The Password Notifier written by Lothar Haeger is a beautiful thing. If you are not using it, you should ask yourself why not!
Check it out here:
or on Lothar’s home page at:
This implementation is a wonderful use of the Loopback driver as a utility driver. This driver is very powerful, flexible and easy to configure.
You configure the driver after importing it into your tree, using Global Configuration Values to decide how it should behave. There is the obvious stuff, such as
– LDAP configuration
– Where to start monitoring
– How long an interval before a password expires
– Should a first )second, third) warning be sent
– For each warning, which Email template should it use
– Who it should send the email to (user, Helpdesk, both, neither)
– and much more.
The same basic settings are available for after the password expires, intruder lockout detected, account creations, and account expirations.
The LDAP configuration uses two approaches. The first is the self-configuration, in a very amusing fashion:
1) Check who the driver is security equivalent to.
2) Get that user’s nspmDistributionPassword.
3) Log in to LDAP using that credential set.
LDAP self configuration – what a concept! Otherwise, you enable the manual LDAP configuration and set the usual host, port, and credentials. One improvement would be to use a Named Password to store the password used for the LDAP bind.
Some default email templates are included but they are in German at this time. However, they are easy enough to create your own, or you can reuse existing ones.
A couple of errors may come up when you first install the driver. Here’s one:
Password Notify driver needs all the Email Template values in the GCV populated in order to load. 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST:Reading XML attribute vnd.nds.stream://ACME-DEV/acme/services/idm/IDMSet/PasswordNotification/Subscriber/IntruderLockout#XmlData. 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST:Global Configuration Value replacements made in vnd.nds.stream://ACME-DEV/acme/services/idm/IDMSet/PasswordNotification/Subscriber/IntruderLockout#XmlData: 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST:Found DirXMLScript policy. 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST:Error initializing policy. 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST: DirXML Log Event ------------------- Driver: \ACME-DEV\acme\services\idm\IDMSet\PasswordNotification Channel: Subscriber Status: Error Message: Code(-9122) Error in vnd.nds.stream://ACME-DEV/acme/services/idm/IDMSet/PasswordNotification/Subscriber/IntruderLockout#XmlData:156 : A value is required for attribute 'template-dn' on element 'do-send-email-from-template'. 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST:Driver terminated. 12:34:51 96E5EBA0 Drvrs: PasswordNotification ST:Transitioned from state 'Stopped' to state 'Stopped'.
Here we see, just after configuring the driver (I left values blank that I did not want to set) the driver errors on startup. The template-dn is expecting a value, and a blank DN is not valid. So be aware that you need to set ALL the various notification types to the DN of an email template. It does not matter if you are not using it; it is sufficient that it be set to anything. In fact, it would probably work pointing at ANY eDirectory object, since all it requires to satisfy this error is the DN of an object.
Here’s another error:
ldapSearch EcmaScript resource did not properly import. es:ldapSearch cannot be found. 12:46:01 8CA24BA0 Drvrs: PasswordNotification PT: Arg Value: "(&(loginExpirationTime>=20071212174601Z)(loginExpirationTime<=20080112174601Z)(&(objectClass=inetOrgPerson)(!(loginDisabled=true))))". 12:46:01 8CA24BA0 Drvrs: PasswordNotification PT: Action: do-clone-xpath(dest-expression="AccountExpires",src-expression="es:ldapSearch($LdapConnect, 389, $LdapLogin, $LdapPassword, 'OU=Users,O=acme', 'sub', $filter, $account-attrlist)"). 12:46:01 8CA24BA0 Drvrs: PasswordNotification PT: DirXML Log Event ------------------- Driver: \ACME-DEV\acme\services\idm\IDMSet\PasswordNotification Channel: Publisher Status: Error Message: Code(-9131) Error in vnd.nds.stream://ACME-DEV/acme/services/idm/IDMSet/PasswordNotification/Publisher/%232+Check+Accounts#XmlData:208 : Error evaluating XPATH expression 'do-clone-xpath(dest-expression="AccountExpires",src-expression="es:ldapSearch($LdapConnect, 389, $LdapLogin, $LdapPassword, 'OU=Users,O=acme', 'sub', $filter, $account-attrlist)")' : com.novell.xml.xpath.XPathEvaluationException: function 'es:ldapSearch' not found. 12:46:01 8CA24BA0 Drvrs: PasswordNotification PT:
This particular error happens because the ldapSearch ECMAScript object in the driver export has a typo. The latest versions of the driver have it fixed, but if you run across it, you will find the object is in your tree under the Driver object but is not properly linked. To fix this, change the MIME type, which is the problem and link it to get it to work. Or, you can grab the latest driver build, delete the current driver, and re-import it. The IDM error occurs because although the object is there, it is not linked and therefore the namespace cannot find the function being called.
You could also manually create the ldapSearch object by finding the
If you do include the <content> line, you will get this error:
(Driver.java:226) at com.novell.nds.dirxml.engine.DriverEntry.run(DriverEntry.java:537) at java.lang.Thread.run(Unknown Source)
Overall, this is an excellent and useful reporting tool. It's free, and it's a great example of how to do a number of tasks in Identity Manager!
Give it a try and see if it can help in your environment.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.