Disabling User in Solaris

Is there any way to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?
Scott

Scott wrote:
Is there any way to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?

No, there is no way to do that.
The usage of passwd -d and/or -l is limited to certain installations. If you read the man page for passwd you will see that it only works for files as the repository, not for any of the other possibilities (NIS or NIS+ or LDAP). It also depends on PAM modules to implement this and they do not have to be configured on the system.
WilfredS
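
As an added example (not part of the original thread and not code from the Identity Manager adapter): a small audit that classifies the password field of shadow(4) entries, so that accounts an identity system reports as disabled but that carry no native lock marker (`*LK*` from Solaris `passwd -l`, a leading `!` on Linux) can be listed. The sample entries, the function names and the `idm_disabled` set are constructed for illustration.

```python
import re

# Constructed sample in shadow(4) layout:
# name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
alice:$5$constructedsalt$ConstructedHashForAlice:15000:0:99999:7:::
bob:*LK*$5$constructedsalt$ConstructedHashForBob:15000::::::
carol:!$6$constructedsalt$ConstructedHashForCarol:15000:0:99999:7:::
dave:NP:6445::::::
erin:*LK*:15000::::::
gina:$6$constructedsalt$ConstructedRandomPassword:15000:0:99999:7:::
"""

# Traditional DES crypt output: exactly 13 characters from the crypt alphabet.
_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(pw_field):
    """Return the state implied by one shadow password field."""
    if pw_field == "":
        return "empty"            # no password set at all
    if pw_field.startswith("*LK*") or pw_field.startswith("!"):
        return "locked"           # native lock (Solaris *LK*, Linux !)
    if pw_field == "NP":
        return "no-password"      # Solaris: account has no password
    if pw_field.startswith("$") or _DES.match(pw_field):
        return "hash"             # a usable password hash is present
    return "no-login"             # e.g. "*" or "x": matches no password


def parse_shadow(text):
    """Map each account name to its classified password state."""
    states = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue              # malformed line, skip it
        states[fields[0]] = classify(fields[1])
    return states


def unlocked_but_disabled(text, idm_disabled):
    """Accounts the identity system calls disabled that still hold a live hash.

    These were disabled by password randomisation only: nothing on the host
    itself records that the account is meant to be disabled.
    """
    states = parse_shadow(text)
    return sorted(u for u in idm_disabled if states.get(u) == "hash")


if __name__ == "__main__":
    for user, state in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
    # Hypothetical list of accounts the identity system reports as disabled.
    print(unlocked_but_disabled(SAMPLE_SHADOW, {"bob", "gina"}))
```

This only covers the files repository; entries served from NIS, NIS+ or LDAP never appear in the local shadow file.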

Similar Messages

  • HI I am facing problem to disable user in LDAP thru SIM

    Hi, I have configured LDAP directory server in Sun IDM.
    After creating the user in IDM & LDAP I am trying to disable the user both in SIM as well as LDAP. In the IDM repository it is showing that the user in LDAP got disabled, but actually in LDAP the user account is in active state.
    I am not understanding why this problem is coming. Earlier when I tried to disable the user in LDAP through IDM it was working fine, but it is not working now. It is very urgent for me. Can anyone tell the reason? Any advice will be helpful.

    There are two ways of disabling ANY account on ANY resource through a resource adapter.
    1) use native method, if it exists.
    2) change password to some value which matches password policy AND completely forget this password.
    The first method is used for some adapters, Oracle for example.
    The second method is used more widely, for Solaris, Redhat Linux, LDAP... and many other resources.
    I believe that they made LDAPResourceAdapter using DisableUser this way so that it can be used for communicating with non-Sun directory servers as well.
    So, disabling user from Identity Manager does not disable the user through setting any native flag on JES Directory Server, but by changing and forgetting password AND marking that account as "disabled" in the Identity Manager instead.
    The user cannot log on anymore, so the "disable" is ok. Although you cannot see that the user is disabled using common ldaptools.

  • Error in creating user for solaris

    Hi,
    I am using IDM version 6.0 and have configured a Solaris resource in IDM, but when I try to assign a user to Solaris, the user gets created on the Solaris box and the resource exists for that user, but when I click on the user to display or update it I get the error:
    ERROR:Unresolved rule: getDefaultShell.
    I don't know what to do. Can anyone help me please?

    I got the solution to my question: I had to import the shellrule file from the /sample directory into IDM.

  • Getting error "1013009 Administrator Has Temporarily Disabled User Commands"

    Hi All,
    I am getting the error "1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
    Appreciate any help..
    Thanks
    Mahesh

    Mahesh wrote:
    Hi All,
    I am getting the error "1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
    Appreciate any help..
    Thanks
    Mahesh
    Possible Cause
    When a database is being restructured or any application/database on the server is being copied, you can get this message.
    or
    When a cube is being restructured, commands are restricted because the integrity of the cube has to be stable and no one is allowed to access it.
    or
    Copying an application requires that the Essbase security file be in read/write mode and therefore other applications are not accessible until the process is completed.
    Possible Solution
    In Application Settings, verify that the Allow Commands or Allow Updates options are not selected.
    If not selected, select those and try.
    Regards,
    Prabhas
    Edited by: P on Apr 7, 2011 3:36 PM
    Edited by: P on Apr 7, 2011 3:38 PM

  • Outlook Contact Card - Organization Tab disabled users

    In Outlook there is a Contact Card showing detailed information about that person. The Organization tab shows the contact's "Manager", "Shares Same Manager" (other contacts with the same manager), and "Direct Reports" (people that report to that contact).
    The problem I am seeing is that users disabled in Active Directory (people that have left the company) are showing up in the Organization Tab.
    How can I filter out disabled users from this list for anyone using Outlook?
    I cannot permanently delete users from Active Directory until after a disabled account reaches a certain age. Also I would prefer not modifying the disabled Active Directory user accounts.
    We mostly run Outlook 2010 with a few people running Outlook 2013.

    Hi,
    Outlook has no control over this, it just displays what it got from the server end. And to my knowledge, there is no such a feature to filter out those users from that list, at least on Outlook client.
    Regards,
    Ethan Hua
    TechNet Community Support
    It's recommended to download and install Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.

  • Disable IPv6 in Solaris 11

    I work for a regulated bank in the UK and we do not use IPv6. IPv6 is disabled on all our switches.
    Despite this control we have previously been told by external auditors that we must also disable IPv6 on our servers. No problem in Solaris 10 and lower.
    Can anyone tell me a simple way to do this in Solaris 11? There doesn't seem to be a way to only plumb IPv4 interfaces.
    I found an unreliable source on the internet telling me to hack the file /etc/ipadm/ipadm.conf, but this means I need to reboot after plumbing interfaces, something that we haven't had to do for how many years? There must be a sensible way to do this...?

    Do not under any circumstances unless directed by Oracle Support as part of fixing a bug modify the ipadm.conf file directly.
    You can't disable IPv6 in Solaris 10 either; what you can do is not have any IPv6 addresses active on plumbed interfaces.
    You can do the same in Solaris 11. However, you can't disable the IPv6 loopback address on Solaris 11 if you have zones and want to be able to do 'pkg update' using the system repository from inside the zone.
    To remove the IPv6 address on net0 do something like this:
    # ipadm delete-addr net0/v6addr

  • How to do Archiving of deleted & disabled users in OIM11g

    Hi All,
    As per the requirement we have to archive deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
    Regards,
    user7609

    Just to recap:
    Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
    As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
    All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

  • Disabled User Password should not be changed

    Hi,
    We have a requirement that the administrator must be able to change the user password only if the user's status is active. Admin should not be able to change the password if the user is in disabled state/locked state. How can we achieve this? Please suggest...
    Regards
    Vinoth

    Hi,
    We have made an entity adapter which takes the usr login value from User [in Data object manager] and calls our Java method, which makes a connection to the OIM database and gets us the status of the user.
    Now if the status of the user is disabled, the method returns true, and on true we have associated our error code with it.
    We are executing our entity adapter in pre-update execution.
    Now when we change the password of any disabled user we are able to see our error code. But whatever update [either first name update, enable] we run on that user, the same error code appears.
    Please suggest/reply.
    thanks

  • Disable User on updating an User attribute in OIM

    Hi,
    I have OIM 11g R2 with LDAP SYNC enabled with OID through OVD.
    I want to trigger Disable user on modifying a UDF attribute of the user.
    For example, if attribute1 of the user is set to true then the disable user operation should be triggered for the user.
    So first in my adapter I will check whether the attribute is true and then trigger disable user.
    In 11g R2, as mapping adapters attached to the Users form in data object manager is not supported, I am not able to map to the user definition and hence not able to check if attribute1 is true or false.
    Please help and let me know if this can be achieved in any other way.
    Edited by: 988070 on Mar 20, 2013 3:55 AM

    You can write a post-process event handler:
    It will update the user status to disabled when the UDF attribute is set to true.
    For this, you need to set the condition as:
    Get the value of the user defined attribute and store it in a variable "flag".
    disable UserManagerResult disable(java.lang.String attributeName, java.lang.Object attributeValue) //attributeName will be the user defined field, value will be "true"
    throws ValidationFailedException,
    oracle.iam.platform.authz.exception.AccessDeniedException,
    UserDisableException,
    NoSuchUserException,
    SearchKeyNotUniqueException
    Disables the user account matching the search criteria.
    Parameters:
    attributeName - The attribute name for the search criteria.
    attributeValue - The attribute value for the search criteria.
    Returns:
    UserManagerResult containing the entity id of the disabled user.
    Cheers,
    Vamsi.

  • OIM-DBAT ...ERROR during Disabling user

    Hi,
    I am using the database app tables connector with OIM, wherein the user is being provisioned to a database table. When the user is disabled, the associated database resource does not get disabled, Disable User is rejected and it gives the following error:
    GCPROV.ProvTransportProvider.DBProvisioningTransport.DB_STATUS_FIELD_LOOKUP_ERROR" does not correspond to a known Response Code. Using "UNKNOWN
    The table has some attributes viz. Username, user id, fname, lname, Status (can be 0 or 1), email.
    The requirement is: when the user is terminated in OIM, the respective database resource should get disabled, that is, the status should be updated to 0.

    Hi Sunny,
    When I disable the OIM user, the Disable User process of the database account is invoked but it gets rejected, giving the above stated error. And the status field in the process form is not updated. In the GTC configuration, I have mentioned the table column name (ENABLED, which can take values 0 or 1) that will be acting as status, and also provided the Lookup code name that contains the status mappings as follows:
    Code Decode
    Active 0
    Disabled 1

  • Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

    Hello. Can anyone help please?
    In our Exchange 2010 environment we have users who are granted send on behalf to access. Obviously some users leave and I'm finding that there are ghosts left behind which are causing issues with our team who add users into the grantsendonbehalfto option using the EMC. Using the log view we copy out the command and then remove the disabled user from the command and then paste this into an Exchange PowerShell command line. This works because it is doing what Exchange EMC does, which is rewrite the -GrantSendOnBehalfTo option in its new entirety.
    The problem occurs because I need to remove these en masse from approx 700 plus accounts.
    I have tried to modify one user in order to get the script to work but it doesn't.
    This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:
    Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that i
     was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2
    13-08/Gaynor Collins-Punter isn't the expected type.
        + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : F6498844
        + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
    Am running the script from my local PC.
    This is the script I have used.
    # Gather info; use get-mailbox -resultsize unlimited
    $mailboxes = Get-Mailbox zplew1
    Foreach($mailbox in $mailboxes)
    {
        # Walk the list backwards so RemoveAt does not shift unvisited entries
        for($i = ($mailbox.GrantSendOnBehalfTo.count)-1; $i -ge 0; $i--)
        {
            $address=$mailbox.GrantSendOnBehalfTo[$i]
            $addressString=$address.addressString
            If($addressString -like "*disabled*")
            {
                $mailbox.GrantSendOnBehalfTo.removeat($i)
                $info >> "C:\Scripts\grantsendonbehalfto.csv"
            }
        }
        $mailbox |set-mailbox -GrantSendOnBehalfTo $mailbox.grantsendonbehalfto
    }
    If you require any more info please let me know.

    #1 - I recommend posting in the Exchange forum for how to do this.
    #2 - When an account is disabled most of the information in the object is hidden. You would need to undelete to use the object.
    #3 - Get list as text and validate all values are not deleted accounts. Remove deleted and save back.
    ¯\_(ツ)_/¯

  • How to catch rollback in Disable user process task in Xellerate User Process

    hi ...
    I want to send an email to the manager group of the user once the user is disabled from OIM (when the end date is reached). I created an adapter and attached it to the ‘Changed User Disabled’ process task in the ‘xellerate user provisioning’ process and added a new row in the “Lookup.USR_PROCESS_TRIGGERS” Lookup definition (code key: USR_DISABLED and Decode: Change User Disabled). This adapter executes only when the user status is equal to “disabled”.
    This works correctly when the OIM user disabling process executes without any errors. But sometimes while disabling the user it gives an error (“resource is not configured properly”) and rolls back everything and makes the user active. But at the same time my adapter runs and sends the mail informing that the user is disabled, although the user is still active.
    My problem is how can I find or catch the rolled back transaction in the “Disable User” process task (which is in the “Xellerate User” process)? If I can get to know that a rollback has occurred then I can send a mail to the OIM administrator, informing that the user disable process has failed.
    Can someone please help me to find this?
    Thanks in advance :)
    Regards,
    i.k.

    Hi Rajiv,
    The error occurs while disabling the user due to resource configuration problems (error message is: DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY -- One or more provisioned resource is not configured properly). In this case I know the problem and how to solve it. But what I want to know is, in any case where the disable process fails and things get rolled back again, how can I track that situation and send a mail to the OIM Admin (informing of the failure) instead of sending a mail to the user's managers saying that the user account has been disabled.
    I think now my problem is clear. Can you please help me to find this?
    Regards,
    i.k.

  • Oracle User in Solaris

    Hi,
    I created an oracle user in Solaris. If I switch from root to oracle, it does not ask for the oracle user's password and goes directly to the $ prompt.
    When I type the command who at the $ prompt it shows root. Why?
    $ who am i
    root -> here it should show the oracle username
    If I switch the user again, i.e. su - oracle, it now asks for the password and still shows root for the who am i command
    $su - oracle
    password:
    $ who am i
    root
    Can any one tell why its behaving like this?
    Thanks.

    Hi This is my .profile for oracle user
    export ORACLE_BASE=/u01/app/oracle
    export ORACLE_HOME=$ORACLE_BASE/product/9.2.0
    ORACLE_SID=TYP2
    ORACLE_TERM=xterm
    NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1
    LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib:/usr/openwin/lib
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/dt/lib:/usr/ucblib:/usr/local/lib
    export LD_LIBRARY_PATH
    # Set up the search paths:
    PATH=/bin:/usr/bin:/usr/sbin:/opt/bin:/usr/ccs/bin:/opt/local/GNU/bin
    PATH=$PATH:/opt/local/bin:/opt/NSCPnav/bin:$ORACLE_HOME/bin
    PATH=$PATH:/usr/local/samba/bin:/usr/ucb:.
    export PATH

  • Authorisation Active Directory Win2003 users in Solaris 10

    Now I have the task of configuring Kerberos authentication and LDAP authorisation for users of Win2003 Active Directory in Solaris 10.
    Kerberos authentication is configured with native pam_krb5 according to the paper http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx and works fine.
    But I can't configure authorisation with the native ldapclient library.
    Can you give a step-by-step guide to configuring native ldapclient and pam.conf for authorisation of AD users on Solaris 10?
    The ldaplist command returns an error:
    bash-3.00# ldaplist
    ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
    And snoop ldap return (10.25.66.222 - Solaris 10, 10.25.67.251 -AD-controller)
    bash-3.00# snoop ldap
    Using device /dev/pcn0 (promiscuous mode)
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Bind Request
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926 Bind Response Success
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926 Search ResDone Unavailable Critical Extension
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Unbind Request
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Bind Request
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Bind Response Success
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    My current 'ldapclient list' is following:
    bash-3.00# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=ldap_test,ou=Users,ou=Office,dc=corp,dc=com
    NS_LDAP_BINDPASSWD= {NS1}5e10c247a91661a5b4
    NS_LDAP_SERVERS= 10.25.67.251
    NS_LDAP_SEARCH_BASEDN= dc=corp,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= TRUE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
    NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:simple
    And pam.conf:
    # Authentication management
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth sufficient pam_krb5.so.1 debug
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    dtlogin auth requisite pam_authtok_get.so.1
    dtlogin auth required pam_dhkeys.so.1
    dtlogin auth sufficient pam_krb5.so.1 debug
    dtlogin auth required pam_unix_cred.so.1
    dtlogin auth required pam_unix_auth.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth sufficient pam_krb5.so.1 debug
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    passwd auth required pam_passwd_auth.so.1
    cron account required pam_unix_account.so.1
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    other account required pam_krb5.so.1 debug
    other session required pam_unix_session.so.1
    other session sufficient pam_krb5.so.1 debug
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_krb5.so.1 debug
    other password required pam_authtok_store.so.1

    I tried this, but I found the Solaris implementation too unstable and scary, so I decided to go with VAS or Vintela from Quest:
    http://www.vintela.com
    It really works, unlike Sun's LDAP implementations, and it's easy too.
    7/M.

  • Disabling User Account Control - CUBAC

    Installing Cisco Unified Business Attendant Console. Documentation says that on Server 2003 / Server 2008 installations, disabling of the user account control is required. It gives a procedure to do this on Server 2008.
    The install I'm working on is on Server 2003. I cannot find anything like this. Googling on the subject has led me to believe that this is likely a documentation bug, as I can find no reference to Server 2003 having this feature.
    Has anyone else run into this? The documentation appears to have been written by someone who speaks English as a second language, and not thoroughly vetted for correctness.

    Hi Clifford,
    This would just be for Windows server 2008
    CSCtc77367 Bug Details
    CUBAC 3.1.1.5 docs need to say "disable User Account  Contol" in win2008w.
    It appears UAC (user account Control), a new feature found in Windows Server 2008, will block license files from being properly applied in CUBAC 3.1.1.5.
    The installation and requirement docs should reflect that UAC needs to be disabled before installing CUBAC on Windows Server 2008.
    Observations:
    Go to webadmin, licensing
    When you look at that page, you will not see any licensing info; no eval.
    It says, no licensing info.
    When we turned off UAC, the licensing page showed the eval info for 5 days.
    At which point we were able to add the license
    Status: Fixed
    Severity: 2 - severe
    Last Modified: In Last Year
    Product: Cisco Unified Attendant Consoles
    Technology
    1st Found-In: 3.1(1.5)
    Fixed-In
    Release-Pending
    Cheers!
    Rob
