Cloud User Password Policies

I am aware of the password policies listed in the documentation area.
This is fine for the management of changing passwords or recovering ones you've lost (challenge questions), but have a question on the ability to set Password Aging Policies. Is it possible to set a Password aging policy as a user of the cloud service? I want to force the Passwords to expire every 45 days.
Thanks

Hi Rick -
Thanks for your response.
In researching this further I concur with your assessment that within the cloud service - there is not currently a password aging policy that can be changed by the end user.
There is however an alternate way to arrive at the same result as password aging within the Cloud Service.
That is - deploy the Single Sign On Solution for Fusion Applications within the cloud - and that provides identity federation capabilities.
    The on-premise Identity Management solution can be configured to age the passwords, and when the expiration date arrives and the user updates the password within the on-premise LDAP, the change will also be effected in the cloud service.
    Voilà! We have the ability to ensure that passwords are changed within 'x' period of time.
It is not a direct solution - but is one that ensures the intent of password aging is enforced.
Thanks again for your response.
Guy
Edited by: ServiceGuy on Nov 19, 2012 3:59 PM

Similar Messages

  • Creative Cloud User Password

    I have sent users invites to join my CC Team, they accept and it asks them for a password. Where do I set CC users' passwords?

    Hi Shawn Meyer,
    If the email ID with which the invite to the CC Team has been accepted is being used for the first time for Adobe products and you have not set the password, then click on the option "Trouble signing in";
    it will send a password reset link to the email ID.
    In this way the password can be obtained.
    Please let us know if it worked.
    Regards
    Rajshree

  • Enterprise User Security and Password Policies

    Hi!
    I'm testing Enterprise User Security. Till now everything has gone ok, I can connect to my db using oid users.
    Now I'm configuring OID password policies for my realm but it seems that these are not applied when I connect through db. For example, I can try to logon with a wrong password as many time as I want, although in policies a limit of three is set.
    Is this correct?!

    If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
    regards,
    --Olaf

  • HT204053 How do I create an Apple ID for my kids which are linked to my Apple ID so that they can make purchases without me having to tell them my user/password?

    How do I create an Apple ID for my kids which are linked to my Apple ID so that they can make purchases without me having to tell them my user/password?

    Welcome to the community.
    Unfortunately, you cannot do that. The first hurdle that you are going to face, is that mobile devices, by virtue of being prone to loss, will always require that a password is entered before a purchase of any kind is made.
    If your concern about the password is related to your privacy in regard to your mail, contacts and calendar information rather than their access to make purchases, then the best solution would be for you to use another Apple ID for iCloud.
    Apple have called the whole cloud thing iCloud, there are a number of features under the iCloud umbrella, some of which require their own login. iTunes is one of these, another is what Apple have unfortunately also called iCloud too.
    You can use the same Apple ID (account) to login to both iCloud and iTunes, but you don't need to and often users will login to each service using a different ID.
    The part that you need to remember is that the services available when you log into iCloud are completely different and unrelated to those when you log in to iTunes. Your iCloud login enables mail, contacts, calendars, find my phone, Back to My Mac, Documents & Data sharing and photostream, it does not affect any of your iTunes services.

  • How to prevent user password being reset to the same password?

    Hi,
    As you all know, domain admin has the power to reset user password.  Let's think of the following scenario:
    If an admin lets a user reset his password to the same string, this action means he could nullify the company password policy, which requires the user's last N passwords to be recorded in the history.
    We could very well imagine that the admin reset his own personal password in order to bypass company policy.
    I have asked partner forum to see if there's a way to prevent such thing, but the reply I got is "No".
    I wanted to know if anyone of you have any idea to prevent such thing from happening?
    Or if it's possible to get the hash value of users past N password to see if he's always using the same password?
    Thanks in advance for your ideas.

    Good rules are a better alternative to a complex policy.
    Combine password history with time interval between changes.
    Regards
    Milos
    You don't understand what I mean.
    He knows exactly what you mean. 
    check out this link below:
    http://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx
    Enforce password history
    The Enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.
    The possible values for this Group Policy setting are:
    A user-defined number from 0 through 24.
    Not defined.
    Discussion
    Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but nothing prevents them from using the old password or continually reusing a small number of passwords, the effectiveness of a good password policy is greatly reduced.
    Specifying a low number for Enforce password history allows users to continually use the same small number of passwords repeatedly. If you do not also set Minimum password age, users can change their password as many times in a row as necessary in order to reuse their original password.
    If you set Enforce password history to a number greater than zero, users must come up with a new password every time they are required to change their old one. This improves security, but it can increase the risk that users will write down their passwords so they do not forget them.
    If you set the value to the maximum of 24, it helps to ensure that vulnerabilities caused by password reuse are kept to a minimum.
    For this policy setting to be effective in your organization, configure Minimum password age so that you do not allow passwords to be changed immediately. Enforce password history should be set at the level that combines a reasonable maximum password age with a reasonable password change interval requirement for users.
    Location
    GPO_name\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes
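
    The interaction between Enforce password history and Minimum password age described in the quoted TechNet text, and the administrative reset the original poster is worried about, can be seen on constructed data. The following is an added Python model and not Windows or Microsoft code; it keeps the password history as salted SHA-256 digests (an assumption of the model, a domain controller keeps NT hashes) and treats an administrative reset as skipping both checks, which is the behaviour the thread describes.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Policy:
    history_length: int   # 'Enforce password history' (0..24 in the GPO)
    min_age_days: int     # 'Minimum password age' (0 = change at any time)


@dataclass
class Account:
    # Model assumption: history is kept as salted SHA-256 digests.  A domain
    # controller keeps NT hashes, but the comparison logic is the same.
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # oldest first
    last_set_day: int = 0

    def digest(self, password: str) -> bytes:
        return hashlib.sha256(self.salt + password.encode("utf-8")).digest()


def user_change(acct: Account, policy: Policy, new_password: str, day: int):
    """A change made by the user: both policy settings apply.
    Returns (accepted, reason)."""
    if acct.history and day - acct.last_set_day < policy.min_age_days:
        return False, "min-age"
    remembered = acct.history[-policy.history_length:] if policy.history_length else []
    if acct.digest(new_password) in remembered:
        return False, "history"
    acct.history.append(acct.digest(new_password))
    acct.last_set_day = day
    return True, "ok"


def admin_reset(acct: Account, new_password: str, day: int):
    """A reset done by an administrator, as the original poster describes it:
    neither history nor minimum age is consulted (length and complexity still
    are on a real DC; they are not modelled here)."""
    acct.history.append(acct.digest(new_password))
    acct.last_set_day = day
    return True, "reset"


def cycle_back(policy: Policy, original: str = "Winter2012!"):
    """Provision `original`, wait exactly the minimum age once, then make
    history_length filler changes and try to return to `original`, all on the
    same day.  The result of that last change shows whether the policy holds."""
    acct = Account()
    admin_reset(acct, original, day=0)
    day = policy.min_age_days               # the first change is legitimately due
    for i in range(policy.history_length):
        accepted, reason = user_change(acct, policy, f"Filler-{i}!", day)
        if not accepted:
            return accepted, reason
    return user_change(acct, policy, original, day)


def admin_can_reuse(policy: Policy, password: str = "Winter2012!", day: int = 30):
    """Contrast the user trying to pick the same string (refused by history)
    with an administrator resetting to it (accepted) on the same account."""
    acct = Account()
    admin_reset(acct, password, day=0)
    return user_change(acct, policy, password, day), admin_reset(acct, password, day)
```

    cycle_back(Policy(24, 0)) returns (True, "ok"): twenty-four filler changes and the original password is back, which is the loophole the TechNet text warns about. With Policy(24, 1) the second same-day change is refused with "min-age", so the cycle never completes. admin_can_reuse shows the gap the poster asked about: the user is refused by history, the administrative reset to the same string goes through.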

  • How can you create a customized page to change user password?

    Hello to all,
    I would like to create a customized page for a user to change their password. We are using Portal version 3.0.9 on Windows NT/2000. Currently there is a page in portal where a user can change their password.
    I tried linking to that page by copying the shortcut url and adding it as an html portlet. The problem is that we want to direct the users to a
    page of our choosing when they click on the "cancel" and "ok" buttons. I read in the forums that there is a selfreg.cmd script.
    I also read that there is some code that has been available.
    Has anyone implemented a customized user password change page? Do you know of any links that might have steps to follow or
    more information?
    Thanks in advance,
    Lindsay

    Hi,
    I was able to customize the change password screen through a procedure. This is what I did:
    * Created a procedure under the Portal30_sso schema:
    CREATE OR REPLACE procedure reports_chage_password (
    site2pstoretoken in varchar2 default null
    ,p_username in varchar2 default null
    ,p_error_code in varchar2 default null
    ,p_submit_url in varchar2 default null
    ,p_done_url in varchar2 default null
    ,p_pwd_is_exp in varchar2 default null
    ,p_password in varchar2 default null
    )
    is
    begin
    htp.htmlopen;
    htp.headopen;
    htp.title ('<TITLE of Page>');
    htp.headclose;
    htp.bodyopen;
    htp.p('<table width="100%"><tr><td colspan=2 align=center><IMG SRC="<directory of image if you want>"><br><hr><br></td></tr>');
    htp.p('<tr><td colspan=2 align=center>');
    htp.p('<font COLOR="#000080" face="Times New Roman" size=+2><b>');
    htp.header(nsize => 1 ,cheader => 'Change Password');
    htp.p('</b></font>');
    htp.p('</td></tr><tr><td align=right>');
    htp.formopen(curl => p_submit_url );
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Username:');
    htp.p('</td><td align=left><font color="#000080" face="Times New Roman" size=+1>');
    htp.p(p_username);
    htp.p('</font>');
    htp.p('</td></tr>');
    htp.formHidden(cname => 'p_username',cvalue => p_username);
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Old Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_old_password',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('New Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_new_password',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Confirm New Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_new_password_confirm',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.p('<tr><td rowspan=2>');
    htp.formHidden(cname => 'p_done_url',cvalue => '<the url that you want users to go to when they are done>');
    htp.formHidden(cname => 'p_pwd_is_exp',cvalue => p_pwd_is_exp);
    htp.formHidden(cname => 'p_password',cvalue => p_password);
    htp.formHidden(cname => 'site2pstoretoken',cvalue => site2pstoretoken);
    htp.p('</td></tr>');
    htp.p('<tr><td align=right>');
    htp.formSubmit(cname => 'p_action',cvalue => 'OK');
    htp.p('</td><td align=left>');
    htp.formSubmit(cname => 'p_action',cvalue => 'CANCEL');
    htp.p('</td></tr></table>');
    if p_error_code is not null then
    htp.br;
    htp.fontOpen(ccolor=> 'red', csize=> 4);
    if p_error_code = 'auth_fail_err' then
    htp.p('Old password is incorrect');
    elsif p_error_code = 'pwd_rule_err' then
    htp.p('The new password does not follow '||
    'the password policies.');
    htp.br;
    htp.p('Verify with your System Administrator '||
    'about the Password Policies');
    elsif p_error_code = 'confirm_pwd_fail_txt' then
    htp.p('Confirmation for new password is not '||
    'the same as the New Password');
    elsif p_error_code = 'null_new_pwd_err' then
    htp.p('New password cannot be null');
    elsif p_error_code = 'null_old_pwd_err' then
    htp.p('Old password cannot be null');
    else
    htp.p ('Error: ' || p_error_code );
    end if;
    htp.fontClose;
    end if;
    end;
    * Grant this procedure to PUBLIC
    * Update the portal30_sso.wwsso_ls_configuration_info_$:
    UPDATE portal30_sso.wwsso_ls_configuration_info_$
    SET LOGIN_URL = '<YOUR CUSTOM LOGIN URL, OR THE WORD UNUSED IF YOU DO NOT HAVE ONE> http://<MACHINE_NAME>.<DOMAIN>/pls/portal30_sso/portal30_sso.<NAME OF PROCEDURE>';
    * After you update the table, go to your account information link, and click on the change password link.
    * Then copy the url that you see in your address line
    * And if you want a change password link at the top of your portal page, just go to EDIT on your page, then edit the banner defaults. Then in the links add the Label and the URL. The URL would be the URL you copied from the previous step.
    Hope this helps.
    I've customized the login page too if you would like some sample code for that. Let me know.
    Martin

  • Error while trying to change the user password on OSX Lion

    Hello,
    I am trying to change the user password ( no admin user ) using the webinterface. I enabled the functionality in webservices on the server.
    I can log in to the three-line password changing form. After I enter the old and two times the new password, I get the information
    "Your request could not be completed. The password server may be unavailable."
    How can I fix this problem?  I also tried https://discussions.apple.com/thread/2485167?start=0&tstart=0.
    Thanks in advance for help.

    I currently have this error on my 10.6.8 ML server when trying to change password.
    In my situation, the message definitely comes from the password policies. As soon as I use a new password that respects minimum complexity (e.g. 8 characters min, 1 lowercase letter, 1 uppercase letter, 1 number), the password changes flawlessly.
    It would be nice to change this horrible message to something more meaningful... If someone has any ideas on how to do this, thanks for sharing!

  • Cannot update Global Password Policies, no SSL bind, etc

    Hello Community--
    This is day 3 of the Apple Server Hostage Crisis, and it looks like I'll be starting clean-slate build #5.
    By way of background, I had a functioning ML/2.2.2 server that had RAID problems (and still does).  Attempting to rebuild array failed and I lost the boot hard drives.  I have access to dumpall.psql and all the user data (on an external drive).  I attempted a couple of times to build a clean Mavericks/3.0 server but I couldn't figure out how to get the service data back.  So I build a clean ML/2.2.2 system, got the wiki/calendar/contacts, etc data back in place to include establishment of an OD master using an archive.  Turns out the archive was from one of my Mavericks/3.0 attempts, and while it seemed to create the OD okay, every time I tried to edit the global password policy, Server.app crashed.  I decided to try to move up to Mavericks/3.0.  Server.app no longer crashed but still cannot change global password policies.  I get the following error:
    servermgrd[]: servermgr_dirserv: +[PWPolicy setGlobalPolicyFromDict] error: policy data modification failed: Object class violation: attribute 'apple-user-passwordpolicy' not allowed ()
    I deleted the OD master a couple of times and recreated it from a new archive.  On the second iteration, my PositiveSSL cert was deleted....
    Q1:  Has anyone seen this password policy error and know how to solve it?
    Additionally, although I have (had) the cert from PositiveSSL for my domain, the OD with Server 3 will not use it, instead reverting to a self-signed cert.  All other services seem to work with the PositiveSSL cert.  I've seen discussions in the community on this but have not found a solution. 
    Q2: Is this related to why I cannot create a secure binding?
    I have not even gotten to the point of trying to set up Profile Manager to manage users and devices.  I have not read anywhere that I *need* to have Profile Manager started to get a basic system running.  From a Mavericks-based client where I've logged in with a local user, I can su <OD User> and log in, but the automount of the user's home directory fails due to an authentication issue. 
    Q3:  In Mavericks, does a device have to be enrolled/configured in Profile Manager in order to bind and be usable?
    Well, I'm off to start my next rebuild, but would still appreciate comments and suggestions as I suspect this hostage crisis is not over yet.
    Thanks.
    Tim

    Rebuilt from scratch and reloaded databases for services and the OD archive.  But something was still jacked and passwords wouldn't take.  I was starting to suspect it was OD again, but then I decided to completely wipe the device_management database, which I did following these steps:  http://support.apple.com/kb/ht5349.
    That may have gotten me on track, which is good because I was getting ready to recreate each user account.  I'll continue the effort tomorrow (day 4). 
    I have not decided if I will try again for Mavericks/Server 3.  Sigh....
    Tim

  • Implementing password policie using Role and CoS

    Hy all,
    I have created a directory with the following partial structure (Sun Directory Server 5.2 patch 2):
    ou=people,o=accounts,c=an
    |----- cn=user1
    |----- cn=user2
    |----- cn=user3
    ou=services,o=accounts,c=an
    |---------cn=user4
    |---------cn=user5
    |---------cn=user6
    I want to assign different password policies based on the ou.
    I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
    So I create following records:
    - Customized Password Policy Container:
    dn: cn=Customized Password Policy, c=an
    objectClass: top
    objectClass: nsContainer
    cn: Customized Password Policy
    - External User Customized Password Policy: (same as the global one)
    dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
    objectClass: top
    objectClass: passwordPolicy
    cn: externalUserPwdPolicy
    passwordInHistory: 5
    passwordWarning: 432000
    passwordExpireWithoutWarning: on
    passwordRootdnMayBypassModsChecks: on
    passwordLockout: on
    passwordMaxFailure: 3
    passwordMaxAge: 5184000
    passwordCheckSyntax: off
    passwordResetFailureCount: 1200
    passwordMinLength: 8
    passwordStorageScheme: SHA
    passwordChange: on
    passwordMinAge: 86400
    passwordMustChange: off
    passwordUnlock: off
    passwordLockoutDuration: 3600
    passwordExp: on
    - Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
    dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
    objectClass: top
    objectClass: passwordPolicy
    cn: serviceAccountPwdPolicy
    passwordInHistory: 5
    passwordWarning: 432000
    passwordExpireWithoutWarning: on
    passwordRootdnMayBypassModsChecks: on
    passwordLockout: on
    passwordMaxFailure: 3
    passwordMaxAge: 5184000
    passwordCheckSyntax: off
    passwordResetFailureCount: 1200
    passwordMinLength: 8
    passwordStorageScheme: SHA
    passwordChange: on
    passwordMinAge: 172800
    passwordMustChange: off
    passwordUnlock: off
    passwordLockoutDuration: 3600
    passwordExp: off
    - External User Role:
    dn: cn=externalUserRole,c=an
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsComplexRoleDefinition
    objectclass: nsFilteredRoleDefinition
    cn: externalUserRole
    nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
    Description: Filtered role for external users
    - Service Account Role
    dn: cn=serviceAccountRole,c=an
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsComplexRoleDefinition
    objectclass: nsFilteredRoleDefinition
    cn: serviceAccountRole
    nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
    Description: Filtered role for external services account
    - Template Container for Customized Password Policy:
    dn: cn=pwdPolTemplateContainer, c=an
    objectClass: top
    objectClass: nscontainer
    - Class of Service (CoS) Definition for password policy:
    dn: cn=PwdPol_CoSDefinition, c=an
    objectClass: top
    objectClass: LDAPsubentry
    objectClass: cosSuperDefinition
    objectClass: cosClassicDefinition
    cn: PwdPol_CoSDefinition
    cosAttribute: passwordPolicySubentry operational
    cosTemplateDn: cn=pwdPolTemplateContainer, c=an
    cosSpecifier: nsRole
    - Class of Service (CoS) Template for ExternalUserRole:
    dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
    objectClass: top
    objectClass: extensibleObject
    objectClass: costemplate
    objectClass: LDAPsubentry
    cosPriority: 2
    passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
    - Class of Service (CoS) Template for ServiceAccountRole:
    dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
    objectClass: top
    objectClass: extensibleObject
    objectClass: costemplate
    objectClass: LDAPsubentry
    cosPriority: 2
    passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
    - The thing is that it does not seem to work: if I disable the global password policy, I can set a 3-character password even though I specified in the sub password policy that passwordMinLength is equal to 8 characters.
    Many thanks in advance for your help.
    Gregoire

    Hmm,
    Pretty cool.
    I just finished doing it the hard-way when I saw your post :(.
    I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
    1) Creating the filtered role (same in both approaches).
    2) Creating a Container for COS Templates.
    3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
    dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",cn=PolTempl,dc=example,dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: LDAPsubentry
    objectclass: costemplate
    cosPriority: 1
    passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
    (started with a new costemplate and the added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
    4) Creating a CoS with ...
    4.1) passwordPolicySubentry as a generated attribute that is overriding and operational (this is picked from the matched CoS template)
    4.2) Use the template container's dn from 2) above for the TemplateDN value.
    4.3) Use nsRole of the target entry to narrow down to the CoS template as in 3) above. I.e. "template"->"attribute name" value is set to "nsRole"
    (So when a user's nsRole maps to a cn value of an entry under the TemplateDN subtree, that template applies.)
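
    To see how the classic CoS above actually selects a template, and to catch the wiring slips that make it silently do nothing, here is an added Python example; it is not Sun or Oracle code and was not supplied by either poster. It parses a constructed LDIF trimmed from the entries in the thread, resolves passwordPolicySubentry for a user the way a cosClassicDefinition does (template DN = cn="<value of the cosSpecifier attribute>",<cosTemplateDn>, lowest cosPriority wins), and lints for a template whose quoted name is not an existing role, a template pointing at a policy entry that does not exist, and an entry whose cn attribute disagrees with its RDN. nsRole is computed by the server; the sample user entries carry it explicitly, as the server would have computed it from the filtered roles. The second policy entry is left out of the sample and the serviceAccountRole entry is given cn: externalUserRole on purpose, so that both checks have something to find.

```python
import re

# Constructed LDIF trimmed from the thread; the second policy entry is left out
# and serviceAccountRole carries cn: externalUserRole so both lint checks fire.
SAMPLE_LDIF = """dn: cn=externalUserPwdPolicy,cn=Customized Password Policy,c=an
objectClass: passwordPolicy
cn: externalUserPwdPolicy
passwordMinLength: 8

dn: cn=externalUserRole,c=an
objectclass: nsFilteredRoleDefinition
cn: externalUserRole

dn: cn=serviceAccountRole,c=an
objectclass: nsFilteredRoleDefinition
cn: externalUserRole

dn: cn=PwdPol_CoSDefinition,c=an
objectClass: cosClassicDefinition
cn: PwdPol_CoSDefinition
cosAttribute: passwordPolicySubentry operational
cosTemplateDn: cn=pwdPolTemplateContainer,c=an
cosSpecifier: nsRole

dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
objectClass: costemplate
cosPriority: 2
passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an

dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
objectClass: costemplate
cosPriority: 2
passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an

dn: cn=user1,ou=people,o=accounts,c=an
cn: user1
nsRole: cn=externalUserRole,c=an

dn: cn=user4,ou=services,o=accounts,c=an
cn: user4
nsRole: cn=serviceAccountRole,c=an
"""


def norm_dn(dn):
    """Case-fold a DN and drop blanks after commas so spellings compare equal."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def first_rdn(dn):
    """(attribute, value) of the leading RDN; a quoted value may contain commas."""
    m = re.match(r'\s*([^=]+)=("[^"]*"|[^,]*)', dn)
    return m.group(1).strip().lower(), m.group(2).strip().strip('"')


def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, leading-space line
    folding, attribute names lower-cased) returning {normalised dn: attrs}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)            # join continuation lines
        attrs = {}
        for line in unfolded.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries


def resolve_cos(entries, user_dn):
    """Attributes a classic CoS generates for one entry: for every
    cosClassicDefinition, the template cn="<specifier value>",<cosTemplateDn>
    supplies the value; the lowest cosPriority wins if several match."""
    user = entries[norm_dn(user_dn)]
    generated = {}
    for e in entries.values():
        if "cosclassicdefinition" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        attr = e["cosattribute"][0].split()[0].lower()       # drop 'operational'
        container, specifier = e["costemplatedn"][0], e["cosspecifier"][0].lower()
        hits = []
        for value in user.get(specifier, []):
            tmpl = entries.get(norm_dn(f'cn="{value}",{container}'))
            if tmpl and attr in tmpl:
                hits.append((int(tmpl.get("cospriority", ["0"])[0]), tmpl[attr][0]))
        if hits:
            generated[attr] = min(hits)[1]
    return generated


def lint(entries):
    """Wiring checks to run before suspecting the server."""
    findings = []
    for dn, e in entries.items():
        rdn_attr, rdn_val = first_rdn(dn)
        if rdn_attr in e and norm_dn(rdn_val) not in map(norm_dn, e[rdn_attr]):
            findings.append(f"{dn}: {rdn_attr} attribute does not match the RDN")
        if "costemplate" in [c.lower() for c in e.get("objectclass", [])]:
            if norm_dn(rdn_val) not in entries:
                findings.append(f"{dn}: template name is not the DN of an existing role")
            for ref in e.get("passwordpolicysubentry", []):
                if norm_dn(ref) not in entries:
                    findings.append(f"{dn}: passwordPolicySubentry {ref} does not exist")
    return findings
```

    resolve_cos(parse_ldif(SAMPLE_LDIF), "cn=user1,ou=people,o=accounts,c=an") yields the externalUserPwdPolicy DN, and lint() reports the two planted faults. Note that the CoS match is made on the template's quoted DN against the role DN in nsRole, not on the role entry's cn attribute, so a mismatched cn does not stop resolution by itself; it is still worth fixing before the server is asked to apply the policy.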

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
    If anyone can help me figure out why it doesn't work, that would be great!
    P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my java code:
    import javax.naming.*;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    // uid is the Kerberos principal used to log in; userDn is the DN of the entry
    // whose unicodePwd is modified (the original post read it from an object that
    // is not shown, so it is passed in explicitly here).
    public void changeSecret(String uid, String userDn, String oldPassword, String newPassword)
            throws LoginException {
        K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
        LoginContext lc = new LoginContext("marker", cb);
        lc.login();
        try {
            Subject.doAs(lc.getSubject(),
                    new ChangePasswordAction(userDn, oldPassword, newPassword));
        } finally {
            lc.logout();
        }
    }
    ChangePasswordAction.java is:
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.io.UnsupportedEncodingException;
    import java.security.PrivilegedAction;
    import java.util.Hashtable;

    class ChangePasswordAction implements PrivilegedAction<Object> {
        private final String userDn;
        private final String quotedOldPassword;
        private final String quotedNewPassword;

        public ChangePasswordAction(String userDn, String oldPassword, String newPassword) {
            this.userDn = userDn;
            // AD expects unicodePwd as the UTF-16LE encoding of the password wrapped in double quotes.
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
        }

        public Object run() {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                DirContext ctx = new InitialDirContext(env);
                ModificationItem[] mods = new ModificationItem[2];
                byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                // A user-initiated change is a delete of the old value plus an add of the new one.
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", oldPasswordUnicode));
                mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", newPasswordUnicode));
                ctx.modifyAttributes(userDn, mods);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();   // this is where the error code 53 above surfaces
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
            return null;
        }
    }
    K5CallbackHandler is:
    import javax.security.auth.callback.*;
    import java.io.IOException;

    final class K5CallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] passwd;

        public K5CallbackHandler(String nm, String pw) {
            name = nm;
            passwd = (pw == null) ? new char[0] : pw.toCharArray();
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(passwd);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
    The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
    marker {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding the following in your ChangePasswordAction class:)
    // Specify the quality of protection
    // e.g. auth-conf: confidentiality; auth-int: integrity
    // confidentiality is required to set a password
    env.put("javax.security.sasl.qop", "auth-conf");
    // require high-strength 128-bit crypto
    env.put("javax.security.sasl.strength", "high");
    You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
    Good luck.

  • WLC 4400 issue on "user login policies" parameter.

    Hi,
    I'm using a Cisco Wireless controller in my company.
    (the model is a AIR-WLC4402-50-K9 in 4.2.207.0 version).
    The WLAN is configured with WPAv2 AES and 802.1X (PEAP MS-CHAPv2) authentication on an external Microsoft IAS server (2003 R2).
    the authentication rely on Active Directory login and password.
    The user authentication works fine and the WLAN too.
    But it's possible for a single user to log on different laptops with the same AD login and password and use the wireless network.
    And it has to be forbidden by the "user login policies" parameter set to 1 on the WLC (in security parameters).
    Does anybody know if it's a known issue and how to solve this problem?
    thanks,
    raphael Paviot.

    Dancampb,
    Many thanks ,  you're right, I have to find the solution on IAS server side.
    In fact, I have also applied these commands on the controller and the max-user login works (in the case of an external RADIUS server).
    I have seen it in the "message logs".
    (Cisco Controller) config>advanced eap max-login-ignore-identity-response disable
    (Cisco Controller) config> netuser maxuserLogin 1
    But the problem still remains, because the IAS server is not case sensitive for user logins, unlike the Wireless Controller.
    For example:
    raphaelpaviot login and RaphaelPAVIOT login are:
    -one user for the IAS server.
    -two different users on the WLC.
    cordially.
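
    The mismatch the poster describes (IAS matching the account case-insensitively, the controller counting case variants as separate users) is a general property of any per-user limit keyed on the raw identity string. The following added Python model, not Cisco or Microsoft code, replays constructed 802.1X accept events against a max-logins-per-user rule with and without canonicalising the identity first. The handling of the DOMAIN\user and user@realm forms is this example's assumption about how the RADIUS server matches accounts, not something the thread states.

```python
def canonical_user(name: str) -> str:
    """Reduce an 802.1X identity to the form the RADIUS server matches on:
    case-insensitive, with 'DOMAIN\\user' and 'user@realm' cut down to the
    bare account name.  The realm/domain stripping is this example's
    assumption about how IAS was configured, not something the thread states."""
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.casefold()


def admit(events, max_logins, key=lambda n: n):
    """Replay (identity, client MAC) accept events against a 'max logins per
    user' rule.  `key` decides what counts as the same user.  A client
    re-associating with a MAC that already holds a session is always admitted.
    Returns a list of (identity, mac, admitted) decisions."""
    active = {}       # key(identity) -> set of MACs holding a session
    decisions = []
    for ident, mac in events:
        macs = active.setdefault(key(ident), set())
        allowed = mac in macs or len(macs) < max_logins
        if allowed:
            macs.add(mac)
        decisions.append((ident, mac, allowed))
    return decisions


# Constructed events: one person, one AD account, four laptops.
EVENTS = [
    ("raphaelpaviot", "00:11:22:33:44:01"),
    ("RaphaelPAVIOT", "00:11:22:33:44:02"),               # same account, different case
    ("CORP\\raphaelpaviot", "00:11:22:33:44:03"),         # NetBIOS-qualified form (assumed)
    ("raphaelpaviot@corp.example", "00:11:22:33:44:04"),  # UPN form (assumed realm)
]


def admitted_count(events, max_logins, normalise):
    """How many of the events end up holding a session."""
    key = canonical_user if normalise else (lambda n: n)
    return sum(1 for _, _, ok in admit(events, max_logins, key) if ok)
```

    With the raw User-Name as the key, admitted_count(EVENTS, 1, normalise=False) is 4: every spelling is a separate "user" to the counter, which is the behaviour the poster saw on the WLC. Keyed on canonical_user it is 1. The same normalisation has to be applied wherever the limit is enforced; applying it on the RADIUS side only (as the reply suggests) works because that is where the identity is already matched case-insensitively.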

  • Active directory Schema - Multiple password policies

    Hi All,
    I am new to AD and would need some suggestion to configure AD. I want to set up AD(2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based
    on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2,
    dealer2loc3 and so on)
    I know the concept of PSO(Password Settings Object) and that it can only be applied to OU using shadow groups and batch file (to copy users from OU to Shadow Groups). The issue is that the OUs would keep getting added as per requirement (would
    be  creating new OUs using C#) and then the management of PSO or shadow groups or batch file would be very complicated, not sure if it can be automated.
    Also, I have budget constraints to add new servers for each domain and separate password policies.
    What could be the possible solution to separate password policies and set up this user structure in Active Directory. I am using W2k8 R2.
    Thanks.

    Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will be not easy to automate.
    Also, can you confirm if I can set up separate password policies by creating sub-domains (e.g. example.com will be divided into sales.example.com and admin.example.com, and this would further be divided into melbourne.sales.example.com and sydney.sales.example.com)
    and I can set separate password policies for sales.example.com and admin.example.com.

    By adding child domains, it is like you are killing a mosquito with a rocket launcher, if you know what I mean. Adding child domains increases the cost and administration and also adds complexity to your environment.
    From a technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help from a skilled script writer to edit the script. Also I am saying
    that editing your script to a fully automated script is not impossible, it just needs enough time and skills.
    Mahdi Tehrani | www.mahditehrani.ir
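    Automating the shadow-group approach discussed in this thread, as an added example that is not the poster's or Mahdi's script: a PowerShell run (ActiveDirectory module, Windows Server 2008 R2 or later, executed with rights over the PSO container and the groups) that discovers every OU under a parent OU, keeps one shadow group per OU in sync with that OU's users, and binds a single PSO for the category to those groups, so OUs created later at run time are picked up on the next scheduled run without editing the script. The parent OU, PSO name, group naming scheme and the 45-day policy values are placeholders chosen for the example.

```powershell
Import-Module ActiveDirectory

# Placeholder names for this example (not from the thread).
$parentOu = 'OU=Dealers,DC=example,DC=com'   # new per-location OUs appear under here
$psoName  = 'PSO-Dealers'                     # one PSO per user category

# Ensure the category PSO exists (idempotent); 45-day aging is the sample value.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 100 -PassThru `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 45) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# Every OU directly under the parent gets its own shadow group, so OUs that the
# C# provisioning code creates later are handled on the next run automatically.
foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $parentOu -SearchScope OneLevel) {
    $groupName = "PSO-Shadow-$($ou.Name)"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path $ou.DistinguishedName -PassThru
    }

    # Bind the PSO to the shadow group once (AppliesTo lists the subject DNs).
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }

    # Reconcile membership with the OU's current users: add newcomers, drop users moved out.
    $wanted  = @(Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope Subtree |
                 Select-Object -ExpandProperty DistinguishedName)
    $current = @(Get-ADGroupMember -Identity $group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty DistinguishedName)
    foreach ($d in Compare-Object -ReferenceObject $wanted -DifferenceObject $current) {
        if ($d.SideIndicator -eq '<=') { Add-ADGroupMember -Identity $group -Members $d.InputObject }
        else { Remove-ADGroupMember -Identity $group -Members $d.InputObject -Confirm:$false }
    }
}

# Spot check afterwards: the policy a given user actually receives, e.g.
# Get-ADUserResultantPasswordPolicy -Identity 'sampleuser'   # 'sampleuser' is a placeholder
```

    Run it as a scheduled task after the provisioning job; a user who is moved between OUs is removed from one shadow group and added to the other on the same run.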

  • Help with Password Policies.

    Hi,
    I created two different Password Policies and applied them to the Xellerate User Resource Object.
    Now when I create a new user of Xellerate User type, the password policy doesn't apply; whatever password I give, it takes.
    But when I change the password, the policies are applied.
    Why so?
    Thanks
    SjiT

    Administration -> Password Policies
    Policy name_ PolicyTrial_sjit
    minimum Length=5
    Custom Policy Selected.
    Max Length=20
    Min Numeric=2
    Min UpperCase=2
    Resource Management -> Rule Designer
    name = LastName_sjit
    Operator = AND (by default it was selected; please explain what the difference is between AND/OR in this)
    Type =general
    Description-last Name =jain pass rule
    Rule Element:
    Last name==jain
    Resource Object:
    xellerate User
    (Here Order for Organisation is pre-selected. What is the difference between Order For User and Order For Organisation?)
    Added a Password policy Rule
    Rule-LastName_sjit
    Policy-PolicyTrial_sjit
    Admin and User Console Guide:
    logged as xelsysadm
    Create User::
    Password = 2
    Organisation = Xellerate User
    last Name =jain
    User Created :( :(
    user Details page..
    Clicked Change password.
    Password- abc
    Confirm- abc
    Password Policy Error
    Password must contain at least 1 numeric characters.
    Password must contain at least 2 alphabetic characters.
    Password must not be longer than 10 characters.
    Password must be at least 5 characters long. 
    What will be the possible cause of such an error?
    Edited by: sjit on Apr 1, 2010 12:17 AM

  • Password policies in ODSEE 11.1.1.7.2

    Hi,
    we're running ODSEE 11.1.1.7.1 on our masters and most of our replicas, all in DS5-compatible-mode.
    I've a job running on the masters to export LDIF data, to be able to set up new environments for test purposes easily.
    Inside our DIT we've set up special password policies for all users, ignoring the default policies completely.
    I now set up a new instance on another host and tried to import the complete DIT via dsconf import, and got for every entry with a passwordPolicySubentry attribute an error:
    [11/Mar/2015:11:40:56 +0100] - INFORMATION - Config  - conn=-1 op=-1 msgId=-1 -  (Password Policy: get policy object from entry) Entry "<dn of policy>" not found (51). Reverting to default policy entry "cn=password policy,cn=config".
    I figured out that our internal policies are not imported due to attributes from both objectclasses (sunPwdPolicy & pwdPolicy). I deleted the password*-attributes manually and got them imported in the correct place in the DIT.
    Afterwards I tried to do dsconf import -K with all user entries with the relevant passwordPolicySubentry attribute and I got the same errors as written above again.
    I managed to import the data successfully with ldapadd with the correct passwordPolicySubentry, but why not with dsconf import?
    Thanks for your hints to find the problem!
    Regards,
    Roland

    Hello,
    You mean the password policy entries are not returned by a search?
    Password policies stored in the data are stored as LDAP subentries. To get LDAP subentries, you must explicitly ask for them in the search filter, e.g. (objectclass=LDAPsubentry)
    -Sylvain

  • I want to know any of the two-Claude Yvon because I lost any Cloud and password?

    I want to know any of the two-Claude Yvon because I lost any Cloud and password

    Welcome to the user to User Technical Support Forum provided by Apple.
    ramadanawajnh wrote:
    I want to know any of the two-Claude Yvon because I lost any Cloud and password
    Clearly state your Issue and the Troubleshooting Steps you have tried to Resolve it
