- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Check/Change password w/ Apache
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-20-2005 08:03 AM
тАО05-20-2005 08:03 AM
I'm interested in anything you can provide which will allow checking an OpenVMS user account upon their attachment to the secured WEB page.
I would like to be able to provide the following functionalities:
1.) If password expired then prompt for new password
2.) If account is disusered disallow access
3.) If account is expired disallow access
I take it SWS does NOT come with this capability?
Thanks,
jd
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2005 10:00 AM
тАО05-22-2005 10:00 AM
Re: Check/Change password w/ Apache
I'm not familiar with auth_openvms_module, but I'm assuming from your query that it prompts for username and password and validates them. I'm further assuming that it's working, except that it doesn't support expired passwords?
Disusered and expired accounts should not be passing authentication. If they are, you should raise a formal elevation, as they represent a potentially serious security hole.
That leaves expired passwords... typically these are not checked or enforced during network connections, as there isn't necessarily a mechanism for prompting and changing the password. You could write a simple program to test for an expired password. It would need to be installed with privilege, pass it a username and return status "SUCCESS" if the password is OK, and "FAIL" if it's expired, disusered, does not exist etc...
To update an expired password, your best bet is to get OpenVMS to do it for you. Is there an SWS module to pop up a terminal session of any type? If so, you can present the user with a terminal prompt which, assuming the default NODISFORCE_PWD_CHANGE, will force the password to be updated. You then need a way to detect that it's happened and log the session off. On return, you can recheck the password.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2005 06:49 PM
тАО05-22-2005 06:49 PM
Re: Check/Change password w/ Apache
First, If a user's password is expired, he won't be allowed access when user-authentication is enabled in Apache. Nor is access allowed when the user's account is captive or has the flag DISUSER set.
Second: Apache - and all CGI-scripts that are invoked - run under the (non-privileged) user APACHE$WWW, and therefore, changing password (for another user!) is not allowed.
It might be that the SUEXEC module allows you to do this, I have no experience with it. I just know that there is some extra security built-in that allowes just users mentioned in a separate Apache file to run scripts under their name. That would require an extra synchronisation between SYSUAF and this file - to be executed by system management.
Furthermore, it won't work if that page is protected by the authentication module, for the fore-mentioned reasons.
Another, and IMHO a better approach, is warning that the password is about to expire, like VMS does by standard, allowing the user to take action in advance. But that would require a privileged image to be used, in order to allow APACHE$WWW the retrieve this data (based on REMOTE_USER symbol) and set this user's new password (based on this user's input).
Willem
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 12:45 AM
тАО05-23-2005 12:45 AM
Re: Check/Change password w/ Apache
I don't have a problem coding an executable to do this, but a proto-type or example would be helpful.
jd
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 01:32 AM
тАО05-23-2005 01:32 AM
Re: Check/Change password w/ Apache
what is it that you don't like about the tool I created? - see http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=739349 . As this is pure CGI, it should run with any webserver.
cu,
Martin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 01:57 AM
тАО05-23-2005 01:57 AM
Re: Check/Change password w/ Apache
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 02:06 AM
тАО05-23-2005 02:06 AM
Solution>>>
Is there any special handling of the WWW_IN, WWW_OUT & WWW_ environment variables?
<<<
As I only know these environment from Purveyor (a commercial webserver from Process software, only sold on an as-is basis today), I'm a bit surprised by seeing them in an Apache context.
Yes, my program is written to respect WWW_IN/WWW_OUT, in that if they are defined, they're used. If they're not defined, it uses plain stdin/stdout. With respect to the various other WWW_ variables, it tries a translation first without, then with the "WWW_" prefix.
cu,
Martin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 02:13 AM
тАО05-23-2005 02:13 AM
Re: Check/Change password w/ Apache
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 02:33 AM
тАО05-23-2005 02:33 AM
Re: Check/Change password w/ Apache
However, giving the method that the OpenVMS authentication module works, the page that starts this script cannot be secured by the authentication module when someone's password has expired, the account is captive ot the DISUSER flag is set: access to that page is denied BEFORE the script can run. You'll need a second (general, or SUEXEC page) to provide the functionality.
Just to be complete.
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-23-2005 03:21 AM
тАО05-23-2005 03:21 AM