When a user is locked out of eDirectory because of invalid password attempts, an intruder may continue trying passwords against another system with synchronized passwords. To prevent this, it is possible to disable connected systems’ accounts, if they support disabled accounts synchronized with the eDirectory “Login Disabled” attribute.
The first step in implementing this solution is adding the “Locked By Intruder” attribute to the filter. Do not add it to the Schema Mapping policy set, as we will not be using that type of synchronization to implement this solution. With the attribute under the User class in the filter, set the Subscriber channel synchronization to “Notify” and the Publisher channel synchronization to “Ignore”. We will be retrieving the attribute’s value and using it before it synchronizes to the remote system.
Add the following rules in a new policy at the top of the Subscriber channel Command Transformation policy set. This can be done in iManager by creating a new policy with Policy Builder and then pasting the following XML directly into the policy (“Edit XML”).
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Both rules must have disabled="false" to take effect. -->
  <!-- Rule 1: when eDirectory sets Locked By Intruder to true, disable the connected-system account. -->
  <rule disabled="false">
    <description>DisableADUser</description>
    <conditions>
      <and>
        <if-op-attr name="Locked By Intruder" op="changing-to">true</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-clone-op-attr dest-name="Login Disabled" src-name="Locked By Intruder"/>
    </actions>
  </rule>
  <!-- Rule 2: when the lockout clears and the eDirectory account is not administratively disabled, re-enable it. -->
  <rule disabled="false">
    <description>PossiblyEnableADUser</description>
    <conditions>
      <and>
        <if-op-attr name="Locked By Intruder" op="changing"/>
        <if-op-attr name="Locked By Intruder" op="not-equal">true</if-op-attr>
        <if-src-attr name="Login Disabled" op="not-equal">true</if-src-attr>
      </and>
    </conditions>
    <actions>
      <do-add-dest-attr-value name="Login Disabled">
        <arg-value type="string">
          <token-text xml:space="preserve">false</token-text>
        </arg-value>
      </do-add-dest-attr-value>
    </actions>
  </rule>
</policy>
The first rule says that if an account is locked out, the connected-system account should be disabled.
The second rule states that if the “Locked By Intruder” attribute is changing, its new value is not true (the account has just been unlocked, for instance), and the account is not legitimately disabled (by an administrator) in eDirectory, then the connected-system account should be re-enabled. The second rule is not required for an account to be disabled, but it may be nice to have the account re-enabled when it is unlocked in eDirectory. This unlocking takes place automatically in eDirectory, depending on the intruder-lockout settings in use.
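To check the rule logic outside the engine, here is an added Python simulation (not part of the original article or of the IDM product) that applies the two rules to a constructed XDS modify event. The event text, the DN and the src_attrs dictionary standing in for the engine's if-src-attr query back to eDirectory are all assumptions; the clone in rule 1 is simplified to copying the added value.

```python
import xml.etree.ElementTree as ET

def lockout_event(locked):
    """Constructed XDS <modify> event as eDirectory publishes it when
    'Locked By Intruder' changes (sample data, not a real engine trace)."""
    val = "true" if locked else "false"
    return f"""<nds dtdversion="4.0"><input>
  <modify class-name="User" src-dn="\\TREE\\org\\users\\jdoe" event-id="sample#1">
    <modify-attr attr-name="Locked By Intruder">
      <remove-all-values/>
      <add-value><value type="boolean">{val}</value></add-value>
    </modify-attr>
  </modify></input></nds>"""

def op_attr_values(modify, name):
    """Values being added to attribute `name` in this event (the rule's 'op-attr')."""
    return [v.text for ma in modify.findall("modify-attr") if ma.get("attr-name") == name
            for v in ma.findall("add-value/value")]

def is_changing(modify, name):
    """if-op-attr op="changing": a modify-attr for `name` is present in the event."""
    return any(ma.get("attr-name") == name for ma in modify.findall("modify-attr"))

def add_op_attr(modify, name, value, vtype):
    ma = ET.SubElement(modify, "modify-attr", {"attr-name": name})
    ET.SubElement(ET.SubElement(ma, "add-value"), "value", {"type": vtype}).text = value

def apply_lockout_rules(xds, src_attrs):
    """Apply the two Command Transformation rules to every <modify> in `xds`.
    src_attrs (assumed) stands in for the engine's if-src-attr query to eDirectory."""
    root = ET.fromstring(xds)
    for modify in root.iter("modify"):
        if not is_changing(modify, "Locked By Intruder"):
            continue  # neither rule has anything to do
        if "true" in op_attr_values(modify, "Locked By Intruder"):
            # Rule 1 (DisableADUser): lockout flag becomes Login Disabled=true
            add_op_attr(modify, "Login Disabled", "true", "boolean")
        elif src_attrs.get("Login Disabled") != "true":
            # Rule 2 (PossiblyEnableADUser): re-enable unless an admin disabled the account
            add_op_attr(modify, "Login Disabled", "false", "string")
    return ET.tostring(root, encoding="unicode")

def connected_login_disabled(xds, src_attrs):
    """'Login Disabled' value the policy sends on to the connected system, or None."""
    root = ET.fromstring(apply_lockout_rules(xds, src_attrs))
    vals = op_attr_values(root.find(".//modify"), "Login Disabled")
    return vals[0] if vals else None
```

The third case below is the one worth verifying in a real trace: an account an administrator disabled in eDirectory must stay disabled on the connected system when its lockout clears.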
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.