How to implement custom action to handle password self-change in DYN endpoints


Article ID: 3890




CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On


There are two types of password change that can take place in IM: (1) Administrative and (2) Self. The former is typically performed by an administrator on behalf of the user to reset the password. The latter is initiated by the user. This type of change is typically triggered by the Password Synchronization Agent, which intercepts password changes that occur natively on the endpoint.

This distinction may be relevant to certain DYN endpoints because additional actions may need to occur following each type of password change mentioned above. For example, Novell eDirectory has an attribute called 'passwordExpirationTime' that needs to be updated following a password self-change. Otherwise the newly changed password will remain expired, because a change to the password attribute alone is seen as an administrative change by Novell eDirectory.


DYN endpoint implementers face two main problems in handling this situation. First, the two types of password change must be distinguishable. Second, a method to perform the custom action is needed.


Component: IDMGR


IM Provisioning Server 12.5 SP9 (and later) sets eTSelfChange=1 as part of the modification items when a password change is self-initiated. The strategy described here implements an operation binding to perform a custom action that checks for the presence of eTSelfChange and updates the passwordExpirationTime attribute accordingly.

Before proceeding with the steps below, you need to create and deploy your DYN endpoint type, because the steps involve editing the metadata directly.

  1. In Connector Xpress, right click on your DYN endpoint on the right pane -> Edit metadata. 

  2. Drill down the Data Model tree: Classes -> eTDYNAccount -> Properties 

  3. Click Add, and define the new property as below: 

    1. Name: eTSelfChange, Type: Integer

    2. Metadata:

      1. isHidden, Type: Boolean, Value: true

      2. beanPropertyName, Type: String, Value: !eTSelfChange!

      3. connectorMapTo, Type: String, Value: !eTSelfChange!

  4. Click OK to save the metadata on the endpoint type.

  5. Right click on your DYN endpoint -> Export Data Model XML. Save it into an XML file. 

  6. Click on the main menu -> Metadata -> Merge. Select the XML file and choose the overwrite option. Click OK. 

  7. Save your Conn XP Project. This will ensure the metadata manual change is saved.

  8. Define a new Operation Binding for your User Account object class:

    1. Type: Script

    2. Operation: Modify

    3. Timing: Instead of

    4. Global Script: Load the contents from doCustomModify.txt
    5. Function Name: doCustomModify

  9. Save your Conn XP project and re-deploy metadata.

The eTSelfChange attribute will now be mapped to !eTSelfChange!, and it will be present for password self-change operations. It is crucial that the operation binding is defined correctly; otherwise the default modification function will cause an error when it tries to modify !eTSelfChange!, which does not exist on the endpoint account.

If you encounter problems, check jcs_stdout.log and look for debug messages written by the doCustomModify function.
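The decision the custom modify handler has to make can be modelled in plain JavaScript. This is an added example, not the attached doCustomModify.txt and not CA code: the item shape `{op, name, values}`, the function names and the `validityDays` policy value are hypothetical, and the expiry value is written in LDAP GeneralizedTime form as an assumption about how the endpoint expects it.

```javascript
// Added illustration of the self-change handling described above.
// The item shape and all function names are hypothetical, not the
// Connector Xpress scripting API.
const SELF_CHANGE_ATTR = "!eTSelfChange!";   // connectorMapTo value from step 3
const EXPIRY_ATTR = "passwordExpirationTime";

// Format a Date as LDAP GeneralizedTime in UTC, e.g. 20250301120000Z (assumed format).
function toGeneralizedTime(date) {
  const p = (n, w = 2) => String(n).padStart(w, "0");
  return p(date.getUTCFullYear(), 4) + p(date.getUTCMonth() + 1) + p(date.getUTCDate()) +
    p(date.getUTCHours()) + p(date.getUTCMinutes()) + p(date.getUTCSeconds()) + "Z";
}

// Returns the modification items that should actually reach the endpoint.
// validityDays is an assumed site policy value, not something the article defines.
function planModify(items, now, validityDays) {
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();
  const isMarker = (i) => same(i.name, SELF_CHANGE_ATTR);
  const selfChange = items.some((i) => isMarker(i) && i.values.map(String).includes("1"));
  // The marker never exists on the endpoint account, so it is always stripped;
  // forwarding it is what makes the default modify fail.
  const forwarded = items.filter((i) => !isMarker(i));
  if (!selfChange) {
    return { selfChange, items: forwarded };   // administrative change: pass through
  }
  const expires = new Date(now.getTime() + validityDays * 86400 * 1000);
  // Replace any caller-supplied expiry rather than sending two writes.
  const rest = forwarded.filter((i) => !same(i.name, EXPIRY_ATTR));
  rest.push({ op: "replace", name: EXPIRY_ATTR, values: [toGeneralizedTime(expires)] });
  return { selfChange, items: rest };
}

// Constructed sample input: a self-initiated password change.
const sample = [
  { op: "replace", name: "userPassword", values: ["<new password>"] },
  { op: "replace", name: SELF_CHANGE_ATTR, values: [1] },
];
const plan = planModify(sample, new Date(Date.UTC(2025, 0, 1, 12, 0, 0)), 90);
// Log attribute names only, never the password value.
console.log(plan.selfChange, plan.items.map((i) => i.name).join(","));
```
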
