Password Expiration Notification
Are you tired of intruder lockouts because someone didn't change their password in time? If you have SecureLogin, your solution is hours away.
Are you using Smart Cards, Windows 7, Novell Client and also maintaining NDS passwords? What are you doing to maintain the NDS passwords? Ever considered Self Service Password Reset and SecureLogin?
Use Case:
- The customer is using Smart Cards and does not receive NDS password expiration notifications. They don't want to implement an e-mail notification method because they are concerned it could be spoofed. They already had maintenance for SecureLogin. See Solution A.
If a customer is not entitled to SecureLogin, they can use a login script instead; see Solution B.
- The customer wants password expiration / change prompts some days before the password expires, similar to what Microsoft provides.
Solution A:
Products to install for Solution A
- Novell Client
- NetIQ SecureLogin
- SSPR (Self Service Password Reset)
- Create an NSL startup script to check the current user's password expiration
After SecureLogin has been installed in eDirectory mode together with the Novell Client, create a startup script that runs every time a user logs in. Below is an example startup script that checks when the user's password expires and notifies the user.
```
### Password Expiration Notification script on startup ###
Subtract %Password_Expiration_Time %Login_time ?Remaining
Divide ?remaining 86400 ?days

### If password is going to expire in 3 days or less, force user to be redirected to the password portal
### Note: the portal URL below is plain http; the ChangePassword page receives the current and new password, so use an https URL in production
If ?days LT 4
    MessageBox %Full_Name ", Your password will expire in " ?days " days, you must change your password now to avoid interruption to services." \n \n \t "You will now be redirected to the Password Change Portal to change your password."
    Run "c:\Program Files\Internet Explorer\iexplore.exe" "http://192.168.176.4:8080/sspr/private/ChangePassword"
    EndScript
EndIf

### Notify users that their password will expire in 10 or fewer days and give them the option to change their password
### It will prompt them on each new login to change their password until they have successfully changed it
If ?days LT 11
    MessageBox -YesNo ?Result %Full_Name ", Your password will expire in " ?days " days, would you like to change it now?"
    If ?Result Eq "Yes"
        MessageBox "You will now be redirected to the Password Change portal to change your password."
        Run "c:\Program Files\Internet Explorer\iexplore.exe" "http://192.168.176.4:8080/sspr/private/ChangePassword"
    Else
        MessageBox "You will continue to receive these password change messages until your password has been changed."
    EndIf
EndIf
```
Notice that the script pops up a message box and then sends the user to whichever portal you want them to use to change their password.
- Configure SSPR:
To set up SSPR as the portal users are directed to, the customer installed SLES 11 SP2 64-bit and included Tomcat 6 in the install. Make sure users are already associated with an eDirectory Universal Password policy.
See the online documentation for SSPR. Currently the link you can go to is: https://www.netiq.com/documentation/sspr20/pdfdoc/nsl702_sspr/nsl702_sspr.pdf
Once the server was installed, they simply followed the directions in the online documentation to place the WAR file, and then began the configuration of SSPR after restarting tomcat6. See the online documentation.
The customer this was initially set up for wanted to use SSPR and did not want users to have the ability to use challenge questions. The eDirectory schema did not need to be extended.
- Script used to automatically log a user in to the SSPR portal with their existing password after the password expiration startup script has directed them to the SSPR site. Once logged in, the user sees the prompt to enter a new password.
NSL Script -- SSPR web page login with current credentials

```
#=============================================================
# EXE/ID: 192.168.176.4
# Name: Password Self Service
# Type: Web
# Version: 1
# Created By:
#=============================================================
# Derive the user's CN from the last cached eDirectory user name
GetReg "HKCU\Software\Protocom\SecureLogin\LastCacheUser" ?UserIDAll
RegSplit "CN=(.*).OU=(.*)" ?UserIDALL ?UserID1 ?junk ?junk2
RegSplit "(.*).OU=(.*)" ?UserID1 ?UserID ?junk3
#MessageBox "UserID: " ?UserID

## BeginSection: "Login Form"
Site "Password Self Service" -initial
    DebugPrint "Conducting Match on login form Password Self Service"
    MatchForm #1 -name "login"
    MatchField #1:3 -type "text" -name "username"
    DebugPrint "Matched Field 'username'"
    MatchField #1:4 -type "password" -name "password"
    DebugPrint "Matched Field 'password'"
    MatchField #1:8 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    MatchField #1:5 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
EndSite
DebugPrint "Successfully matched login form Password Self Service"
OnException EnterVariablesCancelled Call N056893D0N052D5A40
SetPrompt "Username"
FocusInput #1:3
#TextInput #1:3 -value "$username"
TextInput #1:3 -value "?UserID"
DebugPrint "Performed entry action TextInput $username into control id#1:3"
SetPrompt "Current Password"
FocusInput #1:4
#TextInput #1:4 -value "$password"
TextInput #1:4 -value "?syspassword"
DebugPrint "Performed entry action TextInput $password into control id#1:4"
SetPrompt "Please edit your login variables."
FocusInput #1:5
PressInput #1:5
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form"
Site "Password Self Service" -recent 5000
    DebugPrint "Conducting Match on login form Password Self Service"
    MatchForm #1 -name "login"
    MatchField #1:3 -type "text" -name "username"
    DebugPrint "Matched Field 'username'"
    MatchField #1:4 -type "password" -name "password"
    DebugPrint "Matched Field 'password'"
    MatchField #1:8 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    MatchField #1:5 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
EndSite
DebugPrint "Successfully matched login form Password Self Service"
OnException EnterVariablesCancelled Call N056893D0N052D5A40
If -Exists $username
    DisplayVariables $username $password
EndIf
SetPrompt "Username"
FocusInput #1:3
TextInput #1:3 -value "?UserID"
DebugPrint "Performed entry action TextInput $username into control id#1:3"
SetPrompt "Current Password"
FocusInput #1:4
TextInput #1:4 -value "?syspassword"
DebugPrint "Performed entry action TextInput $password into control id#1:4"
SetPrompt "Please edit your login variables."
FocusInput #1:5
PressInput #1:5
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form"
Site "Password Self Service" -subsequent
    DebugPrint "Conducting Match on login form Password Self Service"
    MatchForm #1 -name "login"
    MatchField #1:3 -type "text" -name "username"
    DebugPrint "Matched Field 'username'"
    MatchField #1:4 -type "password" -name "password"
    DebugPrint "Matched Field 'password'"
    MatchField #1:8 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
    MatchField #1:5 -type "submit" -name "button"
    DebugPrint "Matched Field 'button'"
EndSite
DebugPrint "Successfully matched login form Password Self Service"
OnException EnterVariablesCancelled Call N056893D0N052D5A40
MessageBox "Do you wish to re-login?" -YesNo ?Result -DefaultNo
If ?Result Eq "No"
    EndScript
EndIf
SetPrompt "Username"
FocusInput #1:3
TextInput #1:3 -value "?UserID"
DebugPrint "Performed entry action TextInput $username into control id#1:3"
SetPrompt "Current Password"
FocusInput #1:4
TextInput #1:4 -value "?syspassword"
DebugPrint "Performed entry action TextInput $password into control id#1:4"
SetPrompt "Please edit your login variables."
FocusInput #1:5
PressInput #1:5
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form Subroutines"
# Called when the user cancels the variable prompt: press the other submit button and clear the exception
Sub N056893D0N052D5A40
    FocusInput #1:8
    PressInput #1:8
    DebugPrint "PressInput action performed"
    ClearException EnterVariablesCancelled
    EndScript
EndSub
## EndSection: "Login Form Subroutines"
```
Solution B:
Another option is to build the logic into the login script. See below for an example of how to use the login script (compliments of RLJohnson).
Customers that don't license NSL can use a fairly simple Novell Client login script to do the same kind of notification and send users to their User App portal.
**If the user's password is to expire in 1 to 5 days, they are sent to their Password Self Service Portal**

```
IF PASSWORD_EXPIRES<="5" AND PASSWORD_EXPIRES>"1" THEN
    WRITE "\n\n\n\7Hello, %LOGIN_NAME,\nyour password will expire in %PASSWORD_EXPIRES days,\nyou must change your password now to avoid interruption to services. \n\n\7Press any key to be redirected to the Password Self Service Portal."
    PAUSE
    @C:\Program Files\Internet Explorer\iexplore https://<ipaddr>:<port>/IDM/jsps/login/Login.jsp
END
```

**If the user's password expires today or they are using grace logins, they are sent to their Password Self Service Portal**

```
IF PASSWORD_EXPIRES<="1" THEN
    WRITE "\n\n\n\7%LOGIN_NAME,\nYOUR PASSWORD IS EXPIRED\n\n\7YOU MUST CHANGE YOUR PASSWORD\n\nPress any key to be redirected to the Password Self Service Portal."
    PAUSE
    @C:\Program Files\Internet Explorer\iexplore https://<ipaddr>:<port>/IDM/jsps/login/Login.jsp
END
```
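The decision logic of both scripts, written out as an added Python example (not part of the article, and not NSL or Novell Client code) so the boundary cases can be checked before the scripts are deployed; the function names and the sample timestamps are constructed for illustration, and it assumes NSL's Divide truncates rather than rounds:

```python
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400  # the divisor the NSL startup script uses


def days_remaining(password_expiration_time: int, login_time: int) -> int:
    """Whole days until expiry, like 'Subtract' then 'Divide ... 86400' in the NSL script.

    Assumption: NSL's Divide truncates like int() does here, so 3 days 23 hours is
    still 3 (and therefore 'LT 4'); an already-expired password gives a negative
    value, which also satisfies 'LT 4' and is forced to the portal.
    """
    return int((password_expiration_time - login_time) / SECONDS_PER_DAY)


def solution_a_action(days: int) -> str:
    """Tiers of the SecureLogin startup script, checked in the script's order."""
    if days < 4:
        return "force"  # message box, then redirect to the SSPR ChangePassword page
    if days < 11:
        return "offer"  # Yes/No prompt, repeated at every login until the password changes
    return "none"


def solution_b_action(password_expires: int) -> str:
    """Tiers of the Novell Client login script (PASSWORD_EXPIRES is in days)."""
    if password_expires <= 1:
        return "expired"  # expires today or on grace logins: sent to the portal
    if password_expires <= 5:
        return "warn"  # 2 to 5 days left: warned, then sent to the portal
    return "none"


def notification_for_login(password_expiration_time: int, login_time: int) -> dict:
    """What each solution would do for one login event."""
    days = days_remaining(password_expiration_time, login_time)
    return {"days": days,
            "solution_a": solution_a_action(days),
            "solution_b": solution_b_action(days)}


if __name__ == "__main__":
    # Constructed sample timestamps (not real login data): login at
    # 2024-03-01 08:00 UTC, password expiring 3 days 23 hours later.
    login = int(datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc).timestamp())
    print(notification_for_login(login + 3 * SECONDS_PER_DAY + 23 * 3600, login))
    # Expired a day ago: negative days, forced by both solutions.
    print(notification_for_login(login - SECONDS_PER_DAY, login))
```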
Notice: An enhancement request has been submitted to Novell Development for an option in the Novell Client to handle password expiration the same way Microsoft's solution does, by notifying the user and allowing them to change their password a set number of days before it expires. Although the request has been submitted, there is currently no information on whether it will be accepted.