
Script for Password policy

I use OIM 8

I need to prohibit users from setting a password that matches the last x used passwords for AD. For that I am going to use a check script in the password policy. In that script I want to compare the new password's hash with the hash from the table QBMPwdHistory. So my questions:


Function header: Public Sub CCC_CustomPwdValidate(Policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)

1) How can I get the hash of the new password in my function for comparing? As far as I understand I should use something like "Policy.GetHashCode()". Maybe the variable spwd is already in a state which fits for comparing with QBMPwdHistory.HashValue?


2) How can I get the XObjectKey of a base object (ADSAccount) in my function? I have found in the documentation: "To use a base object, take the property Entity of the PasswordPolicy class." However, my variable Policy (VI.DB.Passwords.PasswordPolicy) doesn't have a property Entity. Please help.

  • For my understanding, why are you trying to compare the new password against the password history in the script? The password policy should test that automatically for you if you set password history to a value greater than 0.

  • Yes, you are right, thank you.
    I wanted to make my life harder :))

    However, I still need an answer to the second question, because I need to compare my password with parts of the SAMAccountName from ADSAccount.

  • You do have Base (iSingleDBObject) or Entity (iEntity) directly available in the password policy scripts.

    Important: Use only read access against those; otherwise you might have unwanted side effects.

  • Markus, I designed the script according to your recommendation; however, recently I found a problem: I can't change a password in the standard web form for changing passwords. I get a policy error "Object reference not set to an instance of an object". I get the same error in the Designer if I don't choose a base object for checking the policy. So I can't understand why the base object is not chosen for changing the password on the web portal, because it asks for the account before resetting the password. Do you think this is a system bug, or am I doing something wrong?

    P.S. Version OIM 8.0.1

  • Can you post the script? It would ease reproducing this.

  • Forgot something: are you referring to a password reset web page? When exactly do you get the error?

  • Here it is:

    Public Sub CCC_PwdValidateAD(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
        ' Plain-text copy of the new password and the account name of the base object (ADSAccount)
        Dim pwd As String = spwd.ToInsecure()
        Dim sama As String = Base.GetValue("SAMAccountName")
        ' Minimum lengths for service and admin accounts are maintained as configuration parameters
        Dim PasswordMinLengthService As Int32 = Convert.ToInt32(Connection.GetConfigParm("Custom\ADS\PasswordMinLengthService"))
        Dim PasswordMinLengthAdmin As Int32 = Convert.ToInt32(Connection.GetConfigParm("Custom\ADS\PasswordMinLengthAdmin"))

        If Base.GetValue("IdentityType") = "Service" AndAlso pwd.Length < PasswordMinLengthService Then
            Throw New Exception(#LD("Password for service account can't be less than {0} symbols", PasswordMinLengthService)#)
        End If

        If Base.GetValue("IdentityType") = "Admin" AndAlso pwd.Length < PasswordMinLengthAdmin Then
            Throw New Exception(#LD("Password for admin account can't be less than {0} symbols", PasswordMinLengthAdmin)#)
        End If

        ' Case-insensitive check: reject the password if it contains any 3 consecutive
        ' characters of the SAMAccountName
        pwd = pwd.ToLower()
        sama = sama.ToLower()
        If sama.Length > 3 Then
            For index As Integer = 0 To sama.Length - 3
                If pwd.Contains(sama.Substring(index, 3)) Then
                    Throw New Exception(#LD("Password contains 3 or more symbols from ADSAccount.SAMAccount name in a row")#)
                End If
            Next
        End If
    End Sub

  • We have some customizations on the portal, but this form is standard.

  • Thanks. I'll check and let you know when I find something.
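The following is an added example, not a script from the thread or from One Identity Manager: a defensive variant of the SAMAccountName check that tolerates the situation the poster describes, where the policy script runs without a base object (`Base` is `Nothing`) and would otherwise fail with a NullReferenceException. It assumes the same script environment as the posted code (`Base`, `spwd.ToInsecure()`, `#LD(...)#`) and reads the column through `Base.GetValue("SAMAccountName").String`; the generic rules still run, only the account-specific rule is skipped when no account is known.

```vbnet
' Added example (hypothetical script name): account-name check that survives a missing base object.
Public Sub CCC_PwdValidateAD_Safe(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
    Dim pwd As String = spwd.ToInsecure()

    ' Generic rule that needs no base object, so it also applies on the reset page.
    If String.IsNullOrEmpty(pwd) Then
        Throw New Exception(#LD("Password must not be empty")#)
    End If

    ' Assumption from the thread: the password reset web form does not supply a base object.
    ' Without an account there is nothing to compare the password against, so the
    ' account-specific rule is skipped instead of dereferencing Nothing.
    If Base Is Nothing Then
        Return
    End If

    Dim sama As String = Base.GetValue("SAMAccountName").String
    If String.IsNullOrEmpty(sama) Then
        Return
    End If

    If ContainsRunFrom(pwd, sama, 3) Then
        Throw New Exception(#LD("Password contains 3 or more symbols from ADSAccount.SAMAccount name in a row")#)
    End If
End Sub

' Returns True if the password contains any runLength consecutive characters of the
' account name, compared case-insensitively. Names shorter than runLength yield False.
Public Function ContainsRunFrom(pwd As String, accountName As String, runLength As Integer) As Boolean
    If pwd Is Nothing OrElse accountName Is Nothing OrElse accountName.Length < runLength Then
        Return False
    End If

    Dim p As String = pwd.ToLowerInvariant()
    Dim a As String = accountName.ToLowerInvariant()

    For index As Integer = 0 To a.Length - runLength
        If p.Contains(a.Substring(index, runLength)) Then
            Return True
        End If
    Next

    Return False
End Function
```

With this shape, the Designer's policy test without a selected base object and the portal's reset form both run the generic rule and return without error, while a change made from an account context still enforces the account-name rule.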