TMSADM: Initial password expired

Dear community,
I've a urgent question, because the SAP support hasn't answered yet and I have got to fix the problem.
Because of security reasons we changed the following instance Parameters:
login/password_max_new_valid = 1 (The initial password of new users is only valid on the day of creation)
login/password_max_reset_valid = 1 (The initial password of an reseted user account is only valid on the day of change)
Now we have an problem with our Transport Management System (STMS) and the used communication user TMSADM. One day after the change of the parmters we always got an login prompt when we wanted to see the import queue of the systems in transaction STMS. When I start a authority-check in transaction SM59 for the RFC [email protected]_SID Iget the error "The initial password has expired; request a new one".
Now comes my question. Does anyone know how to fix the problem? I havn't found any solution in the SAP Service Marketplace and the SAP Support only wrote me that I should check the note 761637 and 713622, which don't fit exactly to my problem.
I'm searching now for an possibility to set an password for an communication or CPIC user. When I set an password in SU01 I can only set an initial password. So does anyone knows how to do? E.g.: when I have an dialog user i can change the password at startup, but how can I change it at an communication user?
Another posibilty is to run the check of the initialpassword not for the user TMSADM. Is this possible and if yes who can me tell how?
Please help me, I'm in urgent trouble, because me colleagues are angry about this result of changement.
Many thanks in advance.
Michael

I don't think that it is an good idea to change the password on the database. The values are only saved as hash-values and so it is not possible.
Further I found a solution on my own to fix the problem. I changed the user type from communiction to dialog and so I set the password in the dialog screen at login.
After that I changed the user type to communication aggain.
It works. I've just tested it and the next days I will take the change for our productive system.
Bye

Similar Messages

SAP initial password expired... how to renew it?

SAP initial password expired... how to renew it?

hi there
check with your basis team to renew the password,, or get the help from your team lead( he may have authorization for the SU01) there you can change the Initial password
Thanks
Senthil

Initial password expires:Communication Users

Hi All,
I have created one user for early watch alert generation purpose user password expires every 15 days :
Defined profile parameter is:login/password_max_idle_initial:14
As per my understanding communication user password never expires.
Kindly please suggest me
Thanks in Advance
Regards
Nekkalapu

Hi Siva,
Thanks for you response.
But it will effect to all the users right,sap also is not recomending to put 0 value this parameter.
Is their any other way to resolev this issue.
I am using communication users for generating earlywatch laerts.
Advance thanks
Regards
Nekkalapu

Jco Function issue : The initial password has expired (request a new one)

Hi Friends,
Could you please help me to resolve this issue. I am able to start my session using SAP Jco Start Action block. But while invoking the BAPI using
SAP JCo Function action block I am getting the below error. I am 100% sure that my credentials are correct. I am able to logon to ECC using SAP Front GUI.
I am using MII 14.0 patch SP4
Any help on this very much appreciated.
<Rowsets DateCreated="2014-07-22T12:33:49" EndDate="2014-07-22T12:33:49" StartDate="2014-07-22T12:33:49" Version="14.0 SP4 Patch 0 (Nov 22, 2013)">
<FatalError>JCOProxy error: Problem retrieving JCO.Function object: The initial password has expired (request a new one)</FatalError>
</Rowsets>]]
Thanks in advance
Shaji

Hi Friends,
This issue got resolved when I cleared the BAPI list cache at MII using below URL.
http://hostname:port/XMII/JCOProxy?Mode=Reset

Expired or initial passwords with SPNego

Hi,
we're implementing a SAP Enterprise Portal right now using SPNego as the method of authentification. The UME of our Portal is connected to our HCM-ABAP-System. In HCM we set the parameter login/password_change_for_SSO to 0 so the status of a PW (e.g. initial or expired) is not relevant when using SSO. This works fine for our HCM, but of course not for the Portal which is only connected to HCM via the UME.
Anybody got an idea how to have our portal react the same way to initial and expired passwords? I couldn't find anything so far...

Hi Mario,
Though I can't provide you the solution, I have a query...
If my guess that you have implemented SPNego authentication, you are trying to implement Kerbero's Authentication.
Please let me know if you are able to configure Portal for Kerbero's authentication. We tried to implement the same with CRM+Portal, we were able to configure SAP GUI for Kerbero's authentication, but with portal, we were not able to implement.
When we changed the UME configuration file, portal went down. We raised an OSS note, and got reply stating that "Kerberos authentication can not be implemented for ABAP+Java stack. For portal to support Kerbero's authentication, it should be a separate installation.
If you are able to configure portal for SPNego, and able to run the SPNego wizard successfully, please let me know.
Regards,
Nrisimhanadh

Initial and expired password status is not checked during login for ITS Services

Dear all,
we have the following Basic problem or question regarding ITS-based ABAP Services provided via browser to internal and external customers:
The user call the ITS via URL "https://<host>:<port>/sap/bc/gui/sap/its/it13?sap-client=03&sap-language=en" his browser.
To access the Service a simple login Dialog appears for entering the credentials (UserID + Password).
The problem with this simple Dialog is that after resetting the users password this initial password status seems not to be checked here.
That means, that the user is able to login with this initial password and he is not forced to change the password.
In difference to this the intended behavior is provided for example when the SAP Standard ITS Service "webgui" is launched by the user:
The user launches der Service via URL "https://<host>:<port>/sap/bc/gui/sap/its/webgui?sap-client=03&sap-language=en"
In this case an additional first SAP WebAS login dialog appears where the users has to click on a Login-Button. This login button opens
another login dialog as a popup where the user is able to enter his credentials. But if the password has an initial status the user is
forced afterwards to change his password.
So the login behavior of the webgui Service is what we also want for the any other ITS Service. We've already compared the service properties and
settings (SICF), but we could not find any difference.
What can we do to change the login behavior for the ITS services ?
Thanks in advance for any kind of help !
Joerg

Hello Joerg,
Can you attach a screenshot of the "Logon Data" tab of the service 'it13' in transaction SICF?
In SICF - Tab: Error Pages -> Logon Errors
is 'SYSTEM Logon' selected for both the 'WEBGUI' service and 'IT13' service?
Regards,
Oisin

Capturing the Message on the Login Page (Invalid user/password expired etc.

Hi, I have a requirment for capturing the error message on the Login page if the User's Account is expired or Account is Disabled or Invalid credentials, Password Lockout etc.
I am using the attached login page. Can any one please help me out on this.
<html><head><title>AARPLogin Page</title>
<script type="text/javascript" language="JavaScript" xml:space="preserve">
// This function automatically gets called for broswer detection
var isNav4 = false;
var isIE4 = false;
var isNS6 = false;
function obDetectBrowser()
if ( navigator.appVersion.charAt( 0 ) == "4" )
if ( navigator.appName == "Netscape" )
isNav4 = true;
} else {
isIE4 = true;
else
if ( navigator.appVersion.charAt( 0 ) >= 5 )
if ( navigator.appName == "Netscape" )
isNS6 = true;
obDetectBrowser ();
var HOSTNAME =
var COOKIE_OBREQUESTEDURL = "OBREQUESTEDURL";
var COOKIE_OBFORMLOGINCOOKIE = "ObFormLoginCookie";
var NCID_LANDING_PAGE_URL = "/landing/";
var QS_REDIR = "ReDir";
var keyChooser;
function checkPasswordEnterKey( event )
var form = document.forms[0];
if (isNav4 || isNS6) {
keyChooser = event.which ;
} else if (isIE4) {
keyChooser = window.event.keyCode;
if (keyChooser == 13) {
if (
form.userid.value
&& form.userid.value != ""
&& form.password
&& form.password.value != ""
form.submit();
return true;
else
alert('Please enter a UserId and Password');
return false;
function showHidePanel( panelID, displayValue )
var panelElement = document.getElementById( panelID );
if ( displayValue == 'show' )
panelElement.style.display = 'block';
else
panelElement.style.display = 'none';
function getQueryVariable( variable )
var query = window.location.search.substring( 1 );
var vars = query.split( "&" );
for ( var i=0; i < vars.length; i++)
var pair = vars[ i ].split( "=" );
if ( pair[ 0 ] == variable )
return unescape( pair[ 1 ] );
return "";
function Get_Cookie( name )
var nameEQ = name + "=";
var ca = document.cookie.split( ';' );
for( var i=0; i < ca.length; i++ )
var c = ca[ i ];
while ( c.charAt( 0 )==' ' )
c = c.substring( 1, c.length );
if ( c.indexOf( nameEQ ) == 0 )
return c.substring( nameEQ.length, c.length );
return null;
function Set_Cookie( name, value, expires, path, domain, secure)
document.cookie = name + "=" + escape( value ) +
( ( expires ) ? ";expires=" + expires.toGMTString() : "" ) +
( ( path ) ? ";path=" + path : "" ) +
( ( domain ) ? ";domain=" + domain : "" ) +
( ( secure ) ? ";secure" : "" );
function Delete_Cookie( name, path, domain )
if ( Get_Cookie( name ) )
document.cookie = name + "=" +
( (path) ? ";path=" + path : "" ) +
( (domain) ? ";domain=" + domain : "" ) +
";expires=Thu, 01-Jan-1970 00:00:01 GMT";
function lostPassword()
var CurrentLogin = document.forms[0].userid.value;
if ( CurrentLogin == "" ) {
alert ( "Please enter your eMail Address." );
document.forms[0].userid.focus();
else {
Set_Cookie( COOKIE_OBFORMLOGINCOOKIE, "done", 0, "/" );
var LOST_PWD_PAGE = "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=passwordChallengeResponse&login="+CurrentLogin+"&backUrl=http://oradev2.na.aarp.int/login/login.html&target=top";
window.location = LOST_PWD_PAGE;
function emailPassword()
document.passform.submit();
function onLoad()
if (getQueryVariable( "MSG" ) == 'LOGIN_FAILED' )
alert ("Login Failed, Please try again");
else if (getQueryVariable( "MSG" ) == 'PWD_EXP' )
alert ("Your Password Is About to Expire. Please Change it at your earliest convenience.");
var pwdExpUID = getQueryVariable( "login" );
var hostTarget = getQueryVariable( "hostTarget" );
var resURL = getQueryVariable( "resURL" );
var PWD_EXP_PAGE = "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login="+pwdExpUID+"&backURL="+hostTarget+resURL+"&target=top";
window.location = PWD_EXP_PAGE;
else if (getQueryVariable( "MSG" ) == 'CHGPWD' )
alert ("You are required to change your password.");
var chgPwdUID = getQueryVariable( "login" );
var hostTarget = getQueryVariable( "hostTarget" );
var resURL = getQueryVariable( "resURL" );
var CHG_PWD_PAGE = "http://"+HOSTNAME+"/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login="+chgPwdUID+"&backURL="+hostTarget+resURL+"&target=top";
window.location = CHG_PWD_PAGE;
</script></head><body onload="onLoad();document.login.userid.focus();" alink="blue" bgcolor="#ffffff" link="blue" vlink="blue">
<p align="center">
<img alt="AARP Header Logo" src="login_files/aarpLogo.gif" border="0" height="91" width="219">
<br>
</p><form name="login" method="post" action="/access/oblix/apps/webgate/bin/webgate.so">
<div class="boldText" align="center">
<h2>Login</h2>
<div class="boldText" align="left">
<div id="LoginFailed" style="display: none;">
<table align="center" bgcolor="#ff0000" border="0" cellpadding="2" cellspacing="0" width="500">
<tbody><tr>
<td>
<table bgcolor="#e5e5e5" border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody><tr bgcolor="#ffffff">
<td rowspan="3" height="40" nowrap="nowrap" valign="top">
<img src="login_files/error.gif" name="error" height="20" width="20">
</td>
<td rowspan="3" align="center">
<p>
<font color="#ff0000" size="-1">
<b>
<div id="TryAgain" style="display: none;">Login Failed! Invalid UserID and/or Password, Please try again.<br></div>
<div id="AccountLocked" style="display: none;">Your Account has been Locked!</div>
</b>
</font>
</p>
<p>
<font color="#ff0000">
<b>For
assistance call E-Services Help Line at (XXX) XXX-XXXX Monday through
Friday between the hours of 8:00 am and 5:00 pm eastern standard time.</b>
</font>
</p>
</td>
</tr>
<tr bgcolor="#ffffff">
</tr><tr bgcolor="#e5e5e5">
</tr></tbody></table>
</td>
</tr>
</tbody></table>
</div>
<br>
</div>
<table border="0" cellpadding="0" cellspacing="0" width="500">
<tbody><tr>
<td background="login_files/border_upper_left.gif" height="20" nowrap="nowrap" width="20"> </td>
<td background="login_files/border_top.gif" height="20" nowrap="nowrap"> </td>
<td background="login_files/border_upper_right.gif" height="20" nowrap="nowrap" width="20"> </td>
</tr>
<tr>
<td background="login_files/border_left.gif" nowrap="nowrap" width="20"> </td>
<td>
<table bgcolor="#ebebce" border="0" cellpadding="2" cellspacing="0" height="100%" width="100%">
<tbody><tr>
<td colspan="3" align="center">
<font color="darkred" face="Arial" size="3">
<b>
</b></font>
<b> </b></td>
</tr>
<tr valign="bottom">
<td colspan="3" width="100%">
<table bgcolor="#ebebce" border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody><tr bgcolor="#e5e5e5">
<td rowspan="2" bgcolor="#ebebce" height="20" nowrap="nowrap" valign="top" width="4%">
<font color="#000000">
<span class="text">
<img src="login_files/arrow.gif" align="top" height="20" width="20">
</span>
</font>
<font color="#000000"> </font>
</td>
<td rowspan="2" bgcolor="#ebebce" width="96%">
<font color="#000000" size="-1">
<span class="text">Please enter your Email and Password. If you are a new user to AARP, please select First Time AARP User.
</span>
</font>
</td>
</tr>
<tr bgcolor="#e5e5e5">
</tr></tbody></table>
</td>
</tr>
<tr valign="bottom">
<td colspan="3">
<table align="center" border="0" width="349">
<tbody><tr>
<td nowrap="nowrap" width="74">
<font color="#000000" size="-1">
<div align="left">eMail:</div>
</font>
</td>
<td width="265">
<input name="userid" value="" size="32" maxlength="32" tabindex="2" type="text">
</td>
</tr>
<tr>
<td>
<font color="#000000" size="-1">
<div align="left">Password:</div>
</font>
</td>
<td>
<p>
<font color="#000000" size="-1">
<input name="password" size="32" maxlength="32" length="30" tabindex="3" type="password">
</font>
</p>
</td>
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td>
<font color="#000000" size="-1">
<p align="center"><b>Forgot Your Password?</b></p>
</font>
</td></tr>
<tr>
<td align="center"> <font color="#000000" size="-1">
Email New Password
</font>
</td></tr>
<tr>
<td colspan="4">
<div class="boldText" align="center">
<br>
<input src="login_files/button_login.gif" name="Submit" value="" alt="login" type="image">
 <b class="boldText"><img src="login_files/button_clear.gif" name="img_clear" alt="clear" border="0" height="25" width="68"></b>
<b class="boldText"><img src="login_files/button_help.gif" name="img_help" alt="help" border="0" height="25" width="68"></b>
<b class="boldText"><img src="login_files/button_cancel.gif" name="img_cancel" alt="cancel" border="0" height="25" width="68"></b>
</div>
</td>
</tr>
</tbody></table>
</td>
<td background="login_files/border_right.gif" nowrap="nowrap" width="20"> </td>
</tr>
<tr>
<td background="login_files/border_lower_left.gif" height="20" nowrap="nowrap" width="20"> </td>
<td background="login_files/border_bottom.gif" height="20" nowrap="nowrap"> </td>
<td background="login_files/border_lower_right.gif" height="20" nowrap="nowrap" width="20"> </td>
</tr>
</tbody></table>
<p></p>
<span class="text"><br><br><b>NOTICE:
This system is the property of AARP and is for authorized use only.
Unauthorized access is a violation of federal and state law. All
software, data transactions, and electronic communications are subject
to monitoring.</b></span>
<div id="hr" style="position: absolute; width: 100%; height: 10px; z-index: 90; top: 657px; left: 10px;">
<hr>
</div>
<div id="footer" style="position: absolute; width: 700px; height: 55px; z-index: 115; top: 678px; left: 50px;">
<span class="subhead">
Privacy Policy
Disclaimer
Contact Us
</span>
<span class="bodytext">
</span></div>
<form name="passform" action="http://oradev2.na.aarp.int/wampassword/passwordReset.html" method="post">
<input name="login" value="" type="hidden">
<input name="backUrl" value="http://oradev2.na.aarp.int/login/login.html" type="hidden">
</form>
<script type="text/javascript" language="JavaScript" xml:space="preserve">
var undefined;
if (
document.login
&& document.login.password
function clearForm()
document.login.reset();
function navigate( linkName )
if ( 'login' == linkName )
if ( document.accountLogin.userID.value != '' && document.login.password.value != '' )
alert('Please click the Account Registration Setup link for now');
//document.location = 'userDataPersonal.htm';
else
alert('Please enter a UserId and Password');
function openHelp()
helpDoc = window.open( "http://www.aarp.org", "", "scrollbars=yes,resizable=yes,width=500,height=300" );
function cancel()
// open dialog
var initX = parseInt( window.screenX ) + parseInt( window.outerWidth ) / 2 - 100;
var initY = parseInt( window.screenY ) + parseInt( window.outerHeight ) / 2 - 50;
cancelDialog = window.open( "./cancelDialog.html", " cancelDialog", "resizable=yes,toolbar=no,menubar=no,width=200,height=150,screenX=" + initX +",screenY=" + initY );
</script>
</div></form></body>
<script type="text/javascript">
</script></html>

Is it not possible that someone fired the password expiration cmd ?
SQL> select limit
2 from   dba_profiles
3 where profile='DEFAULT'
4 and resource_name='PASSWORD_LIFE_TIME';
LIMIT
UNLIMITED
SQL> select profile from dba_users where username='MYUSER';
PROFILE
DEFAULT
SQL> conn myuser/myuser
Connected.
SQL> conn / as sysdba
Connected.
SQL> alter user myuser password expire;
User altered.
SQL> conn myuser/myuser
ERROR:
ORA-28001: the password has expired
Changing password for myuser
New password:
Password unchanged
Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.
SQL> select name, astatus, TO_CHAR(ctime,'DD-MM-YYYY HH:MI') CTIME, TO_CHAR(ptime,'DD-MM-YYYY HH:MI') PTIME, TO_CHAR(EXPTIME,'DD-MM-YYYY HH:MI') EXPIRE
2 from sys.user$ where name ='MYUSER';
NAME
   ASTATUS CTIME
PTIME
EXPIRE
MYUSER
         1 23-11-2011 11:15
23-11-2011 11:15
23-11-2011 11:17
SQL>Nicolas.

SAP Portal unable to recognize AD requirement to change initial password

Hi,
We configured Active Directory server (2008 R2) as UME for SAP Portal (Netweaver 7.01 SP7). We matched as many of the security parameters as possible* (ex. minimum password length, require one number in password, etc.). The AD parameter "User must change password at Next logon" is set ON. However, upon attempt to login to SAP Portal with the initial password that was set in AD we are not prompted to change the password. Rather, the SAP Portal logon attempt fails with message: "Authentication Denied"
Has anyone dealt with this problem before?
Other information:
*Our MarketPlace researched indicated that the SAP Portal parameter "ume.ldap.security_policy.password_change_required" (which would correspond to the AD parameter mentioned above) is no longer an available parameter for our SAP Portal version (Netweaver 7.01 SP7).
In our version of SAP Portal, the AD parameter "User must change password at Next logon" has one parameter which is similar, but does not directly correspond. The SAP Portal parameter which we do have is "No password change required". Notice this is the logical opposite of the AD parameter: AD says to require the password, whereas SAP Portal says it's NOT required. Therefore, when the AD parameter is set to ON, this results in the Portal parameter being set to OFF. Even still, we face the login failure.

You have to note here that implementing SAP IDM is only ONE of the possible options you have. The implementation of IDM in itself is a huge undertaking because of the number of systems and the decision making process involved with it.
In one of my previous implementations, when SAP IDM was not around, we had Tivoli Access Management tools which took care of the password problems.
even though we implement IDM and deploy IDM UI on Portal , still user should change password before it expires on AD right ?
Even with IDM in place, user will not be able to login to SAP portal with an expired AD password. However, in our case, we provide a link on the logon page of SAP portal to the IDM password self service application which will allow the user to change the password.
Does IDM has any feature like sending notifications before password expiration period ?
I don't think it does - however I have not explored this option in IDM since most of our users do not have email addresses and we cannot send a reminder. You should be able to create a task (with some customization) in IDM to achieve this.
Also will the IDM implementation help us in creating users with option "User should change password at next logon" on AD ?
Yes - IDM does create users with option "User should change password at next logon" in AD.
With IDM in place and tied to AD, it should be the central place of creating users. It is recommended NOT to create or manipulate the users in any target systems (SAP, AD, etc). IDM should be taking care of all the user provisioning activities.
is this like a work around to allow users to change password from Portal before it gets expired on Active Directory(AD) ?
This is not a work around - it is rather a full blown identity management solution for all your company needs.
You will get a lot of your IDM specific questions answered in the Identity Management forum.
Thanks,
Shanti

[Initial Password] CUA vs IdM

Hi,
Please correct me if I am wrong: when the CUA cha,ges to password in the child systems, they are set as initial. It means that, on the first logon, the user has to change it.
Is there a possibility for IdM to set "definitive" password. It seems so to me after reading
| | CUA | Identity Management |
| Password management | Initial passwords | yes incl. workflow support |
in https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab, page 29
Thanks in advance.
Best regards,
Guillaume

IdM can only do what SAP permits. Depending on how one is authenticating determines the password policy. An initial password, an expired password and a password reset by an administrator all set the same flag. The user must change their password on next logon. The only way around this to write directly to the db with SAP's hash. A terrible idea and a big security risk.
UME uses a delegated model so the password policy depends on what you are authenticating against. This question is normally asked because a company wants to do password synchronization; one is better off doing SSO.

Problems in Changing LDAP (AD) Initial Password from Portal

Hello ,
We are using EP 7.01 SP 05 with Microsoft AD as our user data store (flat structure).
For newly created users on AD, we are wanting them to be able to change their initial passwords from portal (on their first logon).
SSL is set up between EP and AD.
The user we are using to access LDAP has write privileges.
We are using a standard configuration file (writeable version) (dataSourceConfiguration_ads_writeable_db.xml)
We are able to modify users from User Administration console (including password change) without any problem.
However, there are two problems we are facing:
1. If the flag "User must change password at first logon" is set on AD/LDAP, then on Portal the user is not getting prompted for changing password - and User authentication failed
2. If the flag "User must change password at first logon" is NOT set on AD/LDAP, then - User is getting prompted to change the password" - however password change is not going through successfully - Error says - "Missing".
From logs I can see the following error:
#1.5#0050568767DE006B0000000700005D7C00048EC433D5B0FC#1282873241046#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=64495]#Guest#0#SAP J2EE Engine JTA Transaction : [044ffffffd35700451]#n/a##19ae55e0b17c11dfb0d00050568767de#SAPEngine_Application_Thread[impl:3]_23##0#0#Error##Java###Can not change password
[EXCEPTION]
{0}#1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
]; remaining name 'cn=portal test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2943)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1449)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
Can any one pls suggest what is this error about and what I am missing.
Thanks ,
Shanti

Hello All,
Thank you for your time and valuable replies.
I got rid of the "Missing" error and now I am one step away from the solution.
Now I am at a stage where: (for a user with initial password on LDAP)
1. In AD if "User needs to change password on next logon" flag is NOT set - user can successfully logon to portal. (without being prompted for password change)
2. In AD if "User needs to change password on next logon" flag is set - then user cannot logon to portal - I get User authentication failed error.
I have went through a lot of discussions around this topic on SDN and different SAP Notes. I have tried to maintain UME Security policy as close as possible to LDAP (I cannot make it exactly same due to some differences in LDAP and UME).
However, when and administrator can change passwords from UME successfully without any problem - it means that:
- Security policy is being met
- Service user used to communicate to LDAP has all the required access
The only missing piece of the puzzle is how to enable the users to be able to change their passwords (with initial or expired passwords).
According to Note 865399 - the default value for The property ume.ldap.access.set_pwd is TRUE.
Also the property ume.ldap.access.pwd.via.usercontext can only be TRUE when ume.ldap.access.set_pwd is set to FALSE.
So, I have tried setting the following without any success:
<ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
<ume.ldap.access.set_pwd>false</ume.ldap.access.set_pwd>
Thanks,
Shanti

Cronjob not to execute when root password expires

I noticed that when Solaris 10 root password expires, the cron job under root won't run.
Anyone have any suggestion for allow expired root password to run cronjobs?

WorMzy wrote:Why are you using encryption if you want it to be that easy to access your data?
Yea, bypassing the password completely defeats the purpose of encryption. Just decrypt your drive if you don't want to type your password and gain some performance back while you're at it.
DSpider wrote:I think you can use a keyfile instead of a password.
A keyfile can be a decent encryption method but it has to be selected manually or it's worthless. You can't just automatically have everything decrypted on boot or anyone can just boot once then copy all your data unencrypted to another drive.
shadyabhi wrote:
I initially did it for the sake of learning.
But, after I installed systemd, I feel like it's increasing my bootup time.
I don't want to discourage you from learning at all but encryption does come with a performance hit. It can be mitigated if you use AES encryption and have a recent CPU that supports AES-NI (or buy a purely hardware self encrypting drive). But it sounds like you'd best be served just decrypting.
Last edited by weirddan455 (2012-11-03 05:01:15)

Initial password for SAP* in SAP NetWeaver 2004s ABAP Edition

Hello,
I have just installed the SAP NetWeaver 2004s ABAP Edition on my PC and I want to setup some new clients to simulate an ALE model.
Does anyone know the initial password for SAP* ?
I have already tried PASS and pass because I know it is case -sensitive now but it did not work.
Thanks a lot.
Wim Van den Wyngaert

Hi,
initial SAP* password is 06071992
DDIC is 19920706

How to programmatically set initial password when a user is created in OID

We are using the odihragent synchronization process to automatically create users in OID when an employee record is created. We would like to set the initial password for the newly created user to their last name + the last 4 digits of their SSN.
The odihragent process is successfully creating the user in OID and populates the last name and the last 4 digits of the SSN in OID. According to an open SR I have with Oracle, we cannot use the odihragent process to set the initial password because any time the employee record is updated, the synchronization process will reset the password to last name + SSN. They have recommended that we use a pl/sql plug-in to set the password using the WHEN_ADD plug-in procedure.
I am new to using OID and plug-ins and the examples provided in the Developer's Guide are limited.
I would like to know if anyone else is using plug-ins or another process to set initial passwords when a user is created? If you are using plug-ins would you be willing to share a code sample?

I am surprised that I have not received any responses... Surely there are others who are experienced with programmatically setting passwords when new users are programmatically created. Does anyone have any pointers on how to best accomplish this?

How can I display the password expiration date for a user

I have created a GUI (using PrimalForms) which runs powershel scripts to pull information like user ID, email address, last logon ec. for the helpdesk to help establish the validity of some user claims of "it worked yesterday" and the like.
I have been asked to add the password expiration date, but I am struggling to get the code for this addition.
Does anyone know how I can include this, and have it in a human readable format?
The current scripts (there are 3) allow the helpdesk staff to search on user ID and display name, the third provides the last logon, it was impossible to include this in the other scripts so I added an extra search button and called it good. An example of
these scripts is below (please note, PrimalForms needs a slightly different syntax in order to get the results displayed, but the core script is standard PS, I use Powershell 3.0)
$results.Text=Get-ADUser -Filter "sAMAccountName -eq '$($EntryBox.text)'" -Properties DisplayName, sAMAccountName, mail, extensionattribute5, PasswordLastSet, PasswordExpired, PasswordNeverExpires, buMemberOf, telephoneNumber, msExchOmaAdminWirelessEnable, whenCreated, whenChanged, enabled, AccountExpirationDate | select givenName, surname, DisplayName, sAMAccountName, mail, extensionattribute5, PasswordLastSet, PasswordExpired, PasswordNeverExpires, buMemberOf, telephoneNumber, msExchOmaAdminWirelessEnable, whenCreated, whenChanged, enabled, AccountExpirationDate | Out-String
$results.Focus()
for info:
$results.text is the window in the GUI results are displayed in
$entrybox.text is the text box the helpdesk staff use to input the user ID or display name of the account they are querying
$results.focus simply tells the script to put the results in the results.text window
The screenshot below shows the current setup, this is purely to put the above information into perspective. Obviously some of the information displayed has been removed/redacted along with our logo.

Hi,
Here's an example you can build from:
$maxPasswordAge = 120
Get-ADUser USER -Properties PasswordLastSet |
Select SamAccountName,
PasswordLastSet,
@{N='PasswordLifeRemaining';E={$maxPasswordAge - ((Get-Date) - $_.PasswordLastSet).Days}},
@{N='PasswordExpirationDate';E={(Get-Date $_.PasswordLastSet).AddDays($maxPasswordAge)}}
Don't retire TechNet! -
(Don't give up yet - 13,085+ strong and growing)

Want a solution for a scenario-To Set Password expiration in OID from OIM

Hi,
I have one scenario. Please guide me in some details to achieve this.
I have one password policy in OIM. When user's password expires in OIM, then his password should also expire in OID. We have OID as user's repository.
For this I have one solution but dont know how to implement this in OIM.
"OID has the LDAP attribute called “pwdMaxAge” map this attribute to the OIM resource object and reset this value to number of days (as per password policy) whenever you change the password in OIM. This will set the password expiration time in the OID without having the password policy in place. "
Plesae suggest.
Thanks in advance.

Well here is what you can do:
- For OIM the user's password will be governed with the Xellerate User password policy, which says that password must be changed every 28 days. So you are good in handling this in OIM.
Now for OID side, you have two options - *1. User changes OID password directly* and *2. User changes OID password through update in OIM profile password*. Most probably tou would want the second case. If true then here is what you can do.
- As user changes the OIM password. Create automatic trigger Change User Password which updates the password in the process form of OID.
- This invokes the Password Updated task.
- On SUCCESS of this task, call another task which goes to OID target and updates the attribute pwdMaxAge to Current date + 28
Thanks
Sunny

TMSADM: Initial password expired

Similar Messages

Maybe you are looking for