dirxml

[ password notification service driver ]
For quite a while, we used to run the password expiration email notification cool tool, which helped reducing password-related helpdesk calls a lot. Nevertheless, I never liked the fact that it runs outside the IDM environment and does not make use of the email template features IDM provides, thus making it a bit complicated to maintain a consistent look and feel throughout all email notifications. Luckily, though widely unknown, IDM supports time-triggered events that can be (mis)used to kick off custom actions: the publisher driver heartbeat. Add a schedule and a few policies that can read the clock, and there it is: an all-in-one IDM 2.x/3.x service driver for password notifications that can notify users, helpdesk and - still experimental - naudit on the following events: up to three times before passwords actually expire after passwords expired, when grace logins fall below a configurable limit when accounts get locked and passwords have to be reset by an administrator on intruder lockout And new in v2.0 for IDM 3.5: trigger notifications from the subscriber channel (via policy or WorkOrder driver) notify managers on direct report's upcoming account expiration uses ldap search instead of XdsQueryProcessor: much more efficient, especially in large tree environments (thanks to a hint by Father Ramon) Updates to v2.0.3 for IDM 3.5: now supports (and defaults to) secure ldap operations notify managers/helpdesk about idle accounts (no login for more than xx days) changed some GCVs and added more detailed comments on how to use them All notifiction types and their targets (user, helpdesk and/or naudit) can be individually enabled/disabled. The notification schedule operates on an hourly or daily basis and is easily configured through GCVs. Because IDM email templates are used, notifications can contain additional account data e.g. the time an intruder-locked account will be automatically unlocked again, or a company name for branding purposes. Email templates are maintained in iManager or Designer, making it easy to give them the same look and feel as the standard templates that come with IDM password synchronization. Requires (and includes) java package bh-dirxmlutils.	download password notification service driver for IDM 2.x/3.0.x (v1.1, .zip, 22kb) download password notification service driver for IDM 3.5.x (v2.0.3, .zip, 86kb)

[ fsf/nsm user storage service driver ]
Loopback driver to automatically assign File System Factory/Novell Storage Manager policies to users. assigns policies based on user's location ("L") attribute supports archive and fallback policies enables FSF/NSM user homedir management through pseudo-entitlements Requires IDM 2.x or above and FSF 1.21/NSM 2.x An entitlement-enabled version for IDM 3.5 is also available. It uses RBE to determine the appropriate FSF/NSM policy for a user, making it a lot easier to implement complex assignment rules.	download user storage service driver (v1.0, .zip, 7kb) download user storage service driver with entitlements (v1.2, .zip, 10kb)

[ idm 3.5 pwfilter.dll updater inf ]
The IDM AD driver requires a filter DLL to be installed on all DCs for password synchronization. Unfortunately, it seems as if the IDM 3.5 setup does not always update a previously installed version of pwfilter.dll (and associated files) properly. This INF installer can be used to update those files so they will be used after the next reboot. Requires IDM 3.5 AD driver	download pwfilter.dll updater (v1.0, .zip, 2kb)

[ check_dxml_drvstate ]
Bash script to monitor Novell DirXML 1.1 and Identity Manager 2.x/3.x driver states from within Nagios. Usage: check_dxml_drvstate [-s hostname\|ip-address] -u username -p password -d driver-dn Basically a wrapper for "dxcmd -getstate". Leave out the -s option to check drivers running on the same machine as nrpe.	download from NagiosExchange

[ com.brummelhook.dirxml.utils ]
Utility java classes for dirxml. Currently implements B64Converter to help accessing octet string attribute values . Command line usage: java -cp bh-dirxmlutils.jar com.brummelhook.dirxml.utils.B64Converter [-B64toHEX \| -HEXtoB64 \| -DecodeIntruderAddress] string1 [string2 string3...] Policy usage: 1. copy bh-dirxmlutils.jar to your dirxml/idm server, make sure it's in the class path 2. define a java name space in your policy, e.g. : <policy xmlns:bh-B64Conv = "www.novell.com/ nxsl/ java/ com. brummelhook. dirxml. utils. B64Converter"/> 3. call the desired function from xpath, e.g.: <token-xpath expression="bh-B64Conv:B64toHEX($current-value)"/>	download bh-dirxmlutils package (.zip, 2kb)

[ password notification service driver ]

For quite a while, we used to run the password expiration email notification cool tool, which helped reducing password-related helpdesk calls a lot. Nevertheless, I never liked the fact that it runs outside the IDM environment and does not make use of the email template features IDM provides, thus making it a bit complicated to maintain a consistent look and feel throughout all email notifications.

Luckily, though widely unknown, IDM supports time-triggered events that can be (mis)used to kick off custom actions: the publisher driver heartbeat. Add a schedule and a few policies that can read the clock, and there it is: an all-in-one IDM 2.x/3.x service driver for password notifications that can notify users, helpdesk and - still experimental - naudit on the following events:

up to three times before passwords actually expire
after passwords expired, when grace logins fall below a configurable limit
when accounts get locked and passwords have to be reset by an administrator
on intruder lockout

And new in v2.0 for IDM 3.5:

trigger notifications from the subscriber channel (via policy or WorkOrder driver)
notify managers on direct report's upcoming account expiration
uses ldap search instead of XdsQueryProcessor: much more efficient, especially in large tree environments (thanks to a hint by Father Ramon)

Updates to v2.0.3 for IDM 3.5:

now supports (and defaults to) secure ldap operations
notify managers/helpdesk about idle accounts (no login for more than xx days)
changed some GCVs and added more detailed comments on how to use them

All notifiction types and their targets (user, helpdesk and/or naudit) can be individually enabled/disabled. The notification schedule operates on an hourly or daily basis and is easily configured through GCVs.

Because IDM email templates are used, notifications can contain additional account data e.g. the time an intruder-locked account will be automatically unlocked again, or a company name for branding purposes. Email templates are maintained in iManager or Designer, making it easy to give them the same look and feel as the standard templates that come with IDM password synchronization.

Requires (and includes) java package bh-dirxmlutils.

download password notification service driver for IDM 2.x/3.0.x
(v1.1, .zip, 22kb)

download password notification service driver for IDM 3.5.x
(v2.0.3, .zip, 86kb)

[ fsf/nsm user storage service driver ]

Loopback driver to automatically assign File System Factory/Novell Storage Manager policies to users.

assigns policies based on user's location ("L") attribute
supports archive and fallback policies
enables FSF/NSM user homedir management through pseudo-entitlements

Requires IDM 2.x or above and FSF 1.21/NSM 2.x

An entitlement-enabled version for IDM 3.5 is also available. It uses RBE to determine the appropriate FSF/NSM policy for a user, making it a lot easier to implement complex assignment rules.

download user storage service driver
(v1.0, .zip, 7kb)

download user storage service driver with entitlements
(v1.2, .zip, 10kb)

[ idm 3.5 pwfilter.dll updater inf ]

The IDM AD driver requires a filter DLL to be installed on all DCs for password synchronization. Unfortunately, it seems as if the IDM 3.5 setup does not always update a previously installed version of pwfilter.dll (and associated files) properly.
This INF installer can be used to update those files so they will be used after the next reboot.

Requires IDM 3.5 AD driver

download pwfilter.dll updater
(v1.0, .zip, 2kb)

[ check_dxml_drvstate ]

Bash script to monitor Novell DirXML 1.1 and Identity Manager 2.x/3.x driver states from within Nagios.

Usage:
check_dxml_drvstate [-s hostname|ip-address] -u username -p password -d driver-dn

Basically a wrapper for "dxcmd -getstate". Leave out the -s option to check drivers running on the same machine as nrpe.

download from NagiosExchange

[ com.brummelhook.dirxml.utils ]

Utility java classes for dirxml. Currently implements B64Converter to help accessing octet string attribute values .

Command line usage:
java -cp bh-dirxmlutils.jar com.brummelhook.dirxml.utils.B64Converter [-B64toHEX | -HEXtoB64 | -DecodeIntruderAddress] string1 [string2 string3...]

Policy usage:
1. copy bh-dirxmlutils.jar to your dirxml/idm server, make sure it's in the class path
2. define a java name space in your policy, e.g. : <policy xmlns:bh-B64Conv = "www.novell.com/ nxsl/ java/ com. brummelhook. dirxml. utils. B64Converter"/>
3. call the desired function from xpath, e.g.: <token-xpath expression="bh-B64Conv:B64toHEX($current-value)"/>

download bh-dirxmlutils package
(.zip, 2kb)