For the last couple of IDM versions the product has had a nice API for manipulating the IDM engine and drivers, by using LDAP extensions calls through Java.

This API is a part of the com.novell.nds.dirxml.ldap package which you can find in the dirxml_misc.jar file that comes with IDM.

The package is documented in this Javadoc that you can find on the Novell developer site:

Unfortunately the docs are not updated for the latest IDM version…

Anyway, in IDM 4.0.1 Novell added two new classes to this package called:


When I tried to use the GetNamedPasswordRequest class from my application I would always get back a -672 error which means no access.

Since I had full supervisor rights to the driver this confused me.

Eventually I was able to find out that besides having rights to the driver there also needs to exist a GCV on the driver called “allow-fetch-named-passwords“.

The GCV is a boolean and needs to be set to “true“.

You can also find this information in the RBPM Administration Guide for 4.0.1 by searching for GetNamedPasswordRequest.

The manual has the following GCV example that you need to add to your driver:

    <definition display-name="Allow Named Password to be retrieved over LDAP"
name="allow-fetch-named-passwords" type="boolean">
        <description>Allow Named Password to be retrieved over LDAP. If the
value is true, then the named password value can be fetched using the LDAP

Besides the GCV you must have write rights to the DirXML-AccessConfigure attribute on the driver object.

So far this has worked for me but I haven’t managed to retrieve named passwords stored on the driverset object.

Here is java code snippet that shows you how you can use the GetNamedPasswordRequest function.

In this example you pass two parameters to the GetNamedPasswordRequest constructor.
dn is the distinguished name of the driver in LDAP format.
passwordName is just what is sounds like, the name of the named password.
lc is the LDAPConnection object created using Novell JLDAP.
My LDAPConnection objects are always using SSL encryption and I don’t know if this would work on a clear text connection.

try {
            GetNamedPasswordRequest request = new GetNamedPasswordRequest(dn, passwordName);

            LDAPExtendedResponse response = lc.extendedOperation(request);

            if (response instanceof GetNamedPasswordResponse && response.getResultCode() == LDAPException.SUCCESS) {
                GetNamedPasswordResponse rsp = (GetNamedPasswordResponse) response;

                System.out.println("Named password is: " + rsp.getPasswordValue());


        } catch (LDAPException e) {
            System.err.println("Error getting named password: " + e.getMessage());

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

Leave a Comment

  • jwilleke says:

    You will get better responses if you first “register” the Response as an extended response.

    Simply call:

    Did you ever find out how to call the driverSet for the named Passwords?

    Thanks for all your cool tools and help!

Nov 11, 2011
1:46 pm
Active Directory Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management Knowledge Depot LDAP Migrating from Windows XP or 2003 to SUSE Linux Monitoring Open Enterprise Server Passwords Reporting Secure Access Sentinel Supported Troubleshooting Workflow