There are two types of password change that can take place in IM: (1) Administrative and (2) Self. An administrative change is typically performed by an administrator on behalf of the user to reset the password. A self-change is initiated by the user and is typically triggered by the Password Synchronization Agent, which intercepts password changes that occur natively on the endpoint.
This distinction may be relevant to certain DYN endpoints because additional actions may need to occur following each type of password change. For example, Novell eDirectory has an attribute called 'passwordExpirationTime' that needs to be updated following a password self-change. Otherwise, the newly changed password will remain expired, because Novell eDirectory treats a change to the password attribute alone as an administrative change.
DYN endpoint implementers face two main problems in handling this. First, the two types of password change must be distinguishable. Second, a method to handle the custom action is needed.
IM Provisioning Server 12.5 SP9 (and later) sets eTSelfChange=1 as part of the modification items when a password change is self-initiated. The strategy described here implements an operation binding to perform a custom action that checks for the presence of eTSelfChange and updates the passwordExpirationTime attribute accordingly.
Before proceeding with the steps below, you need to create and deploy your DYN endpoint type, because the steps involve editing the metadata directly.
The eTSelfChange attribute will now be mapped to !eTSelfChange!, which will be present for password self-change operations. It is crucial that the operation binding is defined correctly; otherwise the default modification function will cause an error when it tries to modify !eTSelfChange!, which does not exist on the endpoint account.
If you encounter problems, check jcs_stdout.log and look for debug messages written by the doCustomModify function.
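The decision logic described above (strip !eTSelfChange! before the request reaches the endpoint, and update passwordExpirationTime only for a self-change) is sketched below as an added example. It is not the article's doCustomModify script and does not use the connector's API: the item shape, the function names, the `userPassword` attribute name and the `validityDays` policy value are all assumptions.

```javascript
// Added illustration: a plain-object model of a modify request, NOT the connector API.
// Assumed item shape: { op: "replace" | "add" | "remove", attr: string, values: string[] }
const SELF_CHANGE_ATTR = "!eTSelfChange!";     // mapped name from the article
const EXPIRY_ATTR = "passwordExpirationTime";  // eDirectory attribute from the article
const PASSWORD_ATTR = "userPassword";          // assumed name of the password attribute

// Format a Date as LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ).
function toGeneralizedTime(date) {
  const p = (n, w = 2) => String(n).padStart(w, "0");
  return p(date.getUTCFullYear(), 4) + p(date.getUTCMonth() + 1) + p(date.getUTCDate()) +
         p(date.getUTCHours()) + p(date.getUTCMinutes()) + p(date.getUTCSeconds()) + "Z";
}

// Returns the modification items that should actually be sent to the endpoint.
// validityDays is an assumed local policy value; the article does not specify one.
function rewriteModifyItems(items, now, validityDays) {
  const marker = items.find((i) => i.attr === SELF_CHANGE_ATTR);
  const isSelfChange = Boolean(marker) && marker.values.includes("1");
  // Always strip the marker: it does not exist on the endpoint account.
  let out = items.filter((i) => i.attr !== SELF_CHANGE_ATTR);
  const changesPassword = out.some((i) => i.attr === PASSWORD_ATTR);
  if (isSelfChange && changesPassword) {
    const expiry = new Date(now.getTime() + validityDays * 86400 * 1000);
    // Replace any expiry already in the request so exactly one value is sent.
    out = out.filter((i) => i.attr !== EXPIRY_ATTR);
    out.push({ op: "replace", attr: EXPIRY_ATTR, values: [toGeneralizedTime(expiry)] });
  }
  return out; // administrative change: password attribute only
}

// Constructed sample request for a self-initiated change.
const sampleSelfChange = [
  { op: "replace", attr: PASSWORD_ATTR, values: ["constructed-sample-value"] },
  { op: "replace", attr: SELF_CHANGE_ATTR, values: ["1"] },
];
console.log(rewriteModifyItems(sampleSelfChange, new Date(), 90));
```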