Reset an expired password in 11g

Similar Messages

• Resetting an Expired Password

  Hello All
  I am not sure if this is the right forum so please let me know if not.
  I currently have an ASP page that authenticates users against a Sun ONE LDAP server. The problem we seem to have is that when a users password expires, we cannot bind anymore. The easiest way for us to sort this would be to get the "Password has expired" return code but I cannot work out how to do this in ASP.
  Or is the problem deeper than this and once a password has expired a user cannot reset it? Do we need to change something else to allow a user to bind with their old password to reset their password. Remembering we are trying to do this all with asp.net.
  Thanks
  D

  I also am ignorant of asp.net; however, Sun DS 6 has several features that can help solve your problem if you can figure out how to access them:
  1. If you configure the "expiration warning" feature in the password policy, once a entry's password is in the warning period, an unsolicited "expiration warning" control is returned with each bind. The control data is the seconds until expiration. Password policy configuration is documented in http://docs.sun.com/app/docs/doc/820-2491/fhkrj?a=view . You can search for "OID 2.16.840.1.113730.3.4.5" on google for info about the control. You should also become familiar with the unsolicited password expired control "OID 2.16.840.1.113730.3.4.4". These controls are also implemented in DS5.
  2. If you supply the bind (or most other) operation with the IETF draft password policy request control, Sun DS 6.1 and later return a (properly encoded) password policy response control containing password policy operational state. Search for "OID 1.3.6.1.4.1.42.2.27.8.5.1"
  3. Your application can request the operational state of an entry via the user status control in Sun DS 6.1 and later. Search for "OID 1.3.6.1.4.1.42.2.27.9.5.8"
  4. If you have implemented some form of expiration warning, then presumably the majority of your users will have changed passwords before expiration, and you can force the others to go through some self-service or help-desk password reset function (i.e., enable must-change-on-reset, then administratively change the user's password, forcing him/her to change it at next bind).
  5. If you want to allow users with an expired password to access the DS solely for the purpose of changing the password, see http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdht?a=view#resetting-expired-passwords . If you do some more investigation on Sun DS (6.2 and later) implementation of the password modify extended operation (and ldappasswd), you should find details on enabling the extension to allow a user to change an expired password.
  6. You might also take a look at http://docs.sun.com/app/docs/doc/820-2490/6ne3cisoj?a=view#pwdpol for an overview of the new password policy implementation in DS6, compared to the DS5 password policy, and the strategy to migrate from DS5 to DS6.

• Introducing a custom Password policy to expire passwords. odsee 11g - what are the expected results

  We have left the default Password Policy untouched. As a default password aging is off. Our DS compatibility mode is now DS6 so we can add Password Policies with max age!
  Some users need to have their passwords changed regularly due to political reasons.
  We have introduced a custom Password Policy which has a pwd_Max_age value of 180 days and allows the user to Change Password. Entry is cn=Custom Pwd Policy for ABC,dc=mycorp,dc=com
  Ok. Now we get confused by the behaviour of this ODSEE 11g server. Now, we are ADDING a new custom Password Policy to just a few selected users!
  1. When we add the Policy to the user by setting the passwordpolicysubentry attribute = "cn=Custom Pwd Policy for ABC,dc=mycorp,dc=com"
  - Nothing seems to happen.
  - WHEN IS THE PASSWORD EXPIRED?
  2. After we change a password for a user who has the passwordpolicysubentry attribute, he gains a new attribute pwdChangedTime
  - IS THIS THE ONLY TIME THE EXPIRY CLOCK STARTS TICKING? *AFTER* THE PASSWORD IS CHANGED?
  3. Is it true, that if a user never changes his password, even if he gets the new custom password policy applied, his password never automatically expires????
  I just cannot work out what is supposed to happen. I would have hoped that at the very least, the password begins to expires as soon as he gets a Password Policy with pwd_Max_age set.
  How is ODSEE 11g designed/supposed to function.
  Help!!!!!
  *HH

  Sylvain ,Many thanks for your reply and suggestions. Always good to have a choice!
  So it seems the only way to get the password aging clock to tick is for the password to be changed after having the password policy applied.
  Option1 is not really an option although it certainly would make the users change the password and set up the password aging...
  The main difficulty with odsee 11g  (Version 11.1.1.7.0) is that pwdChangedTime is a system read-only attribute linked to a modification to userPassword attribute, I cannot use ldapmodify to add/modify the pwdChangedTime attribute.
  I was amazed that I can read/store the userpassword as the base64 string and replace the userpassword attribute with this value using ldapmodify. This is very easy (and works!) but will cause the pwdChangedTime attribute to contain the same time for all users. I can imagine helpdesk loving it when everyone calls them in 6 months time.
  Using the LDIF backup/restore utility looks the best option, if it succeeds. At least we can randomize the actual value of pwdChangedTime with this approach.
  Mercy Buckets.

• Changing expired password on a cbckend database from a frontend database

  I have a split database with an Oracle backend (BE) and MS Access frontend (FE). My question is how to reset an expired password on the BE from the FE.
  If I log on to the backend via sqlplus an error ORA-28001 (Password expired) occurs and the system immediately prompts for a new password before completing the login process.
  If I log on from the frontend I get the same ORA error from the BE, but as far as I can tell, I can't reset the password from the FE.
  I can capture the error fine at the FE and I am thinking that I could use this to open a dialog to reset the password and change it over the ODBC connection. The problem is that I need to get a connection to the BE database before sending a command to change the password from the FE, but since login cannot be completed from the FE, because of the expired password, I can't get an ALTER USER statement to execute on the BE to reset the password.
  Is there a way to change a pre-expired password on an Oracle backend database from a frontend database? I don't see this as an Oracle/Access problem but as a problem that exists for any split database.

  I have thought about this a little and I am thinking about keeping a table of password update information. I can use this to create a "soft" expired password, using an expiration date in the table for each account. If the password is expired by the database then we can just update it with sqlplus or one of the other options.
  As far as getting the organization to change it is waaaay to big and stupid to change their policy.

• Reset expired Passwords?

  Recently the DBAs overhauled out account policies to have passwords expire every X days. I'm running into my first expired account and I'm getting an ORA-28001: the password has expired error, but no prompt to reset the password.
  I thought I'd put in a feature request for a password reset window for this situation, but it seems that there was already one out there: http://htmldb.oracle.com/pls/otn/f?p=42626:39:2786248920877118::NO::P39_ID:22121
  Closed: "Context menu to Reset Password is available"
  Does anybody know how to go about resetting expired passwords in SQL Developer?

  So my help-desk finally got around to doing an install of the 11g client. Still having an issue. I've done the following:
  -Made my ORACLE_HOME the 11g client base dir.
  -Made %ORACLE_HOME%\bin the first entry in my path
  Still getting the same error. Even tried creating a new connection. I can connect with 11g SqlPlus.
  Any thoughts?

• Password reset is disabled.  Expired password does not cause reset prompt o

  Server: Oracle 11.2 on Linux Redhat 64-bit. Installed 32-bit 11.2 Oracle full client on Windows 7 64-bit workstation. Setting up user to test expired password promp capability of SQLDeveloper 3.0.0.4. So far, failing every time. Password Reset on menu is disabled. Loging in or testing in properties (Connection) simply fails with ORA-28001: the password has expired. Not sure how to proceed or enable password reset. FYI, connections only work for connection type of Basic and TNS if I disable OCI/thick driver. When enabled, I get "<oracle_home>\bin\ocijdbc11.dll Can't find dependent libraries"
  Not sure how to proceed. Need guidance and instruction or at least point me to documentation please. I'm not finding much on this issue.

  Thanks -K- for the response. I'll try that but it shouldn't be the cause of my issue. You see, a few weeks ago, I had SQLDeveloper installed on all our team's 32-bit Windows XP SP3 workstations. The reported issue was occurring then as well. Since then, the 64-bit Windows 7 workstations arrived and the saga continues:-)
  Any other thoughts on my issue is appreciated.

• Resetting expired password from JDBC

  Hi All,
  I would like to know if it is possible to change an expired password from a java client that uses JDBC (classes12.zip) "thin client" to connect to oracle database (8.1.7.4).
  Can we capture the "password expired" exception from the client and change the expired password from within the java client.
  The current connect string is --->
  Connection conn;
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  conn = DriverManager.getConnection("jdbc:oracle:thin:@host:port:sid",user,pass);
  Is it possible to do something like this ???
  try {
  conn = DriverManager.getConnection("jdbc:oracle:thin:@host:port:sid",user,pass);
  catch ( SQLException sqle ) {
  if ( sqle.getErrorCode() == 28001 ) // i.e. passwd expired
  //1. ask user to enter the new passwd &
  //2. change it in the database.
  Is there any other way of doing this ??
  Thanks in advance
  Arun

  I haven't tried this, but there some things to think about.
  1) Have you tried to capture the Exception? Is it a problem?
  2) Have you tried to alter a password through JDBC? Is it a problem? To execute other DDL you have to use executeUpdate() I would assum that if you can do this it will also require an executeUpdate().
  Now assuming #1 and #2 are OK
  3) How are you going to change a password when the you cannot connect because the password has expired? Are you going to hard code another non-expired userid/password in the code (bad idea). Are you going to ask the user to enter some type of administrative userid/password that will allow them to change their password?
  Just some thoughts, sorry I cannot help more...

• Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

  What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
  We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness
  and lack of attention to email messages) or they see the warning messages and forget to act on it.
  When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their
  password reset.
  Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating
  their login failed for unknown reasons or password is "incorrect?"

  It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
  A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
  For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
  There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
  http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

• Simple Interface expired password change prompt

  We have a population of users who access GW exclusively through WebAcc. Some of this population has jumped on the mobile device bandwagon and so we've directed them to the simple interface when accessing GW from a mobile device.
  Some of these mobile device users now exclusively use the simple interface on their tablet/phone to access GW and when their password is expired, are never presented with the password change dialogue.
  Ive verified when user with an expired password navigates directly to the simple interface url , https://gwserver/gw/webacc?User.interface=simple, either on a mobile device or desktop browser, IE, FF, Chrome, the user consumes a grace login and is taken directly to the simple interface mailbox.
  Resetting grace logins and navigating to the standard webacc interface the GW password change dialogue is presented as expected.
  GroupWise 8.0.1 webacc on netware. I think wed refrained from going to newer releases in fear of some nasty bugs in the subsequent versions, but Ive not kept current on issues with the latest release.
  I understand the next GW version with native mobile device templates is around the corner, but management may want to address this sooner.
  Is this failure to recognize password expiry in the simple interface a know behavior?
  Regards,
  Fdiaz

  On 8/8/2011 8:36 AM, vodobaas wrote:
  > We have a population of users who access GW exclusively through WebAcc.
  > Some of this population has jumped on the mobile device bandwagon and so
  > we've directed them to the simple interface when accessing GW from a
  > mobile device.
  > Some of these mobile device users now exclusively use the simple
  > interface on their tablet/phone to access GW and when their password is
  > expired, are never presented with the password change dialogue.
  >
  > Ive verified when user with an expired password navigates directly to
  > the simple interface url ,
  > https://gwserver/gw/webacc?User.interface=simple, either on a mobile
  > device or desktop browser, IE, FF, Chrome, the user consumes a grace
  > login and is taken directly to the simple interface mailbox.
  > Resetting grace logins and navigating to the standard webacc interface
  > the GW password change dialogue is presented as expected.
  > GroupWise 8.0.1 webacc on netware. I think wed refrained from going to
  > newer releases in fear of some nasty bugs in the subsequent versions,
  > but Ive not kept current on issues with the latest release.
  > I understand the next GW version with native mobile device templates is
  > around the corner, but management may want to address this sooner.
  >
  > Is this failure to recognize password expiry in the simple interface a
  > know behavior?
  >
  > Regards,
  > Fdiaz
  I'll ask.

• Ad-User script to check if expired password = true and email helpdesk

  I have a script that runs each day and reminds my users that their password will expire. This works well.
  I'm having trouble creating a script to email our helpdesk once the password has expired so engineers can reset it automatically.
  The code I have displays nothing yet I know I have expired passwords.
  Get-ADUser -filter {(Enabled -eq $True) -and (PasswordNeverExpires -eq $False) -and (PasswordExpired -eq $True)} -properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, GivenName
  Please help!

  I looked at a test user meeting these criteria. Although the AccountExpirationDate was in the past, the AccountExpired property was still $False. I'm not sure what process is responsible for changing the AccountExpired property based on AccountExpirationDate,
  but this is where your script seems to fail. 
  This works:
  Get-ADUser -filter {(Enabled -eq $True) -and (PasswordNeverExpires -eq $False)} -properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, GivenName, AccountExpirationDate |
  Where { $_.AccountExpirationDate -lt (Get-Date) }
  Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable) _________________________________________________________________________________
  Powershell: Learn it before it's an emergency http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx
  Account expired is derived by the Classes.  It is not on the raw object. It is all that needs to be checked.  If an account is not set to be expired then that will always be false.
  Like this:
  Get-ADUser -filter * -properties * |?{$_.passwordexpired}  | select passwordexpired
  You can also do the math.
  ¯\_(ツ)_/¯

• How to deal with expired passwords in authentication schemes?

  IHi,
  I am trying to build an authentication scheme that deals with expired passwords. After the user has provided their valid but expired password they should be redirected to a password reset page. After they have provided a new password they should be allowed to continue to the page they would have otherwise gone to had their password not expired.
  I have written my authentication processs as follows:
  CREATE OR REPLACE FUNCTION inventory_test.inventory_authentication (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
  RETURN BOOLEAN
  IS
  r1 apex_users%ROWTYPE;
  valid_password BOOLEAN;
  BEGIN
  IF p_password IS NULL
  THEN
  RETURN FALSE;
  END IF;
  SELECT *
  INTO r1
  FROM apex_users
  WHERE UPPER (username) = UPPER (p_username);
  valid_password :=
  DBMS_OBFUSCATION_TOOLKIT.md5 (input_string =&gt; p_password
  || TO_CHAR (r1.SEED, '99999')
  ) = r1.PASSWORD;
  IF valid_password AND (r1.password_expiration_date &lt; SYSDATE)
  THEN
  apex_util.set_session_state ('FSP_AFTER_PASSWORD_RESET_URL', v ('FSP_AFTER_LOGIN_URL')); -- My new application item
  apex_util.set_session_state ('FSP_AFTER_LOGIN_URL',
  'F?P=' || v ('APP_ID') || ':14:' || v ('APP_SESSION')
  END IF;
  RETURN valid_password;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RETURN FALSE;
  END;
  This redirects the user to the password reset page but FSP_AFTER_PASSWORD_RESET_URL is null - presumably because the login process changes the session.
  This seems the wrong approach anyway as the user, once authenticated, can change the page number in the URL and avoid the password reset. I would guess that I need to use the APEX_CUSTOM_AUTH package somehow. However, I am thoroughly confused about the relationship between the LOGIN and POST_LOGIN procedures. Also, I gather from other posts in this forum that there is some asynchronous processing that goes on as new sessions are created. Can someone point me in the right direction please?
  --Tony
  [http://tonyhasler.wordpress.com/][http://tonyhasler.wordpress.com/]

  Sorry for taking so long to acknowledge your helpful suggestions.
  Scott's proposal is a tiny tiny bit awkward as,if i understand it correctly, the user would have to reauthenticate after resetting the password.
  /dev/null's suggestion is actually not too bad for me. I already have each page being authorised and I use only a limited mumber of (once per session) authorization schemes. I think all I have to do is to place an extra line or two in each scheme to check the expiration date of the user's password and remember to call APEX_UTIL.RESET_AUTHORIZATIONS when the password is reset.
  I successfully redirected to the password reset page using owa_util.redirect_url from the post-authentication procedure but what I am still having trouble with is the deep-linking bit. It seems I have to obtain the target URL by 'editing' FSP_AFTER_LOGIN_URL to replace '|' characters by ':' characters and inserting the session id in the right place. Given the fact that FSP_AFTER_LOGIN_URL may not be set and that there may not be sufficient ':' characters in the URL this is very clunky.
  Is there an easier way to do this?
  --- Never mind. I worked out how to use regular expressions with SQL to do this. A full explanation is in my blog.
  --Tony
  http://tonyhasler.wordpress.com
  Edited by: TonyHasler on Sep 6, 2008 3:17 PM

• How do i reset my master password on MacBook Pro previously owned by someone else?

  I purchased from someone else in 2011 and needed to reset master password.  It was done, but now I am having problems resetting it.  It does not recognize the reset password.  I am trying to add new software and can't do so without password.  Can someone please help me?  I entered to change in terminal window, but when it comes to adding new password, computer won't allow to add new passcode in blank. 

  Check out KB Articles http://support.apple.com/kb/HT1274 Changing or resetting an account password and http://support.apple.com/kb/PH11390 OS X Mountain Lion: Reset a login password  if you are using ML.  You never stated which OS you are currently using. 

• HT204053 Seems my iCloud password is not the same as my iTunes.  Where do I go to reset my iCloud password?  I cannot access anything when prompted to put in my iCloud password because I do NOT KNOW it.  Thanks!

  Seems my iCloud password is not the same as my iTunes.  Where do I go to reset my iCloud password?  I cannot access anything when prompted to put in my iCloud password because I do NOT know it.  Thanks!  I've used my iTunes password for everything else Apple does and would like to use the same one for my iCloud.

  Do the following:
  Make sure you are signed into iMessage and FaceTime with your current ID.  If they are signed into the old ID, go to Settings>Messages>Send & Receive and Settings>FaceTime, tap the ID, sign out, then sign back in with your current ID.
  Then temporarily recreate the old ID by going to https://appleid.apple.com, click Manage my Apple ID and sign in with your current iCloud ID.  Click edit next to the primary email account, change it back to your old email address and save the change.  (You should not have to verify the old email account so it doesn’t matter if you no longer have access to it.)  Now go to Settings>iCloud, turn off Find My iDevice and enter your current password when prompted (even though it prompts you for the password for your old ID).  Then go to Settings>iCloud, tap Sign Out (or Delete Account if you are not running iOS 8) and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https://appleid.apple.com and change your primary email address back to the way it was.  Now you can go to Settings>iCloud and sign back in with your current iCloud ID and password (your data will download back to your device).

• How to reset my login password for macbook air

  How can I reset my login password for my laptop? For some weird reason, my login password no longer works. I now have to get on by logging into guest and then clicking on my username.

  Reset Password using Recovery HD
  OS X 10.7 Lion /10.8 Mountain Lion
  Follow the instructions in the first and third boxes.
  http://pondini.org/OSX/Password.html

• HT4798 i created my apple id account, verified but know i m unable to log on, it says incorrect password, i tried to reset via forgot password option but it does not send reset password page to my e- mail address, how can i get this sorted or delete my pr

  User created apple id account, verified but know she is unable to log on, it says incorrect password, she tried to reset via forgot password option but it does not send reset password page to here e- mail address, how can i get this sorted? or how can i get her whole apple account deleted and created new one using same e - mail address?

  The idea to jumpstart by change was not the smartest one, but gives you an opportunity to use that "temporary" account as permanent. You do not have a choice cause obviously despite you thinking that old account is no more -it does exist on Apple servers. And if you are unwilling to share your [email protected] with friend, just create one extra [email protected] for your friend. One suggestion - do not use gmail.