Sarbanes-Oxley auditing standards may require that, when a user account is disabled, a notification be sent to one or more individuals. This can be accomplished with a Loopback driver or with any existing driver that can detect a change to the “Login Disabled” attribute.

If a driver does not already have “Login Disabled” in its filter, it can be added with iManager. Assuming the driver is processing the account-disabled event coming from eDirectory, set the attribute to “Notify” on the subscriber channel and “Ignore” on the publisher channel. If the attribute is already in the filter and is being synchronized, leave the filter settings as they are.
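For reference, the filter entry described above as it appears in the driver's filter XML. This is an added example, not part of the original article; the class-level publisher/subscriber values on the User class are assumed, and only the “Login Disabled” line is the point of the setting.

```xml
<filter>
    <!-- Added example: User class entry in a driver filter. The class-level
         publisher="sync" subscriber="sync" values are assumed placeholders. -->
    <filter-class class-name="User" publisher="sync" subscriber="sync">
        <!-- subscriber="notify": the change is reported to the policies but
             not written to the connected system.
             publisher="ignore": the connected system cannot drive the attribute
             back into eDirectory. -->
        <filter-attr attr-name="Login Disabled" publisher="ignore" subscriber="notify"/>
    </filter-class>
</filter>
```

With “notify” on the subscriber channel the Command Transform policies still see the `Login Disabled` modification, which is what the e-mail rule below relies on, while the attribute value itself is never pushed to the connected system.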

When the “Login Disabled” event takes place and an account is disabled (Login Disabled set to true), we want to send an e-mail to one or more individuals. Sending it to a regular or dummy user account that another administrator controls lets that administrator decide who receives the notification without having to work with the driver configuration itself. The following rule was added to a new policy at the beginning of the Command Transform policyset for an Active Directory driver:

<?xml version="1.0" encoding="UTF-8"?><policy>
    <rule>
        <description>Email On Disabled User</description>
        <conditions>
            <and>
                <if-op-attr name="Login Disabled" op="changing-to">true</if-op-attr>
            </and>
        </conditions>
        <actions>
            <do-send-email id="emailAuthIDHere@somewhere.tld" password="putRealPasswordHere" server="mail.somewhere.tld">
                <arg-string name="to">
                    <token-text xml:space="preserve">destinationAccountHere@somewhere.tld</token-text>
                </arg-string>
                <arg-string name="from">
                    <token-text xml:space="preserve">someUser@somewhere.tld</token-text>
                </arg-string>
                <arg-string name="subject">
                    <token-text xml:space="preserve">Disabled User Notification</token-text>
                </arg-string>
                <arg-string name="message">
                    <token-text xml:space="preserve">A user has been disabled. The username is </token-text>
                    <token-src-attr name="CN"/>
                </arg-string>
                <arg-string name="to">
                    <token-text xml:space="preserve">anotherUser@somewhere.tld</token-text>
                </arg-string>
            </do-send-email>
        </actions>
    </rule>
</policy>

Depending on your e-mail server’s settings, you may need to log in with a valid e-mail address and password; in some cases that is not required. To send to multiple recipients, add multiple ‘to’ strings as demonstrated in the example. Other strings, such as reply-to, can be changed as well. The message as written includes only the CN of the disabled user.

If there are duplicate CNs in different contexts, changing the message to include the full DN is advised to prevent confusion. The message itself can be customized to suit the user’s needs.
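The two customizations just mentioned, a full DN in the message and a reply-to address, written out as a complete rule. This is an added example, not the article's original policy; the server, id, password and all addresses are placeholders to be replaced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
    <rule>
        <description>Email On Disabled User (full DN)</description>
        <conditions>
            <and>
                <if-op-attr name="Login Disabled" op="changing-to">true</if-op-attr>
            </and>
        </conditions>
        <actions>
            <!-- id/password/server are placeholders; drop id and password if the
                 mail server accepts unauthenticated submission -->
            <do-send-email id="emailAuthIDHere@somewhere.tld" password="putRealPasswordHere" server="mail.somewhere.tld">
                <arg-string name="to">
                    <token-text xml:space="preserve">destinationAccountHere@somewhere.tld</token-text>
                </arg-string>
                <arg-string name="from">
                    <token-text xml:space="preserve">someUser@somewhere.tld</token-text>
                </arg-string>
                <!-- reply-to is a placeholder address; replies go here, not to "from" -->
                <arg-string name="reply-to">
                    <token-text xml:space="preserve">idmAdminsHere@somewhere.tld</token-text>
                </arg-string>
                <arg-string name="subject">
                    <token-text xml:space="preserve">Disabled User Notification</token-text>
                </arg-string>
                <arg-string name="message">
                    <token-text xml:space="preserve">A user has been disabled. The DN is </token-text>
                    <!-- source DN of the eDirectory object: unambiguous even when the same
                         CN exists in several containers -->
                    <token-src-dn/>
                </arg-string>
            </do-send-email>
        </actions>
    </rule>
</policy>
```

Because the `id` and `password` attributes live in the policy object itself, if the mail server does require authentication it is worth using a dedicated mailbox account with no other privileges for that purpose, and restricting who can read the driver's policies in eDirectory.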


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: ab
Feb 15, 2006
8:12 am