
AD and Self Service Password Reset

Former Member

First, I am new to both SAP and IdM. I am trying to set up the self-service password reset and have done so according to the documentation using the SAP Provisioning Framework task "SetPasswordOnActiveDirectoryUser-Windows-VB". I set up a separate dispatcher running under a Windows domain account with Domain Administrator rights specifically for doing the password reset jobs. My environment is IdM 7.1 SP5 against a Windows 2008 Active Directory.

The password reset works as expected with both the VB script and from an LDAP pass setting the userPassword to the MX_PASSWORD value. My issue is that if the user is locked out, then it takes two times through the process to first unlock the user and then change the password. I cannot seem to get the account modified by unlocking the account and then changing the password all within the same provisioning task. In the pass I have used both userAccountControl=544 and lockoutTime=0 to unlock the user (not at the same time) and userPassword=%MX_PASSWORD% to set the password with changetype=modify.

The really odd thing is that although the task is an Ordered Group and I have set up the subtasks as first reset the password and then enable the user, and the job log shows them run in that order, the AD controller shows the unlock occurring first every time. Any help would be much appreciated.

Accepted Solutions (0)

Answers (2)


Former Member

I have found the answer from a VBScript perspective. Apparently the scripts that come with IdM use an incorrect DN syntax, at least for Windows 2008. The way that I have made this work is shown below for the pwdopen script:

' Main function: pwdopen

dim adsMyObject

Function pwdopen(Par)
    pwdopen = ""
    on error resume next
    HOST = ugetconstant("rep.LDAP_HOST")
    LOGIN = ugetconstant("rep.LDAP_LOGIN")
    PORT = ugetconstant("rep.LDAP_PORT")
    strPassword = ugetconstant("rep.LDAP_PASSWORD")
    ' Bind to the server only; the object to change is located later by its RD
    strPath = "LDAP://" & HOST
    strUsername = LOGIN
    Set adsNamespaceLDAP = GetObject("LDAP:")
    ' Last argument: 0 = simple bind (credentials go in clear unless ADS_USE_SSL or
    ' ADS_USE_ENCRYPTION is added); the shipped script used 1 = ADS_SECURE_AUTHENTICATION
    Set adsMyObject = adsNamespaceLDAP.OpenDSObject(strPath, strUsername, strPassword, 0) '1
End Function

rather than:

strPath="LDAP://" & HOST & ":" & PORT & "/" & LOGIN

Where the host constant is defined as the full distinguished name of the server.

One other thing that was done was that the same keys.ini file that was in the x:\path\Identity Center\Key directory is installed and enabled on the AS Java server.

Also, the pwdnext script attempts to enable the user and you probably don't want that, so remark out:

' oIADSUser.accountdisabled = FALSE

and use this instead;

oIADSUser.useraccountcontrol = 544

Former Member

Why don't you set the order as:

unlock user (this way, whether he is locked or not, his status becomes unlocked no matter what)

and then reset password.

Former Member

Well actually I have done that and the password reset does not occur after the lockout is removed. As I said in the original post, no matter the order that it runs in, the AD controller shows the password being reset after the lockout is removed. When the account is unlocked then the password is not set but remains as the previous password until the entire password reset process occurs again, then it actually sets the password.

What you suggested is exactly what I want it to do, unlock the user then set the password so that at the end of the process the end user can login with the new password.

Former Member

From your statement and logic it looks like you have done everything correctly.

If the grouped tasks are not following the order, it's an SAP issue.

Former Member

Here is the process I just worked through:

1. Set my password in AD

2. locked my account

3. attempted password reset

4. checked account, unlocked but new password does not work

5. tried old password and was prompted by the portal with "Password has expired" and it forces me to change my password

I will repost later.

Former Member

Hi,

From your statement, I think you have a conflict of password reset between the repositories Active Directory and Portal: the XML configuration is allowing the script to reset in the Java database and the AD database.

Whenever we give a user a password for the portal for the first time it will ask you to reset it. I think there will be a profile parameter setting on the portal to disable this feature (asking you to reset the password); if your business accepts this, why don't you try that.

Edited by: Franklin Jayasim on Jul 22, 2010 11:30 PM

Former Member

I have changed the portal config to not enforce password policy so that AD can do so. I have also tried using lockoutTime=0 to reset the lockout status of the user, which works. If I include this in the modify pass as shown below:

Attribute        Value
dn               cn=%MSKEYVALUE%,ou=%MX_FS_PERSONNEL_AREA_ID%,ou=USERS,ou=SUSERS,%$rep.LDAP_STARTING_POINT%
changetype       modify
lockoutTime      0
userPassword     %MX_PASSWORD%

the first iteration unlocks the user but the password is not set; the second iteration has no need to unlock, so it changes the password successfully. I know that this is not the manner that IdM defines out of the box, and when I use the script that is provided, as shown below, the same occurs:

pwdopen

' Main function: pwdopen

dim adsMyObject

Function pwdopen(Par)
    pwdopen = ""
    on error resume next
    HOST = ugetconstant("rep.LDAP_HOST")
    LOGIN = ugetconstant("rep.LDAP_LOGIN")
    PORT = ugetconstant("rep.LDAP_PORT")
    strPassword = ugetconstant("rep.LDAP_PASSWORD")
    ' Shipped form: host, port and the bind account's DN all in the ADsPath
    strPath = "LDAP://" & HOST & ":" & PORT & "/" & LOGIN
    strUsername = LOGIN
    Set adsNamespaceLDAP = GetObject("LDAP:")
    ' Last argument 1 = ADS_SECURE_AUTHENTICATION
    Set adsMyObject = adsNamespaceLDAP.OpenDSObject(strPath, strUsername, strPassword, 1) '0
End Function

pwdnext

' Main function: pwdnext

dim adsMyObject
dim DefaultPassword

Function pwdnext(Par)
    pwdnext = ""
    ' Needed so the Err.Number checks below see the ADSI error instead of the script aborting
    on error resume next
    RD = par("RD")
    PWD = par("PWD")
    OPWD = par("OPWD")
    if len(PWD) < 1 then
        ' Hard-coded fallback password: any account reaching this branch gets a known value
        call uerrmsg(1, "Password is not set, and will be set to default Password1")
        PWD = "Password1"
        OPWD = ""
    else
        if Instr(1, PWD, "", 1) > 0 then
            PWD = uDESDecrypt("", par("PWD"))
        end if
    end if
    ' This will get the user-object which shall get the password set.
    Set oIADSUser = GetObject("LDAP://" & RD)
    oIADSUser.setpassword PWD
    oIADSUser.SetInfo
    ' This will enable the user-object.
    oIADSUser.accountdisabled = FALSE
    oIADSUser.SetInfo
    if Err.Number > 0 then
        Err.Clear
        ' Writes the clear-text password into the job log
        call uerrmsg(2, "Try to reset password to: " & PWD)
        ' Change password on user
        oIADSUser.ChangePassword OPWD, PWD
        oIADSUser.SetInfo
    end if
    if err.number <> 0 then
        ErrMessage = "Failed to set password on user " & RD & ". Error no:" & Err.Number & ". Description:" & Err.Description
        call uErrMsg(3, ErrMessage)
    end if
    Set oIADSUser = Nothing
End Function

pwdclose

' Main function: pwdclose

Function pwdclose(Par)
    pwdclose = ""
End Function
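The thread tries the same operation two ways: an LDAP modify pass carrying lockoutTime plus a password attribute, and the VBScript route ending in oIADSUser.useraccountcontrol = 544. Below is an added worked example, not from the original post and not SAP's shipped script, that builds the single LDIF modify record such a pass corresponds to (unlock, password reset and enable in one request) and computes the enable value by read-modify-write. Assumptions: it writes the password to unicodePwd, the attribute AD natively uses for LDAP password writes (the value is the password in double quotes, UTF-16LE, and AD accepts it only over an encrypted connection such as LDAPS), whereas the pass above wrote userPassword; the DN, password and starting userAccountControl value are constructed sample data. It also shows why a literal 544 deserves a second look: 544 is NORMAL_ACCOUNT (512) plus PASSWD_NOTREQD (32), and PASSWD_NOTREQD allows the account to have an empty password, so the example clears only ACCOUNTDISABLE and keeps whatever flags the account already has.

```python
import base64

# userAccountControl bits relevant here (well-known AD schema values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",            # informational; clearing lockoutTime is what unlocks
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def uac_enabled(current):
    """Clear ACCOUNTDISABLE and keep every other flag the account already has.

    Writing the literal 544 from the thread (NORMAL_ACCOUNT | PASSWD_NOTREQD) also
    sets PASSWD_NOTREQD, which permits an empty password; a read-modify-write of
    the current value enables the account without granting that as a side effect.
    """
    return current & ~ACCOUNTDISABLE


def encode_unicode_pwd(password):
    """AD's unicodePwd value: the password wrapped in double quotes, UTF-16LE.

    Assumption of this example: the pass on the page wrote userPassword instead.
    """
    return ('"' + password + '"').encode("utf-16-le")


def build_unlock_reset_ldif(dn, password, current_uac):
    """One LDIF modify record that unlocks, resets the password and enables the account.

    unicodePwd is binary (it contains NUL bytes), so LDIF needs the base64 '::' form.
    The DN is assumed to be plain ASCII; a non-ASCII DN would need 'dn::' base64 too.
    """
    pwd_b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    lines = [
        "dn: " + dn,
        "changetype: modify",
        "replace: lockoutTime",
        "lockoutTime: 0",
        "-",
        "replace: unicodePwd",
        "unicodePwd:: " + pwd_b64,
        "-",
        "replace: userAccountControl",
        "userAccountControl: " + str(uac_enabled(current_uac)),
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a disabled account (514 = NORMAL_ACCOUNT | ACCOUNTDISABLE).
    sample_dn = "CN=jdoe,OU=USERS,OU=SUSERS,DC=example,DC=com"
    print("flags before:", decode_uac(514))
    print(build_unlock_reset_ldif(sample_dn, "Pa55word!", 514))
```

The record can be fed to ldapmodify over LDAPS (for example `ldapmodify -H ldaps://dc.example.com -D <bind DN> -W -f reset.ldif`, a hypothetical host). Two caveats a practitioner should keep in mind: a `replace` of unicodePwd is an administrative reset and needs the Reset Password right on the object, while an end-user style change is a `delete` of the old value and an `add` of the new one in the same modify; and the base64 form only hides the password from casual reading of the file, so the LDIF should be treated as a credential and not left in job logs.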