The final piece of the puzzle is to take the information that has been written to our LDAP store and push those changes to Domino. The blog article I mentioned in part one (the source of the modified password sync NSF) uses TDI to accomplish this. Originally that was our plan as well, until we found out how complicated TDI is to use. Despite working with a vendor who had used TDI before, we were unable to get all of the pieces working through TDI after several hours. In fact, the recommendation was to run two TDI servers: one where the configuration changes were made and a second that actually ran the process. That seemed overly complex for what we wanted and would have taken more effort to maintain than I was willing to put in.
Because of that, I decided to fall back to my old familiar friend, PowerShell! Since the information is stored in AD, I can easily retrieve and process it. Our requirements were to pick up password changes at least every five minutes and to retry a change if the initial attempt failed. To accomplish this, I wrote the following PowerShell function, which calls the Set-USSDominoPassword function from part 1 to do the actual change. One thing to keep in mind while reading it: until the function clears ibm-diPassword, the user's new password sits in that attribute as plain ASCII bytes, so treat the ibm-diPerson objects as sensitive data and restrict who can read them.
```powershell
function Get-USSPasswordChange {
<#
.SYNOPSIS
    Retrieves passwords as they are changed in AD and pushes them to Domino.
.DESCRIPTION
    Reads every ibm-diPerson object in AD that still carries a pending password,
    decodes the password and writes it to Domino (HTTP password and ID vault).
    Each object is attempted up to 3 times; on the third failure the pending
    password is cleared and an error email is sent. Once a password has been
    changed successfully, it is blanked in AD.
.PARAMETER EmailErrors
    Address(es) that receive the failure notification.
.EXAMPLE
    PS C:\> Get-USSPasswordChange -EmailErrors 'domino-admins@example.com' -Verbose
.NOTES
    ===========================================================================
    Created with:  SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.135
    Created on:    2/27/2017 3:39 PM
    Created by:    Doug Neely
    Organization:  TSA
    Filename:      Get-USSPasswordChange
    Version:       1.0.0
    ===========================================================================
#>
    [CmdletBinding()]
    param (
        # Recipient(s) for the failure email. The first version referenced $EmailErrors
        # without ever defining it; it is now a parameter.
        [Parameter(Mandatory = $true)]
        [string[]]$EmailErrors
    )
    BEGIN {
        Import-Module ActiveDirectory
        Import-Module Domino         # Set-USSDominoPassword (part 1 of this series)
        Import-Module ADProxySAUSS   # Send-USSEMail
    }
    PROCESS {
        # Let the DC do the filtering: only ibm-diPerson objects with a pending password.
        $UserToUpdate = Get-ADObject -LDAPFilter '(&(objectClass=ibm-diPerson)(ibm-diPassword=*))' `
            -Properties 'ibm-diUserID', 'ibm-diPassword', 'ibm-diCustomData', 'description'

        foreach ($user in $UserToUpdate) {
            $IBMDIPersonDN    = $user.DistinguishedName
            $DomainController = $user.'ibm-diCustomData'
            $Username         = $user.Name

            # description holds the retry counter as a string. It has to be cast to [int]:
            # "1" + 1 is the string "11" in PowerShell, so the counter would never reach 3.
            $Attempt = 0
            if ($user.description -match '^\d+$') { $Attempt = [int]$user.description }

            # ibm-diPassword comes back as a byte array; decode one ASCII byte per element.
            # Set-USSDominoPassword (part 1) receives the resulting array of characters.
            $PasswordArray = @()
            foreach ($Letter in [byte[]]$user.'ibm-diPassword') {
                $PasswordArray += [System.Text.Encoding]::ASCII.GetString([byte[]]@($Letter))
            }

            $ADUser = Get-ADUser -Identity $Username -Properties tsaDominoAbbreviatedName -ErrorAction SilentlyContinue
            $ADDomAbbreviatedName = $ADUser.tsaDominoAbbreviatedName
            if (-not $ADDomAbbreviatedName) {
                # No matching AD user or no Domino name: nothing to push. The entry is left
                # for the next run so the gap is visible in the verbose log.
                Write-Verbose "Skipping $Username - no tsaDominoAbbreviatedName found"
                continue
            }

            Write-Verbose "DN: $IBMDIPersonDN"
            Write-Verbose "Password length: $($PasswordArray.Count)"   # never write the password itself to a log
            Write-Verbose "DominoAbbreviated: $ADDomAbbreviatedName"

            $DominoPwdChange = Set-USSDominoPassword -DominoAbbreviatedName $ADDomAbbreviatedName `
                -Password $PasswordArray -DomainController $DomainController
            $HTTPChange    = $DominoPwdChange.HTTPResultCode
            $IDVaultChange = $DominoPwdChange.IDVaultResultCode
            if ($HTTPChange    -eq 'HTTP Password changed successfully.') { $HTTPChange    = 'SUCCESS' }
            if ($IDVaultChange -eq 'ID Password changed successfully.')   { $IDVaultChange = 'SUCCESS' }

            if (($HTTPChange -eq 'SUCCESS') -and ($IDVaultChange -eq 'SUCCESS')) {
                # Both changes succeeded: clear the pending password so it is not replayed,
                # and reset the retry counter for the next password change.
                Set-ADObject -Identity $IBMDIPersonDN -Clear 'ibm-diPassword', 'description'
            }
            else {
                $Attempt++
                if ($Attempt -ge 3) {
                    # Give up: clear the pending password and the counter, then notify.
                    Set-ADObject -Identity $IBMDIPersonDN -Clear 'ibm-diPassword', 'description'
                    $BodyContent = "Failed to change Domino Password <b>$Username</b>.<br/>" +
                        "<b>HTTP Result: </b>$HTTPChange<br/>" +
                        "<b>ID Vault Result: </b>$IDVaultChange<br/>" +
                        "<b>Domino Abbreviated Name: </b>$ADDomAbbreviatedName"
                    Send-USSEMail -To $EmailErrors -Subject "Domino Password Change Failed: $Username" -BodyContent $BodyContent -Verbose
                }
                else {
                    # Record the attempt so the next run retries and keeps counting.
                    Set-ADObject -Identity $IBMDIPersonDN -Description $Attempt
                }
            }
            #Remove-ADObject -Identity $IBMDIPersonDN -Confirm:$false
        }
    }
    END { }
}
```
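The post does not show how the function gets run every five minutes. The block below is an added example of one way to do it, not code from the original post: it registers Get-USSPasswordChange as a scheduled task that repeats every five minutes and runs under a group managed service account, so no password has to be stored with the task. The module name, the gMSA name (CORP\svc-dompwsync$), the task name and the recipient address are assumptions; the account needs write access to the ibm-diPerson objects and rights to call Set-USSDominoPassword.

```powershell
# Added example (not from the original post): run Get-USSPasswordChange every five minutes.
# Assumptions: the function is exported by the ADProxySAUSS module, the gMSA CORP\svc-dompwsync$
# exists and is installed on this host, and failures are mailed to domino-admins@example.com.

$TaskName  = 'Domino Password Sync'
$Account   = 'CORP\svc-dompwsync$'          # gMSA: no credential to store in the task
$Recipient = 'domino-admins@example.com'

# Non-interactive so a stray prompt can never hang a run.
$Command = "Import-Module ADProxySAUSS; Get-USSPasswordChange -EmailErrors '$Recipient'"
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"$Command`""

# Start now and repeat every 5 minutes indefinitely.
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)

# Run as the gMSA whether or not anyone is logged on; AD writes need no elevation.
$Principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType Password -RunLevel Limited

# Cap a run at 4 minutes and skip a new start while one is still processing the queue,
# so a slow Domino server cannot cause overlapping runs to pile up.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 4) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force

# Sanity check: the task exists and the next run is within five minutes.
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object TaskName, NextRunTime, LastTaskResult
```

Because the retry counter lives in AD rather than in the process, the IgnoreNew setting matters: two overlapping runs would each push the same password and each bump the counter, which is the kind of double-processing that makes the "failed after 3 attempts" email misleading.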
I hope that this series will help you as you work with TDI 7.1.1 and AD to sync passwords between AD and Domino.