password_max_idle_time property

Former Member
0 Kudos

Hi,

We are working with EP 7.0 SP 13.

User data for portal is maintained in two datastores - LDAP & UME.

Our requirement is that if a UME user has not logged in to the portal for xx days, his account/password should be locked. We found out that this can be achieved by using the UME property password_max_idle_time.

I have one doubt. If we use this property, will LDAP users also be locked after xx inactive days, or will this property be applicable only to UME users?

Thanks,

Apurva


12 REPLIES

Former Member
0 Kudos

If you are only using LDAP to authenticate the user against the AD password (is that correct?) then only the AD rules have an effect.

So I would think that not only does this property have no effect on the AD, but it would have no effect on the portal either.

Cheers,

Julius

0 Kudos

Hi,

Some of the users are created in LDAP, while some users are created in the portal (UME) using Identity Management.

Won't this property work for users created in the portal?

Regards,

Apurva

0 Kudos

My understanding is that it will only work for those users who have a portal specific password.

If the AD password is used or the ABAP password, then these are not relevant.

But Patrick's post seems to suggest that you can use (some of) them anyway. But I am not sure how not logging onto a portal will lock an AD account password. I think that was your concern, right?

Cheers,

Julius

0 Kudos

The UME security policies only apply to applications deployed on the Java Server that use UME authentication. Therefore a user, whether from the DB datasource or the LDAP datasource, will be affected by these security policies when trying to use the applications deployed on the Java Server. If the user's password becomes locked in the UME, for example due to the max idle time being exceeded as discussed here, the user will not be able to log on to Java applications deployed on the Java Server. This however will not mean that the LDAP user will have his password locked in the LDAP; he simply will not be able to authenticate on the J2EE until such time as the password is unlocked. The user will still be able to authenticate against the LDAP directly using user ID and password.

When we are referring to a password being locked, we are referring to what happens in the UME when a security policy is violated, e.g. too many incorrect passwords entered, and the user is then not able to log on to the applications of the J2EE server.

Whereas when we are referring to an account being locked, we are referring to an administrator deliberately locking a user's account in the UME.

Edited by: Patrick Whitty on Jun 4, 2009 6:14 PM

0 Kudos

Thanks Patrick. That is basically the same as the ABAP system as well.

@ Apurva: When the user whose "datastore" is the LDAP logs onto the portal, do they enter their LDAP Active Directory network password to log on, or do they enter a portal-specific password?

Cheers,

Julius

0 Kudos

Hi,

Thank you Patrick & Julius.

@Julius: Yes, my concern is that the password for LDAP users should not be locked because of this setting. Users whose "datastore" is the LDAP log onto the portal with their LDAP password; they don't have a portal-specific password.

Regards,

Apurva

0 Kudos

Then I do not see any risk for you (your "LDAP").

On the contrary, the existence of local portal passwords that are neither used nor changed from an initial value is a risk, so it is best to disable such passwords without unnecessary delay.

Cheers,

Julius

PS: Can one also delete passwords in the portal, in the way that one can in ABAP systems?

former_member432219
Active Participant
0 Kudos

It will apply to all users in the UME irrespective of datasource (DB or LDAP). For users that have not logged on previously, their last successful logon date can be set by the parameter

ume.logon.security_policy.password_successful_check_date_default.

Together with ume.logon.security_policy.password_max_idle_time, this can determine if the user has exceeded the max interval allowed for successful logon, and the password will be locked.

See this page

http://help.sap.com/saphelp_nw70/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/content.htm

Former Member
0 Kudos

After setting a value for this property we found that passwords for LDAP users are expiring after xx inactive days and they are not able to log in to the portal with the same password. They can access other network resources with their LDAP password but not the portal.

Can anyone let me know if I can restrict the property password_max_idle_time so that it affects only UME users and not LDAP users?

Regards,

Apurva

0 Kudos

This sounds strange to me...

Authentication using an external password (LDAP) also locks external-password-based authentication when that password (which would not need to be changed at first logon) is not used to log on to the SAP system (portal) for an "idle" period?

I would think that it should only disable a local password.

Cheers,

Julius

0 Kudos

As I mentioned earlier, the UME security policies apply to all users using applications that use UME authentication, irrespective of the "UME datasource". Here the UME datasource can be an ABAP AS, an LDAP server or the DB of the AS Java. (Note: When the UME's datasource is an ABAP system the security policies are applied a little differently than when the datasource is DB only, or LDAP - see http://help.sap.com/saphelp_nw04s/helpdata/EN/45/af3ac012d32e78e10000000a155369/frameset.htm)

When the UME is configured to use the LDAP server as its datasource, users from the LDAP server will be able to log on to the portal with their LDAP ID and password. However, they will be subject to the UME security policies.

These policies only impact the use of the applications deployed on the AS Java, so an LDAP user may have its account locked in the UME by trying to log on to the portal with an invalid password. This will prevent the user from accessing the portal with the LDAP ID and password, but will not stop the user from using the same credentials to access other systems that check the credentials against the LDAP server. The account is locked in the UME only.

There is no way to configure the UME security policies to vary depending on the datasource where the user account resides, so they apply to all users (except the users defined as technical users, which are subject to different policies - see http://help.sap.com/saphelp_nw70/helpdata/EN/49/bf6e8101755d5de10000000a421937/content.htm)

Update: New functionality offered from NW 7.00 SPS20 / NW 7.01 SPS05 onwards allows you to create custom security policies, so this may suit your needs. Please see note 1339611 for more information.

Edited by: Patrick Whitty on Jun 30, 2009 4:50 PM, update with note 1339611
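The idle check described in the two replies above (the default check date standing in for users who never logged on, and the lock living in the UME regardless of datasource) as an added Python model; this is not SAP's code, and it assumes the idle limit is in days, that 0 switches the check off, and that dates are ISO strings. The user dicts and the 90-day configuration are constructed sample data.

```python
from datetime import date, timedelta

# Assumed semantics (not taken from SAP documentation): the idle limit is a
# number of days, 0 disables the check, dates are ISO strings, and the default
# check date stands in for users who have never logged on successfully.
UME_CONFIG = {
    "ume.logon.security_policy.password_max_idle_time": 90,
    "ume.logon.security_policy.password_successful_check_date_default": "2009-01-01",
}

def effective_last_logon(user, cfg=UME_CONFIG):
    """Last successful logon date, or the configured default if none recorded."""
    last = user.get("last_successful_logon")
    if last is None:
        last = cfg["ume.logon.security_policy.password_successful_check_date_default"]
    return date.fromisoformat(last)

def idle_limit_exceeded(user, today, cfg=UME_CONFIG):
    """True once more than password_max_idle_time days have passed since the
    (effective) last successful logon; the user's datasource plays no part."""
    max_idle = cfg["ume.logon.security_policy.password_max_idle_time"]
    if max_idle <= 0:  # assumption: 0 means the check is switched off
        return False
    elapsed = date.fromisoformat(today) - effective_last_logon(user, cfg)
    return elapsed > timedelta(days=max_idle)

def portal_logon(user, password_ok, today, cfg=UME_CONFIG):
    """Model of a UME logon. The lock flag is written to the UME record only,
    so an LDAP user's directory entry is never touched."""
    if user.get("ume_password_locked"):
        return "locked_in_ume"
    if idle_limit_exceeded(user, today, cfg):
        user["ume_password_locked"] = True
        return "locked_in_ume"
    if not password_ok:
        return "wrong_password"
    user["last_successful_logon"] = today
    return "ok"

def ldap_bind(user, password_ok):
    """Direct bind against the LDAP server: ignores the UME lock flag entirely."""
    return "ok" if password_ok else "wrong_password"
```

Running it with an LDAP user whose last logon was in January and a logon attempt in June reproduces the thread's observation: the portal refuses the logon while a direct LDAP bind still succeeds.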

0 Kudos

Thank you Patrick for the explanation.

Regards,

Apurva