Urgent !!!!! Authentication scheme to include a password policy

Similar Messages

• Defining an Authentication Scheme for user ID and password and client certi

  Hi,
                  I do need to define an Authentication Scheme for user ID/Password and client certificate,, both at the same time, so whenever the end user access the SAP Portal he/she will be asked to provide user and password as well digital certificate,
                  Despite of the whole idea behind o f the concept of digital certificate, my client sill wants to keep the user ID and password to complies with business requirements.
       I found a documentation that discuss Authentication Scheme with example using both ID and Digital certificate, but the priority was set different for each authentication method.
  http://help.sap.com/saphelp_nw04s/helpdata/en/d3/1dd4516c518645a59e5cff2628a5c1/content.htm
       So I am wondering with I can accomplish User ID/Pwd plus digital certificate just by making the priority the same value. Anyone had a similar requirement?
  Best Regards
  Claudio Rocha

  Hi
  Did you get an answer for this Query ?
  Regards
  Priyanka

• Password Policy : PwdMustChange problem

  Hi,
  i'm facing some strange issues with the password policy under Oracle Directory Server v6.3.
  I modified the global policy to force user to change their password after administrative reset.
  In the policy i see PwdMustChange set on TRUE.
  The problem is that it has no effects on users.
  I use several administrative accounts (including directory manager) to change user password (made a reset) and it is still possible to log with their account.
  I don't get it, it's like the property PwdMustChange had no effect.
  Has anyone faced this problem??
  Thanks

  The "must change" state does not prevent a user from logging in. It only requires that the next LDAP operation that the user does on that open connection be a MOD where the user changes his own password. All subsequent operations other than the password reset will fail (most likely with err=53 - DSA Unwilling To Perform).
  However, many applications will not do anything subsequent as the user. In other words, the BIND will succeed and then the application will go on about its business servicing the user, because the way the application code is written, it doesn't need to do anything other than the BIND to authenticate the user, and the BIND has succeeded.
  When an LDAP-enabled application is going to integrate with the LDAP password policy model, it needs to consume LDAP controls properly. In this case, the BIND request and response should include a password policy control that indicates the user must reset his password. This is how, even in the case of an application that need not do anything except BIND, the password policy functionality can work.
  If you want to verify that the server's password policy is working, you can do it in a number of ways. If you have the audit log turned on, when the administrative reset occurs, you should see some server-side modifications to the user that set a "must reset" operational attribute. If you do ldapsearch as the user, you should get an informational message that the search has failed. Depending on which ldapsearch tool you use, you may get a fairly informative message about the user needing to reset his password and/or the server being unwilling to service the SRCH request. If your ldapsearch as the user succeeds immediately after the admin reset, then the server password policy is not set up correctly.

• Authentication Scheme with Username / Password stored in App Table

  Hi all,
  Up to now all of our applications have used SSO authentication, but I now need to step away from this to allow users from outside our organisation (and therefore not in our OID system) to use one specific application.
  I therefore have a table in my application that stores username and password. I have a function that compares the entered username and password to this table and returns a boolean result. This function is then registered in my Authentication Scheme as the Authentication function.
  All this works well and is causing no problems. The problem is that the password is stored and checked in plain text - obviuosly not very good.
  How do I go about changing the password column in my table, the pages that allow this password to be set and updated and the authentication function that checks the username / password to use some form of encryption?
  Also, do I need to be worrying about all the other fields (Page Sentry Function,Session Verify Function, Pre-Authentication Process etc) that the Authentication Scheme offers me - or can I just leave these blank as they are now.
  If someone can give me a complete 'out-of-the-box' solution that would be wonderful - otherwise a good hard pusj int he right direction would be much appreciated.
  Many thanks,
  Martin

  Hello Martin,
  If you check out the Discussion Forum application here, you should find the information you need. This app stores an encrypted version of the user's password in the table.
  http://www.oracle.com/technology/products/database/application_express/packaged_apps/packaged_apps.html#FORUM
  Good luck,
  Don.
  You can reward this reply by marking it as either Helpful or Correct :)

• Password reset every 30 days (APEX authentication scheme)

  Hello,
  one of my application uses APEX authentication scheme. I would like to force end users to change their passwords every 30 days.
  Account Expiration and Locking is enabled. Is it enough to set "30 days" in End User Account Lifetime (days) option that I've found in Home>Administration>Manage Services>Set Workspace Preferences, or should I do something else?
  Regards,
  Przemek

  for developers who login into workspace - yes, it opens 'change password' page
  for end users - who knows?
  for example, take a look at one BUG-or-FEATURE here:
  Locked user IS ALLOWED to login in Application Express 3.2.1.00.12
  Locked user IS ALLOWED to login in Application Express 3.2.1.00.12

• How to deal with expired passwords in authentication schemes?

  IHi,
  I am trying to build an authentication scheme that deals with expired passwords. After the user has provided their valid but expired password they should be redirected to a password reset page. After they have provided a new password they should be allowed to continue to the page they would have otherwise gone to had their password not expired.
  I have written my authentication processs as follows:
  CREATE OR REPLACE FUNCTION inventory_test.inventory_authentication (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
  RETURN BOOLEAN
  IS
  r1 apex_users%ROWTYPE;
  valid_password BOOLEAN;
  BEGIN
  IF p_password IS NULL
  THEN
  RETURN FALSE;
  END IF;
  SELECT *
  INTO r1
  FROM apex_users
  WHERE UPPER (username) = UPPER (p_username);
  valid_password :=
  DBMS_OBFUSCATION_TOOLKIT.md5 (input_string => p_password
  || TO_CHAR (r1.SEED, '99999')
  ) = r1.PASSWORD;
  IF valid_password AND (r1.password_expiration_date < SYSDATE)
  THEN
  apex_util.set_session_state ('FSP_AFTER_PASSWORD_RESET_URL', v ('FSP_AFTER_LOGIN_URL')); -- My new application item
  apex_util.set_session_state ('FSP_AFTER_LOGIN_URL',
  'F?P=' || v ('APP_ID') || ':14:' || v ('APP_SESSION')
  END IF;
  RETURN valid_password;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RETURN FALSE;
  END;
  This redirects the user to the password reset page but FSP_AFTER_PASSWORD_RESET_URL is null - presumably because the login process changes the session.
  This seems the wrong approach anyway as the user, once authenticated, can change the page number in the URL and avoid the password reset. I would guess that I need to use the APEX_CUSTOM_AUTH package somehow. However, I am thoroughly confused about the relationship between the LOGIN and POST_LOGIN procedures. Also, I gather from other posts in this forum that there is some asynchronous processing that goes on as new sessions are created. Can someone point me in the right direction please?
  --Tony
  [http://tonyhasler.wordpress.com/][http://tonyhasler.wordpress.com/]

  Sorry for taking so long to acknowledge your helpful suggestions.
  Scott's proposal is a tiny tiny bit awkward as,if i understand it correctly, the user would have to reauthenticate after resetting the password.
  /dev/null's suggestion is actually not too bad for me. I already have each page being authorised and I use only a limited mumber of (once per session) authorization schemes. I think all I have to do is to place an extra line or two in each scheme to check the expiration date of the user's password and remember to call APEX_UTIL.RESET_AUTHORIZATIONS when the password is reset.
  I successfully redirected to the password reset page using owa_util.redirect_url from the post-authentication procedure but what I am still having trouble with is the deep-linking bit. It seems I have to obtain the target URL by 'editing' FSP_AFTER_LOGIN_URL to replace '|' characters by ':' characters and inserting the session id in the right place. Given the fact that FSP_AFTER_LOGIN_URL may not be set and that there may not be sufficient ':' characters in the URL this is very clunky.
  Is there an easier way to do this?
  --- Never mind. I worked out how to use regular expressions with SQL to do this. A full explanation is in my blog.
  --Tony
  http://tonyhasler.wordpress.com
  Edited by: TonyHasler on Sep 6, 2008 3:17 PM

• Authentication scheme affecting report formatting

  Hi all,
  I'm new to HTMLDB, and using 1.5.0.00.33. Super product. All was going splendidly until...
  I created an authentication scheme ('ANIX') from scratch. Its function checks agains database users, and performs correctly. It uses login page 101. All other parameters defining the scheme I left at defaults.
  I have some multi-column sql reports which include a text column (call it FRED) with typical contents of say 500 to 2000 characters.
  With HTML_DB as the current authentication scheme, column FRED wraps as expected, and reports render correctly.
  With ANIX as the current authentication scheme, column FRED doesn't wrap, so report tables no longer size to the width of the browser window - they extend way to the right in an unacceptable manner.
  I can toggle between correct and incorrect report displays by switching which auth scheme is current. This happens whatever report template I use.
  Anyone shed light on this please?
  Thanks,
  John D

  Hi Scott,
  Thanks for prompt reply.
  Auto-sizing of columns and wrapping of cell contents to fit (e.g. in columns of a <table width="100%">) is default HTML behaviour, no? - as with the paragraph you're reading right now.
  Clearly authentication shouldn't have any thing to do with it. But that's what's happening...
  I'd like to install on oracle.com, but the dependencies of the app on objects and data in other schemas (users, tables etc. in the 'main' transactional database) make this a prohibitively complex task at this stage.
  Perhaps I could sort out some access for you to the app in situ? (First I'll have to find out how - it's all behing firewalls etc at the moment).
  If it helps, the authenticate function is below.
  John
  create or replace function authenticate_u_p
  ( p_username in varchar2,
  p_password in varchar2
  return boolean
  -- Called from the htmldb login procedure
  as
  l_account_status varchar2(32);
  l_old_expiry_date date;
  l_old_encrypted varchar2(30);
  l_new_encrypted varchar2(30);
  l_stmt varchar2(255);
  begin
  if p_username is null
  or p_password is null then
  return false;
  end if;
  begin
  select account_status
  into l_account_status
  from sys.dba_users
  where username = upper(p_username)
  and account_status <> 'LOCKED';
  exception
  when no_data_found then
  -- The user doesn't exist or account is locked...
  return false;
  end;
  -- Get the user's current password...
  begin
  select password,
  expiry_date
  into l_old_encrypted,
  l_old_expiry_date
  from sys.dba_users
  where username = upper(p_username);
  exception
  when no_data_found then
  -- The user doesn't exist...
  return false;
  end;
  -- We have the encrypted value of the current password, but only the plain value of the supplied password.
  -- To compare the current and supplied passwords, we have to:
  -- - 1. change the user's password to the supplied parameter (which encrypts the value)
  -- - 2. obtain the encrypted value of this new password
  -- - 3. compare the two encrypted values
  -- 1. change the user's password to the supplied parameter (which encrypts the value)...
  l_stmt := 'alter user '||p_username||' identified by '||p_password;
  execute immediate l_stmt;
  -- 2. obtain the encrypted value of this new password...
  begin
  select password
  into l_new_encrypted
  from sys.dba_users
  where username = upper(p_username);
  exception
  when no_data_found then
  -- This should never occur, but let's be safe...
  return false;
  end;
  -- 3. compare the two encrypted values...
  if l_old_encrypted <> l_new_encrypted then
  -- Change the password back to its old value...
  l_stmt := 'alter user '||p_username||' identified by values '||chr(39)||l_old_encrypted||chr(39);
  execute immediate l_stmt;
  end if;
  if l_old_expiry_date < sysdate then
  l_stmt := 'alter user '||p_username||' password expire';
  execute immediate l_stmt;
  end if;
  return l_old_encrypted = l_new_encrypted;
  end authenticate_u_p;

• OAM Password policy not working.

  Hi All,
  I am configuring a password policy in OAM which enforces the user to reset his password at first login. OAM is using OID as user store and I have added oblix password related objectclasses to OAM schema. OIM is used to provision all users to OID. I have also enabled the Checkbox Change on Reset in password policy.
  I have also made certain attributes visible in OAM user manager such as obpasswordchageflag, oblastsuccesfullogin, oblastfaillogin etc.,
  Once the user is created in OID through OIM, the values for attributes obpasswordchageflag, oblastsuccesfullogin, oblastfaillogin are empty.
  Case1: obpasswordchangeflag attribute value is empty for user say oamtestuser. oamtestuser logs in to OAM protected application with default password provided in OIM. I could see the oblastsuccesfullogin attribute value updated in oamtestuser profile as expected. Similarly oblastfaillogin value also got updated for failed login as expected.
  Case2: obpasswordchangeflag set to true manually in user profile for oamtestuser. oamtestuser logs into OAM protected application with default password. Upon submit, user is redirected the change password page which prompts the user to enter current password and new password. Upon submit user will be shown another page with backup button. Upon clicking back button, user is asked to login to the application once again with new password. Upon submit, user is shown change password page again instead of logging to application with new password. I have noticed that obpasswordchangeflag attribute value is still set as true.
  Case3: After executing Case2, even after modifying the obpasschangeflag value to false or making empty, the attribute values of oblastsuccesfullogin and oblastfaillogin are not getting updated accordingly.
  Please let me know if you have any clue on this.
  This is really urgent. Would appreciate quick help.
  Thanks.
  Mahendra.

  HI Sagar,
  Thanks for the response.
  Another major update: When we tried creating user using OAM workflow, the obpasswordchangeflag got true value by default and password change functionality worked as expected. So it is obviously an issue with provisioning user through OIM. We manually created an attribute obpasswordchangeflag and provisioned a new user with value as true but still the user profile in OAM User Manager for attribute obpasswordchangeflag is empty. This means that there needs to be some mapping which we are missing i.e., an attribute in OIM has to be mapped correctly with OID attribute obpasswordchangeflag .
  So we are searching for this mapping stuff. Do you have any other opinion on this?
  Thanks
  Mahendra.

• OpenLDAP, password policy.

  Hi
  I need some help or advice about how to use password policy with ldap authentication. I folowed that manual. I had slapd.conf configurated and I have ou=policies and the cn=default,ou=policies,dc=example,dc=com policy.
  Now what shoud I do to let the cliets use that policy? I still have pam_cracklib.so in my /etc/pam.d/system-auth-ac (the clients are CentOS). Should I remove the pam_cracklib.so and add something else?
  I red in another place that I should add "pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com" in the user`s entry, but I am unable to do that. Do you know in which objectClass is that attribute included?
  Regards.

  I believe that most of pam_ldap modules on these machines understand the Sun DS password policy controls.

• Password policy "change password at first login" errors!

  Complete panic!
  I've updated to OS X Server 4.1 and all my users appear to be ok. All green lights within the server app. Computers are NOT giving the red light 'network accounts unavailable'. However, no one can login. Every user, new and old, are being prompted at login to create a new password (say: Password 1). They type in a new password (say: Password2), the box shakes like it didn't accept it. However, if they try to login again, it won't accept Password1. If they type Password2, they again get prompted to change the password.
  So it looks like it's accepting the password, but stuck in this reset password loop.
  I've checked in the server app and workgroup manager. Neither have 'reset password at first login' selected.

  Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
  1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.
  2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
  4. If you have accounts with network home directories, make sure the URL's are correct in the user settings. A return status of 45 from the authorizationhost daemon in the log may mean that the URL for mounting the home directory was not updated after a change in the hostname. If the server and clients are all running OS X 10.10 or later, directories should be shared with SMB rather than AFP.
  5. Follow these instructions to rebuild the Kerberos configuration on the server.
  6. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
  7. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
  8. Reboot the master and the clients.
  9. Don't log in to the server with a network user's account.
  10. Disable any internal firewalls in use, including third-party "security" software.
  11. If you've created any replica servers, delete them.
  12. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.
  13. Reset the password policy database:
  sudo pwpolicy -clearaccountpolicies
  14. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.
  If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.

• Password Policy and user account lockout in OAM

  Hi folks,
  I'm new to OAM and have rather silly question: I created Password Policy where I've defined the Number of login tries allowed, Custom Account Lockout Redirect URL, etc. Now, how do I tie it to the authentication / authorization rules inside my Policy Domain which I'm using to protect a certain resource?
  Thank you
  Roman

  Hi Colin,
  I do have the validate_password plugins defined in the Authent scheme, here they are:
  credential_mapping      obMappingBase="xxxxxx"
  validate_password      obCredentialPassword="password"
  validate_password      obReadPasswdMode="LDAP"
  validate_password      obWritePasswdMode="LDAP"
  Yet, after the third unsuccessful login, nothing happens. I still don't get it how the password policy I've created kicks into the action? Should it be evaluated each time a user attempts an access? Is it getting engaged due to the validate password plugin names?
  I've also noticed that the only default step I have in the Authent scheme doesn't list the last two validate password plugins in it. Does it have to?
  Thanks Roman
  Edited by: roman_zilist on Dec 17, 2009 9:12 AM

• OAM : Which identity server is used by Password Policy?

  Hi,
  The OAM setup has two identity servers (ois1, ois2), two webpass (wp1, wp2) on two web servers. wp1 is pointing to ois1 only and wp2 is pointing to ois2.
  We have two sets of Policy manager, Access server and WebGate. wg1 is pointing to aaa1 and wg2 is pointing to aaa2.
  Now, when a user tries to access a OAM webgate protected page and the password policy gets applied, do the identity server comes into picture? if yes, which identity server is used here, ois1 or ois2?
  I want to use ois1 for all the requests coming to webserver with wg1. How do I do it?
  Thanks in advance.

  Hi Colin,
  Thanks for your reply.
  The reason I put this question was - in a scenario when I dont have Access Server (any access component), then also Password Polices work. So, I understand identity server is used here. When we have access side components, what makes OAM not to use identity server at all. Or is it the feature of OAM - when the accessed resource is ptotected by WebGate the Password policies are taken care of by Access Server, otherwise by identity server or is it because of the 'obReadPasswdMode' and 'obWritePasswdMode' in the authentication scheme?
  I stopped my identity server and I saw the password policy working - so I know the behavior; still asking the above question for my better understanding of OAM.
  Thanks for your help!

• Simple authentication scheme

  I am looking for a very simple authentication scheme. Security is not important, it just has to stop a not very determined accidental visit. And I do not want to set up a real user for this. Think for instance an invitation page for a party that needs to be discussed with a few people before going live for the rest of the invitees.
  Is there a way to do this? Something simple in Apache would probably do as well.

  Although you might not want to create a real user account for this, it'll actually make it a LOT easier t do so.
  You see, Server Admin includes the ability to define protected realms in your web environment, but it only works against users and groups in the directory.
  Apache, of course, can use a variety of ways to define users, but then you have to get under the hood and mess around in the Terminal.
  So my suggestion would be to create a new user account - at least temporarily (you can delete it when the party invite is live).
  Then use Server Admin -> (server) -> Web -> Sites -> (your site) -> Realms to create a new realm for your pages. The realm simply matches the URI, so if your content is at http://www.yourserver.net/invite/ then you create a realm that covers /invite/
  Then expand the users and groups pane (on the side of the window) and drag the newly-created user into the access list.
  That's all there is to it. When the server sees a request for anything in /invite/ it will ensure the user is authenticated using a username/password that has been granted access.
  Once the site goes live, remove the realm, then you can delete the account.

• Configuring the authentication scheme for a web application

  Hi all,
  We have a requirement to configure the authentication scheme for a web application where some set of users should access the application using basic LDAP (userid/password) authentication and some using digital certificate authentication.
  Since the deployment descriptor (web.xml) allows only one directive for auth-method in logic-config, we want to know if there is any other way to achieve this requirement. We are thinking of a custom login module approach. But we are not able to figure out how to configure the auth-method at runtime from the login servlet.
  Please let us know if there is any other approach to achieve this.
  I will be thankful if any body shares any specific solution to this issue.

  This forum is probably not the correct one to ask in. It's more related to the web container than Java Programming.
  Kaj

• Can I use LDAP server's authentication mechanism rather than comparing password ?

  Hi All,
  The weblogic security and adminguide says that the user authencation can be of
  the following 3 types:
  1. Bind specifies that the LDAP security realm
  retrieves user data, including the password for
  the LDAP server, and checks the password in
  WebLogic Server.
  2. External specifies that the LDAP security
  realm authenticates a User by attempting to
  bind to the LDAP server with the username
  and password supplied by theWebLogic
  Server client. If you choose the External
  setting, you must also use the SSL protocol.
  3. Local specifies that the LDAP security realm
  authenticates a User by looking up the
  UserPassword property in the LDAP directory
  and checking it against the passwords in
  WebLogic Server.
  But say I want that my users should be authenticated by the LDAP server rather
  than picking up the password from LDAP and comparing at weblogic end. Then what
  should I do ?
  Because no. 2 is applicable only for ssl certificates, no.1 and no.3 picks up
  password using the login dn and password provided at the time of configuration
  of realm and compare with password given by user.
  And once gain there some issues on having picking up password and comparing it:
  1. Netscape directory server can store the password in oneway hashed form(and
  that is preferred , too). So when userpassword attribute is read , it's in one
  way hashed form. So how the comparison will go on ?
  2. Creating a user who has the access to user data along with userpassword attribute
  itself is a security threat, as if someone can crack that user's dn and password
  then he/she can do anything as userdata can be read.
  Any suggestion is welcome.
  TIA,
  Sudarson

  Thanks a lot Jerry.
  I got these stuff from weblogic 6.1 docs sets security.pdf and adminguide.pdf.
  I have another question, if that is the case (in Case of BIND), then why do we
  a require a dn of user and password who has the access to read the entire directory
  And at the same time, u specified this for Bind, what are the cases for other
  two-local and external ? And then what is actually difference between Bind and
  Local ?
  Pls help me.
  Thanks,
  Sudarson
  Jerry <[email protected]> wrote:
  Hi Sudarson,
  Whatever doc you were reading is at least partially incorrect, unfortunately...
  I know for sure that when you specify BIND, weblogic sends the username/password
  to your
  LDAP server in an attempt to bind to it.
  If the bind is successful, WLS determines that the username/password
  pair were correct.
  If the bind was unsuccessful, WLS determines that the username/password
  pairing is not
  valid.
  At all times, WebLogic is letting the LDAP server do the actual compare
  of
  username/password. WLS does not, at any time, retrieve a password from
  the LDAP server.
  I hope this helps,
  Joe Jerry
  sudarson wrote:
  Hi All,
  The weblogic security and adminguide says that the user authencationcan be of
  the following 3 types:
  1. Bind specifies that the LDAP security realm
  retrieves user data, including the password for
  the LDAP server, and checks the password in
  WebLogic Server.
  2. External specifies that the LDAP security
  realm authenticates a User by attempting to
  bind to the LDAP server with the username
  and password supplied by theWebLogic
  Server client. If you choose the External
  setting, you must also use the SSL protocol.
  3. Local specifies that the LDAP security realm
  authenticates a User by looking up the
  UserPassword property in the LDAP directory
  and checking it against the passwords in
  WebLogic Server.
  But say I want that my users should be authenticated by the LDAP serverrather
  than picking up the password from LDAP and comparing at weblogic end.Then what
  should I do ?
  Because no. 2 is applicable only for ssl certificates, no.1 and no.3picks up
  password using the login dn and password provided at the time of configuration
  of realm and compare with password given by user.
  And once gain there some issues on having picking up password and comparingit:
  1. Netscape directory server can store the password in oneway hashedform(and
  that is preferred , too). So when userpassword attribute is read ,it's in one
  way hashed form. So how the comparison will go on ?
  2. Creating a user who has the access to user data along with userpasswordattribute
  itself is a security threat, as if someone can crack that user's dnand password
  then he/she can do anything as userdata can be read.
  Any suggestion is welcome.
  TIA,
  Sudarson