Driver Overview

The NetIQ IDM product ships with a Password Notification Job which can be used to send out email reminders before password expiration.

The Email Notification Driver developed by Belkast Consulting is based on the NULL Driver and, to replicate the NetIQ solution, can be configured to send out password expiration reminders. But this is only a small part of what the Driver can do.

  • The Driver can notify before certain events happen
  • The Driver can notify of events that have happened in the past
  • Send a digest to any predefined email addresses
  • Send an email to any predefined email addresses if the Driver experiences an error

  • Each configuration blob can read data from any LDAP Server
  • Each configuration blob is assigned an LDAP Search Base
  • Each configuration blob reads data based on an LDAP Filter
  • Each configuration blob must be assigned to a Driver Job
  • If there are multiple configurations per Driver Job, the trigger document is duplicated as many times as are necessary

  • There can be multiple email configurations per configuration blob
  • Each configured email can be sent to multiple email addresses
  • The content of the email template can be:
    • Static text
    • XPATH lookup
    • An attribute value from a DN lookup

Configuration blobs

The Driver can have multiple configuration blobs, with each blob assigned to a Driver Job. Within each configuration blob, the 'When is notification due' Global Configuration Value (GCV) takes a list of values, each one a days delta for when the notification should be sent.

This allows for one configuration blob to be used for multiple notifications of the same type. For example, Consultant Dis-enrollment or Password Expiration notifications.

If there are multiple configuration blobs per Driver Job, then the trigger document is duplicated as many times as are necessary. Furthermore, the number of duplicated trigger documents increases if more than one notification day is configured.

LDAP Filter

If the LDAP filter has static dates, the Driver has a boolean setting which enables already processed Users to be removed from the LDAP result set.

LDAP settings can be set per configuration blob:

  • LDAP Server
  • LDAP Bind User
  • LDAP Search Base
  • LDAP Search Filter

Notify Days

Notify Days can be in the past or in the future, meaning that the Driver:

  • Can notify before certain events happen: Password expiration or User dis-enrollment
  • Can notify of events that have happened in the past: Users who have been dis-enrolled between two dates

Last Referenced Time

You can specify whether the Last Referenced Time on the Driver Job is updated each time the Driver Job runs. This can be useful for testing if the LDAP filter has dynamic dates.

Email

Email Templates

For both 'split' and 'consolidated' emails, you can specify which instances are included in the emails:

  • Setting 'When is Email Notification due' to ./attr[@attr-name="omx-country"]/value/text()#^SE$ will only include those instances that are in Sweden.
  • Please note that for Consolidated emails, only the 'to' recipients are considered.

Static or XPATH lookup values can be set for the following configurations:

  • Who will receive the email
  • Email Subject
  • Email Intro
  • Email Details

Additionally, there is a configuration option, Extra Lookup Attribute, which enables one to perform a secondary lookup using a source attribute value:

  • The source attribute value must resolve to one or more Distinguished Names
  • The value from the secondary lookup can be:
    • Placed in any of the email template sections
    • Used as a notification address
  • For example, Full Name for the User's Manager
  • If the source attribute lookup returns multiple values, the Extra Lookup Attribute will be delimited by the GCV "String to use when 'xpath' Email content returns a nodeset"

Render Email content based on a predefined value retrieved from the LDAP server:

  • Use the GCV "XPATH expression for Email content tag" ( ./attr[@attr-name="srvprvPreferredLocale"]/value/text() )
  • {"_def_":"ORG Password Expiration Notification : Days to expiration: ", "fr":" Notification d'expiration du mot de passe ORG : jours avant l'expiration : "}
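The instance filter under Email Templates and the locale-keyed content above, shown as an added Python example (not the Driver's own code). It assumes the setting splits at the first '#' into an XPath and a regular expression, that an unlisted locale falls back to "_def_", and it runs on constructed XDS-style instances.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample instances (illustrative values, not from a real directory).
SAMPLE = """<output>
  <instance src-dn="cn=anna,o=org">
    <attr attr-name="omx-country"><value>SE</value></attr>
    <attr attr-name="srvprvPreferredLocale"><value>fr</value></attr>
  </instance>
  <instance src-dn="cn=bob,o=org">
    <attr attr-name="omx-country"><value>SEA</value></attr>
    <attr attr-name="srvprvPreferredLocale"><value>de</value></attr>
  </instance>
</output>"""
INSTANCES = ET.fromstring(SAMPLE).findall("instance")

# Setting values copied from the page.
FILTER = './attr[@attr-name="omx-country"]/value/text()#^SE$'
LOCALE_XPATH = './attr[@attr-name="srvprvPreferredLocale"]/value/text()'
SUBJECTS = '''{"_def_":"ORG Password Expiration Notification : Days to expiration: ", "fr":" Notification d'expiration du mot de passe ORG : jours avant l'expiration : "}'''

def xpath_values(instance, xpath):
    """Text values for the path; ElementTree has no text() step, so it is stripped."""
    path = xpath[:-len("/text()")] if xpath.endswith("/text()") else xpath
    return [(e.text or "") for e in instance.findall(path)]

def instance_matches(instance, setting):
    """Assumed 'xpath#regex' semantics: include if any value matches the regex."""
    xpath, _, pattern = setting.partition("#")
    values = xpath_values(instance, xpath)
    if not pattern:
        return bool(values)
    return any(re.search(pattern, v) for v in values)

def select(setting):
    """src-dn of every sample instance the setting would include."""
    return [i.get("src-dn") for i in INSTANCES if instance_matches(i, setting)]

def localized(content_json, instance, tag_xpath):
    """Pick the text keyed by the instance's tag value, else the '_def_' entry (assumed)."""
    table = json.loads(content_json)
    tags = xpath_values(instance, tag_xpath)
    return table.get(tags[0] if tags else "", table["_def_"])

if __name__ == "__main__":
    print(select(FILTER))  # anchored ^SE$ excludes the 'SEA' value
    for inst in INSTANCES:
        print(inst.get("src-dn"), "->", localized(SUBJECTS, inst, LOCALE_XPATH))
```

Dropping the ^ and $ anchors from the filter would also include the constructed 'SEA' instance, so an unanchored pattern can send notifications to unintended recipients.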

Email Digests

Send a digest to any predefined email addresses:

  • Job needs to be called digest
  • Email includes a copy of the notification log for the current month

Email on Error

Send an email to any predefined email addresses if the Driver experiences an error:

  • Email template configuration error
  • LDAP error

Remap Email Address

By using the Remap Email Addresses Global Configuration Value, all configured email addresses can be overwritten. This can be useful for testing.

Named Passwords

The Driver does not have any named passwords. The password to be used for LDAP binds is read from the nspmDistributionPassword attribute on the configured LDAP bind User.