Application Development Discussions
BapiException: 'PASSWORD_NOT_ALLOWED'

Former Member

ESS 6.0 Novell IDM 3.6.1 SAP User Driver

When syncing a password from Novell to SAP ESS I am receiving the following message:

<description>SUSR_USER_CHANGE_PASSWORD_RFC : com.novell.nds.dirxml.driver.sapusershim.BapiException: 'PASSWORD_NOT_ALLOWED' exception while setting password. Password violates Server security policy</description>

The issue I am having is not the failed password. I was testing that by setting the password to "aaaDf1ne". The issue is that the message is different between Dialog Accounts and Service Accounts. The message I get with the Service Account is "<description>BAPI_USER_CHANGE : com.novell.nds.dirxml.driver.sapusershim.BapiException: The first three characters of the password must all be different</description>"

My question is can I configure the Dialog Account to receive the same message as the Service Account? I want to trap and log this message.

Thank you,

Brad

11 REPLIES

Former Member

> The issue is that the message is different between Dialog Account and Service Accounts.

This is also intentional.

A dialog user has the capability to change its own password, without requiring administrator access for this.

A service user does not have this option (at logon, regardless of the protocol used!) or in its own context (transaction SU3, in the SAPGui context!).

The restraints which you are observing are a design error in the Novell "front end" server. It is trying to force you to grant admin rights to the user to change their own password as administrator, and not as the user itself.

There are very good reasons for this, and to be honest with you I would choose a different vendor if they force you into such "bottle-necks".

Particularly you need to consider that different system configuration and different system types (and vendors) offer inconsistent password options. If you distribute passwords (which your Novell system is trying to do..) then you should not be surprised when not only your minimum password policies have to be weak, but the maximum password option available to the user does not work consistently.

You can settle for 8 characters all UPPER-CASE for all systems (also non-SAP) as a standard if you wish, but don't come crying back when the user chooses something else if all your home grown applications support it.

It is the user's right to change their own password at will!

General recommendation for normal use-cases --> go for Single-Sign-On and not password synchronization, if you want to achieve central password management (a.k.a. Single-Sign-One --> only entering the password once).

Cheers,

Julius

Edited by: Julius Bussche on Feb 19, 2010 10:06 PM

Former Member

> <description>SUSR_USER_CHANGE_PASSWORD_RFC : com.novell.nds.dirxml.driver.sapusershim.BapiException: 'PASSWORD_NOT_ALLOWED' exception while setting password. Password violates Server security policy</description>

If you search SDN for the term "Novell AND problem" then you will find some interesting discussions.

If you think about it and look at the technical attributes of the function module then it should be clear to you --> not released and subject to change without warning.

This FM was predestined for change on the "other side" of its interface, even if you did not search for documentation on it.

I will not say anything more, but you can read between the lines...

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert

Well, most likely this problem arises from an invalid mixed use of the two function modules BAPI_USER_CHANGE (intended to be used by an user administrator, thus requiring S_USER_* authorization) and SUSR_USER_CHANGE_PASSWORD_RFC (intended to be used by the user itself; does not require any S_USER_* authorization but the correct old password needs to be provided; some additional checks are performed (comparing old and new password)).

Both function modules have been designed for different usage scenarios - you cannot combine them into one single scenario.

I'm aware that some (non-SAP) Identity Management (IdM) solutions are ignoring this fact attempting to implement some kind of password synchronization feature - knowing that [this is not supported|https://service.sap.com/sap/support/notes/376856].

Regards, Wolfgang


Ah yes, now I remember the original flamewar as well...

Cheers,

Julius


Wolfgang and Julius,

Thank you for your replies.

My issue is not that I am getting an error message. It should be giving me an error, because the password I am using does not meet one of SAP's password rules, i.e. "The first three characters cannot all be the same", which is predefined in the SAP system. But, from Wolfgang's response, because Novell is first changing the password as an administrator and then changing it as the user, this might be causing the password error message not to include the reason why the password did not meet the SAP password rule requirements. My goal was to trap the message and then write it to a log file.

On SSO, I agree but the customer is not ready to implement a SSO solution at this time.

Brad Williams


> My goal was to trap the message and then write to a log file.

Yeah, but that is just a "workaround". If you could "catch" the exception in the BAPI then you could "handle" it as well...

A more sustainable approach (but more hassle) would be to create your own wrapper function for the BAPI, which writes the message and then (dependently on the message) calls the "surface" for the password change. You can prior already check the "formal compliance" of the provided password.

But that would mean you need to maintain the wrapper (release-dependently!) and have to get your code in first (software logistics are involved!). Vendors don't like doing that (understandable to some extent). It is not "hacker culture" either to do something unnecessarily, even if it violates the semantics of two functions with conflicting purposes.

Using existing code to work around checks and intended constraints... it is like breaking windows, or pulling the girls' hair at school.

Decision error. Take it like a man when it backfires.

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert

> My issue is not that I am getting an error message. It should be giving me an error, because the password I am using does not meet one of SAP's password rules, i.e. "The first three characters cannot all be the same", which is predefined in the SAP system. But, from Wolfgang's response, because Novell is first changing the password as an administrator and then changing it as the user, this might be causing the password error message not to include the reason why the password did not meet the SAP password rule requirements. My goal was to trap the message and then write it to a log file.

No, this kind of error message is raised independently from the (invalid) combined usage of both API functions.

If you are interested in the proper error message, then simply invoke SUSR_USER_CHANGE_PASSWORD_RFC with the optional importing parameter USE_BAPI_RETURN set to value 1 and evaluate the exporting parameter RETURN (of type BAPIRET2). See: [SAP Note 899614|https://service.sap.com/sap/support/notes/899614]
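The two suggestions in this thread, Julius's idea of a wrapper that first checks the "formal compliance" of the password and Wolfgang's advice to call SUSR_USER_CHANGE_PASSWORD_RFC with USE_BAPI_RETURN set and evaluate RETURN (BAPIRET2), can be combined into one small client-side routine. The following is an added example written for this page; it is not Novell's driver code and not SAP-shipped code. It assumes a pyrfc-style call interface (`call(fm_name, **params)` returning a dict of exporting parameters), injected as a callable so the example runs offline against constructed stand-ins. USE_BAPI_RETURN and RETURN are the parameter names given above; the importing parameters BNAME, PASSWORD and NEW_PASSWORD, the minimum length, and the BAPIRET2 message ID/NUMBER values in the stand-ins are assumptions and must be checked against the target release. Only the dialog-user path is shown, since mixing it with BAPI_USER_CHANGE as administrator is exactly the unsupported combination described in this thread.

```python
"""Added example: pre-check a new SAP password locally, then call
SUSR_USER_CHANGE_PASSWORD_RFC with USE_BAPI_RETURN and evaluate the
BAPIRET2 RETURN parameter instead of catching a bare exception.
Illustrative code only; not Novell's driver and not SAP-shipped code."""
import logging
from typing import Any, Callable, Dict, List, Tuple

log = logging.getLogger("sap_pwd_sync")

# A callable shaped like pyrfc's Connection.call(fm_name, **params) that
# returns a dict of exporting parameters. Injected so the example runs offline.
RfcCall = Callable[..., Dict[str, Any]]


def precheck_password(new_pw: str, min_len: int = 8) -> List[str]:
    """Formal checks that can be done before any RFC round trip.
    The 'first three characters' rule is the one quoted in the thread;
    min_len is an ASSUMED stand-in for the target system's
    login/min_password_lng profile value and must be aligned with it."""
    violations: List[str] = []
    if len(new_pw) < min_len:
        violations.append(f"password shorter than {min_len} characters")
    if len(new_pw) >= 3 and new_pw[0] == new_pw[1] == new_pw[2]:
        violations.append("first three characters are all the same")
    return violations


def _bapiret2_rows(ret: Any) -> List[Dict[str, Any]]:
    """RETURN may arrive as a single BAPIRET2 structure or a table of them."""
    if not ret:
        return []
    return [ret] if isinstance(ret, dict) else list(ret)


def change_own_password(rfc: RfcCall, bname: str, old_pw: str,
                        new_pw: str) -> Tuple[bool, List[str]]:
    """Dialog-user path: the user changes its own password.
    Returns (success, messages). Messages are logged; passwords never are."""
    problems = precheck_password(new_pw)
    if problems:
        for p in problems:
            log.error("user %s: rejected before RFC call: %s", bname, p)
        return False, problems

    # USE_BAPI_RETURN and RETURN are the names given in the thread; the
    # BNAME / PASSWORD / NEW_PASSWORD importing parameters are ASSUMED.
    result = rfc("SUSR_USER_CHANGE_PASSWORD_RFC",
                 BNAME=bname, PASSWORD=old_pw, NEW_PASSWORD=new_pw,
                 USE_BAPI_RETURN="1")
    rows = _bapiret2_rows(result.get("RETURN"))
    messages = [f"{r.get('TYPE', '')} {r.get('ID', '')}{r.get('NUMBER', '')}: "
                f"{r.get('MESSAGE', '')}".strip()
                for r in rows if r.get("MESSAGE")]
    # BAPIRET2 TYPE 'E' (error) or 'A' (abort) means the change was refused.
    failed = any(r.get("TYPE", "").upper() in ("E", "A") for r in rows)
    for m in messages:
        (log.error if failed else log.info)("user %s: %s", bname, m)
    if not failed:
        log.info("user %s: password change successful", bname)
    return (not failed), messages


# --- Constructed stand-ins for the RFC call so the example runs offline ---
def rfc_server_rejects(fm: str, **params: Any) -> Dict[str, Any]:
    """Server-side policy failure. The message text is the one quoted in the
    thread; ID and NUMBER are placeholders, not real SAP message keys."""
    assert fm == "SUSR_USER_CHANGE_PASSWORD_RFC" and params["USE_BAPI_RETURN"] == "1"
    return {"RETURN": {"TYPE": "E", "ID": "XX", "NUMBER": "000",
                       "MESSAGE": "The first three characters of the password "
                                  "must all be different"}}


def rfc_server_accepts(fm: str, **params: Any) -> Dict[str, Any]:
    """Success: RETURN comes back without an error row."""
    return {"RETURN": {}}


if __name__ == "__main__":
    logging.basicConfig(filename="sap_pwd_sync.log", level=logging.INFO)
    print(change_own_password(rfc_server_rejects, "BWILSON", "Old1pass", "aaaDf1ne"))
    print(change_own_password(rfc_server_rejects, "BWILSON", "Old1pass", "abcDf1ne"))
    print(change_own_password(rfc_server_accepts, "BWILSON", "Old1pass", "abcDf1ne"))
```

The pre-check only covers rules the client can know; the server still has the final say (the second call above passes the local check and is still refused), so the BAPIRET2 evaluation is what actually produces the loggable reason. Note that old and new passwords are deliberately kept out of every log line.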


Hi Wolfgang,

Does that mean the USE_BAPI_RETURN import parameter and the interface for it are released, but the FM itself and the other import parameters are not?

I understand the "at own risk" aspect but always thought the released flags were intentionally not maintained liberally...

Cheers,

Julius


All I know is when the password meets the SAP requirement it is set and I can log into SAP. No error message is returned. Here is the message that Novell is returning after the password is changed: "User BWILSON has changed : Password Change Successful".

Also I do not have full access to SAP so I cannot see the notes and therefore have not been able to read them.

Brad Williams

WolfgangJanzen
Product and Topic Expert

> the released flags were intentionally not maintained

Yes - because they have a special (documented) meaning:

"The function module is released within SAP and for customers. When making changes, you must be careful to ensure upward compatibility. A programmer who has used the function module must be able to rely on the fact that he will never in the future need to change the way he has called it."

Well, "ordinary" function modules do not guarantee such compatibility (and do not have to).

Only BAPIs have to comply with such strict rules (regardless of the flags).

Cheers, Wolfgang

WolfgangJanzen
Product and Topic Expert

> All I know is when the password meets the SAP requirement it is set and I can log into SAP. No error message is returned. Here is the message that Novell is returning after the password is changed: "User BWILSON has changed : Password Change Successful".

> Also I do not have full access to SAP so I cannot see the notes and therefore have not been able to read them.

> Brad Williams

Anyway - if the coding comes from Novell, then they have to provide a patch.

And they are supposed to have access to the notes.