For the last couple of IDM versions the product has had a nice API for manipulating the IDM engine and drivers through LDAP extended operations from Java.
This API is part of the com.novell.nds.dirxml.ldap package, which you can find in the dirxml_misc.jar file that ships with IDM.
The package is documented in this Javadoc that you can find on the Novell developer site: http://developer.novell.com/documentation/dirxml/dirxmlbk/ref/javadocs/index.html
Unfortunately the docs are not updated for the latest IDM version...
Anyway, in IDM 4.0.1 Novell added two new classes to this package called:
GetNamedPasswordRequest
GetNamedPasswordResponse
When I tried to use the GetNamedPasswordRequest class from my application I would always get back a -672 error, which means no access.
Since I had full supervisor rights to the driver this confused me.
Eventually I found out that, besides having rights to the driver, there also needs to be a GCV on the driver called "allow-fetch-named-passwords".
The GCV is a boolean and needs to be set to "true".
You can also find this information in the RBPM Administration Guide for 4.0.1 by searching for GetNamedPasswordRequest.
The manual has the following GCV example that you need to add to your driver:
<definitions>
  <definition display-name="Allow Named Password to be retrieved over LDAP"
              name="allow-fetch-named-passwords" type="boolean">
    <value>true</value>
    <description>Allow Named Password to be retrieved over LDAP. If the
    value is true, then the named password value can be fetched using the LDAP
    extension
    com.novell.nds.dirxml.ldap.GetNamedPasswordRequest/
    com.novell.nds.dirxml.ldap.GetNamedPasswordResponse.</description>
  </definition>
</definitions>
Besides the GCV you must have write rights to the DirXML-AccessConfigure attribute on the driver object. Keep in mind that once the GCV is set to true, every identity with that write right can pull the named password in clear text over LDAP, so keep that set of trustees small.
So far this has worked for me but I haven't managed to retrieve named passwords stored on the driverset object.
Here is a Java code snippet that shows how you can use the GetNamedPasswordRequest class.
In this example you pass two parameters to the GetNamedPasswordRequest constructor:
dn is the distinguished name of the driver in LDAP format, and
passwordName is just what it sounds like, the name of the named password.
lc is the LDAPConnection object created using Novell JLDAP.
My LDAPConnection objects always use SSL encryption and I don't know if this would work on a clear-text connection.
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPExtendedResponse;
import com.novell.nds.dirxml.ldap.GetNamedPasswordRequest;
import com.novell.nds.dirxml.ldap.GetNamedPasswordResponse;

try {
    // dn: LDAP DN of the driver; passwordName: the named password to fetch
    GetNamedPasswordRequest request = new GetNamedPasswordRequest(dn, passwordName);
    // lc: an already connected and bound (SSL) JLDAP LDAPConnection
    LDAPExtendedResponse response = lc.extendedOperation(request);
    if (response instanceof GetNamedPasswordResponse && response.getResultCode() == LDAPException.SUCCESS) {
        GetNamedPasswordResponse rsp = (GetNamedPasswordResponse) response;
        System.out.println("Named password is: " + rsp.getPasswordValue());
    } else {
        // A non-success result (for example the -672 no-access case) would otherwise be silent
        System.err.println("Request failed, result code " + response.getResultCode() + ": " + response.getErrorMessage());
    }
} catch (LDAPException e) {
    System.err.println("Error getting named password: " + e.getMessage());
}
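The snippet above assumes an existing connection. The following complete program is an added example, not code from the original post or from Novell; it opens an SSL connection with JLDAP, binds, runs the extended operation and, when the server answers with the -672 no-access case described above, prints the two things to check (the allow-fetch-named-passwords GCV and write rights to DirXML-AccessConfigure). The host, LDAPS port 636, bind DN, driver DN and password name are all assumptions passed on the command line, the GetNamedPasswordRequest constructor and getPasswordValue() accessor are used as the post shows them, and the eDirectory CA certificate is assumed to be in the JVM trust store (for example via -Djavax.net.ssl.trustStore). It deliberately prints only the length of the retrieved value so the secret does not end up in a log.

```java
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPExtendedResponse;
import com.novell.ldap.LDAPJSSESecureSocketFactory;
import com.novell.nds.dirxml.ldap.GetNamedPasswordRequest;
import com.novell.nds.dirxml.ldap.GetNamedPasswordResponse;

/*
 * Added example (not from the original post): fetch a driver's named password
 * over LDAPS with JLDAP and explain a -672 "no access" result.
 * Host, bind DN, driver DN, password name and port 636 are assumptions.
 */
public class FetchNamedPassword {

    /** Runs the extended operation and returns the clear-text named password. */
    static String fetchNamedPassword(LDAPConnection lc, String driverDn,
                                     String passwordName) throws LDAPException {
        GetNamedPasswordRequest request = new GetNamedPasswordRequest(driverDn, passwordName);
        LDAPExtendedResponse response = lc.extendedOperation(request);
        if (response.getResultCode() != LDAPException.SUCCESS) {
            // Re-raise with the server's result code and text; eDirectory usually
            // includes its own error code (e.g. -672) in that text.
            throw new LDAPException(response.getErrorMessage(),
                                    response.getResultCode(),
                                    response.getErrorMessage());
        }
        if (!(response instanceof GetNamedPasswordResponse)) {
            throw new LDAPException("unexpected extended response type",
                                    LDAPException.OTHER, null);
        }
        return ((GetNamedPasswordResponse) response).getPasswordValue();
    }

    /** True when the failure is the insufficient-rights / eDirectory -672 case. */
    static boolean isNoAccess(LDAPException e) {
        String serverMsg = e.getLDAPErrorMessage();
        return e.getResultCode() == LDAPException.INSUFFICIENT_ACCESS_RIGHTS
            || (serverMsg != null && serverMsg.contains("-672"));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: FetchNamedPassword <host> <bindDN> <bindPassword> <driverDN> <passwordName>");
            System.exit(2);
        }
        String host = args[0], bindDn = args[1], bindPw = args[2];
        String driverDn = args[3], passwordName = args[4];

        // Always SSL: the response carries the secret in clear text inside the LDAP message.
        LDAPConnection lc = new LDAPConnection(new LDAPJSSESecureSocketFactory());
        try {
            lc.connect(host, 636);                                   // assumed LDAPS port
            lc.bind(LDAPConnection.LDAP_V3, bindDn, bindPw.getBytes("UTF8"));
            String value = fetchNamedPassword(lc, driverDn, passwordName);
            // Report success without writing the secret itself to stdout.
            System.out.println("Named password '" + passwordName + "' on " + driverDn
                               + " retrieved (" + value.length() + " characters)");
        } catch (LDAPException e) {
            if (isNoAccess(e)) {
                System.err.println("No access (-672): check that the driver " + driverDn
                    + " has the boolean GCV allow-fetch-named-passwords set to true and that "
                    + bindDn + " has write rights to its DirXML-AccessConfigure attribute");
            } else {
                System.err.println("LDAP error " + e.getResultCode() + ": " + e.getLDAPErrorMessage());
            }
            System.exit(1);
        } finally {
            if (lc.isConnected()) {
                lc.disconnect();
            }
        }
    }
}
```

Compile with dirxml_misc.jar and the JLDAP jar (ldap.jar) on the classpath, then run it as java FetchNamedPassword idm.example.com cn=admin,o=system secret cn=MyDriver,cn=DriverSet,o=system my-password (all placeholder values). If the GCV is missing you should see the -672 hint rather than a silent failure.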