| Both sides previous revision
Previous revision
Next revision
|
Previous revision
Next revision
Both sides next revision
|
tutorial:adm:manage_ad [2021/06/24 07:07]
soval [Password mapping] |
tutorial:adm:manage_ad [2021/06/24 14:46]
soval [Password mapping] |
| * Attribute with password - true | * Attribute with password - true |
| |
| | ==== Forced password change ==== |
| | When mapping AD attributes, it is sometimes useful to be able to set a forced password change option. |
| |
| ==== Send additional attributes with password ==== | This requirement is often set for two different cases: |
| |
| It's possible to send additional attributes to provisioning, when password is changed (e.g. password expiration in extended attribute). New flag ''sendOnPasswordChange'' was added to system attribute mapping - attribute with this flag checked will be send together with changed password to provisioning. Two ways for provisioning additional attributes are implemented: | * We need to change the password when logging into AD **for a new user account** |
| - send additional attributes together with new password in one provisioning operation | * We need to force a password change but **only after a password reset** |
| - send additional attributes after password is changed in another provisioning operation | |
| Two ways are be configurable by application configuration ''idm.sec.acc.provisioning.sendPasswordAttributesTogether'': | |
| * ''true'': additional password attributes will be send in one provisioning operation together with password | |
| * ''false'': additional password attributes will be send in new provisioning operation, after password change operation (some systems doesn't support to change other attributes in the same request with password) | |
| |
| <note tip>Configuration is effective for all target systems. All target system will be using one configured way (configuration per-system is not implemented, coming soon).</note> | 1/ To force a password change for newly created users, map the **"pwdLastSet"** attribute. The attribute should be in the generated system schema, object "**\_\_ACCOUNT\_\_**" name "pwdLastSet", Data type "java.lang.Boolean". So add the attribute to the mapping and put "return true" in the transformation script(Transformation to system) and set the strategy "Write only on create of the entity". |
| |
| === Send attribute only on password change === | |
| Since version **11.0.0** a new flag **Send only on password change** was added to the attribute detail. | |
| |
| If is this flag checked, then the attribute will be send to the system only during change of password operation. It means that this attribute will be ignored in standard provisioning operations (create/update). | 2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox "Include on password" and "Include only when password is changed"** and strategy "Set value as it is". This can only be set since IdM version 11.0. |
| <note important>This checkbox can be use only if attribute has checked flag **Send additional attributes with password**.</note> | |
| |
| ===== Role for AD ===== | ===== Role for AD ===== |