Problem

A Forum participant asked the following question:

“We have some problems updating the Notes HTTPPassword in the following scenario. We want to synchronize only HTTPPassword from eDirectory to Notes to update the web password of already existing Notes users. When an eDirectory user changes his password, we get the following output from the Notes Remote Loader trace log:

<input>
  <modify-password class-name="Person"
     event-id="pwd-subscribe"
     src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe"
     src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <password><!-- content suppressed --></password>
  </modify-password>
</input>

This seems correct to me. So why is the following error (status message) returned?”

<output>
  <status  event-id="pwd-subscribe"
           level="error"
           type="password-set-operation">
    <description>Subscriber: modify-password event failed: 
old HTTPPassword parameter for John Doe (UNID=D9628831A988381AC12570F9005BE6B3) 
does not match current HTTPPassword in Notes.</description>
  </status>
</output>

And here’s the response from Novell’s Perry Nuffer …

Solution

When processing a modify-password command, the NotesDriverShim checks for an existing and valid ‘old-password’ match. Thus, if the modify-password command is missing an <old-password> value and the existing Notes User already has an HTTPPassword (web password) value set, the modify-password command will fail (returning the status error you described). So, if the old HTTPPassword value is known (and currently valid in Notes), adding an <old-password> element with the old HTTPPassword value to the <modify-password> command should work … something like this:

<input>
  <modify-password class-name="Person" 
     event-id="pwd-subscribe" 
     src-dn="\PWDSYNCTREE\sync\dom\unit\JohnDoe"
     src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <old-password><!-- content suppressed --></old-password>
    <password><!-- content suppressed --></password>
  </modify-password>
</input>

Sending a command similar to this can be achieved with a DirXML Script policy. The following DirXML script example sets the eDir DistributionPassword attribute (nspmDistributionPassword) value to the new password and uses my3secret as the old password:

<policy>
  <rule>
    <description>Send modify-password command with old-password value</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-dest-password>
      <do-append-xml-element expression="../modify-password" name="old-password"/>
      <do-append-xml-text expression="../modify-password/old-password">
        <arg-string>
          <token-text xml:space="preserve">my3secret</token-text>
        </arg-string>
      </do-append-xml-text>
    </actions>
  </rule>
</policy>

And if you don’t know the old-password (or have no method of retrieving it), to overcome this security check, try setting the HTTPPassword attribute directly. A command like the following received by the NotesDriverShim should work:

<input>
  <modify class-name="Person"
      event-id="pwd-set-subscribe"
      src-dn="\PWDSYNCTREE\sync\dom\poc\JohnDoe"
      src-entry-id="35952">
    <association>D9628831A988381AC12570F9005BE6B3</association>
    <modify-attr attr-name="HTTPPassword" is-sensitive="true"><!-- content suppressed --></modify-attr>
  </modify>
</input>

Sending a command similar to this can be achieved with a DirXML Script policy. The following DirXML script example sets the eDir DistributionPassword attribute (nspmDistributionPassword) value to the new Notes HTTPPassword:

<policy>
  <rule>
    <description>Set DistributionPassword as Notes HTTPPassword</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value class-name="User" name="HTTPPassword">
        <arg-value type="string">
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
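To make the difference between the two approaches concrete, here is an added Python model (not code from the original post and not the NotesDriverShim itself) of the checks Perry describes. It builds the two XDS commands shown above, applies the stated rule (a modify-password must carry an old-password matching the user's current HTTPPassword when one is set; a plain modify of HTTPPassword is written without that comparison) against a constructed in-memory Notes directory, and emits the same kind of output/status document the Remote Loader trace shows. The sample directory, its cleartext values, and the status type and text for anything other than the password-set-operation error quoted on this page are assumptions for the simulation.

```python
"""Model of the HTTPPassword checks Perry Nuffer describes (added example).

Not the NotesDriverShim's code: it applies the stated rules to XDS commands
and emits the kind of <output>/<status> document a Remote Loader trace shows.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample of the Notes directory keyed by association (UNID); cleartext
# HTTPPassword values only so the simulation is self-contained. Jane has none set.
SAMPLE_DIRECTORY = {
    "D9628831A988381AC12570F9005BE6B3": {"FullName": "John Doe", "HTTPPassword": "oldsecret"},
    "0000000000000000000000000000BEEF": {"FullName": "Jane Roe", "HTTPPassword": None},
}
SRC_DN = r"\PWDSYNCTREE\sync\dom\unit\JohnDoe"   # src-dn from the trace above


def sample_directory():
    """Fresh copy so every run starts from the same state."""
    return copy.deepcopy(SAMPLE_DIRECTORY)


def build_modify_password(unid, new_pw, old_pw=None):
    """XDS <modify-password> like the trace; <old-password> only when given."""
    root = ET.Element("input")
    cmd = ET.SubElement(root, "modify-password", {"class-name": "Person",
          "event-id": "pwd-subscribe", "src-dn": SRC_DN, "src-entry-id": "35952"})
    ET.SubElement(cmd, "association").text = unid
    if old_pw is not None:
        ET.SubElement(cmd, "old-password").text = old_pw
    ET.SubElement(cmd, "password").text = new_pw
    return ET.tostring(root, encoding="unicode")


def build_modify_http_password(unid, new_pw):
    """XDS <modify> that writes HTTPPassword directly, as in the second command."""
    root = ET.Element("input")
    cmd = ET.SubElement(root, "modify", {"class-name": "Person",
          "event-id": "pwd-set-subscribe", "src-dn": SRC_DN, "src-entry-id": "35952"})
    ET.SubElement(cmd, "association").text = unid
    attr = ET.SubElement(cmd, "modify-attr", {"attr-name": "HTTPPassword", "is-sensitive": "true"})
    ET.SubElement(ET.SubElement(attr, "add-value"), "value", {"type": "string"}).text = new_pw
    return ET.tostring(root, encoding="unicode")


def _status(output, event_id, level, type_, description=None):
    st = ET.SubElement(output, "status", {"event-id": event_id, "level": level, "type": type_})
    if description:
        ET.SubElement(st, "description").text = description
    return st


def process_subscriber_input(xds_input, directory):
    """Handle each command in an <input>; mutate `directory` on success."""
    output = ET.Element("output")
    for cmd in ET.fromstring(xds_input):
        event_id = cmd.get("event-id", "")
        unid = cmd.findtext("association")
        person = directory.get(unid)
        if person is None:   # status type/text here is assumed, not from the page
            _status(output, event_id, "error", "driver-general",
                    "Subscriber: no Notes document associated with %s" % unid)
            continue
        if cmd.tag == "modify-password":
            old_pw = cmd.findtext("old-password")      # None when the element is absent
            current = person["HTTPPassword"]
            # The check from the answer: with an HTTPPassword already set, a missing
            # or wrong <old-password> fails the command; with none set it is skipped.
            if current and old_pw != current:
                _status(output, event_id, "error", "password-set-operation",
                        "Subscriber: modify-password event failed: old HTTPPassword "
                        "parameter for %s (UNID=%s) does not match current HTTPPassword "
                        "in Notes." % (person["FullName"], unid))
            else:
                person["HTTPPassword"] = cmd.findtext("password")
                _status(output, event_id, "success", "password-set-operation")
        elif cmd.tag == "modify":
            # Direct attribute write: no old-password comparison at all, which is why
            # the second policy works without the old value (at the cost of that check).
            for attr in cmd.findall("modify-attr"):
                if attr.get("attr-name") == "HTTPPassword":
                    person["HTTPPassword"] = attr.findtext("add-value/value")
            _status(output, event_id, "success", "driver-general")
    return output


def status_levels(xds_input, directory):
    """The level of each <status> produced, in order."""
    return [st.get("level") for st in process_subscriber_input(xds_input, directory)]


if __name__ == "__main__":
    john = "D9628831A988381AC12570F9005BE6B3"
    directory = sample_directory()
    for doc in (build_modify_password(john, "newsecret"),              # error: no old-password
                build_modify_password(john, "newsecret", "oldsecret"), # success
                build_modify_http_password(john, "another")):          # success, check bypassed
        print(ET.tostring(process_subscriber_input(doc, directory), encoding="unicode"))
```

Running it prints three status documents: the first reproduces the error from the trace, the second succeeds once the matching old-password is present, and the third succeeds with no comparison at all. That last path is the point to weigh before adopting the second policy: it trades the shim's only safeguard against overwriting a live web password for convenience, so the driver's Notes identity should be the only thing allowed to issue it.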

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: pnuffer
Mar 15, 2006
4:11 am