First off the proper forum is the engine-drivers, and I think I set the
Reply-To correctly? (But I did it via NNTP, so no clue how that will
translate to the Web interface).

So this is an event on the SOAP driver pub channel.

You have 2 options. 1) Enforce it in the Web app. 2) Enforce it in your
driver. But what do you do if the password is bad in case #2? Reject
the event? Skip the password?

Now you add some complexity, that the password policy differs by
container? Fun!

Turns out, if you use a tool that can honour password policy like User
App or PWM, this goes away. They read it in the web app and enforce it
at password change time. (PWM is open source on and Novell has a version called SSPR for
NAM available as well, if you need a supported product).

Otherwise, you CAN read the password policy, the NMAS settings are just
attributes, and then validate them against the password.

It would be a fun exercise in Policy to do so, but very doable. Complex
and tricky.

See, length is easy. You read the length from the attributes, (Look at
Schema in Designer (Click on tree, right click Manage Schema), find the
nspmPasswordPolicy object on the Object Class tab, select it, switch to
the Attributes and you see a list of attrs in that class.)

Turns out they named them ALMOST perfectly. (Some of the history ones
are wrong..)

So read nspmMaximumLength into a variable, (Hmm, I do not see an obvious
Min length) and then a simple test of length is easy.

If op attr nspmDistributionPassword (or Password, if you have not yet
mapped it) is greater than, numeric compare $MAX$ or less than numeric
compare $MIN$ then you are set.

Now there are a STACK of other options, you would have to read out the
settings and implement. I think it is almost completely doable, but a
lot of work.

If you could limit it to the number of possible cases, the scope gets

I.e. No extended chars, no upper/lowers or at least no restrictions on
first chars, etc.

NMAS does a LOT of cool stuff, that would be a pain to reinvent the
wheel. But you could, if you so desire.

On 5/10/2012 7:06 AM, robinkir wrote:
> Hi, I am using a SOAP Driver to provision registrations of new Users.
> On the registration page it should be possible to set the password as
> well. When we receive the information on our driver we map the
> "password" attribute to "nspmDistributionPassword". For the creation of
> the user in a specific container in the eDirectory it should be possible
> to check if the provided password of the user fulfills the
> requirements of the corresponding Password-Policy, which is assigned to
> the container.
> With and without SOAP Password Sync Package on the driver it is not
> possible to veto/stop the add-event if the password is not in a valid
> format regarding to the Password-Policy.
> There will be always 3 log events which tell me that the user was
> created but later on that the password is not allowed.
> DirXML Log Event -------------------
> Driver: \eDir\system\driverset1\REG
> Channel: Publisher
> Object: aaaaaa (o=data\ou=users\ou=external\cn=00TETE000002)
> Status: Success
> [05/09/12 23:05:28.092]:REG PT:
> DirXML Log Event -------------------
> Driver: \eDir\system\driverset1\REG
> Channel: Publisher
> Object: aaaaaa (o=data\ou=users\ou=external\cn=00TETE000002)
> Status: Warning
> Message: Code(-8021) Unable to set NMAS password: -216
> [05/09/12 23:05:28.094]:REG PT:
> DirXML Log Event -------------------
> Driver: \iDor\system\driverset1\REGZ
> Channel: Publisher
> Object: aaaaaa (o=data\ou=users\ou=external\cn=00TETE000002)
> Status: Warning
> Message: Code(-8021) Unable to set NMAS password: -16049
> Is there any way to veto the add event if the password is not in a valid
> format. The validation should be on the Driver, so that we only have one
> transaction and can give a response about the creation or not.
> Thanks for any reply
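
The length pre-check described in the reply, modelled in Python as an added example (not code from the thread, and not DirXML Script): it looks up the policy for the new object's container and returns whether to allow the add, veto it, or strip the password. The policy table, the `minLength` key and the rule of consulting only the immediate container are assumptions made for the illustration.

```python
# Added example: a model of the length pre-check, not DirXML Script.
# Constructed policy data keyed by container DN in the slash format seen in
# the log. nspmMaximumLength comes from the post; "minLength" is a
# placeholder key because the post does not name a minimum-length attribute.
POLICIES = {
    r"o=data\ou=users\ou=external": {"nspmMaximumLength": 16, "minLength": 8},
    r"o=data\ou=users\ou=internal": {"nspmMaximumLength": 64, "minLength": 12},
}

FAIL_ACTIONS = ("veto", "strip-password")  # the two choices raised in the reply


def parent_container(dn):
    """Return the container part of a slash-format DN, lower-cased."""
    head, sep, _leaf = dn.strip().rpartition("\\")
    if not sep or not head:
        raise ValueError("DN has no container: %r" % dn)
    return head.lower()


def check_add(dn, password, on_fail="veto", policies=POLICIES):
    """Decide what to do with an add event before it reaches eDirectory.

    Returns (action, reason) where action is 'allow', 'veto' or
    'strip-password'. Only the immediate container is consulted (assumption).
    """
    if on_fail not in FAIL_ACTIONS:
        raise ValueError("on_fail must be one of %s" % (FAIL_ACTIONS,))
    policy = policies.get(parent_container(dn))
    if policy is None:
        return "allow", "no policy recorded for container"
    length = len(password)
    low, high = policy.get("minLength"), policy.get("nspmMaximumLength")
    if low is not None and length < low:
        return on_fail, "length %d below minimum %d" % (length, low)
    if high is not None and length > high:
        return on_fail, "length %d above maximum %d" % (length, high)
    return "allow", "length within policy"


if __name__ == "__main__":
    dn = r"o=data\ou=users\ou=external\cn=00TETE000002"
    for pw in ("short", "long-enough-pw", "x" * 17):
        print(check_add(dn, pw))
```

Returning the reason alongside the action gives the caller something to send back in the single response the original poster asks for.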