You would have to add some code and maybe a checkbox to the password
change page that users can use.

Checkbox that says 'use LDAP authentication' or whatever wording your
users will understand. Checkbox being unchecked would allow the password
reset (and set the check on the user account that says password rules
don't apply to this user). Checkbox being checked would disable the
password boxes, set the password to null, and set the check on the user
account so that password rules WILL apply.

It's all very easy to talk about, probably not so easy to do. :) 

Not having worked with this area, I don't remember whether Remedy can
use strong password rules--but I thought it could.


Kristina Hartman
Distributed Systems
IT Global Infrastructure & Operations
408-576-7890

-----Original Message-----
From: Danaceau, Chris [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2008 4:29 PM
Subject: Re: Who has done any password management while using AREA LDAP
Authentication

Correct me if I'm wrong, but anyone with an LDAP account could update
their password (for instance to "password").   That would give them a
weak password, they would subsequently NOT authenticate through LDAP -
by virtue of having a non NULL password, and they would still not be
subject to any password management.   To reiterate, this is a security
finding that we have to ENSURE strong password management. 


-- 
Chris Danaceau
This e-mail and its attachments are confidential and solely for the
intended addressee(s). Do not share or use them without Fannie Mae's
approval. If received in error, contact the sender and delete them.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of strauss
Sent: Wednesday, October 29, 2008 10:31 AM
To: arslist@ARSLIST.ORG
Subject: Re: Who has done any password management while using AREA LDAP
Authentication

All of our customer accounts (170,000) that are populated from LDAP (and
authenticate to LDAP) get this checkbox selected as part of the
integration that creates their CTM:People and User records.  The 300
manually created and managed support staff accounts with local passwords
are left subject to the OOTB password management rules.  It was not that
hard to separate the two types of users in our case, and they have been
coexisting with no apparent problems.  One caution if you modify any of
the password management workflow - if you ever apply any patch to the AR
Server using the installer, it will restore the original OOTB version of
the password management workflow.

Christopher Strauss, Ph.D.
Call Tracking Administration Manager
University of North Texas Computing & IT Center
http://itsm.unt.edu/
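
The pairing this thread is after is that an account with a null password (LDAP) has "Disable Password Management For This User" set, and an account with a local password has it cleared. The audit below checks that pairing; it is an added example, not code from any poster or from the OOTB workflow. The CSV export and its column names are constructed assumptions.

```python
import csv
import io

# Constructed sample export. The column names are assumptions made for this
# example; they are not the AR System User form schema.
SAMPLE_EXPORT = """login,has_local_password,pwd_mgmt_disabled
jsmith,no,yes
util-1,yes,no
mjones,yes,yes
akhan,no,no
"""


def _flag(value):
    """Interpret a yes/no style export cell as a boolean."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_accounts(export_text):
    """Return {login: finding} for accounts whose two settings disagree."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        local = _flag(row["has_local_password"])
        exempt = _flag(row["pwd_mgmt_disabled"])
        if local and exempt:
            # The gap raised in the thread: a locally stored password that
            # no password rule is ever applied to.
            findings[row["login"]] = "local password exempt from password rules"
        elif not local and not exempt:
            # Null password (LDAP) but local rules still enabled: the case
            # the "set that field automatically" suggestion would clean up.
            findings[row["login"]] = "null password but password rules enabled"
    return findings


if __name__ == "__main__":
    for login, finding in audit_accounts(SAMPLE_EXPORT).items():
        print(f"{login}: {finding}")
```

Run on a schedule, a check like this also catches drift after an installer patch restores the original password management workflow.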

> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of Grooms, Frederick W
> Sent: Wednesday, October 29, 2008 9:10 AM
> To: arslist@ARSLIST.ORG
> Subject: Re: Who has done any password management while using AREA LDAP
> Authentication
>
> On 7.1 there is the "Disable Password Management For This User"
> checkbox
>
> All you would have to do is to add code to set that field automatically
> if the password is null
>
> Fred
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of David Durling
> Sent: Wednesday, October 29, 2008 8:49 AM
> To: arslist@ARSLIST.ORG
> Subject: Re: Who has done any password management while using AREA LDAP
> Authentication
>
> I haven't used Remedy's password management, but Roger's suggestion
> sounds good if Remedy will let you evaluate the password field contents
> in a qualification.  I don't think it will let you directly do that,
> though.
>
> If that's true, how about a naming convention on the utility accounts
> that you could search against (i.e., util-1, util-2, etc.), or perhaps
> even adding an (admittedly unsupported) selection field on the User form
> to mark the accounts you want to exclude.
>
> David D.
>
> > Review the OOTB workflow and determine if you can add a qualification
> > where password is not null should work.
> >
> >
> >
> > -----Original Message-----
> > From: Danaceau, Chris <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Sent: Wed, 29 Oct 2008 9:04 am
> > Subject: Who has done any password management while
> > using AREA LDAP Authentication
> >
> > ** ITSM 7, ARS 7.1
> >
> >
> >
> > Our issue is that while our LDAP password rules are good, we have
> > some accounts solely in Remedy (utility accounts) for which we need
> > to enforce password rules.   The password Management function does
> > not look like an option.   We'd need to keep it disabled for the LDAP
> > folks (99%) which would be a logistical nightmare.  I'm leaning
> > towards disabling the password change abilities for all users except
> > contact people admin.   I'm on a short deadline to come up with a
> > solution, and the volume of passwords we would have to manage would
> > be minimal.
> >
>
> --
> David Durling                 706-542-0223
> Enterprise IT Services     [EMAIL PROTECTED]
> University of Georgia
>
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
