Set password policy using iPlanet SDK

Similar Messages

• Setting password expiry using the SDK

  Without using the iDS console, meaning just by using the SDK, could I set the period for password expiry?
  Since the userPassword is a multi-value attribute, how can I differentiate between which is the password for signing-onto the server and which are passwords for other applications?

  If you mean to configure the password policy using the SDK, a Modify operation for the base object "cn=config" and replacing the value of "PasswordMaxAge" attribute will work.
  If you intend to set a specific expiration time for a specific user, you should not do this and let the server set the expiration time based on the configured password ploicy.
  For more information on the password policy configuration, you can refer to the Administration Guide.
  Also, although userPassword is multivalued, the pasword policy as currently defined in the Directory server suppose that the userPassword attribute contains only 1 value. If the password contains more than 1 value, the result of the password policy is undefined.
  And there is no way to differentiate between passwords.
  Regards,
  Ludovic.

• Unable to set Password Policy controls

  When I call oracle.ldap.util.User.autheticateUser() I receive the exception "Unable to set Password Policy controls". What is the cause of this error? I was not able to find anything useful through google searches.
  I am running everything inside ServiceMix. Furthermore, I am able to create a context and retrieve properties through oracle.ldap.util.User.getProperties().
  Here is the stack trace:
  my.company.Exception.AuthenticationException: Unable to set Password Policy controls
  at my.company.OracleLdap.authenticateClient(OracleLdap.java:171)
  at service.AuthenticationInInterceptor.isAuthenticated(AuthenticationInInterceptor.java:55)
  at service.AuthenticationInInterceptor.handleMessage(AuthenticationInInterceptor.java:32)
  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:111)
  at org.apache.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:80)
  at org.apache.cxf.transport.http_osgi.OsgiServletController.invokeDestination(OsgiServletController.java:321)
  at org.apache.cxf.transport.http_osgi.OsgiServletController.invoke(OsgiServletController.java:107)
  at org.apache.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:53)
  at org.apache.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
  at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
  at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:401)
  at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
  at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
  at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
  at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.handle(HttpServiceContext.java:111)
  at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:68)
  at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
  at org.mortbay.jetty.Server.handle(Server.java:326)
  at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
  at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
  at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
  at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
  at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
  at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
  at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
  Caused by: oracle.ldap.util.UtilException: Unable to set Password Policy controls
  at oracle.ldap.util.User.authenticateUser(User.java:1243)
  at my.company.OracleLdap.authenticateClient(OracleLdap.java:158)
  ... 29 more
  Edited by: user1094798 on Feb 22, 2011 12:53 PM
  Edited by: user1094798 on Feb 22, 2011 12:55 PM
  Edited by: user1094798 on Feb 22, 2011 1:17 PM

  I fixed it by changing the way my InitialDirContext is created.
  Previously I was using:
  InitialDirContext ctx = oracle.ldap.util.jndi.ConnectionUtil.getDefaultDirCtx(hostname, portNum, adminName, adminPass);
  Now I'm using:
  Hashtable env = new HashTable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://" + hostname + ":" + portNum);
  env.put(Context.SECURITY_PRINCIPAL, adminName);
  env.put(Context.SECURITY_CREDENTIALS, adminPass);
  InitialDirContext ctx = new InitialDirContext(env);
  Edited by: user1094798 on Feb 23, 2011 8:29 AM

• How to set password policy for apps users

  Hi All,
  Can anyone please help me.
  I am working on apps 11i.
  How to set password policy for users
  Thanks

  Check Note: 189367.1 - Best Practices for Securing the E-Business Suite
  https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=189367.1

• Set Password Policy For System Administrator Account in UCCE Servers

  Hi All,
  We want to setup a password policy ( expires in 30 days) for the local administrator account in all our UCCE servers.
  We found that the all the UCCE services are running in local system account except logger and distributor( these services are running in domain user account).
  Is it a supported configuration ? Are there any impacts with this setting ?
  Thanks a lot in advance!
  Thanks and Regards,
  Thammaya

  Hi,
  what is the UCCE (~ ICM) version? Is there OS hardening applied?
  By the way, yes, if you mean the local "administrator" account, you can do whatever you want to do with it, provided you don't lock yourself out - this should not happen, naturally, having all ICM servers in the domain and you can always use the domain admin (or a user belonging to the domain admins group).
  By the way, I don't really see the meaning of having a local administrator account being enabled. :-)
  G.

• Setting Password Policy in Oracle 10g

  Hi,
  Could you guide me please? Up to date there has not been a Policy for passwords in our 10g Database which means the user can set anything for their password. We however now require to implement a Password Policy and would appreciate some guidance in doing this.
  We don't use Enterprise Manager,we have chosen not to configure it on our system.
  These are the steps I propose to take to set the password policy:
  1. Edit $ORACLE_HOME/rdbms/admin/utlpwdmg.sql to change default profile values to desired values.
  2. as SYS run utlpwdmg.sql
  Is this correct? Is there anything else I should do?
  thank you.

  user8869798 wrote:
  Hi,
  I had a look at dba_profiles:
  DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
  This suggests that the default profile is not using the function. It doesn't "suggest" it. That's exactly what it means. The default profile is not using a password verify function.
  In the light of this, is it safe then to edit the function and the default profile will be unaffected? The profile cannot be affected by a change to a function that it does not reference.
  I don't want to change the default profile. I plan to create another profile that will make use of the function and then apply it for the users
  thanksthen proceed to do so. Why would you not want the function to be 'default' -- referenced by the default profile?
  BTW, you can name that function anything you want. When you assign a password complexity function to a profile, you assign it by the name of the function. So you are not limited to the name used by the 'out of the box' script provided by oracle. You might want to name your own function something like MYCORP_PSWD_POLICY. And of course the name of the sql file where you keep the code can also be named anything you like, so you might want to name it accordingly. Just so you have a clear seperateion between your company's stuff and that provided by Oracle.

• Linux and Solaris Clients with password policy using LDAP

  Anybody managed to get Linux (RHEL) and Solaris 9 Client authenticate against Sun Directory Server 5.2p4 using the same password policy?
  For me it looks like Linux needs attribute shadowlastchanged set to display proper Warnings, that the password will expire/needs to be changed now. On the other hand Solaris (using pam_ldap) never writes this attribute, because it's using the password policy attribute pwdchangedtime.
  Hints very wellcome!
  Can anybody confirm Solaris9 pam_unix still sets this shadow* attributes correct on any password change executed by a user?

  Hi Jeremy,
  here the answers to your questions:
  >My question is which system takes precedence over the password policy?
  Unfortunately there is no policy verification between the portal and your Sun One LDAP. So if you reset the password from the portal then only the portal password policies can be checked.
  >  If I wanted to do password resets from the Portal, does the portal then store only the password in its database?
  No, the password will be stored in the LDAP, but only if it also corresponds with the LDAP policies. If not, then you will get an error, but you will not see the real LDAP exception.
  > Also what would then happen if you tried to reset the password from the LDAP?
  The password in the LDAP does not have to fit to the Portal password policies. When you log in, the portal will only check if the password you tipped in is the new one in LDAP and will not check any policies.
  Hope this brings some light in,
  Robert

• Can I load a LDIF file and initalise the database using iPlanet SDK?

  I know how to create a new context in the DS, initialise its database with a LDIF file from the console or using the LDAPModify.
  But would it be possible if I can create the context & initialise the database using the iPlanet SDK for Java?
  I'm developing a module that would allow an user to create a new organisation, thereby the need to create the database using the SDK. How can I go about to achieve this?
  Many thanks!

  I don't understand. If you know how to do everything using ldapmodify, it should be very straightforward to use java. What don't you understand?

• Password policy not applying properly

  I have set password policy for my domain that
  Maximum age: 60days
  Minimum age is: 45days
  but I get messages every week that passwords would expire in 4 days
  I checked using rsop.msc and policy seems to be correctly applied.
  what could be the problem?

  > Maximum age: 60days
  > but I get messages every week that passwords would expire in 4 days
  If your GPO is applied correctly, this simply means that the last
  password change was 56 days ago.
  > I checked using rsop.msc and policy seems to be correctly applied.
  On the client? Your user is not a local user on the client, but most
  probably a domain user. So you need to check RSoP.msc on the PDC
  emulator, not on the client.
  > what could be the problem?
  You forgot to link your password policy to the domain, and after doing
  so, make sure you move it upwards above the existing "default domain
  policy". In the security filter, add at least "Domain Controllers" -
  better leave "Authenticated Users". And finally, do not block
  inheritance on the "domain controllers" OU.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Password Policy Directory 6.2

  Hello;
  I am trying to implement password policy on directory 6.2. After, I set the following parameters, my instance fails to start. Is there a specific way to turn password policy? Much appreciated!
  dsconf set-server-prop pwd-strong-check-enabled:on
  dsconf set-server-prop pwd-check-enabled:on
  Thanks,
  Irfan

  Thanks Ludovic;
  There are some issues with "messages" that the server displays in 6.2. I got passed the error messages and server is starting. My issue is really setting up a password policy on an ou not using global password policy. I created a new policy in DSCC and assigned to a user. However, that policy doesn't apply to the user. The global policy that I changed to have numeric and upper caps applies to this ou as well -- which is not what I want.
  I have a global policy which has numeric and uppercaps etc on o=example.
  I have a new password policy (using DSCC) on ou=people,ou=orgexample,o=example. (weak policy -- min length 3)
  Somehow only the policy on o=example applies to everyone.
  Thanks,

• Password policy

  I am setting password policy in solaris 10, I want that locked account of user should be unlock after some time with ouit the help of system administrator means the account would be unlock after 30 min automatically.

  Hi,
  Thanks for your reply ...I had already configure the password policy for the solaris servers but when the account got locked, It will only unlocked by the administrator or root user i want that account should be unlock automativally after sometime.

• Password policy to be active at DB level

  Dear All,
  As per Audit requirement,we have to set password policy at Database level.
  Present password policy:-
  Parameter:-
  1.Password verification  NULL
  2.Password Lifetime      UNLIMITED
  Is there any complication after setting password policy ?
  Please suggest
  Regards,
  Mahesh Phegade

  Mahesh,
  Is there any complication after setting password policy ?
  No, thr are no complication . Only thing you need to do is change the password of those user ids regulary before the expiry date
  Check below links
  http://twit88.com/blog/2008/08/04/oracle-alter-password-policy/
  http://articles.techrepublic.com.com/5100-10878_11-5784756.html
  http://articles.techrepublic.com.com/5100-10878_11-5784756.html
  http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/users.htm
  Hope it helps
  Thanks
  Sushil

• ODSEE11g / DSEE7 Password Policy from DS6 Mode back to DS5 compatible mode

  Hello all,
  I am currently working on a migration from DSEE7 to OUD(Oracle Unified Directory). Oracle's documentation states that to do this migration, you will need to be running in DS6 mode. I made that change.
  dsconf pwd-compat to-DS6-migration-mode
  then
  dsconf pwd-compat to-DS6-mode
  I have discovered that if you want to go from DSEE7 to OUD, you actually need to be in DS5 compatible mode. There is a bug in OUD replication gateway that creates a password policy using DS5.
  How would you revert from DS6mode to DS5 compatible mode?
  I have tried to run the commands backward and that was not successful.
  Regards,
  Nikesh

  Hello Nikesh,
  You are right, it is not possible to revert to the original "ds5.2" password policy mode.
  The documentation is right.
  The ds2oud tools used to migrate the configuration and schema to OUD requires the ds6 password policy mode.
  Unfortunatelly, in 11.1.1.5.0, the replication gateway setup creates a password policy in 'ds5.2' mode which is refused by a server running in ds6 mode.
  I see 2 options here :
  - contact your Oracle support representative to get a patch
  - redeploy a fresh temp DSEE 11gR1 master server (by default in ds5.2 password policy mode), enable replication but dont create any replication agreement, run the replication gateway setup between that server and the OUD instance, then switch to ds6migration and ds6mode. At that stage the odsee config contains a few entries that would need to be copied manually to your original DSEE server.
  Please tell me the preferred option as the description of the workaround would require a detailed post.
  Hope this helps
  Sylvain
  Edited by: Sylvain Duloutre on Feb 13, 2012 8:34 AM

• Using BO SDK creation of User with Password

  Hello All,
  I am creating web application in which I am passing User name
  and password.
  In case of password it give some BO specific error like.
  1) password should be 6 character.
  2) password must contain number and alphanumeric value.
  it is application using BO SDK.
  it is possible that I can create User in BO with any password(BO SDK)
  or I want to enter according to BO validation?
  Please help me.
  Regards,
  Prashant Joshi

  You need to refer to BO Validation
  Here is a snippet code
  void addUserAndProperties(IInfoStore infoStore, String accountName, String userName, String description, boolean namedUser, boolean passwordNeverExpires, boolean mustChangePassword, boolean cannotChangePassword, String password)
      try{
      // Call the addUser method to create the new user account.
      int newUserID = addUser (infoStore, accountName, userName, description);
      // Retrieve the specified user object.
       IInfoObjects rUser = infoStore.query("Select SI_ID, SI_PROGID From "
                         + "CI_SYSTEMOBJECTS Where SI_ID=" + newUserID);
       if (rUser.size() == 0)
           //The query returned a blank collection (no object found).
          throw new Error("The user could not be found.");
       IInfoObject iUser = (IInfoObject) rUser.get(0);
      // Check that the InfoObject has the User ProgID.
      String uProgID = (String) iUser.properties()
                       .getProperty(CePropertyID.SI_PROGID).getValue();
      if (uProgID.equals(CeProgID.USER))
          // Set the user object's plugin-specific properties.
          ((IUser)iUser).setFullName (userName);
          ((IUser)iUser).setPasswordExpiryAllowed (passwordNeverExpires);
          ((IUser)iUser).setPasswordToChangeAtNextLogon (mustChangePassword);
          ((IUser)iUser).setPasswordChangeAllowed (cannotChangePassword);
          ((IUser)iUser).setNewPassword (password);
          //((IUser)iUser).setDescription(((IUser)iUser).getFullName());
          if (namedUser)
              ((IUser)iUser).setConnection(0);
          else
              ((IUser)iUser).setConnection(1);
          infoStore.commit (rUser);
      }catch (SDKException e) {
            System.err.println("Failed to add the user's properties. Exception caught: " + e.getMessage());
  Cheers

• Set password to PDF file using ADS server

  How to set password to .PDF file using ADS(Adobe Development Service) server?
  Moderator Message: Not enough effort seen from OP. Thread Locked.
  Edited by: kishan P on Jul 14, 2011 11:51 AM

  Thanks for your prompt reply. Well forget about conversion but there should be a way to just password protect any PDF file, correct?
  We have a 3rd party tool which does that for our VB6 apps, I am surprised how come Acrobat SDK doesn't expose those Properties/Methods for VB6 model.
  Andy