This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Script for Password policy

I use OIM 8

I need to prohibit users to set a password that match the last x used passwords for AD. For that I am going to use check script in password policy. In that script I want to compare new password's hash with hash from the table QBMPwdHistory. So my questions:

Function header: Public Sub CCC_CustomPwdValidate(Policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)

1) How can I get the hash of new password in my function for comparing ? As far as I understand I should use something like "Policy.GetHashCode()". May be variable spwd is already in the state which fits for comparing with QBMPwdHistory.HashValue ?

2)How can I get XobjectKey of a base object(ADSAccount) in my function? I have found in documentation "To use a base object, take the property Entity of the PasswordPolicy class." However, my variable Policy (VI.DB.Passwords.PasswordPolicy) doesn't have property Entity. Please help.

Top Replies

Parents

+1 Markus Weiss-Ehlers over 5 years ago

For my understanding, why are you trying to compare the new password against the password history in the script? The password policy should test that automatically for you if you set password history to a value greater than 0.
Cancel
Up +1 Down

Cancel
0 dezuykov over 5 years ago in reply to Markus Weiss-Ehlers

Yes, you are right, thank you.
I wanted to make my life harder :))

However, I still need answer for the second question, because I need to compare my password with the parts of the SAMAccount name from ADSAccount.
Cancel
Up 0 Down

Cancel
+1 Markus Weiss-Ehlers over 5 years ago in reply to dezuykov

You do have Base (iSingleDBObject) or Entity (iEntity) directly available in the password policy scripts.

Important: Use only read access against those otherwise you might have unwanted side effects.
Cancel
Up +1 Down

Cancel
0 dezuykov over 5 years ago in reply to Markus Weiss-Ehlers

Thank you. Now it works.
Cancel
Up 0 Down

Cancel
0 dezuykov over 5 years ago in reply to Markus Weiss-Ehlers

Markus, I designed script according to your recommendation, however recently I have found a problem, I can’t change password in standard web form for changing password. I get an policy error “Object reference not set to an instance of an object” . I get the same error in designer if I don’t choose base object for checking policy. So I can’t understand why base object is not chosen for changing password on web portal because before resetting password asks for account. Do you think that this is system bug, or I make something wrong?

P.S. Version OIM 8.0.1
Cancel
Up 0 Down

Cancel
0 Markus Weiss-Ehlers over 5 years ago in reply to dezuykov

Can you post the script? It would ease reproducing this.
Cancel
Up 0 Down

Cancel

Reply

0 Markus Weiss-Ehlers over 5 years ago in reply to dezuykov

Can you post the script? It would ease reproducing this.
Cancel
Up 0 Down

Cancel

Children

0 dezuykov over 5 years ago in reply to Markus Weiss-Ehlers

Here it is:

Public Sub CCC_PwdValidateAD(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
	Dim pwd As String = spwd.ToInsecure()
	Dim sama As String = Base.GetValue("SAMAccountName")
	Dim PasswordMinLengthService As Int32 = Convert.ToInt32( Connection.GetConfigParm("Custom\ADS\PasswordMinLengthService") )
	Dim PasswordMinLengthAdmin As Int32 = Convert.ToInt32( Connection.GetConfigParm("Custom\ADS\PasswordMinLengthAdmin") )
	

	
	If Base.GetValue("IdentityType") = "Service" And pwd.Length() < PasswordMinLengthService:
			Throw New Exception(#LD("Password for service account can't be less than {0} symbols",PasswordMinLengthService)#) 
	End If
	
	If  Base.GetValue("IdentityType") = "Admin" And pwd.Length() < PasswordMinLengthAdmin:
		Throw New Exception(#LD("Password for admin account can't be less than {0} symbols", PasswordMinLengthAdmin)#)
	End If 
	
	
	pwd = pwd.ToLower()
	sama = sama.ToLower()
	If sama.Length() > 3:
		For index As Integer = 0 To sama.Length()-3
			If pwd.Contains( sama.Substring(index,3) ) Then
				Throw New Exception(#LD("Password contains 3 or more symbols from ADSAccount.SAMAccount name in a row")#)
			End If
		Next
	End If
End Sub