Password shows as –suppressed– when writing a trace message in IDM 4.6

While upgrading a client to NetIQ IDM 4.6, I ran across some debug code I had written to display a trace message with a user’s password, and it was no longer working as intended. When trying to track down password sync issues, this type of policy can be extremely useful. The problem is that NetIQ IDM 4.6 implemented a change that stopped this in order to meet a compliance requirement; at least that is what back-line support said.

Here are some example traces that illustrate what now shows up in trace.

There are a few different ways I found to solve this problem.  The first involves using the XML Serialize verb in argument builder.  This action could be utilized for a job or sync event, as nspmDistributionPassword will not be in the document.   I have provided some sample code below.

The second would use XPath to read nspmDistributionPassword from the local document.

The last involves writing the password value in clear text to any Case Ignore String attribute. I strongly recommend that if you choose to use this method, you clear the value as quickly as possible. For this example I chose to use the businessCategory attribute.

