SAP IDM : Using regex for password

Similar Messages

• Pam.conf does not use ldap for password length check when changing passwd

  I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
  I have dsee 6.0 installed on a solaris 10 server (client).
  I have a solaris 9 server (server) set up to use ldap authentication.
  bash-2.05# cat /var/ldap/ldap_client_file
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= X, Y
  NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= tls_profile
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_BIND_TIME= 10
  bash-2.05# cat /var/ldap/ldap_client_cred
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
  NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
  bash-2.05# cat /etc/nsswitch.conf
  # /etc/nsswitch.ldap:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # uses LDAP in conjunction with files.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
  passwd: files ldap
  group: files ldap
  # consult /etc "files" only if ldap is down.
  hosts: files dns
  ipnodes: files
  # Uncomment the following line and comment out the above to resolve
  # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
  # IPv4 addresses are searched in all of the ipnodes databases before
  # searching the hosts databases. Before turning this option on, consult
  # the Network Administration Guide for more details on using IPv6.
  #ipnodes: ldap [NOTFOUND=return] files
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: files
  bootparams: files
  publickey: files
  netgroup: ldap
  automount: files ldap
  aliases: files ldap
  # for efficient getservbyname() avoid ldap
  services: files ldap
  sendmailvars: files
  printers: user files ldap
  auth_attr: files ldap
  prof_attr: files ldap
  project: files ldap
  bash-2.05# cat /etc/pam.conf
  #ident "@(#)pam.conf 1.20 02/01/23 SMI"
  # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1 debug
  login auth required pam_dhkeys.so.1 debug
  login auth required pam_dial_auth.so.1 debug
  login auth binding pam_unix_auth.so.1 server_policy debug
  login auth required pam_ldap.so.1 use_first_pass debug
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1 use_first_pass
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_auth.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1 use_first_pass
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authenctication
  other auth requisite pam_authtok_get.so.1 debug
  other auth required pam_dhkeys.so.1 debug
  other auth binding pam_unix_auth.so.1 server_policy debug
  other auth required pam_ldap.so.1 use_first_pass debug
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy debug
  passwd auth required pam_ldap.so.1 use_first_pass debug
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_projects.so.1
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1 debug
  other account required pam_projects.so.1 debug
  other account binding pam_unix_account.so.1 server_policy debug
  other account required pam_ldap.so.1 no_pass debug
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1 debug
  other password requisite pam_authtok_get.so.1 debug
  other password requisite pam_authtok_check.so.1 debug
  other password required pam_authtok_store.so.1 server_policy debug
  # Support for Kerberos V5 authentication (uncomment to use Kerberos)
  #rlogin auth optional pam_krb5.so.1 try_first_pass
  #login auth optional pam_krb5.so.1 try_first_pass
  #other auth optional pam_krb5.so.1 try_first_pass
  #cron account optional pam_krb5.so.1
  #other account optional pam_krb5.so.1
  #other session optional pam_krb5.so.1
  #other password optional pam_krb5.so.1 try_first_pass
  I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
  May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
  May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
  May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
  May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
  May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
  May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
  May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
  May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
  May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
  May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
  May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
  If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
  bash-2.05$ passwd
  passwd: Changing password for VV
  Enter existing login password:
  New Password:
  passwd: Password too short - must be at least 8 characters.
  Please try again
  May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
  May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
  May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
  May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
  May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
  May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
  May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
  I am using the default policy on the directory server which states a minimum password length of 6 characters.
  server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
  pwd-accept-hashed-pwd-enabled : N/A
  pwd-check-enabled : off
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 1d
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : off
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : off
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : disabled
  pwd-max-failure-count : 3
  pwd-max-history-count : disabled
  pwd-min-age : disabled
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : CRYPT
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : off
  pwd-strong-check-require-charset : lower
  pwd-strong-check-require-charset : upper
  pwd-strong-check-require-charset : digit
  pwd-strong-check-require-charset : special
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : off
  Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
  . It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
  I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
  Edited by: ericduggan on Sep 8, 2008 5:30 AM

  you can try passwd -r ldap for changing the ldap passwds...

• Using SHA1 for passwords in Solaris 10

  Does any know how to use SHA1 encryption for passwords on Solaris 10? I know I'd need to modify crypt.conf, but I don't know where to get the .so to go along with that.
  I'm moving some users from Mac OS X, and their passwords are SHA1 hashes.
  Thanks!
  Mike VanHorn
  [email protected]

  yes, no and maybe :-)
  There is a command in /usr/platform/SUNW,Sun-Fire-V210/sbin which allows you to control the LOM, the name of this command is "scadm", the LOM packages on the supplemental CD are for different (older) types of LOM and doesn't to anything useful at all on a SunFire V210.
  However, even though the scadm command let you administer the LOM, it won't display the temprature, but you can use the prtdiag -v command to display information about fans, tempratures and friends.
  Happy Easter.
  //Magnus

• How to get SAP to use SSL for Content repository?

  I have defined a content repository in OAC0.  I would like SAP and the end user to use SSL when talking to the repository.  I have obtained a certificate for the repository, so that I can manually trference the repository via https... but in OAC0 when I press the Test Connection button I get "Connection Error:No SSLsupport available".  Do I have to import the content repository certificate into STRUST or something?

  Hi Ken,
  please have a look at the SAP note [712330|https://service.sap.com/sap/support/notes/712330].
  Best regards,
  Klaus

• SAP SSO using CUA for Transport Express implementation

  I am implementing Transport Express application as part of a larger project on a Dual Track environment. The business want TE to be integrated into the SSO landscape. This is where I am having difficulties. I need advice from anyone having implemented BTI's Transport Express into SAP requiring SSO with CUA as part of the business landscape? Our Domain Controller is Solution Manager. The TE settings in SolMan allow for a Web UI email notification, this contains a hyperlink to a user Dashboard. The expectation with SSO is that clicking on the hyperlink will automatically connect us to the Web UI Dashboard. Currently this does not work. Any suggestions?
  I have also been given three options to concider; 1. Our Portal manages ABAP and Java SSO, 2. SPNego is for ABAP systems, 3. A system to system config might work.

  Hi,
  Now SPNego is working on ABAP stack as well as Java stack.
  If you want to use this solution, the following videos may help.
  Single Sign-On with Kerberos
  Best regards,
  Shuai

• Problem using regex for url

  Heres the problem im trying to match
  <b>Heres my text</b>
  and using this pattern
  Pattern rnpattern = Pattern.compile(".+rel-.+html.+id=.+>(.+)</a>.+");
  and I'm having to matches returned at all. Its actually pulling a full text file and running the pattern on a CharBuffer, but I dont think thats the issue. I have 2 other patterns being run the same way in the same file and theres no problem with them. I know the pattern is not optimized at all, Ive gone through about 15 different iterations of trying different combinations to try and get a match, and this is the last one I tried. the numbers in the url such as this one being 3533 change so that cant be static. And the text such as "Heres my text" changes and thats what I want to capture. If anyone could lend any assistance I would appreciate it.
  Chris N.

  http://www.foad.org/~abigail/Perl/url2.html

• Use OIM 11g UI directly for password resets

  1. What is the best practice in using OIM for password resets? Two options that i have usually heard of are writing a custom app or UI and use OIM APIs for password resets. The other is use OIM UI directly.
  Are there any other options.
  2. Of the two options mentioned above, are there any concerns if we want to expose the OIM UI password reset link to internet- example, post the OIM UI link across the company's website which is available to everybody?
  Regards,
  Anand

  People,
  Any help will be really appreciated. I am looking for some suggestions in this regards. Thanks
  Anand

• Badi:BADI_SD_SALES(SAP says it is for internal use): But i was implemented

  Hi Experts,
  Badi:BADI_SD_SALES(SAP says it is for internal use): But i was implemented this badi. It is legal or not.
    I was implemented badi: BADI_SD_SALES . But it is for SAP internal use.
  For implementing this  i was changed the field u2018internalu2019  in Standard table: SXS_ATTR.
  I removed the X in that field.
  All these things done for  Creating Return order with reference to invoice. The client requirement is to was external number range instead of internal number rangees.
  For this thing I was implement the method t u2018TRANSACTION_INITu2019. I passed the
  Our external number in that vbak-vbeln..
  It works correctly in development. I am not yet tested in quality and production.
  This way is correct one  or not. When I removed the u2018Xu2019(Internal use) in field:
  SXS_ATTR. In future it gives any other problems or it is legally correct or not.
  Helpful answers definitely rewarded.
  Regards
  Pratap.M

  Hello Pratap
  Labelling this BAdI as "Internal Use only" SAP can do whatever they want with this BAdI - they may even remove it !!!
  Thus, your development relies on something very unreliable.
  Perhaps SAP releases this BAdI for general use in the future - or not.
  Therefore, I would recommend to use the enhancement framework instead if already available in your SAP system.
  Final remark: If you set your implementation of this internal BAdI productive and the customer runs into trouble later on when SAP changes or deletes this BAdI with support packages YOU are liable - and not SAP.
  Regards
    Uwe

• Regex for RDF parsing

  Hi.
  I need help with parsing a rdf-format input stream. I want to use regex for parsing.
  The stream looks like this:
  <?xml version="1.0" encoding="ISO-8859-1" ?><rdf:RDFxmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"xmlns="http://my.netscape.com/rdf/simple/0.9/"><channel> <title>heise online news</title><link>http://www.heise.de/newsticker/</link><description>Nachrichten aus der Welt des Computers</description></channel><item><title>Scharfe Regeln f?r Chinas Cybercafes</title><link>http://www.heise.de/newsticker/data/gr-12.10.02-004/</link></item>.........</item></rdf:RDF>
  The information i need is placed between the <item></item> tags.
  I have wrote following code to get all subsequences like "<item>...</item>":
  String rval = new String("");
  Pattern p = Pattern.compile("<item[ >](.*)</item>");
  Matcher m = p.matcher(retval);
  while (m.matches()) {
  rval = rval + m.group() + "<br>\n";
  But this loop only once and the output is one large String from the first "<item>" to the last "</item>" like "<item>......</item><br>\n". The <item>...</item> combos within are ignored. Maybe the regex must be change?
  Thanks for answer,
  sushiprinz

  You need to use the non-greedy star:Pattern p = Pattern.compile("<item>(.*?)</item>");Also, I think you want to use find() instead of matches().

• Installation SAP IDM 7.1/SAP GRC Access Control 5.3

  Hello,
  I can install Access Control products with Solution Manager, Enterprise Portal... But it is possible to install Access Controll 5.3 and IDM 7.1 on the same server?
  Thanks and best Regards
  Alexander

  Hi Alexander,
  SAP IDM 7.1 is still in the ramp up state.  as per the product availability matrix [pam|https://websmp104.sap-ag.de/~form/handler?_APP=00200682500000001303&_EVENT=DISP_NEW&00200682500000002804=01200314690900001014] ,  I am not yet sure if  SAP IDM is available for 64 bit servers.
  SAP GRC AC 5.3 should be installed on as java netweaver
  server after properly sizing. If your hardware can support sizing for both GRC AC 5.3 and SAP IDM 7.1 , then you can install both on them. usually netweaver 7.0 sp12  will be in 64 bit system.
  You can get GRC AC 5.3 sizing information from [link|http://service.sap.com/~form/sapnet?_SHORTKEY=00200797470000071612&_SCENARIO=01100035870000000112&_OBJECT=011000358700000435122007E]

• SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?

  Hello IDM-experts,
  where can my customer find information about
  SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?
  Customer situation description:
  The situation is that we are using SAP IDM 7.2. We are using a functionality to allow our users to access a webpage from where they can gain
  SSO access to the Abap systems via the SAPGui. See screenshot as an example.
  Now what we want is to access the CRM and GRC WebUI also with the same SSO possibility. We cannot find any guide/best practice on how to do
  this or if it is possible via SAP IDM 7.2.
  You can see a weblink in the first screenshot but it does not work. It will ask you for a username and password, see second screenshot.
  Kind regards,
  Daniela

  Do you know how the SAP GUI SSO is setup ? Is it using SNC/Kerberos ?
  If it is (I suspect it is), then you will need to use similar method of authentication for the ICF Services. These cannot use SNC since they are accessed via browser, but what you want is possible.
  Thanks
  Tim

• Provisioning Framework for SAP IDM 7.2 -- Download link required

  Hello Experts,
  Could you please provide me the link to download Provisioning Framework for SAP IDM 7.2 .
  Thanks in Advance,
  Regards,
  Dev

  you can get links to all doco [here|http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/4000d09f-a9b9-2d10-8b90-ba3a0f9fe0c8]. That link is accessible from IdM 7.2 homepage.
  Yes, I meant using version 7.2 of provisioning framework with 7.1 components.
  Cheers

• I want to use wifi for Apple TV, but it doesn't prompt for a password, so never connects.  What am I missing?  Can I only use it via a non-password-protected wifi connection?

  I want to use wifi for Apple TV, but it doesn't prompt for a password, so never connects.  What am I missing?  Can I only use it via a non-password-protected wifi connection?

  Hi - you might want to post this question on the Apple TV area - you would probably get a quicker response - if you have a specific question relating to Apple routers then post back here

• I used the wrong password for my belkin wifi. Now that I know the correct password I can not get pass the unable to connect or join message. I have turned off all the options such as wifi and join and also put my touch to sleep.. but nothing seems to work

  I used the wrong password to join my new belkin wifi. Now that I have the correct password, I can not get the to the join screen with the space to type in the password. I continue to get the unable to join message.  I have put the touch to sleep and I have turned on and off the wifi and join options on the Network screen page.  Does anyone know how to get pass this block of the wrong password to a new page that will allow me to type in the correct password.  I see there is a option that asks if I want to reset the network settings.. is that what I should do? and what does it erase when I do that?  Thanks for any input anyone has.

  Yes.  Reset network settings. Head to Settings -> General -> Reset and tap Reset Network Settings.
  B-rock

• HT201415 I want to purchase a month of cellular service for my IPAD2.  When I use my ITunes password,  it states that I have the wrong password but does not offer a way to reset my password.  Please advise.

  I want to purchase a month of cellular service for my IPAD2.  When I use my ITunes password,  it states that I have the wrong password but does not offer a way to reset my password.  Please advise.

  Read through this link and maybe you'll see something that will help you:
  http://www.tech-recipes.com/rx/5827/ipad-3g-activating-purchasing-att-cellular-d ata-for-the-ipad-3gwifi/