Expire password in OID through OIM.

Similar Messages

• Problem with provisioning to particular OU in OID through OIM

  Hi,
  Please go through the following issue and suggest.
  I have integrated OIM with OID for provisioning purpose through OID connector.Iam prepopulating OU structure in the "Container DN" field in the process form of OID through an adapter.
  For example : "ou=BG,o=shipper,dc=xoserve,dc=com" is the Container DN iam prepopulating in OID process form and the user is getting provisioned to OID within the same structure(That structure already exists in OID).
  But when I dont have an "ou" in OID, suppose if i want to provision the user to something like "o=Network,dc=xoserve,dc=com"(note this one dont have ou),iam prepopulating "o=Network,dc=xoserve,dc=com" in the process form but iam not able to provision the user.In the console iam seeing the error like
  *"ERROR,18 Feb 2010 10:58:15,343,[XL_INTG.OID],com.thortech.xl.integration.OID.tcU*
  *tilOIDUserOperationscom.thortech.xl.integration.OID.util.tcUtilLDAPOperations: N*
  *amingException :Unable to search LDAP. Check the following values and try again:*
  *Base Search detail: ou=Network,dc=xoserve,dc=com, filter expression is cn=H*
  *ELLO567"*
  My "o=Network" is being sent as "ou=Network"(overwtitten) from process form to OID and as a result it is not able to find that structure in OID.
  Plzzzz help....

  Hi Chavi / OIMLearner,
  I have tried that and it works fine. But all my DNs are not of same structure. Some are like "cn=userid,ou=abc,o=cde,dc=fgh,dc=com" and some are like "cn=userid,o=cde,dc=fgh,dc=com" and there comes the problem.The value of ldapOrgDNprefix is overwriting my DN which is generated perfectly through my adapter.
  I dont want that Lookup.OID.Configuration to overwrite my DN.Pls suggest...

• Not able to create users in OID through OIM

  HI,
  I am creating users in OIM and provisioning them to OID. The create user is working fine but provisioning is not working.
  The create user task is getting rejected with error message as :
  Response: Target Unavailable Error
  Response Description: Target server not available
  In the weblogic console its showing error as:
  INFO,24 Feb 2010 18:42:13,140,[XL_INTG.OID], Parameter Variables passed into co
  m.thortech.xl.integration.OID.tcUtilOIDUserOperations:createUser(S,S,S,S,S): are
  sContainerDN = ou=AGI(ENI UK Ltd),o=Shippers,dc=xoserve-apps,dc=com, sFirstName
  = testuser17, sLastName = testuser17, sUserDNParam = TESTUSER17,
  INFO,24 Feb 2010 18:42:13,156,[XL_INTG.OID],com.thortech.xl.integration.OID.uti
  l.tcUtilLDAPOperations : connectToAvailableOID() : SSL option is not selected in
  ITResource
  ERROR,24 Feb 2010 18:42:16,156,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,156,[XL_INTG.OID], ERROR in OID:connectToAvailableOID
  () CommunicationExceptionUnable to create Initial LDAP Context
  ERROR,24 Feb 2010 18:42:16,156,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,156,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,156,[XL_INTG.OID],10.224.29.51:389
  ERROR,24 Feb 2010 18:42:16,156,[XL_INTG.OID],===================================
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],com.thortech.xl.integration.OID.uti
  l.tcUtilLDAPOperations : disconnectFromLDAP() : : Unable to close LDAP Context.
  The context was probably not created, since it is null
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID], ERROR in com.thortech.xl.integrati
  on.OID.tcUtilOIDUserOperations:createUser(S,S,S,S,S) NoInitialContextExceptionEr
  ror while connecting to target
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],===================================
  =================
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],com.thortech.xl.integration.OID.uti
  l.tcUtilLDAPOperations: Unable to close LDAP Context. The context was probably n
  ot created, since it is null
  ERROR,24 Feb 2010 18:42:16,171,[XL_INTG.OID],===================================
  =================
  Please help.
  Thanks in advance.

  Thank a zillion to both of you...
  It was connection problem. Somebody changed my OID's IP address.
  Now my users are getting provisioned.
  One more doubt how to give points to both of you. I dont know how to give points in this forum.

• Not able to create Organizations & Groups through OIM in OID.

  Hi,
  I am trying to create organizations and groups in OID through OIM. The steps are:
  1. Organizations-->create-->name=test, parentorg=null,type=company-->create organization.
  2. Drop down-->resource profile-->provision new resource-->OID organisation unit-->continue-->IT Serve=OID IT Resource-->continue
  3. The create ou task is getting rejected with error as "Response: Invalid Naming Error
  Response Description: Naming exception encountered "
  Please help.

  See the process form what it displayed. I think values are not getting populated properly in process form.

• Resetting an Expired Password

  Hello All
  I am not sure if this is the right forum so please let me know if not.
  I currently have an ASP page that authenticates users against a Sun ONE LDAP server. The problem we seem to have is that when a users password expires, we cannot bind anymore. The easiest way for us to sort this would be to get the "Password has expired" return code but I cannot work out how to do this in ASP.
  Or is the problem deeper than this and once a password has expired a user cannot reset it? Do we need to change something else to allow a user to bind with their old password to reset their password. Remembering we are trying to do this all with asp.net.
  Thanks
  D

  I also am ignorant of asp.net; however, Sun DS 6 has several features that can help solve your problem if you can figure out how to access them:
  1. If you configure the "expiration warning" feature in the password policy, once a entry's password is in the warning period, an unsolicited "expiration warning" control is returned with each bind. The control data is the seconds until expiration. Password policy configuration is documented in http://docs.sun.com/app/docs/doc/820-2491/fhkrj?a=view . You can search for "OID 2.16.840.1.113730.3.4.5" on google for info about the control. You should also become familiar with the unsolicited password expired control "OID 2.16.840.1.113730.3.4.4". These controls are also implemented in DS5.
  2. If you supply the bind (or most other) operation with the IETF draft password policy request control, Sun DS 6.1 and later return a (properly encoded) password policy response control containing password policy operational state. Search for "OID 1.3.6.1.4.1.42.2.27.8.5.1"
  3. Your application can request the operational state of an entry via the user status control in Sun DS 6.1 and later. Search for "OID 1.3.6.1.4.1.42.2.27.9.5.8"
  4. If you have implemented some form of expiration warning, then presumably the majority of your users will have changed passwords before expiration, and you can force the others to go through some self-service or help-desk password reset function (i.e., enable must-change-on-reset, then administratively change the user's password, forcing him/her to change it at next bind).
  5. If you want to allow users with an expired password to access the DS solely for the purpose of changing the password, see http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdht?a=view#resetting-expired-passwords . If you do some more investigation on Sun DS (6.2 and later) implementation of the password modify extended operation (and ldappasswd), you should find details on enabling the extension to allow a user to change an expired password.
  6. You might also take a look at http://docs.sun.com/app/docs/doc/820-2490/6ne3cisoj?a=view#pwdpol for an overview of the new password policy implementation in DS6, compared to the DS5 password policy, and the strategy to migrate from DS5 to DS6.

• Simple Interface expired password change prompt

  We have a population of users who access GW exclusively through WebAcc. Some of this population has jumped on the mobile device bandwagon and so we've directed them to the simple interface when accessing GW from a mobile device.
  Some of these mobile device users now exclusively use the simple interface on their tablet/phone to access GW and when their password is expired, are never presented with the password change dialogue.
  Ive verified when user with an expired password navigates directly to the simple interface url , https://gwserver/gw/webacc?User.interface=simple, either on a mobile device or desktop browser, IE, FF, Chrome, the user consumes a grace login and is taken directly to the simple interface mailbox.
  Resetting grace logins and navigating to the standard webacc interface the GW password change dialogue is presented as expected.
  GroupWise 8.0.1 webacc on netware. I think wed refrained from going to newer releases in fear of some nasty bugs in the subsequent versions, but Ive not kept current on issues with the latest release.
  I understand the next GW version with native mobile device templates is around the corner, but management may want to address this sooner.
  Is this failure to recognize password expiry in the simple interface a know behavior?
  Regards,
  Fdiaz

  On 8/8/2011 8:36 AM, vodobaas wrote:
  > We have a population of users who access GW exclusively through WebAcc.
  > Some of this population has jumped on the mobile device bandwagon and so
  > we've directed them to the simple interface when accessing GW from a
  > mobile device.
  > Some of these mobile device users now exclusively use the simple
  > interface on their tablet/phone to access GW and when their password is
  > expired, are never presented with the password change dialogue.
  >
  > Ive verified when user with an expired password navigates directly to
  > the simple interface url ,
  > https://gwserver/gw/webacc?User.interface=simple, either on a mobile
  > device or desktop browser, IE, FF, Chrome, the user consumes a grace
  > login and is taken directly to the simple interface mailbox.
  > Resetting grace logins and navigating to the standard webacc interface
  > the GW password change dialogue is presented as expected.
  > GroupWise 8.0.1 webacc on netware. I think wed refrained from going to
  > newer releases in fear of some nasty bugs in the subsequent versions,
  > but Ive not kept current on issues with the latest release.
  > I understand the next GW version with native mobile device templates is
  > around the corner, but management may want to address this sooner.
  >
  > Is this failure to recognize password expiry in the simple interface a
  > know behavior?
  >
  > Regards,
  > Fdiaz
  I'll ask.

• Resetting expired password from JDBC

  Hi All,
  I would like to know if it is possible to change an expired password from a java client that uses JDBC (classes12.zip) "thin client" to connect to oracle database (8.1.7.4).
  Can we capture the "password expired" exception from the client and change the expired password from within the java client.
  The current connect string is --->
  Connection conn;
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  conn = DriverManager.getConnection("jdbc:oracle:thin:@host:port:sid",user,pass);
  Is it possible to do something like this ???
  try {
  conn = DriverManager.getConnection("jdbc:oracle:thin:@host:port:sid",user,pass);
  catch ( SQLException sqle ) {
  if ( sqle.getErrorCode() == 28001 ) // i.e. passwd expired
  //1. ask user to enter the new passwd &
  //2. change it in the database.
  Is there any other way of doing this ??
  Thanks in advance
  Arun

  I haven't tried this, but there some things to think about.
  1) Have you tried to capture the Exception? Is it a problem?
  2) Have you tried to alter a password through JDBC? Is it a problem? To execute other DDL you have to use executeUpdate() I would assum that if you can do this it will also require an executeUpdate().
  Now assuming #1 and #2 are OK
  3) How are you going to change a password when the you cannot connect because the password has expired? Are you going to hard code another non-expired userid/password in the code (bad idea). Are you going to ask the user to enter some type of administrative userid/password that will allow them to change their password?
  Just some thoughts, sorry I cannot help more...

• JSSO change expired password

  Hi,
  Does JSSO has support to enable users to change their password when it expires (we use OID with passwd policies)?
  If not, is there an alternative method of authenticating users agains ldap(OID) with functionality to change passwords and notify when a user is in his grace period.
  We want to use/create one authentication/authorisation instance which we can use for multiple applications.
  Kind regards,
  Albert

  JSSO usually uses a xml file to store the passwords. When you use OID it implies that you already have an AS Infrastructure.
  Why don't you use the Oracle SSO server?
  It does solve a part of your problem.
  Unfortunately the issue with the grace periods (or better to receive a notification before your password expires) is not yet solved. You need to build your own (nifty script scanning the last pwd change time and the expiration time).
  cu
  Andreas

• Expire Password in BCC

  Hi All,
  I tried for expiring the password of BCC. I used the component
  /atg/userprofiling/ExpiredPasswordService/
  But it does not work for me. Can someone help me on this?
  Thanks,
  DKAP

  Ensure that components ExpiredPasswordService and ExpiredPasswordServlet got enabled. Also both of these should have same value of passwordValidForNumDays property. You would also have to tell InternalProfileFormHandler to use ExpiredPasswordService. It has a redirectPath property which is configured to "/user/changepassword.jsp" through BIZUI module for BCC. On BCC login, in case ProfileFormHandler detects an expired password through ExpiredPasswordService, it adds a session attribute"passwordexpired". ExpiredPasswordServlet check for this session attribute and on detecting it, ExpiredPasswordServlet redirects to the value of ExpiredPasswordService.redirectPath property.
  You can try following configuration changes on your BCC server instance. (Don't override from dyn/admin on the running server instead use properties file under localconfig of BCC server and then restart.)
  /atg/userprofiling/InternalProfileFormHandler.properties
  expiredPasswordService=/atg/userprofiling/ExpiredPasswordService
  # loggingDebug=true
  /atg/userprofiling/ExpiredPasswordService.properties
  enabled=true
  passwordValidForNumDays=7  # default is 120, changed for testing
  # loggingDebug=true
  For ExpiredPasswordServlet you need not do anything additionally since it would pick most of its values from ExpiredPasswordService as per its configuration. Just verify these values from dyn/admin.
  /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet
  enabled^=/atg/userprofiling/ExpiredPasswordService.enabled
  redirectPath^=/atg/userprofiling/ExpiredPasswordService.redirectPath
  passwordValidForNumDays^=/atg/userprofiling/ExpiredPasswordService.passwordValidForNumDays

• Windows Server 2012 R2 - RD Gateway and expired passwords

  We got tired of script kiddies trying to brute force our old RDP servers, so we thought RD Gateway was a good idea and implemented this on our newest RDS servers.
  That worked fine until the first password change. The support phone got hot for some days.
  I understand after investigating the issue that expired has been a problem in the 2008/2008R2 version of RD Gateway.
  Are expired/change on first logon still a problem in 2012 R2? I fint this strange after seeing all the old complains.
  Are there any solution to this problem (other than running Citrix wich manage password change with no problems)?
  Jens Tore Fremmegaard ::.::.:: ServerParkering AS

  NLA is disabled. This was never a problem when we used 2008 servers.
  On our old 2008 (and 2003 before that) terminal servers the users have always had the opportunity to both change expired passwords and "change password on first logon".
  After migrating to 2012 none of them work.
  We have a script that warns the users prior to password expiry date, but ther's always someone that waits to long. And then they have to call our support techs to get their passwords changed since password change not working on the rds servers.
  Off course they could change it through Exchange OWA, but try to tell that to the CEO that's used to only click their RDS shortcut.
  Jens Tore Fremmegaard ::.::.:: ServerParkering AS

• Managing 100s UNIX servers through OIM using LDAP,

  Hi Experts,
  I have requirement where as 100s UNIX servers need to manage through OIM using LDAP,
  Pls guide me how to implementing this through LDAP is best solution,
  Thanks.

  Take a look at:
  http://www.oracle.com/technology/products/oid/oracleauthenticationservices.html
  Oracle Authentication Services for Operating Systems

• Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

  What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
  We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness
  and lack of attention to email messages) or they see the warning messages and forget to act on it.
  When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their
  password reset.
  Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating
  their login failed for unknown reasons or password is "incorrect?"

  It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
  A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
  For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
  There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
  http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

• Which attribute shows if a user has an expired password?

  DSEE 6.3
  I created my own password policy, and applied it to a single user.
  I would like to know which attribute shows if a user has an expired password, and how do I query that attribute for the user. How would I query the time till expiration as well?
  I am basically looking for example queries to such information.
  thanks,

  My limited experience with this sort of thing is to run a query like the following:
  ldapsearch -1TL -h `hostname` -D 'cn=Directory Manager' -b "dc=<your dc>,dc=com" uid=<uid your choice> pwdAccountLockedTime pwdFailureTime pwdLastAuthTim
  e pwdChangedTime passwordRetryCount nscpentrywsi
  This dumps some helpful stuff. I've noticed ... in our ldap instance that a locked account has the following output:
  pwdAccountLockedTime: 000001010000Z
  I don't know why it shows up that way ... but it's something I can key on and search for to find locked accounts. Not necessarily an indication that a password has expired, of course, but sort of interesting to me. An account can be locked for other reasons obviously.
  I think pwdChangedTime might be what you want assuming you know what the password expiration time is set to ...

• Enabling a User through OIM API

  Hi I am trying to enable a user through OIM API, However the end date is already passed for that user, I am setting up a new end date through the Program (showm below). However the update user is not working (i am not sure).
  Map usermap = new HashMap();
  usermap.put("Users.User ID", User_id );
  Map grpmap = new HashMap();
  grpmap.put("Groups.Group Name", Group_Name);
  tcResultSet ts = userClient.findUsers(usermap); //find all users
  String existing_end_date = ts.getStringValue("Users.End Date");
  tcResultSet tg = groupClient.findGroups(grpmap); //find requireq group
  long ukey = ts.getLongValue("Users.Key");
  long gkey = tg.getLongValue("Groups.Key"); //find group key
  // ENABLE THE USER
  java.util.Date new_end_date = new java.util.Date(111,1,1);
  Calendar cal = Calendar.getInstance();
  cal.setTime(new_end_date);
  DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd hh:mm:ss");
  String Str1 = dateFormat.format(cal.getTime());
  String Str2 = existing_end_date + " 12:00:00";
  System.out.println(User_id+" OLD End Date:" + Str2 + " New End Date: " + Str1);
  Map usermap2 = new HashMap();
  usermap2.put("Users.User ID", User_id );
  usermap2.put("Users.End Date", Str1);
  userClient.updateUser(ts,usermap2);
  userClient.enableUser(ukey);
  I am getting the following error:
  U0000018 OLD End Date:2009-09-30 12:00:00 New End Date: 2011-02-01 12:00:00
  2/12/2010 15:02:53 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  Thor.API.Exceptions.tcAPIException: The user cannot be enabled because the end date is passed.
  Not sure why it is happening. It looks like the Updateuser is not working, or something else?
  Please advise. Thanks in advance.

  Hi Suren,
  thanks for the note.
  I found that as soon as I enable the user, I am getting the followimg messages in the opmn logs:
  INFO,06 Dec 2010 10:55:41,841,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
  INFO,06 Dec 2010 10:55:41,944,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
  INFO,06 Dec 2010 10:55:42,402,[XELLERATE.JAVACLIENT],System Event Handler: Enabling the User
  INFO,06 Dec 2010 10:55:42,421,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
  INFO,06 Dec 2010 10:55:42,427,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
  INFO,06 Dec 2010 10:55:42,439,[XELLERATE.JAVACLIENT],System Event Handler: Changing application data based on Organization change.
  INFO,06 Dec 2010 10:55:42,442,[XELLERATE.JAVACLIENT],System Event Handler: Auto-Group Membership Event.
  INFO,06 Dec 2010 10:55:43,715,[XELLERATE.JAVACLIENT],System Event Handler: Evaluating User Policies
  So, the access policies are getting evaluated, triggering provisioning processes.
  What I am planning to do is, to disable the access policies and try to run the Program.
  Because of this issue, my Program is throwing an error (until I looked into the opmn logs, it doesn't make sense).
  6/12/2010 10:55:50 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  Thor.API.Exceptions.tcAPIException: Error occurred enabling Xellerate User instance.
  Regards
  Vijay Chinnasamy

• SSH / Expired Passwords

  I've recently installed a batch of servers with Solaris 10 10/08 and have noticed that the way the Solaris sshd implementation deals with password change on login is different to previous versions of Solaris SSH and/or OpenSSH installed in out environment.
  When the user with expired password logs in, he is prompted for a new password. If this password does not meet the complexity standards set for user passwords, the user is then prompted for their original password again instead of being asked to add a valid new password. This has led to a lot of users locking out their accounts because they keep trying to put in the new password
  The session output looks like this
  ssh -l user serverPassword: <-Enter Existing Password Here
  Warning: Your password has expired, please change it now.
  New Password: <-Enter new password that does not meet password standards
  sshd-kbdint: The password must contain at least 1 uppercase alpha character(s).
  Password: <- System requests exising password again
  Warning: Your password has expired, please change it now.
  New Password: <-Enter new valid password
  Re-enter new Password: <-Re-enter new valid password
  sshd-kbdint: password successfully changed for user
  Any idea why this may be happening?
  Thanks.
  K

  Can you use ssh keys instead? This would allow using your own pass phrase associated with the key you create.
  ssh-keygen -t rsa
  Now copy the *$HOME/.ssh/id_rsa.pub* file to each site and append the *id_rsa.pub* file to the remote account's *.ssh/authorized_keys* file (repeat the copy and append 29 more times).
  Now you should be able to connect based on your ssh key and no longer need to enter the long convoluted password. Instead you just need to enter your own selected ssh key pass phrase.
  And you can use *ssh-add* after starting your Mac to add your pass phrase to the ssh-agent already running in the background. Once you do this, ssh will ask the ssh-agent before prompting you for a pass phrase it already knows.
  This should totally streamline your ssh and scp access to the 30 remote sites.