Adding password policies to historical instance.

Similar Messages

• Implementing password policie using Role and CoS

  Hy all,
  I have created a directory with the following partial structure (Sun directory 5.2 patch 2):
  ou=people,o=accounts,c=an
  |----- cn=user1
  |----- cn=user2
  |----- cn=user3
  ou=services,o=accounts,c=an
  |---------cn=user4
  |---------cn=user5
  |---------cn=user6
  I want to assign different password policies based on the ou.
  I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
  So I create following records:
  - Customized Password Policy Container:
  dn: cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: nsContainer
  cn: Customized Password Policy
  - External User Customized Password Policy: (same as the global one)
  dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: externalUserPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 86400
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: on
  - Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
  dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: serviceAccountPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 172800
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: off
  - External User Role:
  dn: cn=externalUserRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
  Description: Filtered role for external users
  - Service Account Role
  dn: cn=serviceAccountRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
  Description: Filtered role for external services account
  - Template Container for Customized Password Policy:
  dn: cn=pwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: nscontainer
  - Class of Service (CoS) Definition for password policy:
  dn: cn=PwdPol_CoSDefinition, c=an
  objectClass: top
  objectClass: LDAPsubentry
  objectClass: cosSuperDefinition
  objectClass: cosClassicDefinition
  cn: PwdPol_CoSDefinition
  cosAttribute: passwordPolicySubentry operational
  cosTemplateDn: cn=pwdPolTemplateContainer, c=an
  cosSpecifier: nsRole
  - Class of Service (CoS) Template for ExternalUserRole:
  dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  - Class of Service (CoS) Template for ServiceAccountRole:
  dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  - The thing is that it does not to work: if I disable the global password policy, I can set a 3 caracters password even if I specified in the sub password policy that passwordminlengnt is equal to 8 caracters.
  Many thanks in advance for your help.
  Gregoire

  Hmm,
  Pretty cool.
  I just finished doing it the hard-way when I saw your post :(.
  I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
  1) Creating the filtered role (same in both approaches).
  2) Creating a Container for COS Templates.
  3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
  dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
  �cn=PolTempl,dc=example,dc=com
  objectclass: top
  objectclass: extensibleObject
  objectclass: LDAPsubentry
  objectclass: costemplate
  cosPriority: 1
  passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
  (started with a new costemplate and the added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
  4) Creatiing a COS with ...
  4.1) passwordpolicysubenty as a generated attribute that is overriding and operation (this is picked from the matched CoS template)
  4.2) Use the template container's dn from 2) above for the TemplateDN value.
  4.3) Use nsrole of the target enty to narrow down to the COS template as in 3) above. I.E. "template"->"attribute name" value is set to "nsRole"
  (So when a user's nsrole maps to a cn value of an entry under the TemplateDN subtree. That template applies.)

• Active directory Schema - Multiple password policies

  Hi All,
  I am new to AD and would need some suggestion to configure AD. I want to set up AD(2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based
  on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2,
  dealer2loc3 and so on)
  I know the concept of PSO(Password Settings Object) and that it can only be applied to OU using shadow groups and batch file (to copy users from OU to Shadow Groups). The issue is that the OUs would keep getting added as per requirement (would
  be  creating new OUs using C#) and then the management of PSO or shadow groups or batch file would be very complicated, not sure if it can be automated.
  Also, I have budet constraints to add new servers for each domain and separate password policies.
  What could be the possible solution to separate password policies and set up this user structure in Active Directory. I am using W2k8 R2.
  Thanks.

  Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will be not easy to automate.
  Also, can you confirm if I can set up separate password policies by creating sub domain(e.g. example.com will be divided into sales.example.com and admin.example.com and this would further be divided as melourne.sales.example.com and sydney.sales.example.com)
  and I can set separate password policies for sales.example.com and admin.example.com.
  By adding child domains,it is like you are killing a mosquito with a rocket launcher, if you know what I mean. adding child domains increase the cost and administration and also adds complexity to your environment.
  From technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help form a skilled script writer to edit the script. Also I am saying
  that editing your script to a fully automated script is not impossible, it just needs enough time and skills.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Help with Password Policies.

  Hi,
  I created two diffrent Password Policies, and applied it to xellerate user Resource Object.
  Now when i creating a new user of xellerate User type, the password policy doesnt applies, whatever password i gave it takes.
  But when i am changing the password, he policies are applied.
  Y so??
  Thanks
  SjiT

  Administration->Password Poicies
  Policy name_ PolicyTrial_sjit
  minimum Length=5
  Custom Policy Selected.
  Max Length=20
  Min Numeric=2
  Min UpperCase=2
  Resource managemnt-> Rule designer
  name = LastName_sjit
  Operator= AND(By Default it was selected, please explain what is the diffrence between AND/OR in this)
  Type =general
  Description-last Name =jain pass rule
  Rule Element:
  Last name==jain
  Resource Object:
  xellerate User
  (Here Order for organisation is pre-selected. What is the diff bw Order For User and Order fro oragnisation)
  Added a Password policy Rule
  Rule-LastName_sjit
  Policy-PolicyTrial_sjit
  ADmin and user COnsole GUide:
  logged as xelsysadm
  Create User::
  PAssword =2
  Oraganisation= xellerate User
  last Name =jain
  User Created :( :(
  user Details page..
  Clicked Change password.
  Password- abc
  Confirm- abc
  Password Policy Error
  Password must contain at least 1 numeric characters.
  Password must contain at least 2 alphabetic characters.
  Password must not be longer than 10 characters.
  Password must be at least 5 characters long. 
  what wil be the possible cause of such and error.??
  Edited by: sjit on Apr 1, 2010 12:17 AM

• Password policies in ODSEE 11.1.1.7.2

  Hi,
  we're running ODSEE 11.1.1.7.1 on our masters and most of our replicas, all in DS5-compatible-mode.
  I've a job running on the masters to export LDIF data to be able to setup easily new environments for test purposes.
  Inside our DIT we've setup special password policies for all users, ignoring the default policies completely.
  I now setup a new instance on another host and try to import complete DIT via dsconf import and got for every entry with passwordPolicySubentry-Attribute an error
  [11/Mar/2015:11:40:56 +0100] - INFORMATION - Config  - conn=-1 op=-1 msgId=-1 -  (Password Policy: get policy object from entry) Entry "<dn of policy>" not found (51). Reverting to default policy entry "cn=password policy,cn=config".
  I figured out, that our internal policies are not imported due to attributes from both objectclasses (sunPwdPolicy & pwdPolicy). I deleted manually the password*-Attributers and got them imported in the correct place in the DIT.
  Afterwards I tried to do dsconf import -K with all user entries with the relevant passwordPolicySubentry-Attribute and I got the same errors as written above again.
  I managed to import the data with ldapadd successful with the correct passwordPolicySubentry, but why not with the dsconf import???
  Thanks for your hints to find the problem!
  Regards,
  Roland

  Hello,
  You mean the password policy entries are not returned by a search ?
  Password policies stored in the data are stored as ldap sub entry. To get ldap sub entries, you must explicitely ask for it in the search filter, eg. (objectclass=LDAPsubentry)
  -Sylvain
  Please mark this response as correct or helpful when appropriate to make it easier for others to find it

• How Can I change all User Passwords Within a Directory Instance

  Hi Experts,
  I've been asked to refresh an old directory instance with some production data.  Easy enough I thought, however, the user has requested that all user passwords within the old directory instance are preserved.  Is that at all possible?  My chain of thought was that I can extract user passwords from the old instance into a file: -
  # ldapsearch -D cn="Directory Manager" -w xxxxxxxx -b o=xxxxxxx objectclass=* userpassword > <name of file>
  And then then use ldapmodify (or alike) to re-import the user passwords once I've refresh the old instance with the production data.  However, to my knowledge, in order to modify a particular entry via a file, i'd need the following format: -
  dn: gci=-1,ou=people,o=xxxxxxxx
  changetype: modify
  replace: userpassword
  userpassword: xxxxxxxxxxxxxxxx
  The only information I have in the file I created using the ldapsearch command above is as follows: -
  dn: gci=-1,ou=people,o=xxxxxxxx
  userpassword: xxxxxxxxxxxxxxxx
  I don't want to have to edit the file and add the relevant missing entries accordingly as the generated file has somewhere in the region of 150 thousand entries.
  Am I approaching this the correct way?  Is there any other mean of achieving my requirement.
  Thanks in Advance.

  Hi,
  It does not seem a big deal to add the missing lines to your output file.
  For instance, the following awk command should do the trick
  cat search.out
  dn: gci=-1,ou=people,o=xxxxxxxx
  userpassword: xxxxxxxxxxxxxxxx
  cat search.out | awk '/userpassword/ {print "changetype: modify} ; print "replace: userpassword"; }  {print $0}
  dn: gci=-1,ou=people,o=xxxxxxxx
  changetype: modify
  replace: userpassword
  userpassword: xxxxxxxxxxxxxxxx
  Then you can use ldapmodify to apply your changes
  -Sylvain

• Cannot update Global Password Policies, no SSL bind, etc

  Hello Community--
  This is day 3 of the Apple Server Hostage Crisis, and it looks like I'll started clean slate build #5.
  By way of background, I had a functioning ML/2.2.2 server that had RAID problems (and still does).  Attempting to rebuild array failed and I lost the boot hard drives.  I have access to dumpall.psql and all the user data (on an external drive).  I attempted a couple of times to build a clean Mavericks/3.0 server but I couldn't figure out how to get the service data back.  So I build a clean ML/2.2.2 system, got the wiki/calendar/contacts, etc data back in place to include establishment of an OD master using an archive.  Turns out the archive was from one of my Mavericks/3.0 attempts, and while it seemed to create the OD okay, every time I tried to edit the global password policy, Server.app crashed.  I decided to try to move up to Mavericks/3.0.  Server.app no longer crashed but still cannot change global password policies.  I get the following error:
  servermgrd[]: servermgr_dirserv: +[PWPolicy setGlobalPolicyFromDict] error: policy data modification failed: Object class violation: attribute 'apple-user-passwordpolicy' not allowed ()
  I deleted the OD master a couple of times and recreated it from a new archive.  On the second iteration, my PositiveSSL cert was deleted....
  Q1:  Has anyone seen this password policy error and know how to solve it?
  Additionally, although I have (had) the cert from PositiveSSL for my domain, the OD with Server 3 will not use it, instead reverting to a self-signed cert.  All other services seem to work with the PositiveSSL cert.  I've seen discussions in the community on this but have not found a solution. 
  Q2: Is this related to why I cannot create a secure binding?
  I have not even gotten to the point of trying to set up Profile Manager to manage users and devices.  I have not read anywhere that I *need* to have Profile Manger started to get a basic system running.  From a Mavericks-based client where I've logged in with a local user, I can su <OD User> and log in, but the automount of the user's home directory fails due to an authentication issue. 
  Q3:  In Mavericks, does a device have to be enrolled/configured in Profile Manager in order to bind and be usable?
  Well, I'm off to start my next rebuild, but would still appreciate comments and suggestions as I suspect this hostage crisis is not over yet.
  Thanks.
  Tim

  Rebuilt from scratch and reloaded databases for services and the OD archive.  But something was still jacked and passwords wouldn't take.  I was starting to suspect it was OD again, but then I decided to completely wipe the device_management database, which I did following these steps:  http://support.apple.com/kb/ht5349.
  That may have gotten me on track, which is good because I was getting ready to recreate each user account.  I'll continue the effort tomorrow (day 4). 
  I have not decided if I will try again for Mavericks/Server 3.  Sigh....
  Tim

• Cloud User Password Policies

  I am aware of the password policies listed in the documentation area.
  This is fine for the management of changing passwords or recovering ones you've lost (challenge questions), but have a question on the ability to set Password Aging Policies. Is it possible to set a Password aging policy as a user of the cloud service? I want to force the Passwords to expire every 45 days.
  Thanks

  Hi Rick -
  Thanks for your response.
  In researching this further I concur with your assessment that within the cloud service - there is not currently a password aging policy that can be changed by the end user.
  There is however an alternate way to arrive at the same result as password aging within the Cloud Service.
  That is - deploy the Single Sign On Solution for Fusion Applications within the cloud - and that provides identity federation capabilities.
  The OnPremise Identity Management solution can be configured to age the passwords and then when it's expiration date arrives - and the user updates the password within the on premise LDAP, the change will also be affected in the cloud service.
  Viola! we have the ability to ensure that passwords are changed within 'x' period of time.
  It is not a direct solution - but is one that ensures the intent of password aging is enforced.
  Thanks again for your response.
  Guy
  Edited by: ServiceGuy on Nov 19, 2012 3:59 PM

• Portal password Policies and MS Active directory Group Policies

  Has anybody worked with EP6 and Active directory (as the writeable directory). More specifically I am trying to find experience or good documentation about working with the password policies for each. For example if you have the Portal password expiry at 90 days in portals, does the password expiry need be matched in AD.What if it is not, does this casue problems. If anyone as some expereice with this please reply.
  Thanks
  Stephen

  Has anybody worked with EP6 and Active directory (as the writeable directory). More specifically I am trying to find experience or good documentation about working with the password policies for each. For example if you have the Portal password expiry at 90 days in portals, does the password expiry need be matched in AD.What if it is not, does this casue problems. If anyone as some expereice with this please reply.
  Thanks
  Stephen

• BAPI to get password policies in ABAP environement

  Hi all,
  I  am new to the SAP ABAP environement. (worked to some extent on  JAVA stack).
  I am working on the RFCSDK using  C language.
  I wanted to know how to see the password policies in ABAP environment.
  I went through the link
  http://help.sap.com/saphelp_nw04s/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
  Now my question are as follows:
  a)Which transaction should i use to see this values
  b)Is there a BAPI provided to access this values. (using C language)
  Best Regards
  Manoj

  this is not an abap question, but a basis question.
  password settings are maintained with system profile parameters.
  go to transaction RZ11 and search for passw parameters.
  I found a FM by searching for profilepar*
  in the code it uses  
  CALL 'C_SAPGPARAM'                               
       ID 'NAME' FIELD 'auth/object_disabling_active'
       ID 'VALUE' FIELD RET.                         
  I think this one checks the parameters
  regards, Rob,

• Enterprise User Security and Password Policies

  Hi!
  I'm testing Enterprise User Security. Till now everything has gone ok, I can connect to my db using oid users.
  Now I'm configuring OID password policies for my realm but it seems that these are not applied when I connect through db. For example, I can try to logon with a wrong password as many time as I want, although in policies a limit of three is set.
  Is this correct?!

  If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
  regards,
  --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                   

• How to implement extra password policies

  What is the best way to configure additional password policies? We are using the
  DefaultAuthenticator, and its only password policy is Minimum length. We'd like
  to add policies that force a change every 6 months, require a mix of numbers and
  alphas, prevent re-use of old passwords, etc.

  "Ken" <[email protected]> wrote in message
  news:3f900716$[email protected]..
  >
  What is the best way to configure additional password policies? We areusing the
  DefaultAuthenticator, and its only password policy is Minimum length. We'dlike
  to add policies that force a change every 6 months, require a mix ofnumbers and
  alphas, prevent re-use of old passwords, etc.There are currently no additional password policies that can be configured
  for the Default
  authenticator. If you need more, then you may have to move to either another
  LDAP
  server and use the external ldap provider or move to a custom solution and
  write your
  own atn provider.

• Chang system userid/password for another server instance

  It it possible to change the system userid/password for another server
  instance. If so , how ?
  I would like to allow certain groups to be able to start and stop ONLY their
  server without giving out the system account.
  Thanks in advance!

  the relationship between the infrastructure nodes and the application server nodes is a one to many relationship. The infrastructure home should be the only home that the EMWebsite service has been started for.
  the user to log in to em console is ias_admin/<password> if it does not accept the password that you set for this user then try it with caps lock on as you may have had it one when setting the password.
  As 9ias release 2 has been designed with a multiple machine install in mind, if you install more than one instance (multiple oracle homes) on the server then you will end up with multiple apache processes and oc4j processes. This means you will be able to connect to 2 apache server homepages under different ports. That is why you get the same page.

• Retrieve Historical Instances

  I am using the .NET Enterprise SDK.  When I use the code below - I am able to retrieve only Crystal Reports Historical instances.  If I try to retrieve Word or Excel or PDF, I get the following error message on the 325th line (If ReportInterface.ReportParameters.Count > 0 Then):
  Public member 'ReportParameters' on type 'InfoObject' not found.
  Any thoughts as to how to fix this to get the parameters on all datatypes?  In addition, how can I add a hyperlink to the datatable to open the instance (my page to pull instances is called viewer.aspx)?
  Thanks,
  Jeff
      Public Shared Function RetrieveReportInstances(ByVal myInfoStore As InfoStore, ByVal parentID As String) As Data.DataTable
          Dim dt As New Data.DataTable()
          'Declare an array to hold the various statuses that an instance can have.
          Dim status(14) As String
          status(0) = "Active"
          status(1) = "Complete"
          status(3) = "Failed"
          status(4) = "Loaded"
          status(5) = "Loading"
          status(6) = "Not Responding"
          status(7) = "On Hold"
          status(8) = "Paused"
          status(9) = "Scheduled"
          status(10) = "Error"
          status(11) = "Queued"
          status(12) = "Recurring"
          status(13) = "Terminated"
          status(14) = "Terminating"
          'Query for a report.
          'Dim result As String = "Select * From CI_INFOOBJECTS Where SI_PROGID = 'CrystalEnterprise.Report' And SI_PARENTID=" & parentID
          Dim result As String = "Select * From CI_INFOOBJECTS Where SI_PARENTID=" & parentID
          Dim myInfoObjects As InfoObjects = myInfoStore.Query(result)
          'Retrieve the first report returned.
          Dim myInfoObject As InfoObject
          If myInfoObjects.Count > 0 Then
              myInfoObject = myInfoObjects.Item(1)
              'Retrieve the report interface.
              Dim ReportInterface = myInfoObject.PluginInterface.Interface
              dt.Columns.Add(New Data.DataColumn("View"))
              dt.Columns.Add(New Data.DataColumn("Owner"))
              dt.Columns.Add(New Data.DataColumn("Run Date"))
              dt.Columns.Add(New Data.DataColumn("Status"))
              dt.Columns.Add(New Data.DataColumn("Duration"))
              If ReportInterface.ReportParameters.Count > 0 Then
                  'Retrieve the database logon information for each database that
                  'the report must logon to.
                  Dim j As Integer
                  Dim ParamName As String
                  For j = 1 To ReportInterface.ReportParameters.Count
                      ParamName = ReportInterface.ReportParameters.Item(j).ParameterName
                      dt.Columns.Add(New Data.DataColumn(ParamName))
                  Next
              Else
              End If
              ' Add some data to the DataTable.
              Dim myDataRow As Data.DataRow
              If myInfoObjects.Count > 0 Then
                  Dim Duration = 0
                  Dim i As Integer = 1
                  For Each myInfoObject In myInfoObjects
                      If myInfoObjects.Item(i).Properties("SI_UISTATUS").Value = 1 Then
                          Duration = FormatTimeSpan((myInfoObjects.Item(i).Properties("SI_ENDTIME").Value - myInfoObjects.Item(i).Properties("SI_NEXTRUNTIME").Value))
                          'Duration = ""
                      Else
                          Duration = ""
                      End If
                      myDataRow = dt.NewRow()
                      myDataRow(0) = myInfoObjects.Item(i).Properties("SI_KIND").Value
                      myDataRow(1) = myInfoObjects.Item(i).Properties("SI_OWNER").Value
                      myDataRow(2) = myInfoObjects.Item(i).Properties("SI_UPDATE_TS").Value
                      myDataRow(3) = status(myInfoObjects.Item(i).Properties("SI_UISTATUS").Value)
                      myDataRow(4) = Duration
                      Dim k As Integer
                      Dim L As Integer
                      For k = 1 To ReportInterface.ReportParameters.Count
                          L = 4 + k
                          myDataRow(L) = ReportInterface.ReportParameters.Item(k).ValueDisplayString
                      Next
                      dt.Rows.Add(myDataRow)
                      i = i + 1
                  Next
                  i = 1
              End If
          Else
              dt.Columns.Add(New Data.DataColumn("Report"))
              Dim myDataRow As Data.DataRow
              myDataRow = dt.NewRow()
              myDataRow(0) = "There are currently no instances of this report."
              dt.Rows.Add(myDataRow)
          End If
          Return dt
      End Function
      Public Shared Function FormatTimeSpan(ByVal time_span As _
          TimeSpan, Optional ByVal whole_seconds As Boolean = _
          True) As String
          Dim txt As String = ""
          If time_span.Days > 0 Then
              txt &= ", " & time_span.Days.ToString() & " days"
              time_span = time_span.Subtract(New _
                  TimeSpan(time_span.Days, 0, 0, 0))
          End If
          If time_span.Hours > 0 Then
              txt &= ", " & time_span.Hours.ToString() & " hours"
              time_span = time_span.Subtract(New TimeSpan(0, _
                  time_span.Hours, 0, 0))
          End If
          If time_span.Minutes > 0 Then
              txt &= ", " & time_span.Minutes.ToString() & " " & _
                  "minutes"
              time_span = time_span.Subtract(New TimeSpan(0, 0, _
                  time_span.Minutes, 0))
          End If
          If whole_seconds Then
              ' Display only whole seconds.
              If time_span.Seconds > 0 Then
                  txt &= ", " & time_span.Seconds.ToString() & " " & _
                      "seconds"
              End If
          Else
              ' Display fractional seconds.
              txt &= ", " & time_span.TotalSeconds.ToString() & " " & _
                  "seconds"
          End If
          ' Remove the leading ", ".
          If txt.Length > 0 Then txt = txt.Substring(2)
          ' Return the result.
          Return txt
      End Function

  Two things:
  1. Scheduled report instances to a different format has a PROGID specific to that format - for example, scheduling to PDF will result in ta instance of PROGID 'CrystalEnterprise.Pdf'.  You'll have to modify your InfoStore query accordingly.
  2. The returned InfoObject will be format specific, and not of type Report.  You'll have to recast the Plugin Interface:
  report = New Report(infoObjects.Item(1).GetPluginInterface("Report"))
  If Version 10 or older, you may try:
  report = New Report(infoObject.Item(1).PluginInterface)
  Sincerely,
  Ted Ueda

• Invoking password policies within a RequestValidator

  Hello gurus. I am looking for an API, or whatever, to match a user-supplied password against a password policy created via Design Console.
  My goal is to implement a password-consistency check at request level, so that a user is immediately notified if the supplied password does not meet the minimum security criteria for the target resource.
  This is my reference scenario:
  - a user creates a self-provision request for a target resource
  - the users fills the Request Dataset form in and submits the request. One of the Dataset fields contains the password for the account which will be created.
  - the supplied password is checked against resource's password policies
  - if the check is successful, the request is created an filed in for approval
  - otherwise, the user gets a "INVALID PASSWORD" pop-up error message and can make his/her correction immediately
  OIM implements password policies at process form level, i.e. after the request is submitted and approved, which is too late. What I'd love to do is to leverage that existing code by invoking OIM's password policies at request level, within a RequestValidator plugin. Is that possibile? What class/method would I have to call to verify a password against an existing policy?
  Thanks in advance,
  Patri

  Well, good news and bad news.
  Good News
  I was able to implement a RequestDataValidator that performed password validation at the object/account level using the tcPasswordUtilities.checkProcessPasswordUserID method.
  Bad News
  Our password policies all have history rules (i.e can't be one of last x passwords). In addition to validating the object/account password, the tcPasswordUtilities.checkProcessPasswordUserID also updates the password history table (PWH) with the validated password. Since we're doing this validation as part of the request process (RequestDataValidator), the new password will already be in the history table when the actual process form update is performed. Since the process form update will also validate the password, it will always fail because the password is already in the history table because of our request validator's check!
  Back to the drawing board...