Extend Password Change Functionality

Is there a way to extend the Password Change functionality in Access Manager to envorce a more complicated password scheme - upper case, lower case, special characters, etc? The password policy appears to not allow specifying more complicated password enforcement schemes.
Thanks,

This needs a small modification to the JSP and/or the action class.
The usual effort estimate is 2-4 days for a resource with experience on how to do this. 2-4 weeks for a resource that hasn't done it before.
Best regards
/Martin

Similar Messages

Password change fails in SQL Developer with verify function...

A couple of months ago I enforced a password verify function on our 11.2.0.3 databases and also one legacy 10.2.0.4 database.
At the time I tested on my account (which had elevated privileges...doh!). Now some users are hitting expiry, they can't change it via SQL Developer.
If I create a user with 'create session' privilege and set their profile to one that uses the verify function (see both below), I then log in to SQL Developer (we have tried with versions 3.1 (Windows) and 3.2 (Linux) with same failure results.
BTW,.. the password verify function enforces the following:
password must be minimum of 8 characters
password must not be the same as the user name, or user name (1-100)
password must contain at least a single digit
password must contain at least a single character
1. Works = I log into the local server and run command line SQLPlus, type 'password' and update. I can successfully change my password.
2. Fails = I log into the local server and run command line SQLPlus, type 'alter user <me> identified by <newpwd>;' I get:
TEST: SUTEMP > alter user sutemp identified by carport9999;
alter user sutemp identified by carport9999
ERROR at line 1:
ORA-28221: REPLACE not specified
This error is because the account does not have the 'alter user' privilege. I'm okay with this, as I don't want our users having this privilege.
3. I start SQL Developer 3.2, type 'alter user <me> identified by <newpwd>;' I get the same ORA-28221 error as above. That is fine, and as expected.
4. Now in SQL Developer, I type 'password', set a valid password, but I get 'Failed to change password' in the Script Output tab.
I have a database 'after servererror on database' trigger set, and querying the database table it is logging into, I see a record with a date stamp matching my failure with a server_error=28221 (the same as above).
So I'm wondering if I'm doing something wrong here, or if this is a bug in SQL Developer. I don't want standard users having 'alter user' privileges, but I do want to enforce password verification.
I get the same result on three 11.2.0.3 databases (haven't tried any more but suspect same results for others) and one legacy 10.2.0.4 database, and using SQL Developer 3.1 and 3.2.
DBA_PROFILE used:
PROFILE
RESOURCE_NAME
RESOURCE LIMIT
CTRU
COMPOSITE_LIMIT
KERNEL DEFAULT
CTRU
SESSIONS_PER_USER
KERNEL 10
CTRU
CPU_PER_SESSION
KERNEL DEFAULT
CTRU
CPU_PER_CALL
KERNEL DEFAULT
CTRU
LOGICAL_READS_PER_SESSION KERNEL DEFAULT
CTRU
LOGICAL_READS_PER_CALL
KERNEL DEFAULT
CTRU
IDLE_TIME
KERNEL DEFAULT
CTRU
CONNECT_TIME
KERNEL DEFAULT
CTRU
PRIVATE_SGA
KERNEL DEFAULT
CTRU
FAILED_LOGIN_ATTEMPTS
PASSWORD 10
CTRU
PASSWORD_LIFE_TIME
PASSWORD 180
CTRU
PASSWORD_REUSE_TIME
PASSWORD DEFAULT
CTRU
PASSWORD_REUSE_MAX
PASSWORD 5
CTRU
PASSWORD_VERIFY_FUNCTION PASSWORD VERIFY_FUNCTION_11G
CTRU
PASSWORD_LOCK_TIME
PASSWORD .002
CTRU
PASSWORD_GRACE_TIME
PASSWORD 21
16 rows selected.
Verify Function used:
$ cat utlpwdmg.sql
Rem
Rem $Header: utlpwdmg.sql 02-aug-2006.08:18:05 asurpur Exp $
Rem
Rem utlpwdmg.sql
Rem
Rem Copyright (c) 2006, Oracle. All rights reserved.
Rem
Rem NAME
Rem utlpwdmg.sql - script for Default Password Resource Limits
Rem
Rem DESCRIPTION
Rem This is a script for enabling the password management features
Rem by setting the default password resource limits.
Rem
Rem NOTES
Rem This file contains a function for minimum checking of password
Rem complexity. This is more of a sample function that the customer
Rem can use to develop the function for actual complexity checks that the
Rem customer wants to make on the new password.
Rem
Rem MODIFIED (MM/DD/YY)
Rem suren 05/09/13 - customise for NIHI use
Rem asurpur 05/30/06 - fix - 5246666 beef up password complexity check
Rem nireland 08/31/00 - Improve check for username=password. #1390553
Rem nireland 06/28/00 - Fix null old password test. #1341892
Rem asurpur 04/17/97 - Fix for bug479763
Rem asurpur 12/12/96 - Changing the name of password_verify_function
Rem asurpur 05/30/96 - New script for default password management
Rem asurpur 05/30/96 - Created
Rem
-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script
CREATE OR REPLACE FUNCTION verify_function_11G
(username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
 n boolean;
 m integer;
 differ integer;
 isdigit boolean;
 ischar boolean;
 ispunct boolean;
 db_name varchar2(40);
 digitarray varchar2(20);
 punctarray varchar2(25);
 chararray varchar2(52);
 i_char varchar2(10);
 simple_password varchar2(10);
 reverse_user varchar2(32);
BEGIN
 digitarray:= '0123456789';
 chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
 -- Check for the minimum length of the password
 IF length(password) < 8 THEN
 raise_application_error(-20001, 'Password length less than 8');
 END IF;
 -- Check if the password is same as the username or username(1-100)
 IF NLS_LOWER(password) = NLS_LOWER(username) THEN
 raise_application_error(-20002, 'Password same as or similar to user');
 END IF;
 FOR i IN 1..100 LOOP
 i_char := to_char(i);
 if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THEN
 raise_application_error(-20005, 'Password same as or similar to user name ');
 END IF;
 END LOOP;
 -- Check if the password contains at least one letter, one digit
 -- 1. Check for the digit
 isdigit:=FALSE;
 m := length(password);
 FOR i IN 1..10 LOOP
 FOR j IN 1..m LOOP
 IF substr(password,j,1) = substr(digitarray,i,1) THEN
 isdigit:=TRUE;
 GOTO findchar;
 END IF;
 END LOOP;
 END LOOP;
 IF isdigit = FALSE THEN
 raise_application_error(-20008, 'Password must contain at least one digit, one character');
 END IF;
 -- 2. Check for the character
 <<findchar>>
 ischar:=FALSE;
 FOR i IN 1..length(chararray) LOOP
 FOR j IN 1..m LOOP
 IF substr(password,j,1) = substr(chararray,i,1) THEN
 ischar:=TRUE;
 GOTO endsearch;
 END IF;
 END LOOP;
 END LOOP;
 IF ischar = FALSE THEN
 raise_application_error(-20009, 'Password must contain at least one digit, and one character');
 END IF;
 <<endsearch>>
 -- Check if the password differs from the previous password by at least
 -- 3 letters
 IF old_password IS NOT NULL THEN
 differ := length(old_password) - length(password);
 differ := abs(differ);
 IF differ < 3 THEN
 IF length(password) < length(old_password) THEN
 m := length(password);
 ELSE
 m := length(old_password);
 END IF;
 FOR i IN 1..m LOOP
 IF substr(password,i,1) != substr(old_password,i,1) THEN
 differ := differ + 1;
 END IF;
 END LOOP;
 IF differ < 3 THEN
 raise_application_error(-20011, 'Password should differ from the old password by at least 3 characters');
 END IF;
 END IF;
 END IF;
 -- Everything is fine; return TRUE ;
 RETURN(TRUE);
END;
alter profile ctru limit password_verify_function verify_function_11g;
alter profile default limit password_verify_function verify_function_11g;
alter profile web_and_it limit password_verify_function verify_function_11g;

okay,... I just saw another website which shows I should put in the 'replace <oldpwd>' clause in.
This works in SQL Developer: alter user sutemp identified by carport999 replace garage999;
So why does the 'password' command fail? (Developers: it would also be helpful to have the ORA- error displayed as opposed to 'Failed to change password')

Can we lock down user admin functionality to allow password changes only?

Hi,
Is it possible to lock down the user admin functionality so a specific role can only change passwords?
We have a large user base of >10K infrequent users that are forced to change their passwords every 30 days. We suspect a lot will require password changes and we are keen to not have the tech team spending most of their time dealing with such requests. We would like to pass this task onto data management but not allow them the system administrator functionality.
We know we can create a responsibility with a limited menu available so the operator can see only the security/user/define menu. But this will still allow the person to add responsibilities to existing user accounts and create new user accounts, both of which are deemed unacceptable security risks. Is it possible to lock down the form as well as the menu? Allowing operators to only change the password of existing users? Or can we use the custom.pll to error when a user tries to do anything except edit the password field when in this role?
Thanks
Matt

You should be able to do that. You would create a new privilege level (ie 7), assign all commands to that level except (this is my guess) the command vpn-sessiondb, you would put that at a lower privilege level (ie 6). Here's a write-up that may help getting you in the right direction.
http://www.packetpros.com/2012/08/read-only-asdm.html

My "website login info remember function" won't recognize/save new password changes to Yahoo mail

I've just changed my password into my Yahoo email account - however the Foxfire website login data remember function box doesn't appear asking if I want to save my new login information.
I've checked my Tools/Options/Security info and all is as should be... And my Tools/Options/Privacy/Remember History box is checked too...
In fact the "remember password data" box just popped up when I registered with this site and added my new login info to my list of saved login ID's and passwords...
Seems to be the "login data remember function" isn't recognizing my Yahoo mail login password change as new info that needs to be re-saved...

hello bthrower, websites can specify if browsers should be able to save username/passwords (through the autocomplete="off" attribute in the login form in the html source code) - this is often the case when a higher level of security is presumably required by those sites.
you can either [https://addons.mozilla.org/firefox/addon/remember-passwords/ install an addon] or [https://www.squarefree.com/bookmarklets/forms.html#remember_password use a bookmarklet] to circumvent this restriction.
[[Usernames and passwords are not saved]]

AMConsole - modify password change

Hey guys and gals,
We are currently using Access Manager in conjunction with Samba to provide a primary domain controller. We are utilizing the user profile section of amconsole in order to change the users LDAP password. However, we also need to generate the Samba NT/LM hashes to syncronize the password for SSO abilities.
Currently I've written a separate web app that provides this functionality, but would like to include it into the amconsole change password functionality.
I've looked into possibly extending the UMChangeUserPassword class, however I get nothing but headaches. Is there an example of how this can be accomplished or has anyone else solved this issue?
Thanks in advance!
Joshua Preston.

Hi
I dont claim to be an expert in this field, but I think you may be able achieve this by extending the functionality of the Directory Server that stores the LDAP password. The Sun DS has a way you can include a plugin. Have a look at
http://docs.sun.com/app/docs/doc/817-7617
Now using this, if you can define a postoperation (after every password change), then may be you can achieve what you are looking for.
My 2 cents.
-MD

EFS, password change denies access to encrypted data

Hi,
Has anyone had the issue with admin changing users password in Console One
resulting in users not being able to access their encrypted data.
Laptop users are using EFS to encrypt their data.
These users have WinXPPro SP2 and we are running ZfD 6.5SP2.
I have found IR 1 for ZfD 6.5 SP2 which includes TID3003874 "Personal IE
certificates and EFS stop working after password change" however this does
not fix the issue.
Could someone explain in more detail what this fix does as I may have
misunderstood what this fix is.
Regards,
Eric.

I know this is an old thread, but I thought it would be best to those who
found it realized that the best method for addressing this issue may be
found here:
http://www.novell.com/support/viewCo...rnalId=3724689
However the MS article could still be useful for some.
Craig Wilson - MCNE, MCSE, CCNA
Novell Support Forums Volunteer Sysop
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
"ghoskins" <[email protected]> wrote in message
news:[email protected]..
>
> I'm having the same problem. I ran acrosss this Microsoft KB and it
> seems to fix the issue. I'm not certain this is the best security
> practices, but it does work.
>
> 'User cannot gain access to certificate functionality after password
> change or when using a roaming profile'
> (http://support.microsoft.com/default...b;en-us;331333)
>
>
> --
> ghoskins
> ------------------------------------------------------------------------
> ghoskins's Profile: http://forums.novell.com/member.php?userid=12306
> View this thread: http://forums.novell.com/showthread.php?t=215857
>

Vpn client radius ad password change

Hi
I've read a few posts about this on the forum and it seems like very few people are able to resolve the issues they are having.
I have a working remote access vpn and I'm trying to add the password-expiry functionality. I've set a test user in AD to "change password at next logon" and when I logon using this user in the vpn client (5.0.07.0410) I am prompted for a box to type my new password twice. This is never written back to the server and the original authentication box pops up again. The password change box has the codes E=648, R=0, V=3 as in the attached image.
Does anyone have this working with radius and AD? A windows password change would normally request the old password to reauthenticate and then the new password twice.
Thanks
Cammy

Cammy,
Are you using radius to authenticate the vpn session or are you using ldap which is pointing to AD for authentication? This will work with radius since you can use mschap v2, however i want to be sure how you have your ASA setup first.
Thanks,
Tarik Admani

Mass password change for selective User id's ?

Hi,
 Thanks to answer for my last question, really appreciated your help.
My new question:
1. If I create Mass User Id's by using SU10, pwd's are generated automatically. Is there a way to pick a pwd e.g initpass for all ?
2. Is there any program available which can be used to reset pwd's for several User Id's as initpass or something like that ?
Please help. thnx in advance.
Syd.

You can also create an ABAP program which can be used to mass change users passwords.
Here are the functions that will do what you need
SUSR_GENERATE_PASSWORD - Generates a Password
BAPI_USER_CHANGE - You can use this BAPI to change just the password of a user
Here is an example of some abap code. There may be some syntax errors and possible other issues. I just typed this out and didnt check it. Hope this helps
constants: con_comma TYPE c VALUE ','.
data: it_tab TYPE filetable,
 gd_subrc TYPE i,
 v_filename_string TYPE string,
 p_npass like XU400-NEWCODE.
DATA: BEGIN OF itab OCCURS 0,
 dLine(40) type c,
 END OF itab.
DATA: begin of it_Users occurs 0,
 UserID like BAPIBNAME-BAPIBNAME,
 Password Like XUBCODE,
 end of it_Users.
parameters: p_file like rlgrap-filename default 'c:\users.txt' LOWER CASE.
AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_file.
*& FILE_OPEN_DIALOG METHOD *
 CALL METHOD cl_gui_frontend_services=>file_open_dialog
 EXPORTING
 window_title = 'Select File'
 default_filename = '*.txt'
 multiselection = ' '
 CHANGING
 file_table = it_tab
 rc = gd_subrc.
 LOOP AT it_tab INTO p_file.
 ENDLOOP.
 v_filename_string = p_file.
START-OF-SELECTION.
*& GUI_UPLOAD function *
 Upload file to internal table
 CALL FUNCTION 'GUI_UPLOAD'
 EXPORTING
 FILENAME = v_filename_string
 FILETYPE = 'ASC'
 HAS_FIELD_SEPARATOR = 'X'
 TABLES
 DATA_TAB = ITAB
 EXCEPTIONS
 FILE_OPEN_ERROR = 1
 FILE_READ_ERROR = 2
 NO_BATCH = 3
 GUI_REFUSE_FILETRANSFER = 4
 INVALID_TYPE = 5
 NO_AUTHORITY = 6
 UNKNOWN_ERROR = 7
 BAD_DATA_FORMAT = 8
 HEADER_NOT_ALLOWED = 9
 SEPARATOR_NOT_ALLOWED = 10
 HEADER_TOO_LONG = 11
 UNKNOWN_DP_ERROR = 12
 ACCESS_DENIED = 13
 DP_OUT_OF_MEMORY = 14
 DISK_FULL = 15
 DP_TIMEOUT = 16
 OTHERS = 17.
 IF SY-SUBRC <> 0.
 MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
 WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
 ENDIF.
Loop through internal table and split the comma delimited file
LOOP AT ITAB.
 SPLIT ITAB-dLINE AT con_comma INTO it_Users-UserID
 it_Users-Password.
 APPEND it_Users.
ENDLOOP.
LOOP AT it_Users.
 if it_users-Password is initial.
 CALL FUNCTION 'SUSR_GENERATE_PASSWORD'
 IMPORTING
 PASSWORD = p_npass
 endif.
 CALL FUNCTION 'BAPI_USER_CHANGE'
 EXPORTING
 USERNAME = it_users-userid
 PASSWORD = p_npass
 PASSWORDX = 'X'
 TABLES
 RETURN = it_ret2.
 Loop at it_ret2.
 if it_ret2-number = 039.
 write: / 'password changed'.
 else.
 write: / it_ret2-message.
 endif.
 endloop.
 Write: / ''.
 refresh it_ret2.
ENDLOOP.

Active directory, SSGD and password change

Hi everybody, we have some problems with SSGD, active directory and password change
Scenario:
We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
We have 2 different tarantella installations called "Sgd" and "Tlv";
Sgd servers are working servers and users authenticate against Eracle, used by our customer.
We made 2 basic different test with Tlv:
1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
2. we configure Tlv to authenticate users against Eracle ---> everything was ok
There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
There is ONE DIFFERENCE beetween Eracle and Gruppo:
Eracle Active Directory's properties:
Domain functional level: Windows 2000 mixed
Forest functional level: Windows 2000
Gruppo Active Directory's properties:
Domain functional level: Windows 2000 native
Forest functional level: Windows 2000
SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
Can someone help us^Hi Simon
I'll try again to explain you our problem, because it seems that I wasn't so clear.
Scenario:
We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
We have 2 different tarantella installations called "Sgd" and "Tlv";
Sgd servers are working servers and users authenticate against Eracle, used by our customer.
We made 2 basic different test with Tlv:
1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
2. we configure Tlv to authenticate users against Eracle ---> everything was ok
There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
There is ONE DIFFERENCE beetween Eracle and Gruppo:
Eracle Active Directory's properties:
Domain functional level: Windows 2000 mixed
Forest functional level: Windows 2000
Gruppo Active Directory's properties:
Domain functional level: Windows 2000 native
Forest functional level: Windows 2000
SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
Can someone help us?
Many thank
Patrizia

Added question.
Do you guys know if changing the password will change the password on their Active directory access.
Thanks,
helmut

Solaris 10 - ldap client - tls/ssl - password change

we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
passwd -r user1
passwd: Changing password for user1
passwd: Sorry, wrong passwd
Permission denied
where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
any ideas will be highly appreciated.

Not that it helps any but I am getting his same error. I am also using 6.3.1

Password Changed by

Hi,
I wanted to get the list of users who changed their passwords.
In USR02 table there is a last date of password changed. But the user who change the password is not recorded.
Is there any way to get this data?
Thanks
Pratibha

Hi,
yes, there is a way to get this information.
You can use the table USH02.
The report RSUSR100 (Change documents for Users) can show you this function, when you tick the box "Changes to header data" and "Password changes".
Regards,
Stefan

Password changed by employer

My employer or someone in relating to my job which I'm currently out sick and awaiting a supposed diciplinary hearing has changed my skype password simply by knowing my work email address
and username.
We use skype at work but i may also use it personally. Therefore,
what if anything can be done to regain access to my account? I dont have access to my work email address of course. Thank you.

Hi,
yes, there is a way to get this information.
You can use the table USH02.
The report RSUSR100 (Change documents for Users) can show you this function, when you tick the box "Changes to header data" and "Password changes".
Regards,
Stefan

Request password change

Hi, I need to request a password change to a group of users, is there a function or bapi that I can use to request the change?
Thanks

Hi,
Try rhis BAPI 'BAPI_USER_CHANGE' or contact BASIS team.
Regards,
Jyothi CH.

RBACx Encrypted Password Change Utility

Hi all,
In the OIA/SRM installation guide, there is a reference to a tool, to find out the password of rbacxservice.
"Oracle Identity Analytics utilizes an encrypted password when communicating with the database.
To change the default database password, use the RBACx Encrypted Password Change Utility"
Could you please help me finding out this tool.
Many thanks in advance.
Warm regards,
Manipradeep Sunku.

The mentioned tool only encrypts the password so that you don't have to store a plain text password in the config file. It does not decrypt it. The default rbacxservice password is rbacxservice.
The tool does not come with the OIA/SRM distribution so if you need it, you will need to contact support.

ACS 5.3 UCP Password Change

Hi at all,
i have a Problem with the UCP Webside Password Change.
The Side is running without Problem. A Password Change for the normal User is also o.k.
Here me Problem.
I will use this Side also for our Admins to Change here Password but this User has also a Enable Password.
Is it Possible to Change also this Password with the UCP Webside?
Thanks for help.
regards
Andreas

Hey Tushar,
That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user login with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to login to privileged exec mode. We are doing this for security reasons. Hopefully that clarifys what I'm trying to do.
Thanks

Extend Password Change Functionality

Similar Messages

Maybe you are looking for