Determine which password to use when transitioning from NDS to Universal Password.
When implementing Universal Password across the enterprise, there can be scenarios in which both the NDS password (the Public Key/Private Key attribute pair) and the Universal Password (UP) arrive at the driver. This script determines which of the two to use.
If a Private Key change is detected, we look for the presence of nspmDistributionPassword (the UP). If the user object carries that attribute, we strip the Public Key and Private Key attributes from the event and set the remote user's password to the value of nspmDistributionPassword. Once the password has been set, we also strip nspmDistributionPassword so it does not flow through as an ordinary attribute. One check worth making before deploying the rule: the condition uses if-attr, which also matches when the attribute exists only on the source object, whereas token-op-attr reads only the current operation. Confirm that the driver is configured to publish nspmDistributionPassword in the same modify event as the key change; otherwise the rule can fire with an empty password value.
For our environment, we added a second set of actions that run on the "after" event (do-clear-dest-attr-value with when="after"). These clear out any lingering password-policy attributes that may exist in our IDVault. The connected system is responsible for strong passwords, via its own policies, and those passwords are replicated to the remaining systems, including Active Directory and other eDirectory trees. nspmDistributionPassword is then sent out to the remaining systems without conflicting password-restriction attributes riding along with it.
<rule>
  <description>MODIFY : Universal Password Detection and Support</description>
  <comment xml:space="preserve">This script detects if a password change (private key) is being made and determines whether to use the Universal Password (if available) or use the standard NDS public/private key combo.</comment>
  <conditions>
    <and>
      <!-- Fire only for User modify events in which the NDS private key is changing -->
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation op="equal">modify</if-operation>
      <if-op-attr name="Private Key" op="changing"/>
      <!-- ... and only when a Universal Password is available -->
      <if-attr name="nspmDistributionPassword" op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- Keep the NDS key pair from reaching the connected system -->
    <do-strip-op-attr name="Private Key"/>
    <do-strip-op-attr name="Public Key"/>
    <!-- Set the remote password from the Universal Password instead -->
    <do-set-dest-password>
      <arg-string>
        <token-op-attr name="nspmDistributionPassword"/>
      </arg-string>
    </do-set-dest-password>
    <!-- The UP has been consumed; do not let it flow through as an attribute -->
    <do-strip-op-attr name="nspmDistributionPassword"/>
    <do-strip-op-attr name="SAS:Login Configuration"/>
    <do-strip-op-attr name="Password Expiration Time"/>
    <!-- "after" payload: clear lingering password-restriction attributes on the destination -->
    <do-clear-dest-attr-value class-name="User" name="Password Expiration Time" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Login Grace Limit" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Login Grace Remaining" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Password Unique Required" when="after"/>
    <do-clear-dest-attr-value class-name="User" name="Password Required" when="after"/>
  </actions>
</rule>
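To see what the rule above actually does to an event before putting it in a driver, the following Python script replays its conditions and actions over a constructed XDS modify document. This is an added example written for this page; it is not NetIQ code and not part of the original article. The sample event, the DN, the association value and the password in it are all made up, and the up_in_source flag is an assumption used to emulate the source-object half of the if-attr test so that the empty-password case described above can be observed offline.

```python
"""Offline replay of the 'Universal Password Detection and Support' rule.

Added example for this page, not NetIQ code.  It parses a constructed XDS
<modify> event with xml.etree, applies the rule's conditions and actions,
and reports what would leave the policy.
"""
import xml.etree.ElementTree as ET

# Constructed sample event (not a real driver trace): a Private Key change
# arriving together with the Universal Password attribute.
SAMPLE_MODIFY = """<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <modify class-name="User" event-id="ex-1" src-dn="\\\\TREE\\\\org\\\\users\\\\jdoe">
      <association>jdoe-guid</association>
      <modify-attr attr-name="Private Key">
        <remove-all-values/><add-value><value type="octet">QUJD</value></add-value>
      </modify-attr>
      <modify-attr attr-name="Public Key">
        <remove-all-values/><add-value><value type="octet">REVG</value></add-value>
      </modify-attr>
      <modify-attr attr-name="nspmDistributionPassword">
        <remove-all-values/><add-value><value type="string">Tr0ub4dor&amp;3</value></add-value>
      </modify-attr>
      <modify-attr attr-name="Password Expiration Time">
        <remove-all-values/><add-value><value type="time">20301231120000Z</value></add-value>
      </modify-attr>
      <modify-attr attr-name="Surname">
        <remove-all-values/><add-value><value type="string">Doe</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

# Attributes the rule strips from the operation, in the rule's order.
STRIP_OP_ATTRS = ["Private Key", "Public Key", "nspmDistributionPassword",
                  "SAS:Login Configuration", "Password Expiration Time"]
# Attributes the "after" payload clears on the destination object.
CLEAR_AFTER = ["Password Expiration Time", "Login Grace Limit",
               "Login Grace Remaining", "Password Unique Required",
               "Password Required"]


def drop_attr(event_xml, attr_name):
    """Return a copy of the event without the named modify-attr (test helper)."""
    root = ET.fromstring(event_xml)
    modify = root.find("./input/modify")
    for m in modify.findall("modify-attr"):
        if m.get("attr-name") == attr_name:
            modify.remove(m)
    return ET.tostring(root, encoding="unicode")


def apply_up_rule(event_xml, up_in_source=False):
    """Simulate the rule and return what it would do.

    up_in_source (assumption for the demo) emulates the fact that
    <if-attr op="available"> also matches when the attribute exists only on
    the source object, while <token-op-attr> reads only the current event.
    """
    root = ET.fromstring(event_xml)
    modify = root.find("./input/modify")
    result = {"fired": False, "dest_password": None, "stripped": [],
              "cleared_after": [], "remaining": []}
    # Conditions: class-name User (nocase), operation modify, Private Key changing,
    # nspmDistributionPassword available (in the op, or on the source object).
    if modify is None or modify.get("class-name", "").lower() != "user":
        return result
    attrs = {m.get("attr-name"): m for m in modify.findall("modify-attr")}
    up_in_op = "nspmDistributionPassword" in attrs
    if "Private Key" not in attrs or not (up_in_op or up_in_source):
        return result
    result["fired"] = True
    # do-set-dest-password with token-op-attr: empty when the UP is not in the op.
    up_value = ""
    if up_in_op:
        node = attrs["nspmDistributionPassword"].find("./add-value/value")
        up_value = (node.text or "") if node is not None else ""
    result["dest_password"] = up_value
    # do-strip-op-attr for each listed attribute that is actually present.
    for name in STRIP_OP_ATTRS:
        if name in attrs:
            modify.remove(attrs[name])
            result["stripped"].append(name)
    # do-clear-dest-attr-value ... when="after": recorded as a separate payload.
    result["cleared_after"] = list(CLEAR_AFTER)
    result["remaining"] = [m.get("attr-name") for m in modify.findall("modify-attr")]
    return result


if __name__ == "__main__":
    r = apply_up_rule(SAMPLE_MODIFY)
    print("fired:", r["fired"], "password set to:", repr(r["dest_password"]))
    print("stripped:", r["stripped"], "remaining:", r["remaining"])
    # The mismatch case: UP only on the source object, not in the event.
    r2 = apply_up_rule(drop_attr(SAMPLE_MODIFY, "nspmDistributionPassword"),
                       up_in_source=True)
    print("fired:", r2["fired"], "password set to:", repr(r2["dest_password"]))
```

Running it shows the key pair, the UP and the expiration attribute removed while unrelated attributes such as Surname pass through, and the second run shows why the event should be checked in trace: when nspmDistributionPassword is present only on the source object, the conditions still match but the password written to the destination is the empty string.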
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.