PI21458: SUPPORT FOR LOGIN POLICY TO CHANGE PASSWORD AFTER FIRST LOGIN IN FEDERATED REPOSITORY WITH LDAP REPOSITORY CONFIGURED.

Fixes are available

APAR status

Closed as program error.

Error description

Currently federated repository throws an exception only for
Active directory if the login policy is configured in it. For
the rest of the LDAPs federated repository allows the login
and does not entertain the login policy configuration in the
back end LDAP.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: No support for entertaining LDAP login  *
*                      policy to "change password after first  *
*                      login" in federated repository.         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If in the backend LDAP user has set the login policy to
"change password after first login" then federated repository
is not enforcing the login policy during login.

Problem conclusion

Federated repository entertains the login policy of "password
must be reset" after first login if it is set in the backend
ldap and throws an appropriate exception to the user.

To enable this functionality a custom property need to be
configured in each of the LDAP repositories for which login
policy supported is required. The custom property that needs
to be set is isPolicyEnforced whose value should be set to
true. Unless this custom property is not the login policy will
not come into effect for the login operation.

This custom property can be set through the
setIdMgrCustomProperty CLI as:

Syntax: $AdminTask setIdMgrCustomProperty {-id
<ldap_repository_name> -name <property_name> -value <value>}

Example:
$AdminTask setIdMgrCustomProperty {-id LDAP1 -name
isPolicyEnforced -value true}

Restart the sever after configuring the custom property.

The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.35, 8.5.5.4 and 8.0.0.10.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI21458
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-07-08
Closed date
2014-09-15
Last modified date
2015-02-25

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R700 PSY
UP
R800 PSY
UP
R850 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
12 January 2022

Tips

PI21458: SUPPORT FOR LOGIN POLICY TO CHANGE PASSWORD AFTER FIRST LOGIN IN FEDERATED REPOSITORY WITH LDAP REPOSITORY CONFIGURED.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

R850 PSY

Document Information

Share your feedback

Need support?