"user must change the password at next logon...." and Novell MA

  • Question

  • Hello,

    I am using ILM 2007 to sync users from AD to Novell eDir (and PCNS to sync passwords). Everything is working very well, but now I have a problem. My client asks me to also sync the password reset. I mean, when the help desk operator resets a password in AD for a user, he checks the "user must change the password at next logon" check box. This won't be synced to Novell (which uses another way to ask for a new password), and so the users can use the temporary password to log in to Novell without being prompted for a new password.

    Novell uses the attribute "passwordExpirationTime", which must be set to a date in the past (so for Novell the password is expired and it asks for a new one). In AD, when "user must change the password at next logon" is checked, the attribute "pwdLastSet" is forced to ZERO.

    I can manage this using a management agent extension to transform "pwdLastSet=0" into "passwordExpirationTime=01/01/1992". But the problem is that passwords are synchronized in real time, while the pwdLastSet attribute is synchronized only according to the run profile schedule. I can't be sure that a delta sync is run right after a password sync.

    I know that I can write a password extension, but probably I cannot use it with the Novell MA, is that right? Do I also have to write a new MA?

    Thanks!


    Bodo

    Monday, August 5, 2013 10:24 AM
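Added example, not code from the original post: one way the export flow rule described in the question could look as an ILM 2007 rules extension. It assumes the metaverse attribute is named pwdLastSet, the Novell connector space attribute is passwordExpirationTime, the flow rule name and class name are hypothetical, and that the Novell MA exposes the attribute as an LDAP generalized-time string. Because the rule only runs during an export run, it has the same timing limitation the question describes.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Hypothetical rules extension for the Novell MA's export attribute flow.
// When the metaverse pwdLastSet is 0 (AD "user must change password at next
// logon"), write an already-expired passwordExpirationTime so eDirectory
// prompts for a new password at the next login.
public class NovellExportRules : IMASynchronization
{
    // Assumed generalized-time form of 1 January 1992, i.e. a date in the past.
    const string ExpiredPasswordTime = "19920101000000Z";
    // Assumed flow rule name as configured in the MA's export attribute flow.
    const string ForceChangeRule = "cd.user:pwdLastSet->passwordExpirationTime";

    public void Initialize() { }
    public void Terminate() { }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        if (FlowRuleName != ForceChangeRule)
            throw new EntryPointNotImplementedException();

        if (mventry["pwdLastSet"].IsPresent && mventry["pwdLastSet"].IntegerValue == 0)
        {
            // AD forced a password change: expire the eDirectory password now.
            csentry["passwordExpirationTime"].Value = ExpiredPasswordTime;
        }
        else if (csentry["passwordExpirationTime"].IsPresent
                 && csentry["passwordExpirationTime"].Value == ExpiredPasswordTime)
        {
            // pwdLastSet is non-zero again: remove only the expiry this rule
            // wrote, leaving any value set by eDirectory's own policy alone.
            csentry["passwordExpirationTime"].Delete();
        }
    }

    // Remaining IMASynchronization members are not used by this rule.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }
}
```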

All replies

  • Hi,

    In my opinion you are following the right approach, and as it doesn't show an error when we set pwdLastSet=0 in AD along with the password, as per my knowledge it will not show an error for the Novell MA either.

    I never tried it, but concept-wise or logic-wise it should not throw any error.

    Thanks~

    Giriraj Singh

    Monday, August 5, 2013 2:28 PM
  • Thanks Giriraj,

    I have already done the MA extension and it works. But I still have the problem because in this way the flow is asynchronous: passwords are synced in real time, but the attributes must wait for the schedule. Between the password sync and the attribute sync, users can log on to eDir with NO prompt to change the password.

    My idea is to write a "password extension" to change the way passwords are synced to Novell. But I think it's not possible to use a password extension with the Novell MA... can anyone confirm this?


    Bodo

    Monday, August 5, 2013 2:43 PM