Differences

This shows you the differences between two versions of the page.

tutorial:adm:manage_ad [2021/06/24 07:07]
soval [Password mapping]
tutorial:adm:manage_ad [2021/06/25 12:41]
soval [Forced password change (User must change password at next logon)]
Line 165: Line 165:
   * Attribute with password - true   * Attribute with password - true
  
 +==== Forced password change (User must change password at next logon) ====  
 +When mapping AD attributes, it is sometimes useful to be able to set a forced password change option. This requirement is often set for two different cases:
  
-==== Send additional attributes with password ====+* We need to change the password when logging into AD **for a new user account** 
 +* We need to force a password change but **only after a password reset**
  
-It's possible to send additional attributes to provisioningwhen password is changed (e.g. password expiration in extended attribute)New flag ''sendOnPasswordChange'' was added to system attribute mapping - attribute with this flag checked will be send together with changed password to provisioning. Two ways for provisioning additional attributes are implemented: +1/ To force a password change for newly created usersmap the **"pwdLastSet"** attribute. The attribute should be in the generated system schema, object "**\_\_ACCOUNT\_\_**" name "pwdLastSet", Data type "java.lang.Boolean"So add the attribute to the mapping and put "return truein the transformation script(Transformation to systemand set the strategy "Write only on create of the entity".
-  - send additional attributes together with new password in one provisioning operation +
-  - send additional attributes after password is changed in another provisioning operation  +
-Two ways are be configurable by application configuration ''idm.sec.acc.provisioning.sendPasswordAttributesTogether'': +
-    * ''true'': additional password attributes will be send in one provisioning operation together with password +
-    * ''false'': additional password attributes will be send in new provisioning operation, after password change operation (some systems doesn't support to change other attributes in the same request with password)+
  
-<note tip>Configuration is effective for all target systems. All target system will be using one configured way (configuration per-system is not implemented, coming soon).</note> 
  
-=== Send attribute only on password change === +2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox "Include on password" and "Include only when password is changed"** and strategy "Set value as it is" This can only be set since IdM version 11.0. In the picture you can see the attribute in the active directory.
-Since version **11.0.0** a new flag **Send only on password change** was added to the attribute detail.+
  
-If is this flag checked, then the attribute will be send to the system only during change of password operationIt means that this attribute will be ignored in standard provisioning operations (create/update). +{{:tutorial:adm:user_must_change-password_properties.png|}}
-<note important>This checkbox can be use only if attribute has checked flag **Send additional attributes with password**.</note> +
  
 ===== Role for AD ===== ===== Role for AD =====
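Review bot: the deleted lines in this hunk were the only description of the ''idm.sec.acc.provisioning.sendPasswordAttributesTogether'' property (its ''true''/''false'' behaviour and the tip that the setting applies to all target systems) and of the **Send only on password change** flag introduced in 11.0.0, and the added lines do not say where that text moved; either keep that section or add a pointer to its new location, because step 2/ of the new section depends on exactly those two flags. Related to that, the flag names are now inconsistent: the new text says "Include on password" and "Include only when password is changed", the removed text called them **Send additional attributes with password** and **Send only on password change**, and the unchanged context line above the hunk still says "Attribute with password - true". Use one set of labels (the ones shown in the attribute detail) throughout, and state the version the same way in both places (11.0 vs 11.0.0).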
  • by neznajf