Expired passwords with LEAP

Hello,
Does LEAP support expired passwords from the Active Directory?
When I log in with LEAP (my username and password are forwarded by the ACS to the domain controller), if my password has expired on the domain controller,
LEAP does not give me the option to change my password.
I am unable to log in.
Any suggestions?
Regards

LEAP does not support MS-CHAP v2, only MS-CHAP v1. Like the previous poster stated, they have no plans to make any changes.
Danny

Similar Messages

  • Changing expired password with OCIPasswordChange

    I know that ODP.NET has a option to open a connection with a new password when the old one has expired. I'm using System.Data.OracleClient from .Net instead of ODP because I'm using the Instant Client, which does not seem to work with ODP. Can somebody tell me how to call OCIPasswordChange?

    Hi,
    OCIPasswordChange is an OCI call. You'd have to write a complete OCI application in C to be able to use that, and OCI coding isn't for the faint of heart.
    I do have a complete OCI sample that does it though.. here you go.
    Cheers,
    Greg
    This sample demonstrates the use of OCIPasswordChange once the
    password has expired, which requires setting the session into
    the service context. Tested with oci 8.1.5, vc++ 6.0 sp3.
    first create the user with expired password:
    SQL> create user testuser identified by oldpass password expire;
    SQL> grant create session to testuser;
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <oci.h>

    static OCIEnv     *p_env;
    static OCIError   *p_err;
    static OCIServer  *p_srv;
    static OCISession *p_ses;
    static OCISvcCtx  *p_svc;

    int main(void)
    {
        int  rc;
        char errbuf[512];   /* sized to match the precision passed to printf below */
        sb4  errcode = 0;

        // Step 1: Initialize OCI
        rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid *)0,
             (dvoid * (*)(dvoid *, size_t)) 0,
             (dvoid * (*)(dvoid *, dvoid *, size_t))0,
             (void (*)(dvoid *, dvoid *)) 0 );
        // Step 2: Initialize the OCI environment
        rc = OCIEnvInit( (OCIEnv **) &p_env, OCI_DEFAULT, (size_t) 0, (dvoid **) 0 );
        // Step 3: Initialize the OCI handles
        rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_err, OCI_HTYPE_ERROR,
             (size_t) 0, (dvoid **) 0);
        rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_svc, OCI_HTYPE_SVCCTX,
             (size_t) 0, (dvoid **) 0);
        rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_srv, OCI_HTYPE_SERVER,
             (size_t) 0, (dvoid **) 0);
        rc = OCIHandleAlloc((dvoid *) p_env, (dvoid **)&p_ses, (ub4) OCI_HTYPE_SESSION,
             (size_t) 0, (dvoid **) 0);
        // Step 4: Connect using a multi-session connect
        rc = OCIServerAttach( p_srv, p_err,
             (text *)"local", 5, 0);
        // Create a server context
        rc = OCIAttrSet( (dvoid *) p_svc, OCI_HTYPE_SVCCTX,
             (dvoid *)p_srv, (ub4) 0,
             (ub4) OCI_ATTR_SERVER, (OCIError *) p_err);
        // Create a session context
        rc = OCIAttrSet((dvoid *) p_ses, (ub4) OCI_HTYPE_SESSION,
             (dvoid *) "testuser", (ub4) 8,
             (ub4) OCI_ATTR_USERNAME, p_err);
        rc = OCIAttrSet((dvoid *) p_ses, (ub4) OCI_HTYPE_SESSION,
             (dvoid *) "oldpass", (ub4) 7,
             (ub4) OCI_ATTR_PASSWORD, p_err);
        rc = OCIAttrSet((dvoid *) p_svc, (ub4) OCI_HTYPE_SVCCTX,
             (dvoid *) p_ses, (ub4) 0,
             (ub4) OCI_ATTR_SESSION, p_err);
        // Open the session on the server
        rc = OCISessionBegin ( p_svc, p_err, p_ses, OCI_CRED_RDBMS,
             (ub4) OCI_DEFAULT);
        // This is a generic error checking routine
        if (rc != 0)
        {
            OCIErrorGet((dvoid *)p_err, (ub4) 1, (text *) NULL, &errcode,
                 (text*)errbuf, (ub4) sizeof(errbuf), OCI_HTYPE_ERROR);
            printf("Error - %.*s\n", (int) sizeof(errbuf), errbuf);
            // If the error is a 28001, change the password.
            if (errcode == 28001)
            {
                // You need to set the Session into the service context
                // before you can call OCIPasswordChange(), and you also need
                // to allocate both the session and service context handles
                // before hand. Then you can call OCIPasswordChange.
                rc = OCIAttrSet((dvoid *)p_svc, OCI_HTYPE_SVCCTX,
                     (dvoid *)p_ses, 0, OCI_ATTR_SESSION, p_err);
                // Each length is the string length without the terminating NUL
                // ("newpass" is 7 characters, not 8).
                rc = OCIPasswordChange(p_svc, p_err, (text *) "testuser", 8,
                     (text *) "oldpass", 7, (text *) "newpass", 7, OCI_DEFAULT);
                if (rc != 0) printf("Password change failed.\n");
                else printf("Password successfully changed.\n");
            }
        }
        // Step 10: Disconnect from the server and free the
        rc = OCIServerDetach( p_srv, p_err, OCI_DEFAULT );
        rc = OCIHandleFree((dvoid *) p_srv, OCI_HTYPE_SERVER);
        rc = OCIHandleFree((dvoid *) p_svc, OCI_HTYPE_SVCCTX);
        rc = OCIHandleFree((dvoid *) p_err, OCI_HTYPE_ERROR);
        printf("Disconnected.\n\n");
        return 0;
    }

  • Expired passwords with oledb 9i

    Using ADO with Oracle OleDB provider in 9i:
    If the password of the user is expired and I set the PwdChgDlg property to 1 in the connect string the password change dialog is presented however it always fails with an invalid userid/password error.
    This seems to work with the 8i provider, I searched and didn't find any help.

    Thanks, I'm using 9.2.0.1.0, I'll look for the newer version and give it a try, I hate to change versions this late in the game though.

  • Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

    What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
    We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness and lack of attention to email messages) or they see the warning messages and forget to act on it.
    When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their password reset.
    Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating their login failed for unknown reasons or password is "incorrect?"

    It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
    A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
    For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
    There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
    http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132
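
The log check suggested in the answer above, as an added example that is not part of the original post: it reads 4625 events exported as XML and separates expired or must-change passwords from wrong passwords using the NTSTATUS code in the SubStatus and Status fields. The sample events are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes recorded in the Status / SubStatus fields of a 4625 event.
REASONS = {
    0xC0000064: "unknown_user",
    0xC000006A: "wrong_password",
    0xC0000071: "password_expired",
    0xC0000224: "must_change_password",
    0xC0000234: "account_locked",
}
# Failures where the user needs a password-change path rather than a retry.
NEEDS_PASSWORD_CHANGE = {"password_expired", "must_change_password"}


def classify_failure(event_xml):
    """Return {'user', 'reason', 'notify'} for a 4625 event, None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    status = int(data.get("Status") or "0", 16)
    sub_status = int(data.get("SubStatus") or "0", 16)
    # Prefer SubStatus (the specific cause); fall back to Status when it is 0x0.
    code = sub_status or status
    reason = REASONS.get(code, "other")
    return {"user": data.get("TargetUserName", ""),
            "reason": reason,
            "notify": reason in NEEDS_PASSWORD_CHANGE}


def users_to_notify(events):
    """Sorted, de-duplicated accounts that failed only because the password must change."""
    results = (classify_failure(e) for e in events)
    return sorted({r["user"] for r in results if r and r["notify"]})


def _sample(event_id, user, status, sub_status):
    """Build a constructed event in the Windows event XML layout (only the fields used)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Status">{status}</Data>'
            f'<Data Name="SubStatus">{sub_status}</Data></EventData></Event>')


# Constructed sample data, not taken from a real log.
SAMPLE_EVENTS = [
    _sample(4625, "alice", "0xC000006D", "0xC000006A"),  # wrong password
    _sample(4625, "bob", "0xC0000071", "0x0"),           # expired, cause in Status
    _sample(4625, "carol", "0xC000006D", "0xC0000224"),  # must change at next logon
    _sample(4624, "dave", "0x0", "0x0"),                 # successful logon, ignored
    _sample(4625, "bob", "0xC0000071", "0x0"),           # repeat attempt, de-duplicated
]

if __name__ == "__main__":
    for name in users_to_notify(SAMPLE_EVENTS):
        print(f"{name}: logon failed because the password must be changed")
```
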

  • Cisco ISE - User with expired password is forced to logoff before they can change password.

    I came across a situation today where a user was logged into a laptop with an expired password and could not change it by simply locking the computer and logging in with the correct credentials. (They had previously changed it on their main computer) The port restricted any communication since the user was failing authentication.
    So, I had the user log out and immediately the computer authenticated, and the user was able to log in with the correct credentials.   I don't want my users to have to log out completely in this situation.  Below is the port config and the ISE error messages.
     switchport access vlan 423
     switchport mode access
     switchport block unicast
     switchport voice vlan 425
     ip arp inspection limit rate 10
     ip access-group ACL-LOW-IMPACT-MODE in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity server
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout tx-period 3600
     spanning-tree portfast
     spanning-tree bpduguard enable
     ip dhcp snooping limit rate 100

    Completely forgot about odac version. I have ODT with ODAC 102.02 installed.
    I want to download new drivers from here:
    Oracle10g Release 2 ODAC and Oracle Developer Tools for Visual Studio .NET
    http://download.oracle.com/otn/other/ole-oo4o/ODTwithODAC1020221.exe
    And old drivers from here (just for testing)
    Oracle Developer Tools for Visual Studio .NET 10.1.0.4.0
    http://download.oracle.com/otn/other/ODT10104.exe
    Does anybody know something about these releases? Do they have the same behavior?
    Thanks.

  • How to deal with expired passwords in authentication schemes?

    Hi,
    I am trying to build an authentication scheme that deals with expired passwords. After the user has provided their valid but expired password they should be redirected to a password reset page. After they have provided a new password they should be allowed to continue to the page they would have otherwise gone to had their password not expired.
    I have written my authentication process as follows:
    CREATE OR REPLACE FUNCTION inventory_test.inventory_authentication (
       p_username   IN   VARCHAR2,
       p_password   IN   VARCHAR2
    )
       RETURN BOOLEAN
    IS
       r1               apex_users%ROWTYPE;
       valid_password   BOOLEAN;
    BEGIN
       IF p_password IS NULL
       THEN
          RETURN FALSE;
       END IF;

       SELECT *
         INTO r1
         FROM apex_users
        WHERE UPPER (username) = UPPER (p_username);

       -- Compare the stored value with MD5 (password || per-user seed)
       valid_password :=
          DBMS_OBFUSCATION_TOOLKIT.md5 (input_string => p_password
                                         || TO_CHAR (r1.SEED, '99999')
                                       ) = r1.PASSWORD;

       -- Valid but expired password: remember the original target, then
       -- point the post-login URL at the password reset page (page 14)
       IF valid_password AND (r1.password_expiration_date < SYSDATE)
       THEN
          apex_util.set_session_state ('FSP_AFTER_PASSWORD_RESET_URL', v ('FSP_AFTER_LOGIN_URL')); -- My new application item
          apex_util.set_session_state ('FSP_AFTER_LOGIN_URL',
                                       'F?P=' || v ('APP_ID') || ':14:' || v ('APP_SESSION')
                                      );
       END IF;

       RETURN valid_password;
    EXCEPTION
       WHEN NO_DATA_FOUND
       THEN
          RETURN FALSE;
    END;
    This redirects the user to the password reset page but FSP_AFTER_PASSWORD_RESET_URL is null - presumably because the login process changes the session.
    This seems the wrong approach anyway as the user, once authenticated, can change the page number in the URL and avoid the password reset. I would guess that I need to use the APEX_CUSTOM_AUTH package somehow. However, I am thoroughly confused about the relationship between the LOGIN and POST_LOGIN procedures. Also, I gather from other posts in this forum that there is some asynchronous processing that goes on as new sessions are created. Can someone point me in the right direction please?
    --Tony
    http://tonyhasler.wordpress.com/

    Sorry for taking so long to acknowledge your helpful suggestions.
    Scott's proposal is a tiny tiny bit awkward as, if I understand it correctly, the user would have to reauthenticate after resetting the password.
    /dev/null's suggestion is actually not too bad for me. I already have each page being authorised and I use only a limited number of (once per session) authorization schemes. I think all I have to do is to place an extra line or two in each scheme to check the expiration date of the user's password and remember to call APEX_UTIL.RESET_AUTHORIZATIONS when the password is reset.
    I successfully redirected to the password reset page using owa_util.redirect_url from the post-authentication procedure but what I am still having trouble with is the deep-linking bit. It seems I have to obtain the target URL by 'editing' FSP_AFTER_LOGIN_URL to replace '|' characters by ':' characters and inserting the session id in the right place. Given the fact that FSP_AFTER_LOGIN_URL may not be set and that there may not be sufficient ':' characters in the URL this is very clunky.
    Is there an easier way to do this?
    --- Never mind. I worked out how to use regular expressions with SQL to do this. A full explanation is in my blog.
    --Tony
    http://tonyhasler.wordpress.com
    Edited by: TonyHasler on Sep 6, 2008 3:17 PM

  • Expired or initial passwords with SPNego

    Hi,
    we're implementing a SAP Enterprise Portal right now using SPNego as the method of authentication. The UME of our Portal is connected to our HCM-ABAP-System. In HCM we set the parameter login/password_change_for_SSO to 0 so the status of a PW (e.g. initial or expired) is not relevant when using SSO. This works fine for our HCM, but of course not for the Portal which is only connected to HCM via the UME.
    Anybody got an idea how to have our portal react the same way to initial and expired passwords? I couldn't find anything so far...

    Hi Mario,
    Though I can't provide you the solution, I have a query...
    If my guess is right that you have implemented SPNego authentication, you are trying to implement Kerberos authentication.
    Please let me know if you are able to configure Portal for Kerberos authentication. We tried to implement the same with CRM+Portal, we were able to configure SAP GUI for Kerberos authentication, but with portal, we were not able to implement.
    When we changed the UME configuration file, portal went down. We raised an OSS note, and got reply stating that "Kerberos authentication can not be implemented for ABAP+Java stack. For portal to support Kerberos authentication, it should be a separate installation."
    If you are able to configure portal for SPNego, and able to run the SPNego wizard successfully, please let me know.
    Regards,
    Nrisimhanadh

  • Firefox keeps prompting me for password with the popup

    Firefox at my work computer keeps prompting for password with the popup message "The proxy moz-proxy://proxy:9119 is requesting a username and password. The site says: "moz-proxy://proxy:9119"" This happens too often, even if I provide the username and password I get the next popup with same message.
    It's very annoying, I am not finding web better because of this, I googled and figured about the config settings of - network.automatic-ntlm-auth.allow-proxies and the other one not working.
    I guess I am missing the PAC URL or something which I remember like solved the problem sometime back but not in same domain though.
    Can someone help ?
    Can the good community help ?

    Quitting Calendar Agent is not working for me. I still get the following errors.
    About 50 of these: 8/13/12 10:19:28.210 AM CalendarAgent[12480]: Unexpected EOF, returning last token as fallback
    Then about 10 of these:
    8/13/12 10:19:31.193 AM CalendarAgent[12480]: [com.apple.calendar.store.log.caldav.queue] [Account refresh failed with error: Error Domain=CoreDAVHTTPStatusErrorDomain Code=401 "The operation couldn’t be completed. (CoreDAVHTTPStatusErrorDomain error 401.)" UserInfo=0x7fb603b9d990 {AccountName=, CalDAVErrFromRefresh=YES, CoreDAVHTTPHeaders=<CFBasicHash 0x7fb603f5a4b0 [0x7fff79a05190]>{type = immutable dict, count = 10,
    entries =>
        0 : Case Insensitive Key: X-Content-Type-Options = <CFString 0x7fb6038d0650 [0x7fff79a05190]>{contents = "nosniff"}
        1 : Case Insensitive Key: Content-Type = <CFString 0x7fb603bd3930 [0x7fff79a05190]>{contents = "text/html; charset=UTF-8"}
        2 : Case Insensitive Key: Server = <CFString 0x7fb603b1c400 [0x7fff79a05190]>{contents = "GSE"}
        3 : Case Insensitive Key: Transfer-Encoding = <CFString 0x7fff792226b8 [0x7fff79a05190]>{contents = "Identity"}
        6 : Case Insensitive Key: Date = <CFString 0x7fb603bf6300 [0x7fff79a05190]>{contents = "Mon, 13 Aug 2012 14:19:31 GMT"}
        7 : Case Insensitive Key: X-Frame-Options = <CFString 0x7fb603869680 [0x7fff79a05190]>{contents = "SAMEORIGIN"}
        8 : Case Insensitive Key: X-XSS-Protection = <CFString 0x7fb603b01740 [0x7fff79a05190]>{contents = "1; mode=block"}
        9 : Case Insensitive Key: Www-Authenticate = <CFString 0x7fb603bcf200 [0x7fff79a05190]>{contents = "BASIC realm="Google CalDAV""}
        11 : Case Insensitive Key: Cache-Control = <CFString 0x7fb603b08d50 [0x7fff79a05190]>{contents = "private, max-age=0"}
        12 : Case Insensitive Key: Expires = <CFString 0x7fb603bf8a20 [0x7fff79a05190]>{contents = "Mon, 13 Aug 2012 14:19:31 GMT"}

  • Which attribute shows if a user has an expired password?

    DSEE 6.3
    I created my own password policy, and applied it to a single user.
    I would like to know which attribute shows if a user has an expired password, and how do I query that attribute for the user. How would I query the time till expiration as well?
    I am basically looking for example queries to such information.
    thanks,

    My limited experience with this sort of thing is to run a query like the following:
    ldapsearch -1TL -h `hostname` -D 'cn=Directory Manager' -b "dc=<your dc>,dc=com" uid=<uid your choice> pwdAccountLockedTime pwdFailureTime pwdLastAuthTime pwdChangedTime passwordRetryCount nscpentrywsi
    This dumps some helpful stuff. I've noticed ... in our ldap instance that a locked account has the following output:
    pwdAccountLockedTime: 000001010000Z
    I don't know why it shows up that way ... but it's something I can key on and search for to find locked accounts. Not necessarily an indication that a password has expired, of course, but sort of interesting to me. An account can be locked for other reasons obviously.
    I think pwdChangedTime might be what you want assuming you know what the password expiration time is set to ...

  • SSH / Expired Passwords

    I've recently installed a batch of servers with Solaris 10 10/08 and have noticed that the way the Solaris sshd implementation deals with password change on login is different to previous versions of Solaris SSH and/or OpenSSH installed in our environment.
    When the user with expired password logs in, he is prompted for a new password. If this password does not meet the complexity standards set for user passwords, the user is then prompted for their original password again instead of being asked to add a valid new password. This has led to a lot of users locking out their accounts because they keep trying to put in the new password.
    The session output looks like this
    ssh -l user server
    Password: <-Enter Existing Password Here
    Warning: Your password has expired, please change it now.
    New Password: <-Enter new password that does not meet password standards
    sshd-kbdint: The password must contain at least 1 uppercase alpha character(s).
    Password: <- System requests existing password again
    Warning: Your password has expired, please change it now.
    New Password: <-Enter new valid password
    Re-enter new Password: <-Re-enter new valid password
    sshd-kbdint: password successfully changed for user
    Any idea why this may be happening?
    Thanks.
    K

    Can you use ssh keys instead? This would allow using your own pass phrase associated with the key you create.
    ssh-keygen -t rsa
    Now copy the *$HOME/.ssh/id_rsa.pub* file to each site and append the *id_rsa.pub* file to the remote account's *.ssh/authorized_keys* file (repeat the copy and append 29 more times).
    Now you should be able to connect based on your ssh key and no longer need to enter the long convoluted password. Instead you just need to enter your own selected ssh key pass phrase.
    And you can use *ssh-add* after starting your Mac to add your pass phrase to the ssh-agent already running in the background. Once you do this, ssh will ask the ssh-agent before prompting you for a pass phrase it already knows.
    This should totally streamline your ssh and scp access to the 30 remote sites.

  • 802.1X cannot change expired password at login

    Hi all,
    I'm trying to roll out 802.1X authentication for wifi access at my company, however there's one major problem I can't for the life of me figure out. I'm not able to get the Macs to prompt for a password change when the password has expired at login.
    On Windows when you log in it will prompt you to change your password when it's expired. However on OSX when you're on the workstation login screen, you can see the wireless icon briefly connect, then it will think for a bit and the user cannot log in at all.
    OSX can definitely change expired passwords via 802.1X, as if I log into a local account and connect to the wifi with the user whose password has expired, it will prompt to change it, and changes it successfully.
    I'm using NPS for RADIUS authentication against AD, and using Profile Manager in OSX Server to create the 802.1X profile.
    Does anyone have any experience with OSX and using WPA Enterprise/802.1X Profiles?
    Thanks!

    Hi,
    Can you post a screenshot for this situation?
    Sometimes, the third party credential provider would lead to some issue like this, I suggest you check the current credential provider via the following path:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\x\LastLoggedOnProvider
    You should compare the result with the values in the following path:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\credential providers
    If the current value is third party credential provider, try to disable it:
    To disable the provider add a REG_DWORD value "Disabled"=1 to that provider’s CLSID subkey.
    The provider will be disabled on the next session creation (sessions are created when you log off, switch users, or reboot).
    Alex Zhao
    TechNet Community Support

  • Changing expired password on a backend database from a frontend database

    I have a split database with an Oracle backend (BE) and MS Access frontend (FE). My question is how to reset an expired password on the BE from the FE.
    If I log on to the backend via sqlplus an error ORA-28001 (Password expired) occurs and the system immediately prompts for a new password before completing the login process.
    If I log on from the frontend I get the same ORA error from the BE, but as far as I can tell, I can't reset the password from the FE.
    I can capture the error fine at the FE and I am thinking that I could use this to open a dialog to reset the password and change it over the ODBC connection. The problem is that I need to get a connection to the BE database before sending a command to change the password from the FE, but since login cannot be completed from the FE, because of the expired password, I can't get an ALTER USER statement to execute on the BE to reset the password.
    Is there a way to change a pre-expired password on an Oracle backend database from a frontend database? I don't see this as an Oracle/Access problem but as a problem that exists for any split database.

    I have thought about this a little and I am thinking about keeping a table of password update information. I can use this to create a "soft" expired password, using an expiration date in the table for each account. If the password is expired by the database then we can just update it with sqlplus or one of the other options.
    As far as getting the organization to change it is waaaay too big and stupid to change their policy.

  • Simple Interface expired password change prompt

    We have a population of users who access GW exclusively through WebAcc. Some of this population has jumped on the mobile device bandwagon and so we've directed them to the simple interface when accessing GW from a mobile device.
    Some of these mobile device users now exclusively use the simple interface on their tablet/phone to access GW and when their password is expired, are never presented with the password change dialogue.
    I've verified when user with an expired password navigates directly to the simple interface url, https://gwserver/gw/webacc?User.interface=simple, either on a mobile device or desktop browser, IE, FF, Chrome, the user consumes a grace login and is taken directly to the simple interface mailbox.
    Resetting grace logins and navigating to the standard webacc interface the GW password change dialogue is presented as expected.
    GroupWise 8.0.1 webacc on netware. I think we'd refrained from going to newer releases in fear of some nasty bugs in the subsequent versions, but I've not kept current on issues with the latest release.
    I understand the next GW version with native mobile device templates is around the corner, but management may want to address this sooner.
    Is this failure to recognize password expiry in the simple interface a known behavior?
    Regards,
    Fdiaz

    On 8/8/2011 8:36 AM, vodobaas wrote:
    > We have a population of users who access GW exclusively through WebAcc.
    > Some of this population has jumped on the mobile device bandwagon and so
    > we've directed them to the simple interface when accessing GW from a
    > mobile device.
    > Some of these mobile device users now exclusively use the simple
    > interface on their tablet/phone to access GW and when their password is
    > expired, are never presented with the password change dialogue.
    >
    > I've verified when user with an expired password navigates directly to
    > the simple interface url,
    > https://gwserver/gw/webacc?User.interface=simple, either on a mobile
    > device or desktop browser, IE, FF, Chrome, the user consumes a grace
    > login and is taken directly to the simple interface mailbox.
    > Resetting grace logins and navigating to the standard webacc interface
    > the GW password change dialogue is presented as expected.
    > GroupWise 8.0.1 webacc on netware. I think we'd refrained from going to
    > newer releases in fear of some nasty bugs in the subsequent versions,
    > but I've not kept current on issues with the latest release.
    > I understand the next GW version with native mobile device templates is
    > around the corner, but management may want to address this sooner.
    >
    > Is this failure to recognize password expiry in the simple interface a
    > known behavior?
    >
    > Regards,
    > Fdiaz
    I'll ask.

  • Resetting an Expired Password

    Hello All
    I am not sure if this is the right forum so please let me know if not.
    I currently have an ASP page that authenticates users against a Sun ONE LDAP server. The problem we seem to have is that when a user's password expires, we cannot bind anymore. The easiest way for us to sort this would be to get the "Password has expired" return code but I cannot work out how to do this in ASP.
    Or is the problem deeper than this and once a password has expired a user cannot reset it? Do we need to change something else to allow a user to bind with their old password to reset their password? Remembering we are trying to do this all with asp.net.
    Thanks
    D

    I also am ignorant of asp.net; however, Sun DS 6 has several features that can help solve your problem if you can figure out how to access them:
    1. If you configure the "expiration warning" feature in the password policy, once an entry's password is in the warning period, an unsolicited "expiration warning" control is returned with each bind. The control data is the seconds until expiration. Password policy configuration is documented in http://docs.sun.com/app/docs/doc/820-2491/fhkrj?a=view . You can search for "OID 2.16.840.1.113730.3.4.5" on google for info about the control. You should also become familiar with the unsolicited password expired control "OID 2.16.840.1.113730.3.4.4". These controls are also implemented in DS5.
    2. If you supply the bind (or most other) operation with the IETF draft password policy request control, Sun DS 6.1 and later return a (properly encoded) password policy response control containing password policy operational state. Search for "OID 1.3.6.1.4.1.42.2.27.8.5.1"
    3. Your application can request the operational state of an entry via the user status control in Sun DS 6.1 and later. Search for "OID 1.3.6.1.4.1.42.2.27.9.5.8"
    4. If you have implemented some form of expiration warning, then presumably the majority of your users will have changed passwords before expiration, and you can force the others to go through some self-service or help-desk password reset function (i.e., enable must-change-on-reset, then administratively change the user's password, forcing him/her to change it at next bind).
    5. If you want to allow users with an expired password to access the DS solely for the purpose of changing the password, see http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdht?a=view#resetting-expired-passwords . If you do some more investigation on Sun DS (6.2 and later) implementation of the password modify extended operation (and ldappasswd), you should find details on enabling the extension to allow a user to change an expired password.
    6. You might also take a look at http://docs.sun.com/app/docs/doc/820-2490/6ne3cisoj?a=view#pwdpol for an overview of the new password policy implementation in DS6, compared to the DS5 password policy, and the strategy to migrate from DS5 to DS6.
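
How an application can act on the bind response controls named in items 1 and 2 above, as an added example that is not part of the original answer: it decodes the password policy response control (1.3.6.1.4.1.42.2.27.8.5.1) as laid out in the IETF draft and handles the two unsolicited controls. It assumes the LDAP client library hands back the bind result code and the response controls as (OID, raw value) pairs; the function names and sample byte strings are constructed for illustration.

```python
PWD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"     # unsolicited "password expired"
PWD_EXPIRING_OID = "2.16.840.1.113730.3.4.5"    # unsolicited "expiration warning"
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"       # draft password policy response

# Error codes of the draft's PasswordPolicyResponseValue (ENUMERATED).
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def decode_ppolicy(value):
    """Decode SEQUENCE { warning [0] CHOICE {...} OPTIONAL, error [1] ENUMERATED OPTIONAL }."""
    state = {"seconds_left": None, "grace_left": None, "error": None}
    if not value:
        return state
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("password policy response is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag == 0xA0:                     # warning: wraps the CHOICE
            wtag, wval, _ = _tlv(content, 0)
            number = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:                # timeBeforeExpiration
                state["seconds_left"] = number
            elif wtag == 0x81:              # graceAuthNsRemaining
                state["grace_left"] = number
        elif tag == 0x81:                   # error
            code = int.from_bytes(content, "big")
            state["error"] = PPOLICY_ERRORS.get(code, "unknown")
    return state


def bind_outcome(result_code, controls):
    """Map a bind result plus response controls to (action, seconds_left).

    action is 'proceed', 'warn', 'change_password' or 'reject'.
    """
    must_change, seconds_left = False, None
    for oid, value in controls:
        if oid == PWD_EXPIRED_OID:
            must_change = True
        elif oid == PWD_EXPIRING_OID:
            seconds_left = int(value.decode("ascii"))   # seconds as ASCII digits
        elif oid == PPOLICY_OID:
            state = decode_ppolicy(value)
            if state["error"] in ("passwordExpired", "changeAfterReset"):
                must_change = True
            if state["seconds_left"] is not None:
                seconds_left = state["seconds_left"]
    if must_change:
        return ("change_password", None)    # send the user to the reset flow
    if result_code != 0:
        return ("reject", None)             # ordinary failure, e.g. wrong password
    if seconds_left is not None:
        return ("warn", seconds_left)
    return ("proceed", None)


if __name__ == "__main__":
    expired = bytes.fromhex("3003810100")           # error = passwordExpired (constructed)
    expiring = bytes.fromhex("3006a00480020e10")    # timeBeforeExpiration = 3600 (constructed)
    print(bind_outcome(49, [(PPOLICY_OID, expired)]))
    print(bind_outcome(0, [(PPOLICY_OID, expiring)]))
```
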

  • Password reset is disabled.  Expired password does not cause reset prompt o

    Server: Oracle 11.2 on Linux Redhat 64-bit. Installed 32-bit 11.2 Oracle full client on Windows 7 64-bit workstation. Setting up user to test expired password prompt capability of SQLDeveloper 3.0.0.4. So far, failing every time. Password Reset on menu is disabled. Logging in or testing in properties (Connection) simply fails with ORA-28001: the password has expired. Not sure how to proceed or enable password reset. FYI, connections only work for connection type of Basic and TNS if I disable OCI/thick driver. When enabled, I get "<oracle_home>\bin\ocijdbc11.dll Can't find dependent libraries"
    Not sure how to proceed. Need guidance and instruction or at least point me to documentation please. I'm not finding much on this issue.

    Thanks -K- for the response. I'll try that but it shouldn't be the cause of my issue. You see, a few weeks ago, I had SQLDeveloper installed on all our team's 32-bit Windows XP SP3 workstations. The reported issue was occurring then as well. Since then, the 64-bit Windows 7 workstations arrived and the saga continues:-)
    Any other thoughts on my issue are appreciated.
