on 07-22-2010 2:30 PM
First, I am new to both SAP and IdM. I am trying to set up the self service password reset and have done so according to the documentation using the SAP Provisioning Framework task "SetPasswordOnActiveDirectoryUser-Windows-VB". I set up a separate dispatcher running under a Windows domain account with Domain Administrator rights specifically for doing the password reset jobs. My environment is IdM 7.1 SP5 against a Windows 2008 Active Directory.
The password reset works as expected with both the VB script and from an LDAP pass setting userPassword to the MX_PASSWORD value. My issue is that if the user is locked out, then it takes 2 times through the process to first unlock the user and then change the password. I cannot seem to get the account modified by unlocking the account and then changing the password all within the same provisioning task. In the pass I have used both userAccountControl=544 and lockoutTime=0 to unlock the user (not at the same time) and userPassword=%MX_PASSWORD% to set the password with changetype=modify.
The really odd thing is that although the task is an Ordered Group and I have set up the subtasks to first reset the password and then enable the user, and the job log shows them run in that order, the AD controller shows the unlock occurring first every time. Any help would be much appreciated.
I have found the answer from a VBScript perspective. Apparently the scripts that come with IdM use an incorrect DN syntax, at least for Windows 2008. The way that I have made this work is shown below for the pwdopen script:
' Main function: pwdopen
dim adsMyObject
Function pwdopen(Par)
    pwdopen = ""
    on error resume next
    HOST = ugetconstant("rep.LDAP_HOST")
    LOGIN = ugetconstant("rep.LDAP_LOGIN")
    PORT = ugetconstant("rep.LDAP_PORT")
    strPassword = ugetconstant("rep.LDAP_PASSWORD")
    ' Bind path is the server only; the login DN is passed separately to OpenDSObject
    strPath = "LDAP://" & HOST
    strUsername = LOGIN
    Set adsNamespaceLDAP = GetObject("LDAP:")
    ' Last argument is the ADSI authentication flag: 1 = ADS_SECURE_AUTHENTICATION (Kerberos/NTLM),
    ' 0 = simple bind, which sends the bind password in clear unless ADS_USE_SSL (2) is also set
    Set adsMyObject = adsNamespaceLDAP.OpenDSObject(strPath,strUsername,strPassword,0) '1
End Function
rather than:
    strPath = "LDAP://" & HOST & ":" & PORT & "/" & LOGIN
Where the host constant is defined as the full distinguished name of the server.
One other thing that was also done was that the same keys.ini file that was in the x:\path\Identity Center\Key directory is installed and enabled on the AS Java server.
Also, the pwdnext script attempts to enable the user and you probably don't want that, so remark out:
    ' oIADSUser.accountdisabled = FALSE
and use this instead:
    ' 544 = 0x220 = NORMAL_ACCOUNT (0x200) + PASSWD_NOTREQD (0x20); the latter permits an empty password.
    ' 512 is NORMAL_ACCOUNT alone.
    oIADSUser.useraccountcontrol = 544
Why don't you set the order as: unlock the user (this way, whether he is locked or not, his status becomes unlocked no matter what) and then reset the password.
Well, actually I have done that, and the password reset does not occur after the lockout is removed. As I said in the original post, no matter the order that it runs in, the AD controller shows the password being reset after the lockout is removed. When the account is unlocked, the password is not set but remains as the previous password until the entire password reset process occurs again; then it actually sets the password.
What you suggested is exactly what I want it to do, unlock the user then set the password so that at the end of the process the end user can login with the new password.
Here is the process I just worked through:
1. Set my password in AD
2. Locked my account
3. Attempted password reset
4. Checked the account: unlocked, but the new password does not work
5. Tried the old password and was prompted by the portal with "Password has expired", and it forces me to change my password
I will repost later.
Hi,
From your statement, I think you have a conflict in the password reset between the repositories Active Directory and Portal: the XML configuration is allowing the script to reset in the Java database and the AD database.
Whenever we give a user a password for the portal for the first time, it will ask you to reset it. I think there will be a profile parameter setting on the portal to disable this feature (asking you to reset the password); if your business accepts this, why don't you try that.
Edited by: Franklin Jayasim on Jul 22, 2010 11:30 PM
I have changed the portal config to not enforce the password policy so that AD can do so. I have also tried using lockoutTime=0 to reset the lockout status of the user, which works. If I include this in the modify pass as shown below:
| Attribute | Value |
|---|---|
| dn | cn=%MSKEYVALUE%,ou=%MX_FS_PERSONNEL_AREA_ID%,ou=USERS,ou=SUSERS,%$rep.LDAP_STARTING_POINT% |
| changetype | modify |
| lockoutTime | 0 |
| userPassword | %MX_PASSWORD% |
the first iteration unlocks the user but the password is not set; the second iteration has no need to unlock, so it changes the password successfully. I know that this is not the manner that IdM defines out of the box, and when I use the script that is provided, as shown below, the same occurs:
pwdopen
' Main function: pwdopen
dim adsMyObject
Function pwdopen(Par)
    pwdopen = ""
    on error resume next
    HOST = ugetconstant("rep.LDAP_HOST")
    LOGIN = ugetconstant("rep.LDAP_LOGIN")
    PORT = ugetconstant("rep.LDAP_PORT")
    strPassword = ugetconstant("rep.LDAP_PASSWORD")
    strPath = "LDAP://" & HOST & ":" & PORT & "/" & LOGIN
    strUsername = LOGIN
    Set adsNamespaceLDAP = GetObject("LDAP:")
    ' Last argument is the ADSI authentication flag: 1 = ADS_SECURE_AUTHENTICATION (Kerberos/NTLM), 0 = simple bind
    Set adsMyObject = adsNamespaceLDAP.OpenDSObject(strPath,strUsername,strPassword,1) '0
End Function
pwdnext
' Main function: pwdnext
dim adsMyObject
dim DefaultPassword
Function pwdnext(Par)
    pwdnext = ""
    ' On Error is procedure-scoped in VBScript; without this line any ADSI error aborts
    ' the script and the Err.Number checks below are never reached
    on error resume next
    RD = par("RD")
    PWD = par("PWD")
    OPWD = par("OPWD")
    if len(PWD) < 1 then
        call uerrmsg(1,"Password is not set, and will be set to default Password1")
        PWD = "Password1"
        OPWD = ""
    else
        ' The encrypted-value marker that belongs between the quotes was lost in the posting;
        ' as written, InStr with an empty search string returns 1, so the decrypt always runs
        if Instr(1,PWD,"",1) > 0 then
            PWD = uDESDecrypt("",par("PWD"))
        end if
    end if
    ' This will get the user-object which shall get the password set.
    Set oIADSUser = GetObject("LDAP://" & RD)
    oIADSUser.setpassword PWD
    oIADSUser.SetInfo
    ' This will enable the user-object.
    oIADSUser.accountdisabled = FALSE
    oIADSUser.SetInfo
    if Err.Number > 0 then
        Err.Clear
        ' Log the retry without writing the new password into the job log
        call uerrmsg(2,"SetPassword failed, trying ChangePassword")
        ' Change password on user
        oIADSUser.ChangePassword OPWD, PWD
        oIADSUser.SetInfo
    end if
    if err.number <> 0 then
        ' RD (the user DN) is the only user identifier in scope; the original referenced an undefined 'User'
        ErrMessage = "Failed to set password on user " & RD & ". Error no:" & Err.Number & ". Description:" & Err.Description
        call uErrMsg(3,ErrMessage)
    end if
    Set oIADSUser = Nothing
End Function
pwdclose
' Main function: pwdclose
Function pwdclose(Par)
    pwdclose = ""
End Function
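Added example (not from the thread or from SAP IdM) for the modify pass above: it builds the unlock and the password set as one LDAP modify record for `ldapmodify`, and decodes userAccountControl so a value such as 544 can be checked before it is written. It differs from the post in using AD's native unicodePwd attribute (binary, quoted, UTF-16LE, requires a secured connection) instead of userPassword; the DN and password are constructed sample values.

```python
import base64

# Documented userAccountControl bits (subset)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",  # AD never sets this bit itself; lockout state lives in lockoutTime
    0x0020: "PASSWD_NOTREQD",  # account may have an empty password
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value: int) -> list:
    """Names of the userAccountControl bits set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ad_password_value(password: str) -> bytes:
    """unicodePwd wire format: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def unlock_and_reset_ldif(dn: str, password: str) -> str:
    """One modify record that clears lockoutTime and replaces unicodePwd.

    Both changes travel in a single LDAP modify operation, so the directory applies
    them atomically rather than in two passes. unicodePwd is binary, hence the
    base64 ('::') form in LDIF.
    """
    pwd_b64 = base64.b64encode(ad_password_value(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: lockoutTime\n"
        "lockoutTime: 0\n"
        "-\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {pwd_b64}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample values, not from any real directory
    print(decode_uac(544))
    print(unlock_and_reset_ldif("CN=sample,OU=USERS,DC=example,DC=test", "Sample-Pw-1"))
```

Feed the output to `ldapmodify` over LDAPS; a plain port-389 connection will reject the unicodePwd change.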