com.novell.xml.xpath.ExpressionContext.evaluate(ExpressionContext.java:67)
        at com.novell.xsl.process.WithParamTemplate.instantiate(WithParamTemplate.java:69)
        at com.novell.xsl.process.CallTemplate.instantiate(CallTemplate.java:72)
        at com.novell.xsl.process.TemplateRule.instantiate(TemplateRule.java:148)
        at com.novell.xsl.process.ProcessingEnv.processWithRule(ProcessingEnv.java:314)
        at com.novell.xsl.process.ProcessingEnv.process(ProcessingEnv.java:228)
        at com.novell.xsl.process.ApplyTemplatesTemplate.instantiate(ApplyTemplatesTemplate.java:220)
        at com.novell.xsl.process.TemplateCollection.instantiateTemplates(TemplateCollection.java:102)
        at com.novell.xsl.process.CopyTemplate.instantiate(CopyTemplate.java:100)
        at com.novell.xsl.process.TemplateRule.instantiate(TemplateRule.java:148)
        at com.novell.xsl.process.ProcessingEnv.processWithRule(ProcessingEnv.java:314)
        at com.novell.xsl.process.ProcessingEnv.process(ProcessingEnv.java:228)
        at com.novell.xsl.process.ApplyTemplatesTemplate.instantiate(ApplyTemplatesTemplate.java:220)
        at com.novell.xsl.process.TemplateCollection.instantiateTemplates(TemplateCollection.java:102)
        at com.novell.xsl.process.CopyTemplate.instantiate(CopyTemplate.java:100)
        at com.novell.xsl.process.TemplateRule.instantiate(TemplateRule.java:148)
        at com.novell.xsl.process.ProcessingEnv.processWithRule(ProcessingEnv.java:314)
        at com.novell.xsl.process.ProcessingEnv.process(ProcessingEnv.java:228)
        at com.novell.xsl.process.ApplyTemplatesTemplate.instantiate(ApplyTemplatesTemplate.java:220)
        at com.novell.xsl.process.BuiltInTemplateRule.instantiate(BuiltInTemplateRule.java:98)
        at com.novell.xsl.process.ProcessingEnv.processWithRule(ProcessingEnv.java:314)
        at com.novell.xsl.process.ProcessingEnv.process(ProcessingEnv.java:228)
        at com.novell.xsl.Stylesheet.process(Stylesheet.java:1612)
        at com.novell.xsl.Stylesheet.process(Stylesheet.java:1489)
        at com.novell.nds.dirxml.engine.rules.XSLTRuleProcessor.applyRules(XSLTRuleProcessor.java:185)
        at com.novell.nds.dirxml.engine.rules.DirXMLScriptProcessor.applyRules(DirXMLScriptProcessor.java:405)
        at com.novell.nds.dirxml.engine.Subscriber.processEvents(Subscriber.java:854)
        at com.novell.nds.dirxml.engine.Driver.submitTransaction(Driver.java:624)
        at com.novell.nds.dirxml.engine.DriverEntry.submitTransaction(DriverEntry.java:1050)
        at com.novell.nds.dirxml.engine.DriverEntry.processCachedTransaction(DriverEntry.java:934)
        at com.novell.nds.dirxml.engine.DriverEntry.eventLoop(DriverEntry.java:756)
        at com.novell.nds.dirxml.engine.DriverEntry.run(DriverEntry.java:561)


An inability to read the Named Password (cr-admin-pwd) value will look similar to the following. Notice the lack of a password in the return document, as well as in the debugging message that should show the password’s text. A policy named ‘testGetNamedPass0’ is also included in the driver configuration; it is not linked to any policy set, but it can be enabled to trace the Challenge Response user’s password for debugging purposes.

[09/28/09 17:38:27.303]:testChallengeSet00 ST:  Submitting document to subscriber shim:
[09/28/09 17:38:27.304]:testChallengeSet00 ST:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4789">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <get-named-password event-id="0">cr-admin-pwd</get-named-password>
  </input>
</nds>
[09/28/09 17:38:27.309]:testChallengeSet00 ST:  SubscriptionShim.execute() returned:
[09/28/09 17:38:27.310]:testChallengeSet00 ST:
<nds dtdversion="3.5">
  <source>
    <product instance="testChallengeSet00" version="3.6.10.4747">DirXML Null Driver</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <status event-id="0" level="success"/>
  </output>
</nds>
[09/28/09 17:38:27.311]:testChallengeSet00 ST:  No input transformation policies.
[09/28/09 17:38:27.312]:testChallengeSet00 ST:  Applying schema mapping policies to input.
[09/28/09 17:38:27.312]:testChallengeSet00 ST:  Applying policy: %+C%14CMappingRule%-C.
[09/28/09 17:38:27.314]:testChallengeSet00 ST:  Resolving association references.
[09/28/09 17:38:27.318]:testChallengeSet00 ST:  Query from policy result
[09/28/09 17:38:27.319]:testChallengeSet00 ST:
<nds dtdversion="3.5">
  <source>
    <product instance="testChallengeSet00" version="3.6.10.4747">DirXML Null Driver</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <status event-id="0" level="success"/>
  </output>
</nds>
[09/28/09 17:38:27.321]:testChallengeSet00 ST:  %13Cxsl:message -> ADMIN PWD:
[09/28/09 17:38:27.322]:testChallengeSet00 ST:  %13Cxsl:message -> USER DN: CN=testcs00,OU=testChallengeSet00,O=suse,dc=org

Errors resulting from a user’s password policy not being set to a valid Challenge Response policy:

[09/29/09 00:36:08.558]:testChallengeSet00 ST:  %13Cxsl:message -> USER DN: CN=test0,OU=testChallengeSet00,O=suse,dc=org
[09/29/09 00:36:08.660]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9061) Error processing XSLT policy: vnd.nds.stream://IDM0TREE0/system/service/idm/driverset0/testChallengeSet00/Subscriber/Populate+Challenge+Response+Set#XmlData (44): <xsl:variable>: expression evaluation error: function call to 'crwrapper:getChallengeResponseObjects' resulted in an error: 'com.novell.security.nmas.mgmt.crwrapper.exceptions.ChallengeResponseNotApplicableException'
[09/29/09 00:36:08.674]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 00:36:08.675]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 1
[09/29/09 00:36:08.676]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 00:36:08.677]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 2
[09/29/09 00:36:08.678]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 00:36:08.679]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 3
[09/29/09 00:36:08.680]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 00:36:08.681]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 4
[09/29/09 00:36:08.682]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 00:36:08.684]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9061) Error processing XSLT policy: vnd.nds.stream://IDM0TREE0/system/service/idm/driverset0/testChallengeSet00/Subscriber/Populate+Challenge+Response+Set#XmlData (51): <xsl:variable>: expression evaluation error: function call to 'crwrapper:saveChallengeResponses' resulted in an error: 'java.lang.NullPointerException'
[09/29/09 00:36:08.696]:testChallengeSet00 ST:  %13Cxsl:message -> Challenge Set Questions and Responses set!
[09/29/09 00:36:08.697]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9037) One or more errors occurred while processing an XSLT policy.
[09/29/09 00:36:08.708]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9083) Error submitting event to subscriber: Code(-9037) One or more errors occurred while processing an XSLT policy.
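
To triage traces like the two above without reading them by hand, here is an added Python helper (it is not part of the driver configuration or the article) that parses the DirXML trace format shown on this page and maps the error signatures it contains to the cause the text associates with them; the sample trace embedded in it is constructed from the excerpts above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Trace line prefix as emitted by the IDM engine: "[MM/DD/YY HH:MM:SS.mmm]:<driver> ST:  <body>"
TRACE_RE = re.compile(
    r"^\[(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\]:(?P<driver>\S+) ST:\s*(?P<body>.*)$"
)
CODE_RE = re.compile(r"Code\((?P<code>-\d+)\)")
# "(44)" after #XmlData is the line inside the XSLT policy that failed
POLICY_LINE_RE = re.compile(r"#XmlData \((?P<line>\d+)\)")
FUNC_RE = re.compile(
    r"function call to '(?P<func>[^']+)' resulted in an error: '(?P<exc>[^']+)'"
)
# Debug output of the stylesheet. Note that this message prints the named
# password into the trace, so the debug policy should only be enabled while
# troubleshooting.
ADMIN_PWD_RE = re.compile(r"xsl:message -> ADMIN PWD:\s*(?P<value>.*)$")

# Exception class names seen in the trace excerpts, mapped to the
# misconfiguration the article associates with each of them.
DIAGNOSES = {
    "ChallengeResponseNotApplicableException":
        "user's password policy is not a valid Challenge Response policy",
    "NullPointerException":
        "crwrapper received a null argument (usually a follow-on of the previous error)",
}
SUMMARY_CODES = ("-9037", "-9083")  # aggregate errors that only repeat earlier ones


@dataclass
class Finding:
    timestamp: str                 # timestamp of the trace line preceding the event
    code: Optional[str]            # DirXML error code, e.g. "-9061"
    policy_line: Optional[str]     # failing line inside the XSLT policy, e.g. "44"
    function: Optional[str]        # failing crwrapper extension function, if any
    diagnosis: str


def triage(trace_text: str) -> List[Finding]:
    """Scan driver trace text and return one Finding per recognised problem."""
    findings: List[Finding] = []
    last_ts = ""
    for raw in trace_text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m:
            last_ts = m.group("ts")
            pwd = ADMIN_PWD_RE.search(m.group("body"))
            if pwd and not pwd.group("value"):
                findings.append(Finding(last_ts, None, None, None,
                    "named password cr-admin-pwd could not be read (empty ADMIN PWD)"))
            continue
        # Remaining lines of interest are the "Message:" lines of a DirXML Log Event block
        if not line.startswith("Message:"):
            continue
        code = CODE_RE.search(line)
        pol = POLICY_LINE_RE.search(line)
        fn = FUNC_RE.search(line)
        if fn:
            simple_exc = fn.group("exc").rsplit(".", 1)[-1]
            diagnosis = DIAGNOSES.get(simple_exc, "unrecognised exception: " + simple_exc)
        elif code and code.group("code") in SUMMARY_CODES:
            diagnosis = "summary error; see the preceding -9061 events for the cause"
        else:
            diagnosis = "unclassified DirXML error"
        findings.append(Finding(
            last_ts,
            code.group("code") if code else None,
            pol.group("line") if pol else None,
            fn.group("func") if fn else None,
            diagnosis,
        ))
    return findings


def root_causes(findings: List[Finding]) -> List[Finding]:
    """Drop the aggregate -9037/-9083 events so only actionable findings remain."""
    return [f for f in findings if f.code not in SUMMARY_CODES]


# Constructed sample, assembled from the trace excerpts on this page.
SAMPLE_TRACE = r"""
[09/28/09 17:38:27.321]:testChallengeSet00 ST:  %13Cxsl:message -> ADMIN PWD:
[09/28/09 17:38:27.322]:testChallengeSet00 ST:  %13Cxsl:message -> USER DN: CN=testcs00,OU=testChallengeSet00,O=suse,dc=org
[09/29/09 00:36:08.660]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9061) Error processing XSLT policy: vnd.nds.stream://IDM0TREE0/system/service/idm/driverset0/testChallengeSet00/Subscriber/Populate+Challenge+Response+Set#XmlData (44): <xsl:variable>: expression evaluation error: function call to 'crwrapper:getChallengeResponseObjects' resulted in an error: 'com.novell.security.nmas.mgmt.crwrapper.exceptions.ChallengeResponseNotApplicableException'
[09/29/09 00:36:08.684]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Message:  Code(-9061) Error processing XSLT policy: vnd.nds.stream://IDM0TREE0/system/service/idm/driverset0/testChallengeSet00/Subscriber/Populate+Challenge+Response+Set#XmlData (51): <xsl:variable>: expression evaluation error: function call to 'crwrapper:saveChallengeResponses' resulted in an error: 'java.lang.NullPointerException'
[09/29/09 00:36:08.697]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Message:  Code(-9037) One or more errors occurred while processing an XSLT policy.
"""

if __name__ == "__main__":
    for f in root_causes(triage(SAMPLE_TRACE)):
        print(f"{f.timestamp} code={f.code} policy_line={f.policy_line} "
              f"function={f.function}: {f.diagnosis}")
```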

ndstrace output showing NMAS, AUTH, and LDAP output from a successful user creation and Challenge/Response driver processing:

3062406048 LDAP: [2009/09/28 22:46:17.109] New cleartext connection 0x9fd8c80 from 164.99.194.2:45935, monitor = 0x9d150ba0, index = 1
2628512672 LDAP: [2009/09/28 22:46:17.110] (164.99.194.2:45935)(0x0001:0x60) DoBind on connection 0x9fd8c80
2628512672 LDAP: [2009/09/28 22:46:17.110] (164.99.194.2:45935)(0x0001:0x60) Bind name:cn=admin,dc=user,dc=system, version:3, authentication:simple
2628512672 NMAS: [2009/09/28 22:46:17.110] 28: Create NMAS Session
2628512672 NMAS: [2009/09/28 22:46:17.110] 28: Trying local password login shortcut for CN=admin.dc=user.dc=system
2628512672 NMAS: [2009/09/28 22:46:17.114] 28: IP client network address
3064511392 AUTH: [2009/09/28 22:46:17.123] Starting SEV calculation for conn 24, entry .admin.user.system.IDM0TREE0..
3064511392 AUTH: [2009/09/28 22:46:17.123] 1 GlobalGetSEV.
3064511392 AUTH: [2009/09/28 22:46:17.123] 4 GlobalGetSEV succeeded.
3064511392 AUTH: [2009/09/28 22:46:17.123] SEV calculation complete for conn 24, (0:0 s:ms).
2628512672 NMAS: [2009/09/28 22:46:17.124] 28: NMAS Audit 0x290005 logged
2628512672 NMAS: [2009/09/28 22:46:17.124] 28: Local password login shortcut successful
2628512672 NMAS: [2009/09/28 22:46:17.124] 28: Client Session Destroy Request
2628512672 NMAS: [2009/09/28 22:46:17.124] 28: Destroy NMAS Session
2628512672 NMAS: [2009/09/28 22:46:17.124] 28: Aborted Session Destroyed (with MAF)
2628512672 AUTH: [2009/09/28 22:46:17.124] SPM Login for user [0000802e] <.admin.user.system.IDM0TREE0.> returned NMAS error = 0, fallback to NDS = false
2628512672 AUTH: [2009/09/28 22:46:17.124] [0000802e] <.admin.user.system.IDM0TREE0.> LocalLoginRequest. Error success, conn: 16.
2628512672 LDAP: [2009/09/28 22:46:17.124] (164.99.194.2:45935)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x9fd8c80
2634349472 LDAP: [2009/09/28 22:46:17.196] (164.99.194.2:45935)(0x0002:0x68) DoAdd on connection 0x9fd8c80
2634349472 LDAP: [2009/09/28 22:46:17.196] (164.99.194.2:45935)(0x0002:0x68)     add: dn (cn=test0,ou=testchallengeset00,o=suse,dc=org)
2634349472 NMAS: [2009/09/28 22:46:17.216] Attempting to create key
2634349472 NMAS: [2009/09/28 22:46:17.223] Encryption key created for CN=test0.OU=testChallengeSet00.O=suse.dc=org
2634349472 NMAS: [2009/09/28 22:46:17.230] NMAS Audit 0x29006a logged
3062406048 LDAP: [2009/09/28 22:46:17.243] New TLS connection 0x9fd8780 from 151.155.130.10:8626, monitor = 0x9d150ba0, index = 3
2635402144 LDAP: [2009/09/28 22:46:17.247] Monitor 0x9d150ba0 initiating TLS handshake on connection 0x9fd8780
2638302112 LDAP: [2009/09/28 22:46:17.248] (151.155.130.10:8626)(0x0000:0x00) DoTLSHandshake on connection 0x9fd8780
2634349472 NMAS: [2009/09/28 22:46:17.254] Successful set password for CN=test0.OU=testChallengeSet00.O=suse.dc=org
2634349472 AUTH: [2009/09/28 22:46:17.254] SPM Set Password for user [00041307] <.test0.testChallengeSet00.suse.org.IDM0TREE0.> returned NMAS error = 0, fallback to NDS = false
2634349472 LDAP: [2009/09/28 22:46:17.255] (164.99.194.2:45935)(0x0002:0x68) Sending operation result 0:"":"" to connection 0x9fd8c80
2638302112 LDAP: [2009/09/28 22:46:17.299] BIO ctrl called with unknown cmd 7
2638302112 LDAP: [2009/09/28 22:46:17.299] (151.155.130.10:8626)(0x0000:0x00) Completed TLS handshake on connection 0x9fd8780
2634349472 LDAP: [2009/09/28 22:46:17.301] (151.155.130.10:8626)(0x0001:0x60) DoBind on connection 0x9fd8780
2634349472 LDAP: [2009/09/28 22:46:17.301] (151.155.130.10:8626)(0x0001:0x60) Bind name:cn=challengesetadmin,dc=user,dc=system, version:3, authentication:simple
2634349472 NMAS: [2009/09/28 22:46:17.302] 29: Destroy NMAS Session for reuse
2634349472 NMAS: [2009/09/28 22:46:17.302] 29: Create NMAS Session
2634349472 NMAS: [2009/09/28 22:46:17.302] 29: Trying local password login shortcut for CN=challengesetadmin.dc=user.dc=system
2634349472 NMAS: [2009/09/28 22:46:17.307] 29: IP client network address
2633296800 AUTH: [2009/09/28 22:46:17.312] Starting SEV calculation for conn 25, entry .challengesetadmin.user.system.IDM0TREE0..
2633296800 AUTH: [2009/09/28 22:46:17.312] 1 GlobalGetSEV.
2633296800 AUTH: [2009/09/28 22:46:17.312] 4 GlobalGetSEV succeeded.
2633296800 AUTH: [2009/09/28 22:46:17.312] SEV calculation complete for conn 25, (0:0 s:ms).
2634349472 NMAS: [2009/09/28 22:46:17.313] 29: NMAS Audit 0x290005 logged
2634349472 NMAS: [2009/09/28 22:46:17.313] 29: Local password login shortcut successful
2634349472 NMAS: [2009/09/28 22:46:17.313] 29: Client Session Destroy Request
2634349472 NMAS: [2009/09/28 22:46:17.313] 29: Destroy NMAS Session
2634349472 NMAS: [2009/09/28 22:46:17.313] 29: Aborted Session Destroyed (with MAF)
2634349472 AUTH: [2009/09/28 22:46:17.313] SPM Login for user [00041301] <.challengesetadmin.user.system.IDM0TREE0.> returned NMAS error = 0, fallback to NDS = false
2634349472 AUTH: [2009/09/28 22:46:17.313] [00041301] <.challengesetadmin.user.system.IDM0TREE0.> LocalLoginRequest. Error success, conn: 16.
2634349472 LDAP: [2009/09/28 22:46:17.313] (151.155.130.10:8626)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.315] (151.155.130.10:8626)(0x0002:0x77) DoExtended on connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.315] (151.155.130.10:8626)(0x0002:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.19
3051879328 LDAP: [2009/09/28 22:46:17.317] (151.155.130.10:8626)(0x0002:0x77) Sending operation result 0:"":"" to connection 0x9fd8780
3053984672 LDAP: [2009/09/28 22:46:17.319] (151.155.130.10:8626)(0x0003:0x63) DoSearch on connection 0x9fd8780
3053984672 LDAP: [2009/09/28 22:46:17.319] (151.155.130.10:8626)(0x0003:0x63) Search request:
        base: "cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        attribute: "nsimChallengeSetDN"
3053984672 LDAP: [2009/09/28 22:46:17.321] (151.155.130.10:8626)(0x0003:0x63) Sending search result entry "cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security" to connection 0x9fd8780
3053984672 NMAS: [2009/09/28 22:46:17.321] 30: Create NMAS Session
3053984672 NMAS: [2009/09/28 22:46:17.322] 30: Proxy client address 151 155 130 10
3053984672 NMAS: [2009/09/28 22:46:17.323] 30: NMAS Client supplied user DN CN=challengesetadmin.dc=user.dc=system
3051879328 LDAP: [2009/09/28 22:46:17.330] (164.99.194.2:45935)(0x0003:0x42) DoUnbind on connection 0x9fd8c80
3051879328 LDAP: [2009/09/28 22:46:17.330] Connection 0x9fd8c80 closed
3053984672 NMAS: [2009/09/28 22:46:17.332] 30: Create thread request
3053984672 NMAS: [2009/09/28 22:46:17.332] 30: Using thread 0x8dac3e8
3053984672 NMAS: [2009/09/28 22:46:17.332] 30: Server thread started
3053984672 NMAS: [2009/09/28 22:46:17.332] 30: Proxy client started local server session
2624244640 NMAS: [2009/09/28 22:46:17.332] 30: Pool thread 0x8dac3e8 awake with new work
3053984672 NMAS: [2009/09/28 22:46:17.333] 30: NMAS Audit 0x290032 logged
2624244640 NMAS: [2009/09/28 22:46:17.334] 30: NMAS Audit 0x290002 logged
2624244640 NMAS: [2009/09/28 22:46:17.334] 30: CanDo
2624244640 NMAS: [2009/09/28 22:46:17.335] 30: IP client network address
2624244640 NMAS: [2009/09/28 22:46:17.336] 30: Selected default login sequence == "NDS"
2624244640 NMAS: [2009/09/28 22:46:17.337] 30: Login Method 0x00000007
2624244640 NMAS: [2009/09/28 22:46:17.337] 30: Server Module 0x00000007 Get attribute AID: 1
2624244640 NMAS: [2009/09/28 22:46:17.337] 30: Begin Server Module 0x00000007
2624244640 NMAS: [2009/09/28 22:46:17.337] 30: Server Module 0x00000007 Get attribute AID: 39
2624244640 NMAS: [2009/09/28 22:46:17.338] 30: Server Module 0x00000007 Get Password
2624244640 NMAS: [2009/09/28 22:46:17.338] 30: Server Module 0x00000007 Write
2624244640 NMAS: [2009/09/28 22:46:17.338] 30: Server Module 0x00000007 XWrite
2624244640 NMAS: [2009/09/28 22:46:17.338] 30: Server Module 0x00000007 XRead
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Begin Client Module 0x00000007
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Client Module 0x00000007 Get attribute AID: 6
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Client Module 0x00000007 Get attribute AID: 40
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Client Module 0x00000007 Read
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Client Module 0x00000007 XRead
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Client Module 0x00000007 XWrite
3053984672 NMAS: [2009/09/28 22:46:17.338] 30: Client Module 0x00000007 XRead
2624244640 NMAS: [2009/09/28 22:46:17.339] 30: NMAS Audit 0x290001 logged
2624244640 NMAS: [2009/09/28 22:46:17.339] 30: Server Module 0x00000007 XWrite
2624244640 NMAS: [2009/09/28 22:46:17.339] 30: Server Module 0x00000007 Read
3053984672 NMAS: [2009/09/28 22:46:17.340] 30: NMAS Audit 0x290031 logged
3053984672 NMAS: [2009/09/28 22:46:17.340] 30: Client Module 0x00000007 Write
3053984672 NMAS: [2009/09/28 22:46:17.340] 30: Client Module 0x00000007 Finished
2624244640 NMAS: [2009/09/28 22:46:17.340] 30: Server Module 0x00000007 Successful
2624244640 NMAS: [2009/09/28 22:46:17.340] 30: NDS Login Method Successful
3053984672 NMAS: [2009/09/28 22:46:17.340] 30: NMAS Audit 0x290034 logged
2624244640 NMAS: [2009/09/28 22:46:17.341] 30: NMAS Audit 0x290004 logged
2624244640 NMAS: [2009/09/28 22:46:17.341] 30: WhatNext
2624244640 NMAS: [2009/09/28 22:46:17.344] 30: Successful login
3053984672 NMAS: [2009/09/28 22:46:17.344] 30: NMAS Audit 0x290036 logged
2624244640 NMAS: [2009/09/28 22:46:17.345] 30: Acknowledge
2624244640 NMAS: [2009/09/28 22:46:17.346] 30: NMAS Audit 0x290005 logged
2624244640 NMAS: [2009/09/28 22:46:17.346] 30: Server thread exited
2624244640 NMAS: [2009/09/28 22:46:17.346] 30: Pool thread 0x8dac3e8 work complete
3053984672 NMAS: [2009/09/28 22:46:17.348] 30: Connection identity set successfully
3053984672 NMAS: [2009/09/28 22:46:17.348] 30: Client Session Destroy Request
3053984672 AUTH: [2009/09/28 22:46:17.348] SPM Login for user [00041301] <.challengesetadmin.user.system.IDM0TREE0.> returned NMAS error = 0, fallback to NDS = false
3053984672 LDAP: [2009/09/28 22:46:17.349] (151.155.130.10:8626)(0x0003:0x63) Sending operation result 0:"":"" to connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.351] (151.155.130.10:8626)(0x0004:0x77) DoExtended on connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.351] (151.155.130.10:8626)(0x0004:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.3
3051879328 NMAS: [2009/09/28 22:46:17.354] NMAS Audit 0x290062 logged
3051879328 NMAS: [2009/09/28 22:46:17.355] NMAS Audit 0x290062 logged
3051879328 NMAS: [2009/09/28 22:46:17.355] ERROR: -16049 Failed to retrieve data in login config with tag: ChallengeResponseQuestions
3051879328 LDAP: [2009/09/28 22:46:17.355] (151.155.130.10:8626)(0x0004:0x77) Sending operation result 0:"":"" to connection 0x9fd8780
2638302112 LDAP: [2009/09/28 22:46:17.357] (151.155.130.10:8626)(0x0005:0x63) DoSearch on connection 0x9fd8780
2638302112 LDAP: [2009/09/28 22:46:17.357] (151.155.130.10:8626)(0x0005:0x63) Search request:
        base: "cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        attribute: "nsimChallengeSetGUID"
2638302112 LDAP: [2009/09/28 22:46:17.358] (151.155.130.10:8626)(0x0005:0x63) Sending search result entry "cn=testChallengeSetPasswordPolicy,cn=Password Policies,cn=Security" to connection 0x9fd8780
2638302112 LDAP: [2009/09/28 22:46:17.359] (151.155.130.10:8626)(0x0005:0x63) Sending operation result 0:"":"" to connection 0x9fd8780
3073985440 LDAP: [2009/09/28 22:46:17.362] (151.155.130.10:8626)(0x0006:0x63) DoSearch on connection 0x9fd8780
3073985440 LDAP: [2009/09/28 22:46:17.362] (151.155.130.10:8626)(0x0006:0x63) Search request:
        base: "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        attribute: "nsimNumberRandomQuestions"
3073985440 LDAP: [2009/09/28 22:46:17.363] (151.155.130.10:8626)(0x0006:0x63) Sending search result entry "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security" to connection 0x9fd8780
3073985440 LDAP: [2009/09/28 22:46:17.363] (151.155.130.10:8626)(0x0006:0x63) Sending operation result 0:"":"" to connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.366] (151.155.130.10:8626)(0x0007:0x63) DoSearch on connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.366] (151.155.130.10:8626)(0x0007:0x63) Search request:
        base: "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        attribute: "nsimRequiredQuestions"
3051879328 LDAP: [2009/09/28 22:46:17.368] (151.155.130.10:8626)(0x0007:0x63) Sending search result entry "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security" to connection 0x9fd8780
3051879328 LDAP: [2009/09/28 22:46:17.368] (151.155.130.10:8626)(0x0007:0x63) Sending operation result 0:"":"" to connection 0x9fd8780
2628512672 LDAP: [2009/09/28 22:46:17.374] (151.155.130.10:8626)(0x0008:0x63) DoSearch on connection 0x9fd8780
2628512672 LDAP: [2009/09/28 22:46:17.374] (151.155.130.10:8626)(0x0008:0x63) Search request:
        base: "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security"
        scope:0  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectClass=*)"
        attribute: "nsimRandomQuestions"
2628512672 LDAP: [2009/09/28 22:46:17.375] (151.155.130.10:8626)(0x0008:0x63) Sending search result entry "cn=testCSForChallengeSetDriver00,cn=Password Policies,cn=Security" to connection 0x9fd8780
2628512672 LDAP: [2009/09/28 22:46:17.376] (151.155.130.10:8626)(0x0008:0x63) Sending operation result 0:"":"" to connection 0x9fd8780
2634349472 LDAP: [2009/09/28 22:46:17.397] (151.155.130.10:8626)(0x0009:0x77) DoExtended on connection 0x9fd8780
2634349472 LDAP: [2009/09/28 22:46:17.397] (151.155.130.10:8626)(0x0009:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.1
2634349472 NMAS: [2009/09/28 22:46:17.400] NMAS Audit 0x290061 logged
2634349472 NMAS: [2009/09/28 22:46:17.400] Attempting to create key
2634349472 NMAS: [2009/09/28 22:46:17.409] Stored data in login config with tag: ChallengeResponseQuestions
2634349472 LDAP: [2009/09/28 22:46:17.409] (151.155.130.10:8626)(0x0009:0x77) Sending operation result 0:"":"" to connection 0x9fd8780
2638302112 LDAP: [2009/09/28 22:46:17.411] (151.155.130.10:8626)(0x000a:0x77) DoExtended on connection 0x9fd8780
2638302112 LDAP: [2009/09/28 22:46:17.411] (151.155.130.10:8626)(0x000a:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.7
2638302112 NMAS: [2009/09/28 22:46:17.414] NMAS Audit 0x290064 logged
2638302112 NMAS: [2009/09/28 22:46:17.415] Attempting to create key
2638302112 LDAP: [2009/09/28 22:46:17.423] (151.155.130.10:8626)(0x000a:0x77) Sending operation result 0:"":"" to connection 0x9fd8780
2628512672 LDAP: [2009/09/28 22:46:17.425] (151.155.130.10:8626)(0x000b:0x77) DoExtended on connection 0x9fd8780
2628512672 LDAP: [2009/09/28 22:46:17.425] (151.155.130.10:8626)(0x000b:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.7
2628512672 NMAS: [2009/09/28 22:46:17.428] NMAS Audit 0x290064 logged
2628512672 LDAP: [2009/09/28 22:46:17.431] (151.155.130.10:8626)(0x000b:0x77) Sending operation result 0:"":"" to connection 0x9fd8780
2633296800 LDAP: [2009/09/28 22:46:17.433] (151.155.130.10:8626)(0x000c:0x77) DoExtended on connection 0x9fd8780
2633296800 LDAP: [2009/09/28 22:46:17.433] (151.155.130.10:8626)(0x000c:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.7
2633296800 NMAS: [2009/09/28 22:46:17.437] NMAS Audit 0x290064 logged
2633296800 LDAP: [2009/09/28 22:46:17.440] (151.155.130.10:8626)(0x000c:0x77) Sending operation result 0:"":"" to connection 0x9fd8780
3073985440 LDAP: [2009/09/28 22:46:17.442] (151.155.130.10:8626)(0x000d:0x77) DoExtended on connection 0x9fd8780
3073985440 LDAP: [2009/09/28 22:46:17.442] (151.155.130.10:8626)(0x000d:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.7
3073985440 NMAS: [2009/09/28 22:46:17.445] NMAS Audit 0x290064 logged
3073985440 LDAP: [2009/09/28 22:46:17.448] (151.155.130.10:8626)(0x000d:0x77) Sending operation result 0:"":"" to connection 0x9fd8780

IDM trace showing a successful set of the various challenges and responses:

[09/29/09 16:50:50.801]:testChallengeSet00 ST:Start transaction.
[09/29/09 16:50:50.803]:testChallengeSet00 ST:Processing events for transaction.
[09/29/09 16:50:50.804]:testChallengeSet00 ST:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4789">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <sync cached-time="20090929225050.767Z" class-name="User" event-id="idm2-a#20090929225050#2#1" qualified-src-dn="dc=org\O=suse\OU=testChallengeSet00\CN=test0" src-dn="\IDM0TREE0\org\suse\testChallengeSet00\test0" src-entry-id="267037" timestamp="0#0">
      <association state="manual"></association>
    </sync>
  </input>
</nds>
[09/29/09 16:50:50.807]:testChallengeSet00 ST:Applying event transformation policies.
[09/29/09 16:50:50.808]:testChallengeSet00 ST:Applying policy: %+C%14CVetoNonAddEvents%-C.
[09/29/09 16:50:50.809]:testChallengeSet00 ST:  Applying to sync #1.
[09/29/09 16:50:50.809]:testChallengeSet00 ST:    Evaluating selection criteria for rule 'VetoUndesirableEventsEarly'.
[09/29/09 16:50:50.810]:testChallengeSet00 ST:      (if-operation not-equal "add") = TRUE.
[09/29/09 16:50:50.811]:testChallengeSet00 ST:    Rule selected.
[09/29/09 16:50:50.811]:testChallengeSet00 ST:    Applying rule 'VetoUndesirableEventsEarly'.
[09/29/09 16:50:50.812]:testChallengeSet00 ST:      Action: do-veto().
[09/29/09 16:50:50.813]:testChallengeSet00 ST:Policy returned:
[09/29/09 16:50:50.813]:testChallengeSet00 ST:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4789">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input/>
</nds>
[09/29/09 16:50:50.815]:testChallengeSet00 ST:End transaction.
[09/29/09 16:51:02.257]:testChallengeSet00 ST:Start transaction.
[09/29/09 16:51:02.269]:testChallengeSet00 ST:Processing events for transaction.
[09/29/09 16:51:02.270]:testChallengeSet00 ST:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4789">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <delete cached-time="20090929225102.222Z" class-name="User" event-id="idm2-a#20090929225102#2#1" qualified-src-dn="dc=org\O=suse\OU=testChallengeSet00\CN=test0" src-dn="\IDM0TREE0\org\suse\testChallengeSet00\test0" src-entry-id="267037" timestamp="1254263713#7">
      <association state="manual"></association>
    </delete>
  </input>
</nds>
[09/29/09 16:51:02.273]:testChallengeSet00 ST:Applying event transformation policies.
[09/29/09 16:51:02.274]:testChallengeSet00 ST:Applying policy: %+C%14CVetoNonAddEvents%-C.
[09/29/09 16:51:02.275]:testChallengeSet00 ST:  Applying to delete #1.
[09/29/09 16:51:02.275]:testChallengeSet00 ST:    Evaluating selection criteria for rule 'VetoUndesirableEventsEarly'.
[09/29/09 16:51:02.276]:testChallengeSet00 ST:      (if-operation not-equal "add") = TRUE.
[09/29/09 16:51:02.277]:testChallengeSet00 ST:    Rule selected.
[09/29/09 16:51:02.277]:testChallengeSet00 ST:    Applying rule 'VetoUndesirableEventsEarly'.                                                                                                              
[09/29/09 16:51:02.278]:testChallengeSet00 ST:      Action: do-veto().                                                                                                                                     
[09/29/09 16:51:02.278]:testChallengeSet00 ST:Policy returned:                                                                                                                                             
[09/29/09 16:51:02.279]:testChallengeSet00 ST:                                                                                                                                                             
<nds dtdversion="3.5" ndsversion="8.x">                                                                                                                                                                    
  <source>                                                                                                                                                                                                 
    <product version="3.6.10.4789">DirXML</product>                                                                                                                                                        
    <contact>Novell, Inc.</contact>                                                                                                                                                                        
  </source>                                                                                                                                                                                                
  <input/>                                                                                                                                                                                                 
</nds>                                                                                                                                                                                                     
[09/29/09 16:51:02.280]:testChallengeSet00 ST:End transaction.                                                                                                                                             
[09/29/09 16:51:05.922]:testChallengeSet00 ST:Start transaction.                                                                                                                                           
[09/29/09 16:51:05.928]:testChallengeSet00 ST:Processing events for transaction.                                                                                                                           
[09/29/09 16:51:05.930]:testChallengeSet00 ST:                                                                                                                                                             
<nds dtdversion="3.5" ndsversion="8.x">                                                                                                                                                                    
  <source>                                                                                                                                                                                                 
    <product version="3.6.10.4789">DirXML</product>                                                                                                                                                        
    <contact>Novell, Inc.</contact>                                                                                                                                                                        
  </source>                                                                                                                                                                                                
  <input>                                                                                                                                                                                                  
    <add cached-time="20090929225105.850Z" class-name="User" event-id="idm2-a#20090929225105#2#1" qualified-src-dn="dc=org\O=suse\OU=testChallengeSet00\CN=test0" src-dn="\IDM0TREE0\org\suse\testChallengeSet00\test0" src-entry-id="267039" timestamp="1254264665#12">                                                                                                                                              
      <add-attr attr-name="Given Name">                                                                                                                                                                    
        <value timestamp="1254264665#12" type="string">test0</value>                                                                                                                                       
      </add-attr>                                                                                                                                                                                          
      <add-attr attr-name="Surname">                                                                                                                                                                       
        <value timestamp="1254264665#10" type="string">test0lname</value>                                                                                                                                  
      </add-attr>                                                                                                                                                                                          
      <add-attr attr-name="workforceID">                                                                                                                                                                   
        <value timestamp="1254264665#9" type="string">0</value>                                                                                                                                            
      </add-attr>                                                                                                                                                                                          
    </add>                                                                                                                                                                                                 
  </input>                                                                                                                                                                                                 
</nds>                                                                                                                                                                                                     
[09/29/09 16:51:05.935]:testChallengeSet00 ST:Applying event transformation policies.                                                                                                                      
[09/29/09 16:51:05.936]:testChallengeSet00 ST:Applying policy: %+C%14CVetoNonAddEvents%-C.                                                                                                                 
[09/29/09 16:51:05.937]:testChallengeSet00 ST:  Applying to add #1.                                                                                                                                        
[09/29/09 16:51:05.938]:testChallengeSet00 ST:    Evaluating selection criteria for rule 'VetoUndesirableEventsEarly'.                                                                                     
[09/29/09 16:51:05.938]:testChallengeSet00 ST:      (if-operation not-equal "add") = FALSE.                                                                                                                
[09/29/09 16:51:05.939]:testChallengeSet00 ST:    Rule rejected.                                                                                                                                           
[09/29/09 16:51:05.939]:testChallengeSet00 ST:Policy returned:                                                                                                                                             
[09/29/09 16:51:05.940]:testChallengeSet00 ST:                                                                                                                                                             
<nds dtdversion="3.5" ndsversion="8.x">                                                                                                                                                                    
  <source>                                                                                                                                                                                                 
    <product version="3.6.10.4789">DirXML</product>                                                                                                                                                        
    <contact>Novell, Inc.</contact>                                                                                                                                                                        
  </source>                                                                                                                                                                                                
  <input>                                                                                                                                                                                                  
    <add cached-time="20090929225105.850Z" class-name="User" event-id="idm2-a#20090929225105#2#1" qualified-src-dn="dc=org\O=suse\OU=testChallengeSet00\CN=test0" src-dn="\IDM0TREE0\org\suse\testChallengeSet00\test0" src-entry-id="267039" timestamp="1254264665#12">                                                                                                                                              
      <add-attr attr-name="Given Name">                                                                                                                                                                    
        <value timestamp="1254264665#12" type="string">test0</value>                                                                                                                                       
      </add-attr>                                                                                                                                                                                          
      <add-attr attr-name="Surname">                                                                                                                                                                       
        <value timestamp="1254264665#10" type="string">test0lname</value>                                                                                                                                  
      </add-attr>                                                                                                                                                                                          
      <add-attr attr-name="workforceID">                                                                                                                                                                   
        <value timestamp="1254264665#9" type="string">0</value>                                                                                                                                            
      </add-attr>                                                                                                                                                                                          
    </add>                                                                                                                                                                                                 
  </input>                                                                                                                                                                                                 
</nds>                                                                                                                                                                                                     
[09/29/09 16:51:05.945]:testChallengeSet00 ST:Subscriber processing add for \IDM0TREE0\org\suse\testChallengeSet00\test0.                                                                                  
[09/29/09 16:51:05.946]:testChallengeSet00 ST:Applying object matching policies.                                                                                                                           
[09/29/09 16:51:05.946]:testChallengeSet00 ST:Applying policy: %+C%14CVerifyRequiredAttrsExist%-C.                                                                                                         
[09/29/09 16:51:05.947]:testChallengeSet00 ST:  Applying to add #1.                                                                                                                                        
[09/29/09 16:51:05.948]:testChallengeSet00 ST:    Evaluating selection criteria for rule 'VerifyAttributesPresent'.                                                                                        
[09/29/09 16:51:05.948]:testChallengeSet00 ST:    Rule selected.                                                                                                                                           
[09/29/09 16:51:05.949]:testChallengeSet00 ST:    Applying rule 'VerifyAttributesPresent'.                                                                                                                 
[09/29/09 16:51:05.949]:testChallengeSet00 ST:      Action: do-veto-if-op-attr-not-available("Given Name").                                                                                                
[09/29/09 16:51:05.950]:testChallengeSet00 ST:      Action: do-veto-if-op-attr-not-available("Surname").                                                                                                   
[09/29/09 16:51:05.951]:testChallengeSet00 ST:      Action: do-veto-if-op-attr-not-available("workforceID").                                                                                               
[09/29/09 16:51:05.952]:testChallengeSet00 ST:Policy returned:                                                                                                                                             
[09/29/09 16:51:05.952]:testChallengeSet00 ST:                                                                                                                                                             
<nds dtdversion="3.5" ndsversion="8.x">                                                                                                                                                                    
  <source>                                                                                                                                                                                                 
    <product version="3.6.10.4789">DirXML</product>                                                                                                                                                        
    <contact>Novell, Inc.</contact>                                                                                                                                                                        
  </source>                                                                                                                                                                                                
  <input>                                                                                                                                                                                                  
    <add cached-time="20090929225105.850Z" class-name="User" event-id="idm2-a#20090929225105#2#1" qualified-src-dn="dc=org\O=suse\OU=testChallengeSet00\CN=test0" src-dn="\IDM0TREE0\org\suse\testChallengeSet00\test0" src-entry-id="267039" timestamp="1254264665#12">                                                                                                                                              
      <add-attr attr-name="Given Name">                                                                                                                                                                    
        <value timestamp="1254264665#12" type="string">test0</value>                                                                                                                                       
      </add-attr>                                                                                                                                                                                          
      <add-attr attr-name="Surname">                                                                                                                                                                       
        <value timestamp="1254264665#10" type="string">test0lname</value>                                                                                                                                  
      </add-attr>                                                                                                                                                                                          
      <add-attr attr-name="workforceID">                                                                                                                                                                   
        <value timestamp="1254264665#9" type="string">0</value>                                                                                                                                            
      </add-attr>                                                                                                                                                                                          
    </add>                                                                                                                                                                                                 
  </input>                                                                                                                                                                                                 
</nds>                                                                                                                                                                                                     
[09/29/09 16:51:05.956]:testChallengeSet00 ST:Applying XSLT policy: %+C%14CPopulate+Challenge+Response+Set%-C.                                                                                             
[09/29/09 16:51:05.959]:testChallengeSet00 ST:  %13Cxsl:message -> HOST: idm2.lab.novell.com                                                                                                               
[09/29/09 16:51:05.959]:testChallengeSet00 ST:  %13Cxsl:message -> PORT: 636                                                                                                                               
[09/29/09 16:51:05.960]:testChallengeSet00 ST:  %13Cxsl:message -> ADMIN DN: cn=challengesetadmin,dc=user,dc=system                                                                                        
[09/29/09 16:51:05.961]:testChallengeSet00 ST:  Query from policy                                                                                                                                          
[09/29/09 16:51:05.962]:testChallengeSet00 ST:                                                                                                                                                             
<nds dtdversion="3.5" ndsversion="8.x">                                                                                                                                                                    
  <source>                                                                                                                                                                                                 
    <product version="3.6.10.4789">DirXML</product>                                                                                                                                                        
    <contact>Novell, Inc.</contact>                                                                                                                                                                        
  </source>                                                                                                                                                                                                
  <input>                                                                                                                                                                                                  
    <get-named-password>cr-admin-pwd</get-named-password>                                                                                                                                                  
  </input>                                                                                                                                                                                                 
</nds>                                                                                                                                                                                                     
[09/29/09 16:51:05.963]:testChallengeSet00 ST:  Pumping XDS to eDirectory.                                                                                                                                 
[09/29/09 16:51:05.964]:testChallengeSet00 ST:  Performing operation get-named-password for .                                                                                                              
[09/29/09 16:51:05.964]:testChallengeSet00 ST:  Retrieving password value for named password 'cr-admin-pwd'.                                                                                               
[09/29/09 16:51:05.969]:testChallengeSet00 ST:  Query from policy result                                                                                                                                   
[09/29/09 16:51:05.970]:testChallengeSet00 ST:                                                                                                                                                             
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4789">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <password><!-- content suppressed --></password>
    <status level="success"></status>
  </output>
</nds>
[09/29/09 16:51:05.971]:testChallengeSet00 ST:  %13Cxsl:message -> ADMIN PWD: Chall3ng3s3tadminpass
[09/29/09 16:51:05.972]:testChallengeSet00 ST:  %13Cxsl:message -> USER DN: CN=test0,OU=testChallengeSet00,O=suse,dc=org
[09/29/09 16:51:06.117]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 16:51:06.118]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 1
[09/29/09 16:51:06.119]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 16:51:06.120]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 2
[09/29/09 16:51:06.121]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 1
[09/29/09 16:51:06.122]:testChallengeSet00 ST:  %13Cxsl:message -> USER DEFINED QUESTION 1
[09/29/09 16:51:06.125]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 2
[09/29/09 16:51:06.125]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 3
[09/29/09 16:51:06.126]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 2
[09/29/09 16:51:06.127]:testChallengeSet00 ST:  %13Cxsl:message -> MATCHED ADMIN QUESTION 4
[09/29/09 16:51:06.128]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 2
[09/29/09 16:51:06.129]:testChallengeSet00 ST:  %13Cxsl:message -> USER DEFINED QUESTION 2
[09/29/09 16:51:06.130]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 3
[09/29/09 16:51:06.131]:testChallengeSet00 ST:  %13Cxsl:message -> USER DEFINED QUESTION 3
[09/29/09 16:51:06.132]:testChallengeSet00 ST:  %13Cxsl:message -> COUNT: 4
[09/29/09 16:51:06.208]:testChallengeSet00 ST:  %13Cxsl:message -> Challenge Set Questions and Responses set!
[09/29/09 16:51:06.209]:testChallengeSet00 ST:Policy returned:
[09/29/09 16:51:06.209]:testChallengeSet00 ST:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4789">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input/>
</nds>
[09/29/09 16:51:06.211]:testChallengeSet00 ST:Processing returned document.
[09/29/09 16:51:06.211]:testChallengeSet00 ST:Processing operation <status> for .
[09/29/09 16:51:06.212]:testChallengeSet00 ST:
DirXML Log Event -------------------
     Driver:   \IDM0TREE0\system\service\idm\driverset0\testChallengeSet00
     Channel:  Subscriber
     Object:   \IDM0TREE0\org\suse\testChallengeSet00\test0
     Status:   Warning
     Message:  Code(-8016) Operation vetoed by object matching policy.
[09/29/09 16:51:06.214]:testChallengeSet00 ST:End transaction.
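Two things in the trace above are worth noticing from a security standpoint: the engine suppresses the value of the named password in the XDS result (`<password><!-- content suppressed --></password>`), but the stylesheet's own `xsl:message` debug output then prints it in clear text (`ADMIN PWD: ...`), so the trace file ends up holding the credential anyway. The following is an added example, not part of the driver configuration or this article's attachments: a small Python scanner that parses DirXML trace lines in the format shown, correlates a `get-named-password` retrieval with any later `xsl:message` whose label looks like a credential, and produces a redacted copy of the trace. The sample trace is constructed from the excerpt above, and the list of label keywords treated as secrets (`PWD`, `PASS`, `PASSWORD`, `PASSWD`, `SECRET`) is an assumption about how such debug messages are named.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines modelled on the DirXML trace excerpt above.
SAMPLE_TRACE = """\
[09/29/09 16:51:05.956]:testChallengeSet00 ST:Applying XSLT policy: %+C%14CPopulate+Challenge+Response+Set%-C.
[09/29/09 16:51:05.959]:testChallengeSet00 ST:  %13Cxsl:message -> HOST: idm2.lab.novell.com
[09/29/09 16:51:05.964]:testChallengeSet00 ST:  Retrieving password value for named password 'cr-admin-pwd'.
[09/29/09 16:51:05.971]:testChallengeSet00 ST:  %13Cxsl:message -> ADMIN PWD: Chall3ng3s3tadminpass
[09/29/09 16:51:05.972]:testChallengeSet00 ST:  %13Cxsl:message -> USER DN: CN=test0,OU=testChallengeSet00,O=suse,dc=org
"""

# "[timestamp]:driverName ST:body" -- the line shape used by the DirXML trace.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]:(?P<driver>\S+) ST:(?P<body>.*)$")
# Engine message emitted when a named password is read by a policy.
NAMED_PWD_RE = re.compile(r"Retrieving password value for named password '(?P<name>[^']+)'")
# Stylesheet debug output; the %NNC prefix is a trace colour code.
XSL_MSG_RE = re.compile(r"%\d+Cxsl:message -> (?P<label>[^:]+):\s*(?P<value>.*)$")
# Assumed label keywords that indicate the message body carries a credential.
SECRET_LABEL_RE = re.compile(r"\b(PWD|PASS|PASSWORD|PASSWD|SECRET)\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    driver: str
    label: str
    named_password: Optional[str]  # the named password read most recently before the leak, if any


def find_leaked_passwords(trace: str) -> List[Finding]:
    """Return one Finding per xsl:message that echoes a credential-looking value."""
    findings: List[Finding] = []
    last_named: Optional[str] = None
    for raw in trace.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        body = line.group("body")
        named = NAMED_PWD_RE.search(body)
        if named:
            last_named = named.group("name")
            continue
        msg = XSL_MSG_RE.search(body)
        if msg and msg.group("value") and SECRET_LABEL_RE.search(msg.group("label")):
            findings.append(Finding(line.group("ts"), line.group("driver"),
                                    msg.group("label").strip(), last_named))
    return findings


def redact_trace(trace: str) -> str:
    """Return a copy of the trace with credential-looking xsl:message values masked."""
    out = []
    for raw in trace.splitlines():
        msg = XSL_MSG_RE.search(raw)
        if msg and msg.group("value") and SECRET_LABEL_RE.search(msg.group("label")):
            raw = raw[:msg.start("value")] + "<redacted>"
        out.append(raw)
    return "\n".join(out) + ("\n" if trace.endswith("\n") else "")


if __name__ == "__main__":
    for f in find_leaked_passwords(SAMPLE_TRACE):
        print(f"{f.timestamp} {f.driver}: '{f.label}' echoed after reading named password {f.named_password!r}")
    print(redact_trace(SAMPLE_TRACE))
```

Run against a real trace file (`redact_trace(open(path).read())`) before the file is shared or archived; the durable fix is to remove or gate the `xsl:message` that prints the retrieved password in the stylesheet itself, since trace level 3 output is routinely attached to support cases and mailing-list posts.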

Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
