Here's the code for accessing the passage binary

[dave_23]

opr01:!:238:125:Franci :/users/bsp/sys/opr01:/usr/bin/ksh

ah see there we go, if there is a "!" then it might need to be setuid root
chown root passage
chmod 4755 passage

hopefully that works, it seems like NIS vs NIS+ vs LDAP, etc all require
setuid root to access the encrypted password - and I use that to determine
whether or not the user actually changed his password.

Thanks for the support!

Dave

[frajer]

Hi,
I did as you told me (= ch.auth.). Now, what's new:
I started from the beggining - new first logging/creating file. Then:
- substract 1 day >> order to change pwd (as last time) - I changed it and that's it :-) now it works OK, just what troubles me is that day mess; by instructions this message has to appear after 85 days ?!?
- substract 88 days >> "You have -86 days remaining......." When I changed pwd, this message had not appeared any more.

My BW client is on WinXP. Test BaaN aplication is on IBM RISC/6000 server (an older one, but it works).
"log.passage" is enclosed (with my comments).

[r_nagu]

Dave,
The 'pstat' function that you are using in the script, is it BaaN IV function or is it a unix/OS specific function?

Thanks,
NS

[dave_23]

pstat() is just a standard Baan function. NP_RAO told me about it (so I assume it goes all the way up to Reger)

Dave

[r_nagu]

Dave,

Yes, it is a standard function. It wasn’t there in the manual but the script compiled just fine. Thanks to NP for pointing this out.

Thanks,
NS

[ranias]

I have implemented the solution on one of the testing enviroment we have, but actually to continue doing all the test on the aging machanism, I need to understand the number created in the file under $BSE/security/user

For example the number in one of the files:
1107443196 1

What does this number mean 1107443196 ?

Thanks,
- Rain

[dave_23]

The first number is the date that the user's file was created or their last password change (represented in number of seconds from Jan 1 1970). The 2nd number is a flag for Active/Inactive.

Dave

[ranias]

I have tested the script on HPUX 11.00 and moved the date to another 90 days from the first creation, when logging into BaanERP 5.0b it gives a message that account is expired but doesn't force the user to change it.
User can ignore the message each time loggs in and continue to work with BW.
Does this solution provide locking accounts when no action is taken by the user to change his password ??

thanks for your help,
- Rania

[dave_23]

depends on what you mean. The passage binary + the session that is coded above will lock users out of Baan. Not unix. if you want to use it for unix then you could script it into their .profiles or something similar.

Have a look on the website http://www.mr-paradox.com/passage.html
for more info on what it does vs. what it doesn't do. and for ideas on testing and scripting.

Dave

[dave_23]

Oh also, if you can test it with PWDEBUG=1 and send me the output I might be able to tell you more about what's going on..

Plus I'm working on some bug fixes (that will be on the website soon) that might address the problem as well.

Thanks!

Dave

[ranias]

Thanks for your response,
Actually I made debugging of the script you provided with the pstat function and when running the session I don't get the right process number, therefore the kill command doesn't work in this situation, this what I meant locking not in the Unix level. The correct behaviour is to kill the bshell process from the first time user loggs in with expired pass and doesn't change it.right ?

Note: shurely it would very good solution if it's encoded for the Unix level in passage script in later stage.

I have BaanERP 5.0b
OS: HPUX 11.00
PortingSet: 7.1c.03
Any clue?
Thanks,
- Rain

[dave_23]

Right, if the user tries to log in and they are expired then the pstat portion should kill the process..

Interesting, you might be the first Baan 5 person to try this (I've mostly worked with Baan 4)

Maybe pstat is different in Baan 5 or maybe someone here can help with pstat - I'm really not much of a 4GL developer. NP you out there?

Dave

[NPRao]

Quote:

I have tested the script on HPUX 11.00 and moved the date to another 90 days from the first creation, when logging into BaanERP 5.0b it gives a message that account is expired but doesn't force the user to change it.

You would need a fix for the porting set. Here is the info from my case -

Quote:

Case 2036414
TLS-NA: BaanLogin allows a user to login even though their account has expired
SITUATION DESCRIPTION:
blogind6.2 allows a user to login even though their account has expired.

SOLUTION DESCRIPTION:
The problem had already been fixed while fixing badmin6.2 previously. Since we just sent the executable with the first fix, the blogind6.2 executable was not delivered at the same time.

Rain, it helps if you give a screenshot of whats going on. I never had issues with pstat().

[ranias]

NPRao,
Acually I didn't understand what's the role of badmin6.2 in this case when I'm trying to kill a bshell process through the script posted by dave. in the case it says when the account is expired, by which mechanism it's expired ??
I'm applying this solution which doesn't deal in the Unix level.
I'm somehow mixed up now.

Dave,
What value should be returned by pstat() for it to work properly?

Thanks,
- Rain

[NPRao]

Rain,

There was a bug in the blogin/badmin binaries that allowed one to log into BaaN and work even if the password is expired and its fixed in the latest porting sets as I have indicated.

And I am not sure of Dave's logic how the password calculation is done.

If he is using the BaaN binaries to get the expiration dates etc, then his calculations will get wrong results -

Quote:

[DEV:bsp]/app/lms/lmss/opt/bse/bin>badmin6.2 -U

Insufficient or wrong option(s) provided

Baan Administration Tool

Usage: badmin6.2 [-pUuVv] [-qo outfile] [-qe errfile] -getpwd <user> <pwd> | -chkpwd <user> | -chkuser <user> | -chkgroup <group> | -ostype <ostype>

-p : Tag for Aged Password Notification. Has only effect with other flags
-U or -u : Print usage
-V or -v : Print release number
-qo outfile : Redirect standard output to file outfile
-qe errfile : Redirect error output to file errfile
-chkuser <user> : Returns 0 if user exists, else 1
-chkgroup <group> : Returns 0 if group exists, else 1
-chkpwd <user> : Returns 0 if successful, else 1
-getpwd <user> : Returns 0 if successful, else 1
-ostype <osname> : Returns 0 if ostype is osname, else 1
osname can be NT, OS400 or UNIX

[DEV:bsp]/app/lms/lmss/opt/bse/bin>

[DEV:bsp]/app/lms/lmss/opt/bse/bin>badmin6.2 -chkpwd bsp
2: Your password can be changed within 49D 4H 7M 28S.

As I mentioned, I never had issues with pstat(). you have to give a screenshot of whats going on and post if your code if you made any changes to Dave's base script.

Quote:

What value should be returned by pstat() for it to work properly?

Refer to the online manual for more info - pstat()