DS 6.2 and password expiration

Hello,
I'm having problems enforcing password expiration with DSEE. We have two Solaris 10 DSEE 6.2 servers configured with multi-master replication. The clients are running Solaris 8 (117350-47 Jun 2007 kernel patch level), and are using pam_ldap authentication.
Using either telnet (just as a test) or ssh to login, I don't receive warnings of password expiration, nor is the account locked after passwordExpirationTime is exceeded.
As an example, I can still authenticate as a user with this passwordExpirationTime:
passwordExpirationTime=20071123163438Z
The following is our DSEE password policy:
pwd-accept-hashed-pwd-enabled : off
pwd-check-enabled : on
pwd-compat-mode : DS6-mode
pwd-expire-no-warning-enabled : on
pwd-expire-warning-delay : 4w
pwd-failure-count-interval : 10m
pwd-grace-login-limit : disabled
pwd-keep-last-auth-time-enabled : on
pwd-lockout-duration : disabled
pwd-lockout-enabled : on
pwd-lockout-repl-priority-enabled : on
pwd-max-age : 12w6d
pwd-max-failure-count : 4
pwd-max-history-count : 3
pwd-min-age : 1w
pwd-min-length : 6
pwd-mod-gen-length : 6
pwd-must-change-enabled : off
pwd-root-dn-bypass-enabled : off
pwd-safe-modify-enabled : off
pwd-storage-scheme : SSHA
pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
pwd-strong-check-enabled : on
pwd-strong-check-require-charset : any-three
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-user-change-enabled : on
Am I missing something obvious in the DSEE password policy? Would any other information be helpful in troubleshooting, such as /etc/pam.conf, patch levels of other packages, etc.?
Thanks!

If your DS6 instance is in DS5-compatible-mode (see above references), passwordExpirationTime is not ignored; however, please note that modifying server operational attributes via protocol has never been supported.
A supported way to force a user to change his or her password (without administratively resetting the password) would be to define a specialized password policy with a small max-age value (but maintaining the relationship pwdMinAge+pwdExpireWarning<pwdMaxAge), and use Roles/CoS to scope the policy to the user entry that requires a password change, but for which the password has not yet been changed. A value of pwdChangedTime in the past (or its absence from the entry) would indicate that the password had not yet been changed as requested. If the DS6 instance is in DS5-compatible-mode, you will need to enable grace logins via passwordWarning in the policy, while if the DS6 instance is in DS6-migration-mode or DS6-mode, you will also need to enable grace logins via pwdGraceAuthNLimit in the policy. Otherwise, the user cannot bind with an expired password.
OpenDS includes a "must-change-by" feature in the password policy that simplifies configuring the specialized password policy, but I'm not aware of any plans to add this feature to DS6.
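To make the reply's rules concrete, here is a small Python model of the checks it describes (an added example, not DSEE's own code): dsconf-style durations such as the 12w6d and 4w in the policy above, the pwdMinAge + pwdExpireWarning < pwdMaxAge relationship, which attribute each compat mode honours, and the grace-login rule for binds with an expired password. The sample entry and timestamps are constructed, and the DS5-mode/DS6-mode attribute selection is a simplifying assumption drawn from the reply.

```python
"""Model of the DSEE 6 password-expiration checks discussed in the thread (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Duration units as dsconf prints them ("12w6d", "4w", "10m"); "disabled" means zero.
_UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_DUR_RE = re.compile(r"(\d+)([wdhms])")


def parse_duration(text):
    """'12w6d' -> 90 days; 'disabled' -> zero."""
    text = text.strip()
    if text.lower() == "disabled":
        return timedelta(0)
    parts = _DUR_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("bad dsconf duration: %r" % text)
    return timedelta(seconds=sum(int(n) * _UNITS[u] for n, u in parts))


def parse_generalized_time(text):
    """LDAP GeneralizedTime as DSEE writes it, e.g. 20071123163438Z (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def policy_is_consistent(policy):
    """The relationship the reply insists on: pwdMinAge + pwdExpireWarning < pwdMaxAge."""
    return (parse_duration(policy["pwd-min-age"])
            + parse_duration(policy["pwd-expire-warning-delay"])
            < parse_duration(policy["pwd-max-age"]))


def expiration_time(policy, entry):
    """When the password expires, or None if the entry has nothing this mode honours.
    Assumption taken from the reply: DS5-compatible-mode honours passwordExpirationTime,
    DS6-mode and DS6-migration-mode use pwdChangedTime + pwd-max-age."""
    if policy["pwd-compat-mode"] == "DS5-compatible-mode" and "passwordExpirationTime" in entry:
        return parse_generalized_time(entry["passwordExpirationTime"])
    if "pwdChangedTime" in entry:
        return parse_generalized_time(entry["pwdChangedTime"]) + parse_duration(policy["pwd-max-age"])
    return None  # e.g. only passwordExpirationTime present while the server is in DS6-mode


def bind_outcome(policy, entry, now, grace_used=0):
    """Classify a bind at `now`: ('ok'|'warn'|'grace'|'expired'|'unknown', time_left)."""
    expires = expiration_time(policy, entry)
    if expires is None:
        return "unknown", None
    left = expires - now
    if left <= timedelta(0):
        # Expired: only an unused grace login (pwd-grace-login-limit) lets the bind through.
        limit = policy.get("pwd-grace-login-limit", "disabled")
        allowed = 0 if limit == "disabled" else int(limit)
        return ("grace" if grace_used < allowed else "expired"), left
    if left <= parse_duration(policy["pwd-expire-warning-delay"]):
        return "warn", left
    return "ok", left


def password_changed_since(entry, requested_at):
    """The reply's Roles/CoS scoping test: an absent or older pwdChangedTime means
    the user has not yet changed the password since the change was requested."""
    if "pwdChangedTime" not in entry:
        return False
    return parse_generalized_time(entry["pwdChangedTime"]) > requested_at


# Constructed sample data: the policy values quoted in the question plus a
# hypothetical entry whose password was last changed on 1 Sep 2007.
POLICY = {
    "pwd-compat-mode": "DS6-mode",
    "pwd-max-age": "12w6d",
    "pwd-min-age": "1w",
    "pwd-expire-warning-delay": "4w",
    "pwd-grace-login-limit": "disabled",
}
ENTRY = {"pwdChangedTime": "20070901000000Z"}

if __name__ == "__main__":
    now = parse_generalized_time("20071123163438Z")
    print(policy_is_consistent(POLICY), bind_outcome(POLICY, ENTRY, now))
```

With the question's own policy (DS6-mode, grace logins disabled) an entry that carries only passwordExpirationTime yields "unknown": that attribute is not what DS6-mode consults, which is the reply's first point.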

Similar Messages

  • WLC 4402 username and password expires automatically

    Hi,
    We are facing an issue with Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0): the username and password expire automatically. It happens very often. We are not able to retrieve the password, so every time we need to reset (factory default) the Cisco WLC4402 and do a fresh installation.
    Whether it is a hardware issue or a software bug?
    Also, is there any possibility of recovering the username and password with resetting the Cisco WLC4402?
    Kindly suggest on this issue.
    Regards
    S.Manikandan

    Hmmm.. Strange!! are we using any TACACS to manage?? or just the management username and password??
    I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
    Regards
    Surendra

  • DS 6.3 ssh key and password expiration warnings

    I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
    In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. - That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings, based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
    If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
    The user can only login if they start from a different username and bypass the ssh key check.
    Hope this makes sense.

    After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed and validated in the directory. Since no password is entered when using an ssh key, the warnings aren't triggered.

  • Hyperion, Oracle, and password expirations ???

    We're currently in the process of trying to change our password policy for some reporting databases we have that are only accessed by users (non-developers) for developing hyperion reports using the desktop client software. We've set up an Oracle warning message to be generated when the user's password is going to expire in 5 days. When logging in through the OCE, the user sees this message, but it never actually logs the user in... it shows the message, and then redisplays the login popup. I'd like for them to be able to login and then use their Connections Manager to change the database password, but it won't let them log in.
    Has anyone encountered this problem before and possibly know of a solution or workaround? I'm assuming the Hyperion client software is taking any return code other than 0 for login as a failure...

    If you need an encrypted connection to Essbase then you should use Smartview over https.
    1) The Excel-Addin connection is not encrypted -- you can definitely see member information with a packet trace and with some time could probably figure out how to decipher the numeric data. The password to connect with did seem to have some level of encryption -- Hyperion would need to answer anything further as this is not documented.
    2) The lockout mechanism depends on the user directory provider you chose. To my knowledge the native directory has no capabilities for user lockout. If you chose to use, say, Active Directory or another system, then those items are configured in that user directory and you would need to speak with the specific directory administration team regarding the lockout mechanisms.
    Regards,
    -John

  • Password expire date back to 2011 from 2012  after assigned  a user profile

    Friends,
    I created a profile test as
    COMPOSITE_LIMIT UNLIMITED
    SESSIONS_PER_USER UNLIMITED
    CPU_PER_SESSION UNLIMITED
    CPU_PER_CALL UNLIMITED
    LOGICAL_READS_PER_SESSION UNLIMITED
    LOGICAL_READS_PER_CALL UNLIMITED
    IDLE_TIME 60
    CONNECT_TIME UNLIMITED
    PRIVATE_SGA UNLIMITED
    FAILED_LOGIN_ATTEMPTS 5
    PASSWORD_LIFE_TIME 120
    PASSWORD_REUSE_TIME 60
    PASSWORD_REUSE_MAX 30
    PASSWORD_VERIFY_FUNCTION NULL
    PASSWORD_LOCK_TIME 1
    PASSWORD_GRACE_TIME 7;
    The user's default profile has PASSWORD_LIFE_TIME 180 and the password expiry date is 1/7/2012. The test account was created on 7/11/2011.
    Now I assign the test user to the test profile successfully.
    However, the expiry date changes from 1/7/2012 to 11/8/2011 according to a select from dba_users.
    What is wrong in my profile, or somewhere else?
    As I understand it, the password expiry should start from when the new profile with PASSWORD_LIFE_TIME is assigned, but it seems the expiry date starts from the original account creation date.
    Thanks
    newdba
    Edited by: Oradb on May 24, 2012 1:56 PM

    I would think the expire time would be based on the last password change time which Oracle stores in the rdbms base table for user information (user$). Find a second user, alter the password, check the expire date, then assign the user to the new profile, re-check the expiration date. Post back. Behavior may vary between releases so include full Oracle version of test.
    HTH -- Mark D Powell --

  • Oracle Xellerate - Account and Password Expiry

    Hi All,
    I needed a quick help on how would Oracle Xellerate Identity Provisioning enforce account and password expiration policies. Please suggest me some good supporting links.
    Thanks and Regards
    Aditi

    You should be able to get this information from the Xellerate product documentation which gets created when you install the product.
    Thanks,
    Prashant

  • DS 6.3 password expiration oddities

    I have been exploring an upgrade from DS5.2 to DS 6.3 to take advantage of the enhanced password policies and password expiration that have never worked quite right in DS5.2.
    The previous 5.2 and migrated 6.3 environments both use netgroups to restrict logins to specific systems.
    This generally works very well, although I'm seeing weirdness for local system accounts.
    I've explored the forums, tweaked pam.conf and nsswitch.conf in pretty much every way that's been suggested.
    DS 6.3 is setup on Solaris 10, and my client systems are Solaris 8, with all of the latest necessary patches applied.
    nsswitch has:
    passwd: compat
    group: compat
    passwd_compat: ldap
    group_compat: ldap
    netgroup: ldap
    All local and LDAP accounts can login fine if pam.conf has:
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    But no warning messages are received from the directory server for password expiration or administrative password resets.
    If I change pam.conf to have:
    other account requisite pam_roles.so.1
    other account optional pam_ldap.so.1
    other account binding pam_unix_account.so.1 server_policy
    All users can login, password expiration warnings are received, and users are notified if the admin user resets their password, but (as expected) users aren't forced to reset their password on first login or resets.
    Using "required" or "requisite" for pam_ldap in the above stack order disables local account logins, as they are prompted for LDAP passwords that they don't have.
    Any combination of settings that I've tried that successfully force resets, etc. appear to disable the ability of local accounts to login - they are prompted for LDAP password, which of course fails.
    If anyone can demonstrate a combination of nsswitch.conf and pam.conf settings that will actually allow local user login, but still enforce password policies and expiration warnings, for Solaris 8 clients, it would be greatly appreciated.

    I'm still struggling to get password expiration and inactivation to work with DS 6.3.1 and Solaris 10 5/08. When accounts are expired or inactivated (nsAccountLock) users can still login via ssh. But when accounts are temporarily locked (pwdAccountLockedTime) ssh does the right thing and won't let them log in.
    Things work properly when I have
    passwd: files ldap
    in nsswitch.conf, but when I go to compatibility mode:
    passwd: compat
    passwd_compat: ldap
    ssh 'ignores' expiration and inactivation status of accounts.
    Following the advice of your last comment here (4.5 years ago!) I took away all access to the 'userPassword' attribute for the proxy account, but nothing changed (I did an 'ldapsearch' as the proxy account to ensure that the aci was working as expected and denying all access to the attribute).
    Would you, akillenb, or anyone, be so kind as to give any information that will let a Solaris 10 client work properly with the enhanced account management facilities of the Sun DSEE 6.3.1 LDAP server? Copies of pam.conf and nsswitch.conf and details on LDAP aci's would be most gratefully received!!!

  • I am trying to set up a genius bar appointment on my computer and it tells me "Sorry your session has expired. Please sign in again using your Apple ID account name and password" I know they are correct and use them to sign in on my phone.

    Hi, I am trying to set an appointment for the Genius Bar on my computer.  I know for a fact that my login is correct.  I have used it to sign in here and make an appointment (had to do it on my phone).  When I get to the appointment area it tells me to re-sign in, and tells me "SORRY" Your last session has expired.  Please sign in using your Apple ID account name and password.  I have tried resetting my password and all.  I am running Internet Explorer version 11 and my Windows is 7.  Any help would be nice...

    ok.. I tried this three times and kept getting that access denied thing when I clicked post my question. So now maybe I won't have to type this a fifth time....
    I have a MAC computer with Sync. Was set up under sync Beta. I have an Android phone synced to it that was synced using the pair this device function. It works perfectly. I just got a new Android Tablet and am trying to add it to my sync and it does not seem to have the pair my device function. It insists I log into my sync account. So I try it and it tells me invalid userid/password. I verify and it is the exact email address userid that shows as being my sync account on the MAC. I verify the password on the MAC and it tests out fine. Try the tablet again and invalid.. So I try to reset my password on the tablet and am told my email address/account name does not exist. I just verified it AND Synced my MAC using it!! I have my recovery Key but there is no place to input it into the tablet. There is no place on tablet to enter the link device codes. How can my account be valid and in use on two devices but invalid and nonexistant on the new one? And How do I get the New one to sync with other two?

  • Hi, I have a Power Book G4 Tiger 10.4.11 and my problem concerns iTunes 9.2.1(5). I have changed my Apple ID and password recently. Since that, I am told when I try to buy something in iTunes Store that my "session has expired". Where does this come from?

    Hi, I have a Power Book G4 Tiger 10.4.11 and my problem concerns iTunes 9.2.1(5). I have changed my Apple ID and password recently. Since that, I am told, only when I try to buy something in iTunes Store, that my "session has expired". Where does this come from? What should I do to solve this problem ? I would greatly appreciate your help. Thank you in advance.

    Hi, I am khonthaï. I solved the problem thanks to JHdeVilliers's post on 4 Dec. 2011: I removed all cookies in Safari and it worked immediately !!!

  • I had an old account for my apple I.D and the email that i had expired, so I switched my apple I.D as my recent gmail, but it still asks me for my old apple I.D and password, what do I do

    I had an old account for my apple I.D and the email that i had expired, so I switched my apple I.D as my recent gmail, but it still asks me for my old apple I.D and password, what do I do?

    Go to https://appleid.apple.com, click Manage my Apple ID and sign in with your current iCloud ID.  Click edit next to the primary email account, change it back to your old email address and save the change.  Then edit the name of the account to change it back to your old email address.  You can now use your current password to turn off Find My iPhone on your device, even though it prompts you for the password for your old account ID. Then go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https://appleid.apple.com and change your primary email address and iCloud ID name back to the way it was.  Now you can go to Settings>iCloud and sign in with your current iCloud ID and password.

  • ISE and AD Password Expiration Notification and allow user to change

    We are almost ready to go live with ISE for our VPN users.
    One last thing that has been asked is, how can we make ISE prompt a user when their AD password is about to expire, and allow them the opportunity to change it at that time?
    I know the ASA has the ability if it is authenticating directly against AD, but that functionality goes away with IPN. So what settings are there to prompt users connecting via Anyconnect to the ASA VPN through ISE?
    We do not have ISE setup for internal users/systems yet, this is strictly a VPN only setup for now.
    Thanks,
    Dirk

    Since we are using the RADIUS protocol, password expiration notification will not occur. The user will be prompted only when the password has expired. With LDAP over SSL, the user will be notified that "your password will expire in x number of days", but we can't pick that method as it requires the ASA to be integrated directly with AD/LDAP.
    Since we have ISE in between acting as a RADIUS server, we have to live with the option where the user will not be notified but the password can be changed by the end user.
    Procedure for Configuring RADIUS Password Management
    Requires that the RADIUS server/ISE be integrated with an Active Directory MS-AD server.
    1. Enable "password-management" in tunnel-group/Connection Profile.
    Note: "password-management password-expire-in-days X" will not work, use just "password-management"
    2. Ensure that MSCHAPv1/MSCHAPv2 is enabled on the RADIUS/ISE server.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE CLI and GUI password expire

    I had Cisco ISE version 1.1. I face a problem with the CLI and GUI password, as it expires and I can't login. I do the password reset using the ISE DVD,
    I navigate to the ISE CLI, and do the following commands:
    conf t
         password-policy
              no password-expiration-enable
    and reset the GUI admin password, using the command:
         # application reset-passwd ise admin
    From the ISE GUI I had removed the option to disable the admin account after 45 days.
    But after 60 days the password expires again.
    So kindly advise what to check for this expiry issue.

    Hi Mostafa,
    Yes, the last reply was more towards GUI password management because in the majority of cases it happens with the UI admin account. I need to know if you've restarted the ISE after disabling the expiration from the CLI, because what I read a few weeks ago in an internal defect is that password policy configurations are not preserved on the CLI after restart. So just to check, could you please check the current settings on the CLI with the help of show run | in password-policy.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • SYS and SYSTEM user password expired

    My 11g2 database on Redhat 5 has the sys and system user passwords expired:
    SQL> select username,account_status,EXPIRY_DATE
      2  from dba_users where username like 'SYS%';
    USERNAME                       ACCOUNT_STATUS                   EXPIRY_DA
    SYSMAN                         OPEN
    SYSTEM                         OPEN                             15-FEB-11
    SYS                            OPEN                             15-FEB-11
    But I can still connect to the database with the expired password.
    Do I need to worry about the expiration of these users' passwords? For a normal user, I cannot login with an expired password.

    Dear user13148231,
    Here is an illustration;
    SQL> alter user sys account lock;
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where USERNAME='SYS';
    USERNAME                      ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    SYS                                      LOCKED                           20-AUG-10      23-FEB-09
    SQL> host sqlplus sys/password@opttest as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:25:43 2010
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> alter user sys identified by password password expire;
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
    USERNAME                      ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    SYS                                EXPIRED & LOCKED                 20-AUG-10   20-AUG-10
    SQL> host sqlplus sys/password@opttest as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:27:02 2010
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> alter user sys identified by password account unlock;
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    SYS                            OPEN
    Even if it shows expired and locked it is OK to connect to the database for the SYS user.
    SQL> alter user ogan identified by password account lock password expire;
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='OGAN';
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    OGAN                           EXPIRED & LOCKED                 20-AUG-10 20-AUG-10
    SQL> conn ogan/password
    ERROR:
    ORA-28000: the account is locked
    Warning: You are no longer connected to ORACLE.
    SQL> conn / as sysdba
    Connected.
    SQL> alter user ogan account unlock;
    User altered.
    SQL> conn ogan/password@opttest
    ERROR:
    ORA-28001: the password has expired
    Changing password for ogan
    New password:
    Retype new password:
    Password changed
    Connected.
    SQL>
    Ogan

  • APEX_PUBLIC_USER password expired and now APEX denies access to /pls/apex/f

    Hi. I have a problem with expired passwords. We are using APEX 2.2.0 with Oracle 10g. This morning the APEX_PUBLIC_USER and HTMLDB_PUBLIC_USER accounts passwords expired. We have a really weird setup. Our DBA team owns these accounts and our web server team manages the APEX application itself. When the passwords expired, our DBA changed them from Oracle, not from within APEX. Now we are unable to access our application. We get the following error message:
    Forbidden
    You don't have permission to access /pls/apex/f on this server.
    The DBA won't reset the passwords to their prior value because it's against corporate policy to reuse them. The web server team does not know how to go into APEX and enter the new values. Can someone point me to documentation that explains what we need to do? I just want to get these two teams working together so that my users can get back to work!
    Thanks,
    Mike

    Mike - All you have to do is change the database account password to a new value and enter that same password into the DAD definition, obfuscating it in that file if your policy so dictates.
    Application Express, per se, doesn't know anything about that account's attributes such as its password so there is no interface provided for its maintenance.
    Scott

  • Proxy Servers, Password Resets/Expirations and Password Policies

    Our current configuration has two directory proxy servers and two directory servers, all running DSEE 6.3.1. The LDAP clients point to the proxy servers and the proxy servers point to the directory servers.
    When the LDAP clients use the proxy servers, users aren't notified on password resets or expirations. When I point one of the LDAP clients directly at one of the directory servers, bypassing the proxy servers, the expected behavior of being required to change a password on reset, or notification of password expiration, works fine.
    We would like this to work via the proxy servers as well. Can anyone point me in a direction or two to determine why this isn't working as expected ?
    TIA!

    I opened a service call on this and in speaking with the rep, who was reading the CR mentioned in the first reply, he said it contained a note about the fix being scheduled for release in DSEE 7.x. I'm not sure if it made it into the recently released 7.0 or not.
    A patch released for the 6.3.1 proxy servers on the 21st of December didn't include mention of the CR in the notes, although there was mention of another CR that sounded like it might be related.
    Since it appears the CR was created in late November, I'd be surprised if either the DPS 6.3.1 patch or the 7.0 full release address the CR. In either case, I'm assuming you'll have to wait if you don't have a support contract with Sun that covers DSEE.
