Checking Synchronization between eDirectory Trees



By: jedijeff

August 1, 2007 8:10 am


Problem

A Forum reader recently asked:

“I’m using the eDir to eDir driver. Does anyone have a good method for checking whether passwords are indeed synchronized between eDirectory trees? I can check my user account by simply logging in to both trees, but what about the remaining 150K users being sync’d? Has anyone done this on a mass scale?”

And here’s the response from Jeff Johnson …

Solution

I wrote something that does this. It entails setting an attribute on a user – or a zillion users via an LDAP script. Then an IDM policy looks for a changed attribute and reads src/dest passwords and compares them. It writes out the results to an attribute you can query later. For instance, setting “jeffpasswordsynccheck” to “checkreq” via LDAP will start the process. You should be able to follow the rest.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "/home/jeff/designer/eclipse/plugins/com.novell.designer.idm.policybuilder_2.0.0.200706011128/DTD/dirxmlscript.dtd">
<policy>
  <!-- Rule 1: unless jeffPasswordSyncCheck is being set to "checkreq", this event is not a check request; stop here. -->
  <rule>
    <description>Veto If Needed</description>
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="jeffPasswordSyncCheck" op="not-changing-to">checkreq</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-break/>
    </actions>
  </rule>
  <!-- Rule 2: for an associated user, read the distribution password from both trees into local variables.
       Both variables hold the password in clear text, so driver trace output can expose it while tracing is on. -->
  <rule>
    <description>Read Passwords</description>
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="jeffPasswordSyncCheck" op="changing-to">checkreq</if-op-attr>
        <if-association op="associated"/>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="srcpw">
        <arg-string>
          <token-src-attr class-name="User" name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="destpw">
        <arg-string>
          <token-dest-attr class-name="User" name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <!-- Rule 3: passwords match; record the verdict on the source user and stop. -->
  <rule>
    <description>Compare Passwords True</description>
    <conditions>
      <and>
        <if-local-variable name="srcpw" op="available"/>
        <if-xpath op="true">$srcpw=$destpw</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-add-src-attr-value class-name="User" name="jeffPasswordSync">
        <arg-value>
          <token-text xml:space="preserve">LDAP System is Synchronized</token-text>
        </arg-value>
      </do-add-src-attr-value>
      <do-break/>
    </actions>
  </rule>
  <!-- Rule 4: passwords differ; record that verdict instead.
       Note that do-add-src-attr-value appends, so a user checked more than once accumulates verdicts. -->
  <rule>
    <description>Compare Passwords False</description>
    <conditions>
      <and>
        <if-local-variable name="srcpw" op="available"/>
        <if-xpath op="not-true">$srcpw=$destpw</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-add-src-attr-value class-name="User" name="jeffPasswordSync">
        <arg-value>
          <token-text xml:space="preserve">LDAP System is NOT Synchronized</token-text>
        </arg-value>
      </do-add-src-attr-value>
    </actions>
  </rule>
</policy>
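
An added example, not part of Jeff's post or of the driver, showing the two LDAP-side halves he refers to: generating the ldapmodify LDIF that sets jeffPasswordSyncCheck to checkreq for a batch of users, and tallying the verdicts the policy writes into jeffPasswordSync from ldapsearch LDIF output. The base DN ou=users,o=acme and the user names are constructed.

```python
# Added example (not from the original post); the DNs below are constructed.
TRIGGER_ATTR = "jeffPasswordSyncCheck"   # policy fires when this changes to "checkreq"
RESULT_ATTR = "jeffPasswordSync"         # policy appends its verdict here
BAD_VALUE = "LDAP System is NOT Synchronized"

def build_trigger_ldif(user_dns):
    """LDIF for ldapmodify that sets TRIGGER_ATTR to 'checkreq' on every DN.
    'replace' rather than 'add', so a re-run does not fail with
    'attribute or value exists' on users that were checked before."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: {TRIGGER_ATTR}\n"
        f"{TRIGGER_ATTR}: checkreq\n-\n" for dn in user_dns)

def _unfold(ldif_text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def classify_results(ldif_text):
    """Map each DN in ldapsearch LDIF output to 'synchronized', 'not_synchronized'
    or 'no_result'. The policy uses do-add-src-attr-value, so a user checked more
    than once carries several verdicts; any NOT value flags the user."""
    verdicts, dn = {}, None
    for line in _unfold(ldif_text):
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            verdicts.setdefault(dn, [])
        elif dn and line.lower().startswith(RESULT_ATTR.lower() + ":"):
            verdicts[dn].append(line.split(":", 1)[1].strip())
    return {dn: "no_result" if not vals else
            "not_synchronized" if BAD_VALUE in vals else "synchronized"
            for dn, vals in verdicts.items()}

# Constructed sample of "ldapsearch -b ou=users,o=acme jeffPasswordSync" output
SAMPLE_RESULTS = """\
dn: cn=alice,ou=users,o=acme
jeffPasswordSync: LDAP System is Synchronized

dn: cn=bob,ou=users,o=acme
jeffPasswordSync: LDAP System is Synchronized
jeffPasswordSync: LDAP System is NOT Synchronized

dn: cn=carol,ou=users,o=acme
"""
```

Because the policy appends verdicts with do-add-src-attr-value, a user checked repeatedly keeps every earlier value; clear jeffPasswordSync before a new sweep if you want a clean result, and treat users with no value at all as never having been processed by the driver.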

Editor’s Note: See also Lothar Haeger’s Cool Solutions tip:
http://www.novell.com/coolsolutions/tip/18389.html

Categories: eDirectory, Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
