Channel: Novell User Communities - Novell Client

Using the Novell Client and/or SecureLogin to provide password expiration notification

Password Expiration Notification

Are you tired of intruder lockouts because someone didn't change their password in time? If you have SecureLogin, your solution is hours away.

Are you using Smart Cards, Windows 7, Novell Client and also maintaining NDS passwords? What are you doing to maintain the NDS passwords? Ever considered Self Service Password Reset and SecureLogin?

Use Case:

  1. Customer is using Smart Cards and does not receive NDS password expiration notifications. They don't want to implement an e-mail notification method because they are concerned it could be spoofed. They already had maintenance for SecureLogin. See Solution A.

    If a customer is not entitled to SecureLogin, they can use a login script; see Solution B.

  2. Customer wants password expiration / change prompts days before the password expires, similar to Microsoft.

Solution A:

Products to install for Solution A

  • Novell Client
  • NetIQ SecureLogin
  • SSPR (Self Service Password Reset)
  1. Create an NSL startup script to check the current user's password expiration

    After SecureLogin has been installed in eDirectory mode, with the Novell Client, create a startup script that runs every time a user logs in. Below is an example startup script that checks when the user's password expires and notifies the user.

    ### Password Expiration Notification script on startup ###
    
    Subtract %Password_Expiration_Time %Login_time ?Remaining
    Divide ?Remaining 86400 ?days
    
    ### If the password is going to expire in 3 days or less, force the user to be redirected to the password portal
    
    If ?days LT 4
      MessageBox %Full_Name ", Your password will expire in " ?days " days, you must change your password now to avoid interruption to services." \n \n \t "You will now be redirected to the Password Change Portal to change your password."
      Run "c:\Program Files\Internet Explorer\iexplore.exe" "http://192.168.176.4:8080/sspr/private/ChangePassword"
      EndScript
    EndIf
    
    ### Notify users that their password will expire in 10 or fewer days and give them the option to change it
    ### It will prompt them on each new login to change their password until they have successfully changed it
    
    If ?days LT 11
      MessageBox -YesNo ?Result %Full_Name ", Your password will expire in " ?days " days, would you like to change it now?"
      If ?Result Eq "Yes"
        MessageBox "You will now be redirected to the Password Change portal to change your password."
        Run "c:\Program Files\Internet Explorer\iexplore.exe" "http://192.168.176.4:8080/sspr/private/ChangePassword"
      Else
        MessageBox "You will continue to receive these password change messages until your password has been changed."
      EndIf
    EndIf
    

    Notice that the script pops up a message box and then directs the user to the portal you want them to use to change their password.

  2. Configure SSPR:

    To set up SSPR as the portal to be directed to, the customer installed SLES 11 SP2 64-bit and included Tomcat 6 in the install. Make sure users are already associated with an eDirectory Universal Password Policy.

    See the online documentation for SSPR. Currently the link you can go to is: https://www.netiq.com/documentation/sspr20/pdfdoc/nsl702_sspr/nsl702_sspr.pdf

    Once the server was installed, they simply followed the directions in the online documentation to place the WAR file, and then began the configuration of SSPR after restarting tomcat6. See the online documentation.

    The customer this was initially set up for wanted to use SSPR and did not want the users to have the ability to use challenge questions. The eDirectory schema did not need to be extended.

  3. Script used to automatically log a user in to the SSPR portal with their existing password, after being directed to the SSPR site from the password expiration startup script. Once logged in, the user will see the prompt to enter a new password.
    NSL Script -- SSPR web page login with current credentials
    
    
    #=============================================================
    # EXE/ID:        192.168.176.4
    # Name:         Password Self Service
    # Type:            Web
    # Version:        1
    # Created By:    
    #=============================================================
    
    GetReg "HKCU\Software\Protocom\SecureLogin\LastCacheUser" ?UserIDAll
    RegSplit CN=(.*).OU=(.*) ?UserIDAll ?UserID1 ?junk ?junk2
    RegSplit (.*).OU=(.*) ?UserID1 ?UserID ?junk3
    #MessageBox "UserID: " ?UserID
    
    ## BeginSection: "Login Form"
    Site "Password Self Service" -initial
    DebugPrint "Conducting Match on login form Password Self Service"
    MatchForm #1 -name "login"
    MatchField #1:3 -type "text" -name "username"
    DebugPrint "Matched Field 'username'"
    MatchField #1:4 -type "password" -name "password"
    DebugPrint "Matched Field 'password'"
    MatchField #1:8 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    MatchField #1:5 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    EndSite
    DebugPrint "Successfully matched login form Password Self Service"
    OnException EnterVariablesCancelled Call N056893D0N052D5A40
    SetPrompt "Username"
    FocusInput #1:3
    #TextInput #1:3 -value "$username"
    TextInput #1:3 -value "?UserID"
    DebugPrint "Performed entry action TextInput $username into control id#1:3"
    SetPrompt "Current Password"
    FocusInput #1:4
    #TextInput #1:4 -value "$password"
    TextInput #1:4 -value "?syspassword"
    DebugPrint "Performed entry action TextInput $password into control id#1:4"
    SetPrompt "Please edit your login variables."
    FocusInput #1:5
    PressInput #1:5
    DebugPrint "PressInput action performed"
    EndScript
    ## EndSection: "Login Form"
    
    
    ## BeginSection: "Login Form"
    Site "Password Self Service" -recent 5000
    DebugPrint "Conducting Match on login form Password Self Service"
    MatchForm #1 -name "login"
    MatchField #1:3 -type "text" -name "username"
    DebugPrint "Matched Field 'username'"
    MatchField #1:4 -type "password" -name "password"
    DebugPrint "Matched Field 'password'"
    MatchField #1:8 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    MatchField #1:5 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    EndSite
    DebugPrint "Successfully matched login form Password Self Service"
    OnException EnterVariablesCancelled Call N056893D0N052D5A40
    if -exists $username
    Displayvariables  $username $password
    Endif
    SetPrompt "Username"
    FocusInput #1:3
    TextInput #1:3 -value "?UserID"
    DebugPrint "Performed entry action TextInput $username into control id#1:3"
    SetPrompt "Current Password"
    FocusInput #1:4
    TextInput #1:4 -value "?syspassword"
    DebugPrint "Performed entry action TextInput $password into control id#1:4"
    SetPrompt "Please edit your login variables."
    FocusInput #1:5
    PressInput #1:5
    DebugPrint "PressInput action performed"
    EndScript
    ## EndSection: "Login Form"
    
    
    ## BeginSection: "Login Form"
    Site "Password Self Service" -subsequent
    DebugPrint "Conducting Match on login form Password Self Service"
    MatchForm #1 -name "login"
    MatchField #1:3 -type "text" -name "username"
    DebugPrint "Matched Field 'username'"
    MatchField #1:4 -type "password" -name "password"
    DebugPrint "Matched Field 'password'"
    MatchField #1:8 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    MatchField #1:5 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    EndSite
    DebugPrint "Successfully matched login form Password Self Service"
    OnException EnterVariablesCancelled Call N056893D0N052D5A40
    MessageBox "Do you wish to re-login?" -YesNo ?Result -DefaultNo
    If ?Result Eq "No"
    EndScript
    EndIf
    SetPrompt "Username"
    FocusInput #1:3
    TextInput #1:3 -value "?UserID"
    DebugPrint "Performed entry action TextInput $username into control id#1:3"
    SetPrompt "Current Password"
    FocusInput #1:4
    TextInput #1:4 -value "?syspassword"
    DebugPrint "Performed entry action TextInput $password into control id#1:4"
    SetPrompt "Please edit your login variables."
    FocusInput #1:5
    PressInput #1:5
    DebugPrint "PressInput action performed"
    EndScript
    ## EndSection: "Login Form"
    
    ## BeginSection: "Login Form Subroutines"
    Sub N056893D0N052D5A40
    FocusInput #1:8
    PressInput #1:8
    DebugPrint "PressInput action performed"
    ClearException EnterVariablesCancelled
    EndScript
    EndSub
    ## EndSection: "Login Form Subroutines"
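
The two RegSplit passes at the top of the script above only isolate the CN when the DN has a particular number of OU levels. The following Python model is an added example, not part of the original article or of SecureLogin; it assumes RegSplit applies ordinary greedy regular-expression matching and that LastCacheUser holds a dotted typed DN. The sample DNs and function names are constructed for illustration.

```python
import re

# Patterns copied from the page's two RegSplit calls. The '.' before OU is an
# unescaped wildcard there; it is kept as-is to model the script's behaviour.
PASS1 = re.compile(r"CN=(.*).OU=(.*)")
PASS2 = re.compile(r"(.*).OU=(.*)")

# Anchored alternative: the CN value is everything up to the first dot.
# Assumes the CN itself contains no escaped dots.
STRICT = re.compile(r"^CN=([^.=]+)\.", re.IGNORECASE)


def two_pass_user_id(dn):
    """Model of the two RegSplit passes; None means a pattern did not match."""
    m1 = PASS1.search(dn)
    if not m1:
        return None
    m2 = PASS2.search(m1.group(1))
    return m2.group(1) if m2 else None


def strict_user_id(dn):
    """Return the leading CN value, or None if the DN is not in CN=... form."""
    m = STRICT.match(dn)
    return m.group(1) if m else None


# Constructed sample DNs (not taken from the page).
SAMPLES = [
    "CN=jsmith.OU=Sales.O=ACME",                # one OU level
    "CN=jsmith.OU=Sales.OU=East.O=ACME",        # two OU levels
    "CN=jsmith.OU=Sales.OU=East.OU=US.O=ACME",  # three OU levels
]


def compare(samples=SAMPLES):
    """Return (dn, two-pass result, strict result) for each sample DN."""
    return [(dn, two_pass_user_id(dn), strict_user_id(dn)) for dn in samples]


if __name__ == "__main__":
    for dn, loose, strict in compare():
        print(f"{dn:42} two-pass={loose!r:18} strict={strict!r}")
```

Under these assumptions only the two-OU DN yields the bare user name from the two-pass split, so check the depth of your own users' DNs before relying on `?UserID` for the login form.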
    

Solution B:

Another option is to build the logic into the login script. See below for an example of how to use the login script (compliments of RLJohnson).

Customers that don't license NSL can use a fairly simple Novell Client login script to do some simple notification as well as send users to their User App portal.

**If the user's password is to expire in 1 to 5 days, they are sent to their Password Self Service Portal**

    IF PASSWORD_EXPIRES<="5" AND PASSWORD_EXPIRES>"1" THEN
      WRITE "\n\n\n\7Hello, %LOGIN_NAME,\nyour password will expire in %PASSWORD_EXPIRES days,\nyou must change your password now to avoid interruption to services. \n\n\7Press any key to be redirected to the Password Self Service Portal."
      PAUSE
      @C:\Program Files\Internet Explorer\iexplore https://<ipaddr>:<port>/IDM/jsps/login/Login.jsp
    END

**If the user's password expires today or they are using grace logins, they are sent to their Password Self Service Portal**

    IF PASSWORD_EXPIRES<="1" THEN
      WRITE "\n\n\n\7%LOGIN_NAME,\nYOUR PASSWORD IS EXPIRED\n\n\7YOU MUST CHANGE YOUR PASSWORD\n\nPress any key to be redirected to the Password Self Service Portal."
      PAUSE
      @C:\Program Files\Internet Explorer\iexplore https://<ipaddr>:<port>/IDM/jsps/login/Login.jsp
    END

Notice: An enhancement request has been submitted to Novell Development for a Novell Client option that handles password expiration the same way as Microsoft's solution, by notifying the user and allowing them to change their password a set number of days prior to the expiration. Even though the enhancement has been submitted, there is no current information on whether it is being considered.

