dirxml

[ brummelhook public repository ]
With the introduction of IDM 4 driver configs can now be imported as packages from repositories. I've already packaged some of the drivers below and publish them via the Brummelhook Public repository. New stuff will most likely be added there as well. To connect your Designer 4 installation to the Brummelhook Public repo, go to Window -> Preferences -> Novell -> Package Manager -> Online Updates and add the URL on the right to your list of Package Update URLs.	Brummelhook Public repo at http://www.brummelhook.com/download/idm/packages/

[ password notification service driver ]
For quite a while, we used to run the password expiration email notification cool tool, which helped reducing password-related helpdesk calls a lot. Nevertheless, I never liked the fact that it runs outside the IDM environment and does not make use of the email template features IDM provides, thus making it a bit complicated to maintain a consistent look and feel throughout all email notifications. Luckily, though widely unknown, IDM supports time-triggered events that can be (mis)used to kick off custom actions: the publisher driver heartbeat. Add a schedule and a few policies that can read the clock, and there it is: an all-in-one IDM 2.x/3.x service driver for password notifications that can notify users, helpdesk and - still experimental - naudit on the following events: up to three times before passwords actually expire after passwords expired, when grace logins fall below a configurable limit when accounts get locked and passwords have to be reset by an administrator on intruder lockout And new in v2.0 for IDM 3.5/3.6: trigger notifications from the subscriber channel (via jobs, spolicy or WorkOrder driver) notify managers on direct report's upcoming account expiration uses ldap search instead of XdsQueryProcessor: much more efficient, especially in large tree environments (thanks to a hint by Father Ramon) Updates to v2.0.3 for IDM 3.5/3.6: now supports (and defaults to) secure ldap operations notify managers/helpdesk about idle accounts (no login for more than xx days) changed some GCVs and added more detailed comments on how to use them New in v2.1.1 for IDM 4.0: packaged version for easy import and maintenance through Designer removed dependency on bh-dirxmlutils.jar by porting bh_DecodeNetAddr and bh_b64ToHEX functions to ECMAscript code modularization and streamlining minor bug fixes New in v2.2: Changed policy naming scheme to include linkage weight Moved base filter to resource object Added suppport for Edir2Edir shim (to enable support for IDM Bundled Editions, which do not include NULL/LBACK shims), default for new installations. Added LDAP StartTLS support and LDAP tracing (through dependency on updated BH-BitsNPieces v1.0.3) Upgraded prompt stylesheets to latest versions Named LDAP Bind Password now takes precedence over bind user object's Distribution Password. Read Distribution Password (if used) on every notification cycle instead of only once per driver start minor bug fixes All notifiction types and their targets (user, helpdesk and/or naudit) can be individually enabled/disabled. The notification schedule operates on an hourly or daily basis and is easily configured through GCVs. Because IDM email templates are used, notifications can contain additional account data e.g. the time an intruder-locked account will be automatically unlocked again, or a company name for branding purposes. Email templates are maintained in iManager or Designer, making it easy to give them the same look and feel as the standard templates that come with IDM password synchronization. All versions up to 2.0.x require (and include) the java package bh-dirxmlutils.	download password notification service driver for IDM 2.x/3.0 (v1.1, .zip, 22kb) download password notification service driver for IDM 3.5/3.6 (v2.0.3, .zip, 86kb) import the password notification service driver packages (PWNotify*) for IDM 4.x from the Brummelhook Public repo (v2.2, Designer repository)

[ check_dxml_drvstate ]
Bash script to monitor Novell DirXML 1.1 and Identity Manager 2.x/3.x driver states from within Nagios or Icinga. Usage: check_dxml_drvstate [-s hostname\|ip-address] -u username -p password -d driver-dn Basically a wrapper for "dxcmd -getstate". Leave out the -s option to check drivers running on the same machine as nrpe.	download Nagios/Icinga plugin from MonitoringExchange import the BH-NagiosMon driver add-on package for IDM 4.x from the Brummelhook Public repo (v2.1.1, Designer repository)

[ fsf/nsm user storage service driver ]
Loopback driver to automatically assign File System Factory/Novell Storage Manager policies to users. assigns policies based on user's location ("L") attribute supports archive and fallback policies enables FSF/NSM user homedir management through pseudo-entitlements Requires IDM 2.x or above and FSF 1.21/NSM 2.x An entitlement-enabled version for IDM 3.5 is also available. It uses RBE to determine the appropriate FSF/NSM policy for a user, making it a lot easier to implement complex assignment rules.	download user storage service driver (v1.0, .zip, 7kb) download user storage service driver with entitlements (v1.2, .zip, 10kb)

[ idm ad pwfilter.dll updater inf ]
The IDM AD driver requires a filter DLL to be installed on all DCs for password synchronization. Unfortunately, it seems as if the IDM 3.5 setup does not always update a previously installed version of pwfilter.dll (and associated files) properly. This INF installer can be used to update those files so they will be used after the next reboot. Many thanks to Alex McHugh for adding x64 support and fixing some bugs! Requires IDM AD driver	download pwfilter.dll updater (v1.1, .zip, 2kb)

[ com.brummelhook.dirxml.utils ]
Utility java classes for dirxml. Currently implements B64Converter to help accessing octet string attribute values . Command line usage: java -cp nxsl.jar;bh-dirxmlutils.jar com.brummelhook.dirxml.utils.B64Converter [-B64toHEX \| -HEXtoB64 \| -B64toTXT \| -TXTtoB64 \| -DecodeIntruderAddress] string1 [string2 string3...] Policy usage: 1. copy bh-dirxmlutils.jar to your dirxml/idm server, make sure it's in the class path 2. define a java name space in your policy, e.g. : <policy xmlns:bh-B64Conv = "www.novell.com/nxsl/java/com.brummelhook.dirxml.utils.B64Converter"/> 3. call the desired function from xpath, e.g.: <token-xpath expression="bh-B64Conv:B64toHEX($current-value)"/>	download bh-dirxmlutils package (.zip, 4kb)

[ brummelhook public repository ]

With the introduction of IDM 4 driver configs can now be imported as packages from repositories. I've already packaged some of the drivers below and publish them via the Brummelhook Public repository. New stuff will most likely be added there as well.

To connect your Designer 4 installation to the Brummelhook Public repo, go to Window -> Preferences -> Novell -> Package Manager -> Online Updates and add the URL on the right to your list of Package Update URLs.

Brummelhook Public repo at http://www.brummelhook.com/download/idm/packages/

[ password notification service driver ]

For quite a while, we used to run the password expiration email notification cool tool, which helped reducing password-related helpdesk calls a lot. Nevertheless, I never liked the fact that it runs outside the IDM environment and does not make use of the email template features IDM provides, thus making it a bit complicated to maintain a consistent look and feel throughout all email notifications.

Luckily, though widely unknown, IDM supports time-triggered events that can be (mis)used to kick off custom actions: the publisher driver heartbeat. Add a schedule and a few policies that can read the clock, and there it is: an all-in-one IDM 2.x/3.x service driver for password notifications that can notify users, helpdesk and - still experimental - naudit on the following events:

up to three times before passwords actually expire
after passwords expired, when grace logins fall below a configurable limit
when accounts get locked and passwords have to be reset by an administrator
on intruder lockout

And new in v2.0 for IDM 3.5/3.6:

trigger notifications from the subscriber channel (via jobs, spolicy or WorkOrder driver)
notify managers on direct report's upcoming account expiration
uses ldap search instead of XdsQueryProcessor: much more efficient, especially in large tree environments (thanks to a hint by Father Ramon)

Updates to v2.0.3 for IDM 3.5/3.6:

now supports (and defaults to) secure ldap operations
notify managers/helpdesk about idle accounts (no login for more than xx days)
changed some GCVs and added more detailed comments on how to use them

New in v2.1.1 for IDM 4.0:

packaged version for easy import and maintenance through Designer
removed dependency on bh-dirxmlutils.jar by porting bh_DecodeNetAddr and bh_b64ToHEX functions to ECMAscript
code modularization and streamlining
minor bug fixes

New in v2.2:

Changed policy naming scheme to include linkage weight
Moved base filter to resource object
Added suppport for Edir2Edir shim (to enable support for IDM Bundled Editions, which do not include NULL/LBACK shims), default for new installations.
Added LDAP StartTLS support and LDAP tracing (through dependency on updated BH-BitsNPieces v1.0.3)
Upgraded prompt stylesheets to latest versions
Named LDAP Bind Password now takes precedence over bind user object's Distribution Password.
Read Distribution Password (if used) on every notification cycle instead of only once per driver start
minor bug fixes

All notifiction types and their targets (user, helpdesk and/or naudit) can be individually enabled/disabled. The notification schedule operates on an hourly or daily basis and is easily configured through GCVs.

Because IDM email templates are used, notifications can contain additional account data e.g. the time an intruder-locked account will be automatically unlocked again, or a company name for branding purposes. Email templates are maintained in iManager or Designer, making it easy to give them the same look and feel as the standard templates that come with IDM password synchronization.

All versions up to 2.0.x require (and include) the java package bh-dirxmlutils.

download password notification service driver for IDM 2.x/3.0
(v1.1, .zip, 22kb)

download password notification service driver for IDM 3.5/3.6
(v2.0.3, .zip, 86kb)

import the password notification service driver packages (PWNotify*) for IDM 4.x from the Brummelhook Public repo
(v2.2, Designer repository)

[ check_dxml_drvstate ]

Bash script to monitor Novell DirXML 1.1 and Identity Manager 2.x/3.x driver states from within Nagios or Icinga.

Usage:
check_dxml_drvstate [-s hostname|ip-address] -u username -p password -d driver-dn

Basically a wrapper for "dxcmd -getstate". Leave out the -s option to check drivers running on the same machine as nrpe.

download Nagios/Icinga plugin from MonitoringExchange

import the BH-NagiosMon driver add-on package for IDM 4.x from the Brummelhook Public repo
(v2.1.1, Designer repository)

[ fsf/nsm user storage service driver ]

Loopback driver to automatically assign File System Factory/Novell Storage Manager policies to users.

assigns policies based on user's location ("L") attribute
supports archive and fallback policies
enables FSF/NSM user homedir management through pseudo-entitlements

Requires IDM 2.x or above and FSF 1.21/NSM 2.x

An entitlement-enabled version for IDM 3.5 is also available. It uses RBE to determine the appropriate FSF/NSM policy for a user, making it a lot easier to implement complex assignment rules.

download user storage service driver
(v1.0, .zip, 7kb)

download user storage service driver with entitlements
(v1.2, .zip, 10kb)

[ idm ad pwfilter.dll updater inf ]

The IDM AD driver requires a filter DLL to be installed on all DCs for password synchronization. Unfortunately, it seems as if the IDM 3.5 setup does not always update a previously installed version of pwfilter.dll (and associated files) properly.
This INF installer can be used to update those files so they will be used after the next reboot.

Many thanks to Alex McHugh for adding x64 support and fixing some bugs!

Requires IDM AD driver

download pwfilter.dll updater
(v1.1, .zip, 2kb)

[ com.brummelhook.dirxml.utils ]

Utility java classes for dirxml. Currently implements B64Converter to help accessing octet string attribute values .

Command line usage:
java -cp nxsl.jar;bh-dirxmlutils.jar com.brummelhook.dirxml.utils.B64Converter [-B64toHEX | -HEXtoB64 | -B64toTXT | -TXTtoB64 | -DecodeIntruderAddress] string1 [string2 string3...]

Policy usage:
1. copy bh-dirxmlutils.jar to your dirxml/idm server, make sure it's in the class path
2. define a java name space in your policy, e.g. : <policy xmlns:bh-B64Conv = "www.novell.com/nxsl/java/com.brummelhook.dirxml.utils.B64Converter"/>
3. call the desired function from xpath, e.g.: <token-xpath expression="bh-B64Conv:B64toHEX($current-value)"/>

download bh-dirxmlutils package
(.zip, 4kb)