Changing user password on first login

Hi all,
I'm using a customised login panel on my external-facing portal homepage. I have changed the look and feel of the default SAP login screen by modifying the logon.par file.
Now I want to replicate the standard portal scenario: when a user logs in for the first time, a change-password screen should be displayed (the same as when we create a new user and log in to the portal).
The problem as of now is that when I create a new user through user management and try to log in to my external-facing portal using this user ID, it neither logs in nor shows any error message or password-change prompt.
Please help me in this regard.
Thanks,
Prasanna

Hi Prasann,
It's great that you have modified the logon PAR, but have you done the necessary changes? Refer to this weblog:
Modifying The Logon Par (or customising the Logon Screen)
For changing the password at first login:
Start the Config Tool: C:\usr\sap\<SID>\<instance>\j2ee\configtool\configtool.bat
Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
Navigate to  cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
Look for the  property "ume.logon.security_policy.password_change_allowed = TRUE"
Save & Restart the J2EE engine.
Thanx
Pankaj

Similar Messages

  • Restrict users from changing password on first login?

    Hi,
    I am doing mass user upload into UME using script import. How should I use the below functionality to restrict the users from changing password on first login?
    IUserAccount uacc = UMFactory.getUserAccountFactory().newUserAccount(uid, newUser.getUniqueID());
    uacc.setPassword("saras");
    uacc.setPasswordChangeRequired(false);
    How to implement above functionality with mass upload from script import?
    Thanks
    Srinivas
    Edited by: srinivas M on Jan 20, 2009 9:05 PM

    hi srinivas,
    try this api
    http://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IUserAccount.html#isPasswordChangeRequired()
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40d562b7-1405-2a10-dfa3-b03148a9bd19
    this document is able to retrieve the password; in the same position you can disable the field
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10649c90-24af-2b10-1086-ea0667ec3655
    thanks

  • Password policy "change password at first login" errors!

    Complete panic!
    I've updated to OS X Server 4.1 and all my users appear to be ok. All green lights within the server app. Computers are NOT giving the red light 'network accounts unavailable'. However, no one can login. Every user, new and old, is being prompted at login to create a new password (say: Password1). They type in a new password (say: Password2), and the box shakes like it didn't accept it. However, if they try to login again, it won't accept Password1. If they type Password2, they again get prompted to change the password.
    So it looks like it's accepting the password, but stuck in this reset password loop.
    I've checked in the server app and workgroup manager. Neither have 'reset password at first login' selected.

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
    1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.
    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
    4. If you have accounts with network home directories, make sure the URLs are correct in the user settings. A return status of 45 from the authorizationhost daemon in the log may mean that the URL for mounting the home directory was not updated after a change in the hostname. If the server and clients are all running OS X 10.10 or later, directories should be shared with SMB rather than AFP.
    5. Follow these instructions to rebuild the Kerberos configuration on the server.
    6. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
    7. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
    8. Reboot the master and the clients.
    9. Don't log in to the server with a network user's account.
    10. Disable any internal firewalls in use, including third-party "security" software.
    11. If you've created any replica servers, delete them.
    12. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.
    13. Reset the password policy database:
    sudo pwpolicy -clearaccountpolicies
    14. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
    If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.

  • Require Change of Password on First Use

    Gurus,
    I need some help with regard to the Change of Password rule for users (new in APEX 3.0).
    I read from the help text:
    Select Yes to require the user of this account to change the password immediately after logging in the first time using the current password. This rule applies to the use of this account for workspace administration or development as well as to use of this account to log in to developed applications.
    So, I add a user and set 'Require Change of Password on First Use' to TRUE, and when the user logs in on the 'Main page' (http://apex.oracle.com/pls/otn/f?p=4550:1:1944788853821985) APEX redirects to a change password page. Extremely cool!
    But here is the problem, if I build myself a little application (one empty page) and then have a user login to this application (not the same one, a brand new test user) the user is never challenged with the password change.
    Is this the way it is supposed to be and I can't read the documentation correctly or is there something I have missed?
    Cheers,
    Andy

    Andy,
    The workspace needs to "enable" the account expiration/locking feature. If you don't have it enabled, the new features are not available for end user accounts. To enable it, use the workspace admin app: Home>Administration>Manage Services>Set Workspace Preferences and click the "Enable" radio button for Account Expiration and Locking. We could have disabled the Account Availability (Locked/Unlocked) and Require Change of Password on First Use user account attributes when this feature is not enabled for the workspace, but then you wouldn't be able to create accounts and set those attributes as you require in anticipation of enabling the feature for the workspace.
    Scott

  • How to change user passwords

    On my Lion server, I want to create several user accounts, mainly for use with the wiki server.  I want to force them all to change their passwords at next login.  I see the checkbox in Workgroup Manager for this preference, but how do I use it?  It doesn't seem to work with the wiki login, because if I enable that checkbox, the user cannot login; they get an error "incorrect user name or password".  These users don't have access to login to the system GUI.

    Thanks.  Can you give me an example of "logging into their network accounts"?  What are all the ways they could do this?  I know SSH and AFP would work, but these users don't have access to either of those.  I'm creating all these user accounts solely for wiki use.

  • Change User password not working in SAP ME 6.0

    Hi,
    In SAP ME 6.0 SP01 6.0.1.0 Counter 40, the activity "Change User Password" does not work for me or any other user.
    The activity window (Netweaver) shows, but in the top it says "An error occurred - contact system administrator".
    This is the output from the default trace file. Seems my user is not authorized, but where do I set this authorization?
    Br,
    Johan
    #2.0 #2011 09 06 11:15:11:064#+0200#Error#com.sap.security.core.wd.jmxmodel.JmxModelComp#
    #BC-JAS-SEC-UME#sap.com/tcsecumewduimodel#C0000AD3034800820000000100000450#9934850000000004#sap.com/tcsecumewdkit#com.sap.security.core.wd.jmxmodel.JmxModelComp#JONORD#16##380199ECD86811E088C3000000979802#ae0e9d52d86811e08e7a000000979802#ae0e9d52d86811e08e7a000000979802#0#Thread[HTTP Worker [@312363456],5,Dedicated_Application_Thread]#Plain##
    public void supplyCompany(IPrivateJmxModelCompInterface.ICompanyNode node, IPrivateJmxModelCompInterface.IContextElement parentElement)
    [EXCEPTION]
    com.sap.engine.services.jmx.exception.JmxSecurityException: Caller JONORD not authorized, required permission missing (javax.management.MBeanPermission -\#getCompanyConceptEnabled[:SAP_J2EECluster="",j2eeType=UmeJmxServer,name=IJmxServer] invoke)
         at com.sap.engine.services.jmx.auth.UmeAuthorization.checkMBeanPermission(UmeAuthorization.java:100)
         at com.sap.engine.services.jmx.JmxServerFrame.checkMBeanPermission(JmxServerFrame.java:101)
         at com.sap.engine.services.jmx.MBeanServerSecurityWrapper.checkMBeanPermission(MBeanServerSecurityWrapper.java:438)
         at com.sap.engine.services.jmx.MBeanServerSecurityWrapper.invoke(MBeanServerSecurityWrapper.java:288)
         at com.sap.engine.services.jmx.ClusterInterceptor.invoke(ClusterInterceptor.java:813)
         at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:367)
         at com.sap.security.core.jmx._gen.IJmxServer$Impl.getCompanyConceptEnabled(IJmxServer.java:1415)
         at com.sap.security.core.wd.jmxmodel.JmxModelCompInterface.supplyCompany(JmxModelCompInterface.java:1498)
         at com.sap.security.core.wd.jmxmodel.wdp.InternalJmxModelCompInterface.supplyCompany(InternalJmxModelCompInterface.java:710)
         at com.sap.security.core.wd.jmxmodel.wdp.IPublicJmxModelCompInterface$ICompanyNode.doSupplyElements(IPublicJmxModelCompInterface.java:4301)
         at com.sap.tc.webdynpro.progmodel.context.DataNode.supplyElements(DataNode.java:110)
         at com.sap.tc.webdynpro.progmodel.context.Node.getElementListAsObject(Node.java:263)
         at com.sap.tc.webdynpro.progmodel.context.MappedNode.createMappedElementList(MappedNode.java:78)
         at com.sap.tc.webdynpro.progmodel.context.MappedNode.supplyElements(MappedNode.java:71)
         at com.sap.tc.webdynpro.progmodel.context.Node.getElementListAsObject(Node.java:263)
         at com.sap.tc.webdynpro.progmodel.context.MappedNode.createMappedElementList(MappedNode.java:78)
         at com.sap.tc.webdynpro.progmodel.context.MappedNode.supplyElements(MappedNode.java:71)
         at com.sap.tc.webdynpro.progmodel.context.Node.getElementListAsObject(Node.java:263)
         at com.sap.tc.webdynpro.progmodel.context.Node.getElements(Node.java:270)

    Hi,
    The Change User Password screen is in fact the user self-services screen of NW UME, and to access it the user must have the Manage_My_Password action. The Installation and Security Guide asks you to assign this action to all roles.

  • How can i add a new user and change user'password with javamail?

    How can I add a new user and change a user's password on a mail server with JavaMail?

    Well, user creation and updating is a system property. You need to go through that part, as it depends on the system on which you are hosting your application.
    If it is Linux, you have to use some shell programming.
    bye for now let me know if this guides you or if you need some more stuff.
    bye

  • Problem with Notifications on Create User/ Change User Password

    Hello,
    I'm having a problem sending emails to users when an account is created in OIM.
    I added a notification to the user and user's manager on the Create User task in the Xellerate User process definition but the emails are not being sent.
    I know that if I create another task with the purpose of sending emails and invoke it through the response in the Create User task, it will work.
    My aim is to avoid adding tasks for something OIM should be able to do OOTB.
    I'm also unable to send an email when a password is updated.. I did the same thing as for the Create User and I know the task (Change User Password) is being invoked by looking at the logs but the emails aren't being sent.
    Has anyone run into such problems?
    I'm having these problems in the Xellerate User process task.. i've added notifications in other process tasks (mainly approval tasks) and they are working fine.
    Thanks in advance

    Hi,
    I am just confused by your response. Have you added the "Password Updated" task in the Xellerate User provisioning process?
    Now if you are changing the password in the OIM profile it will trigger the "Change User Password" task, not the "Password Updated" task, and even if you add the "Password Updated" task on the Xellerate User provisioning process you can't see this task in Resource Details.
    Now assume you added your notification on the "Password Updated" task of any resource which the user is provisioned to; even then, when you change the OIM password it only triggers the "Change User Password" task. So try to have your notification on the "Change User Password" task.
    Please clarify so that I can respond correctly.
    Regards
    Nitesh

  • I recently changed my password and can't login

    I just recently changed my password and can't login. I'm getting an error; do I need to change it again?

    You can't login where?

  • Open Dir, SMB, AFP, Changing Password on first login (Windows)

    Hey all...
    I've read up on some documentation but have run into a roadblock trying to set up file sharing for Open Directory user accounts with OS X Server 10.5.6.
    I have AFP and SMB (and Open dir) services enabled.
    Using all default settings I am able to share files using other Windows and OS X machines.
    Under the Open directory service settings in Server Admin, I tried to enforce that user passwords be reset on first log in.
    When I log in using OS X, I get prompted to change my password and it works fine. When I'm using Windows (XP in this case), the username/password prompt that windows presents outright rejects the initial password. So when forcing users to change passwords, Windows users can no longer log in to share files.
    I've attached the SMB log that corresponds to the attempted log in from the Windows machine.
    [2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_smb_pwd_checkntlmv1(383)
    opendirectoryuser_auth_and_sessionkey gave -14161 [eDSAuthNewPasswordRequired]
    [2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_opendirectory_ntlm_passwordcheck(598)
    I'd appreciate any advice =)

  • Change password at first login

    Hi all,
    In my JSF web app, if a user has his password reset by an admin, the new password is emailed to him, and as soon as he logs in with the new password he MUST change his password before being allowed to use any other part of the site.
    How can I force the "change password" screen to appear?
    My current "hack" is to add this code to the beginning of every single JSF page:
    <%
         final boolean userMustChangePasswordAtNextLogin = ((Boolean) MyAbstractView.evaluateValueBinding("#{loggedInUser.userBean.mustChangePasswordAtNextLogin}")).booleanValue();
         if(userMustChangePasswordAtNextLogin) {
    %>
         <html>
              <head>
                   <META HTTP-EQUIV="Refresh" CONTENT="0; URL=ChangePassword.jsp">
              </head>
         </html>
    <% } else { %>
         [Regular JSP/JSF page content...]
    <% } %>
    Is there a graceful JSF way of doing this? I've investigated the NavigationHandler, but it doesn't get invoked until the user clicks on a CommandButton or such like. I've investigated ViewHandler as well, but cannot see how this would help.
    Any advice appreciated & many thanks in advance...
    - Adam.

    Thanks a lot SirG ....
    This is what I have done so far:
    package com.abc.send.controller.security;
    import javax.faces.component.UIViewRoot;
    import javax.faces.context.FacesContext;
    import javax.faces.event.PhaseEvent;
    import javax.faces.event.PhaseId;
    import javax.faces.event.PhaseListener;
    public class LoginPasswordPhaseListener implements PhaseListener {

         public void afterPhase(final PhaseEvent phaseEvent) {
              // Nothing to do
         }

         public void beforePhase(final PhaseEvent phaseEvent) {
              if (phaseEvent.getPhaseId().equals(PhaseId.RENDER_RESPONSE)) {
                   final FacesContext facesContext = phaseEvent.getFacesContext();
                   final String viewId = facesContext.getViewRoot().getViewId();
                   final boolean userMustChangePasswordAtNextLogin = true;
                   if ((!viewId.equals("/logout.jsp")) && userMustChangePasswordAtNextLogin) {
                        // Replace the requested view with the change-password view before it is rendered
                        final UIViewRoot newRoot = facesContext.getApplication().getViewHandler().createView(facesContext,
                             "/restricted/changePassword.jsp");
                        facesContext.setViewRoot(newRoot);
                   }
              }
         }

         public PhaseId getPhaseId() {
              // Seems that returning PhaseId.RESTORE_VIEW here doesn't work, so we
              // have to use an if expression in beforePhase(..)
              return PhaseId.ANY_PHASE;
         }
    }
    Then in the faces-config.xml:
    <lifecycle>
        <phase-listener>com.abc.common.jsf.view.ViewScopePhaseListener</phase-listener>
        <phase-listener>com.abc.common.jsf.filter.secureserver.SecureServerPhaseListener</phase-listener>
        <phase-listener>com.abc.common.jsf.filter.browservalidation.BrowserValidationPhaseListener</phase-listener>
        <phase-listener>com.abc.common.jsf.filter.security.SecurityPhaseListener</phase-listener>
        <phase-listener>com.abc.common.jsf.filter.postback.PostBackValidationPhaseListener</phase-listener>
        <phase-listener>com.abc.send.controller.security.LoginPasswordPhaseListener</phase-listener>
    </lifecycle>
    So if final boolean userMustChangePasswordAtNextLogin = true; then on a successful login currently I should be taken to the changePassword.jsp, right?
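
A framework-neutral version of the same gate, added here as an example in Python (it is not code from the thread and not JSF): the rule lives in one server-side component that runs before every request instead of in each page, and it refuses to produce the protected page at all rather than emitting a redirect inside it. The session keys `authenticated` and `must_change_password`, the paths `/account/change-password`, `/logout` and `/static/`, and the constructed session and environ are assumptions for the example, not names from the original post.

```python
"""Server-side "must change password" gate as WSGI middleware.

Added example, not the thread's JSF PhaseListener. Session keys, paths and the
constructed request environment are assumptions for illustration.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

CHANGE_PASSWORD_PATH = "/account/change-password"
# The only destinations a flagged user may reach: the change form itself,
# logout, and the static assets the form needs. Everything else is refused.
ALLOWED_WHILE_FLAGGED = frozenset({CHANGE_PASSWORD_PATH, "/logout"})
ALLOWED_PREFIXES = ("/static/",)


def gate_decision(path: str, session: Dict[str, object]) -> Optional[str]:
    """Return the redirect target, or None when the request may proceed.

    `session` is the server-side session record. The flag is read from there,
    never from a cookie or request parameter, so the browser cannot unset it.
    Anonymous requests are left to the login filter; this gate only decides
    what an authenticated-but-flagged user may do.
    """
    if not session.get("authenticated"):
        return None
    if not session.get("must_change_password"):
        return None
    if path in ALLOWED_WHILE_FLAGGED or path.startswith(ALLOWED_PREFIXES):
        return None
    return CHANGE_PASSWORD_PATH


class MustChangePasswordGate:
    """WSGI middleware: do not call the wrapped app when the gate says so.

    Unlike a meta-refresh emitted inside each page, the protected page body is
    never produced, so a client that ignores the redirect still gets nothing.
    """

    def __init__(self, app: Callable, load_session: Callable[[dict], Dict[str, object]]):
        self.app = app
        self.load_session = load_session  # environ -> server-side session dict

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        target = gate_decision(environ.get("PATH_INFO", "/"), self.load_session(environ))
        if target is None:
            return self.app(environ, start_response)
        start_response("303 See Other", [
            ("Location", target),
            ("Cache-Control", "no-store"),
            ("Content-Length", "0"),
        ])
        return [b""]


def run_request(path: str, session: Dict[str, object]) -> Tuple[str, bytes]:
    """Drive the middleware with a constructed environ and session.

    Returns (status line, body) so the behaviour can be checked offline.
    """
    def protected_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"report data for " + environ["PATH_INFO"].encode()]

    gate = MustChangePasswordGate(protected_app, lambda environ: session)
    captured: List[str] = []

    def start_response(status, headers, exc_info=None):
        captured.append(status)
        return lambda data: None

    body = b"".join(gate({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured[0], body


if __name__ == "__main__":
    flagged = {"authenticated": True, "must_change_password": True}
    print(run_request("/reports", flagged))             # redirected, empty body
    print(run_request(CHANGE_PASSWORD_PATH, flagged))   # served
    print(run_request("/reports", {"authenticated": True, "must_change_password": False}))
```

The flag is cleared only by the change-password handler itself, after the new password has been accepted server-side; the same `gate_decision` can be called from a JSF PhaseListener or a servlet filter, the transport wrapper is the only part that is WSGI-specific.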

  • How can you create a customized page to change user password?

    Hello to all,
    I would like to create a customized page for a user to change their password. We are using Portal version 3.0.9 on Windows NT/2000. Currently there is a page in portal where a user can change their password.
    I tried linking to that page by copying the shortcut URL and adding it as an HTML portlet. The problem is that we want to direct the users to a page of our choosing when they click on the "cancel" and "ok" buttons. I read in the forums that there is a selfreg.cmd script.
    I also read that there is some code that has been available.
    Has anyone implemented a customized user password change page? Do you know of any links that might have steps to follow or more information?
    Thanks in advance,
    Lindsay

    Hi,
    I was able to customize the change password screen through a procedure. This is what I did:
    * Created a procedure under the Portal30_sso schema:
    CREATE OR REPLACE procedure reports_chage_password
    (
     site2pstoretoken in varchar2 default null
    ,p_username in varchar2 default null
    ,p_error_code in varchar2 default null
    ,p_submit_url in varchar2 default null
    ,p_done_url in varchar2 default null
    ,p_pwd_is_exp in varchar2 default null
    ,p_password in varchar2 default null
    )
    is
    begin
    htp.htmlopen;
    htp.headopen;
    htp.title ('<TITLE of Page>');
    htp.headclose;
    htp.bodyopen;
    htp.p('<table width="100%"><tr><td colspan=2 align=center><IMG SRC="<directory of image if you want>"><br><hr><br></td></tr>');
    htp.p('<tr><td colspan=2 align=center>');
    htp.p('<font COLOR="#000080" face="Times New Roman" size=+2><b>');
    htp.header(nsize => 1 ,cheader => 'Change Password');
    htp.p('</b></font>');
    htp.p('</td></tr><tr><td align=right>');
    htp.formopen(curl => p_submit_url );
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Username:');
    htp.p('</td><td align=left><font color="#000080" face="Times New Roman" size=+1>');
    htp.p(p_username);
    htp.p('</font>');
    htp.p('</td></tr>');
    htp.formHidden(cname => 'p_username',cvalue => p_username);
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Old Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_old_password',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('New Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_new_password',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Confirm New Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_new_password_confirm',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.p('<tr><td rowspan=2>');
    htp.formHidden(cname => 'p_done_url',cvalue => '<the url that you want users to go to when they are done>');
    htp.formHidden(cname => 'p_pwd_is_exp',cvalue => p_pwd_is_exp);
    htp.formHidden(cname => 'p_password',cvalue => p_password);
    htp.formHidden(cname => 'site2pstoretoken',cvalue => site2pstoretoken);
    htp.p('</td></tr>');
    htp.p('<tr><td align=right>');
    htp.formSubmit(cname => 'p_action',cvalue => 'OK');
    htp.p('</td><td align=left>');
    htp.formSubmit(cname => 'p_action',cvalue => 'CANCEL');
    htp.p('</td></tr></table>');
    htp.formClose;
    if p_error_code is not null then
    htp.br;
    htp.fontOpen(ccolor=> 'red', csize=> 4);
    if p_error_code = 'auth_fail_err' then
    htp.p('Old password is incorrect');
    elsif p_error_code = 'pwd_rule_err' then
    htp.p('The new password does not follow '||
    'the password policies.');
    htp.br;
    htp.p('Verify with your System Administrator '||
    'about the Password Policies');
    elsif p_error_code = 'confirm_pwd_fail_txt' then
    htp.p('Confirmation for new password is not '||
    'the same as the New Password');
    elsif p_error_code = 'null_new_pwd_err' then
    htp.p('New password cannot be null');
    elsif p_error_code = 'null_old_pwd_err' then
    htp.p('Old password cannot be null');
    else
    htp.p ('Error: ' || p_error_code );
    end if;
    htp.fontClose;
    end if;
    end;
    * Grant this procedure to PUBLIC
    * Update the portal30_sso.wwsso_ls_configuration_info_$:
    UPDATE portal30_sso.wwsso_ls_configuration_info_$
    SET LOGIN_URL = '<YOUR CUSTOM LOGIN URL OR THE WORD UNUSED IF YOU DO NOT HAVE ONE> http://<MACHINE_NAME>.<DOMAIN>/pls/portal30_sso/portal30_sso.<NAME OF PROCEDURE>';
    * After you update the table, go to your account information link, and click on the change password link.
    * Then copy the url that you see in your address line
    * And if you want a change password link at the top of your portal page, just go to EDIT on your page, then edit the banner defaults. Then in the links add the Label and the URL. The URL would be the URL you copied from the previous step.
    Hope this helps.
    I've customized the login page too if you would like some sample code for that. Let me know.
    Martin

  • Unable to change user password (OD-Master)

    Hi!
    Running a xserve with 10.9.5 as an OD-Master with more than 1000 users I realized that I cannot change their passwords anymore.
    I'm using WorkgroupManager, and get the following message:
    "In order to set the password of a user with an Open Directory Password, your own password type must be Open Directory. Administrators with other password types cannot set the password of a user with an Open Directory password."
    In the Server.app I cannot change the password either, and there is no error message; the dialog just does not disappear.
    Any ideas?
    Thank you,
    Peter

    Well I had exactly the same problem here with OS X 10.9.5 Mavericks Server and Security Update 2015-004 applied.
    I tried several things (rekerberize my server, reset my Open Dir Admin password) but finally what worked for me:
    I renewed my Certificate with Server.app > Certificates > double click on your certificate > a new window opens with the certificate > click "Renew..." > then "OK"
    After that I could create a new user with a password with "Server.app" without trashing my whole OD-Master :-)
    Also what could help: In "Workgroup Manager.app" > try to login with a local admin credential > then click on the right "Lock" icon > and authenticate with the "OpenDir-Admin" credential so that you will see "Authenticated as myopendiradmin to directory: /LDAPv3/127.0.0.1".
    hope this helps
    Gilles

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
    If anyone can help me figure out why it doesn't work, that would be great!
    P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my java code:
    import javax.naming.*;
    import javax.security.auth.*;
    import javax.security.auth.login.*;
    import java.security.PrivilegedAction;
    import java.io.UnsupportedEncodingException;

    public void changeSecret(String uid, String oldPassword, String newPassword)
              throws NamingException, ACException {
         LoginContext lc = null;
         try {
              // Kerberos login as the user whose password is being changed
              K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
              lc = new LoginContext("marker", cb);
              lc.login();
              // rz is not shown in this post; rz.getName() has to yield the user's
              // distinguished name, which ChangePasswordAction passes to modifyAttributes()
              Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
         } catch (LoginException e) {
              e.printStackTrace();
         } finally {
              if (lc != null) {
                   try {
                        lc.logout();
                   } catch (LoginException ignored) {
                        // nothing further to do if logout fails
                   }
              }
         }
    }
    ChangePasswordAction.java is:
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.security.PrivilegedAction;
    import java.io.UnsupportedEncodingException;
    import java.util.Hashtable;

    class ChangePasswordAction implements PrivilegedAction<Object> {
         private final String uid;   // distinguished name of the user entry
         private final String quotedOldPassword;
         private final String quotedNewPassword;

         public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
              this.uid = uid;
              // AD expects the unicodePwd value wrapped in double quotes ...
              quotedOldPassword = "\"" + oldPassword + "\"";
              quotedNewPassword = "\"" + newPassword + "\"";
         }

         public Object run() {
              Hashtable<String, String> env = new Hashtable<String, String>(11);
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
              // GSSAPI bind uses the Kerberos credentials of the Subject passed to doAs()
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              try {
                   DirContext ctx = new InitialDirContext(env);
                   ModificationItem[] mods = new ModificationItem[2];
                   // ... and encoded as UTF-16LE without a byte-order mark
                   byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                   byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                   // self-service change: remove the old value and add the new one in a single modify
                   mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                   mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                   ctx.modifyAttributes(uid, mods);
                   ctx.close();
              } catch (NamingException e) {
                   e.printStackTrace();
              } catch (UnsupportedEncodingException e) {
                   e.printStackTrace();
              }
              return null;
         }
    }
    K5CallbackHandler is:
    import javax.security.auth.callback.*;

    final class K5CallbackHandler implements CallbackHandler {
         private final String name;
         private final char[] passwd;

         public K5CallbackHandler(String nm, String pw) {
              name = nm;
              if (pw == null) {
                   passwd = new char[0];
              } else {
                   passwd = pw.toCharArray();
              }
         }

         public void handle(Callback[] callbacks)
                   throws java.io.IOException, UnsupportedCallbackException {
              for (int i = 0; i < callbacks.length; i++) {
                   if (callbacks[i] instanceof NameCallback) {
                        NameCallback cb = (NameCallback) callbacks[i];
                        cb.setName(name);
                   } else if (callbacks[i] instanceof PasswordCallback) {
                        PasswordCallback cb = (PasswordCallback) callbacks[i];
                        cb.setPassword(passwd);
                   } else {
                        throw new UnsupportedCallbackException(callbacks[i]);
                   }
              }
         }
    }
    The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
    marker {
         com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires, at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding the following in your ChangePasswordAction class:)

        //Specify the quality of protection
        //Eg. auth-conf; confidentiality, auth-int; integrity
        //confidentiality is required to set a password
        env.put("javax.security.sasl.qop","auth-conf");
        //require high strength 128 bit crypto
        env.put("javax.security.sasl.strength","high");

    You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that either RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
    Good luck.
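    Putting the pieces of this thread together, as an added example that is not the poster's code nor the reply's: the JAAS login against the "marker" entry, the Subject.doAs call that runs the LDAP modify under the resulting Kerberos ticket, the unicodePwd encoding (quoted, UTF-16LE), and the SASL qop/strength settings the reply recommends. The host ad.example.com, the class and method names, and the user DN parameter are placeholders of mine; the callback handler is written as a lambda instead of the K5CallbackHandler class above.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public final class AdPasswordChange {

    // Placeholder domain controller (assumption, not a host from the thread).
    static final String LDAP_URL = "ldap://ad.example.com:389";

    /**
     * JNDI environment for a GSSAPI bind that AD will accept for a unicodePwd
     * change. Confidentiality (auth-conf) and high strength are requested, as
     * the reply above recommends; without an encrypted session AD refuses the
     * modify of unicodePwd.
     */
    static Hashtable<String, String> gssapiEnv(String url) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");   // encrypt the session
        env.put("javax.security.sasl.strength", "high");   // 128-bit or stronger cipher
        return env;
    }

    /** AD wants the unicodePwd value as the password in double quotes, UTF-16LE encoded. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /**
     * Self-service change: delete the old value and add the new one in a single
     * modify. AD only permits this form when the caller proves knowledge of the
     * old password; an administrative reset would use one REPLACE_ATTRIBUTE instead.
     */
    static ModificationItem[] changeMods(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /**
     * Full flow: authenticate with the "marker" JAAS entry (Krb5LoginModule), then
     * run the LDAP modify inside Subject.doAs so the GSSAPI bind uses that ticket.
     * userDn is the distinguished name of the account whose password changes.
     */
    static void changePassword(final String userDn, final String principal,
                               final String oldPassword, final String newPassword)
            throws Exception {
        // Supplies the principal name and current password to Krb5LoginModule.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(oldPassword.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("marker", handler);
        lc.login();
        try {
            Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Void>() {
                public Void run() throws Exception {
                    DirContext ctx = new InitialDirContext(gssapiEnv(LDAP_URL));
                    try {
                        ctx.modifyAttributes(userDn, changeMods(oldPassword, newPassword));
                    } finally {
                        ctx.close();
                    }
                    return null;
                }
            });
        } finally {
            lc.logout();
        }
    }
}
```

    Any NamingException from modifyAttributes surfaces through Subject.doAs wrapped in a PrivilegedActionException; inspect its cause rather than swallowing it, since AD reports the reason (unencrypted session, policy violation, wrong old password) in that error.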

  • UCM 11g change user password

    Hi,
    I am not able to find out how users could change their passwords.
    It is about UCM 11g.
    Please, if anybody knows, tell me.
    Thanks in advance

    This was actually the first custom component I created for 11g.
    You should look into the 'self' features that are available in ldap security options. For example, as it seems that we're talking about the embedded ldap here:
    for weblogic embedded server, add to acls.prop:
         ou=people,ou=myrealm,dc=ecm_domain|subtree#grant:r,w,o,s#userpassword#this:
    This will let people use their current password to bind into LDAP and change their own password. They won't be able to change other passwords. This works well and you can put together a template that has the standard change pw format:
    current password:
    new password:
    confirm password:
    at least that's what I put together.
    -ryan
