dave_23
6th January 2005, 02:45
Nothing special! - Passage returns zero if successful.


long ret
long info(PSMAXSIZE)
string progname(512)
long procid

function main()
{
    ret = shell("${BSE}/scripts/passage",SHELL_MWINDOW)
    if ret > 0 then
        procid = -1
        procid = pstat( procid, progname, info)
        while procid > 0
            procid = pstat(procid, progname, info)
            kill(procid)
        endwhile
    endif
}

mark_h
6th January 2005, 17:00
I thought I would mention that this goes with this post (http://www.baanboard.com/baanboard/showthread.php?p=80640#post80640).

Mark

baanbab
6th January 2005, 18:04
Hi Guys,

I did not understand the solution. Can anyone please explain what I should do with the password aging? I downloaded the passage-HPUX.tar. After that, what should I do?

Thanks,
Babu

dave_23
6th January 2005, 18:46
Hi Babu,

Download the documentation.pdf file from the website to show how to install
the "passage" binary. Then use this code + a Startup Session in Baan to activate it.

Dave

nneilitz
7th January 2005, 17:08
Just thought I would note this. I have a similar type program to check for password expiration. Using startup sessions caused an issue with webtop logins. It may have been particular to my configuration but something to be aware of.

dave_23
7th January 2005, 17:25
Was it the startup session or the password aging stuff that caused problems
with webtop?

I don't have webtop, but I wouldn't think this would work with that -- but I hope that startup sessions don't cause it (webtop) to choke!

Thanks!

Dave

NPRao
7th January 2005, 21:48
From my case info-

SITUATION DESCRIPTION:
How is password aging handled in Webtop?

SOLUTION DESCRIPTION:
Password aging is not currently supported in Webtop - any version; however, there are plans to try and include this functionality in a future release of the PortingSet - planned for 2005, though there is not a set date or PS version as of yet.

3-GL programs are not supported in Webtop.

dave_23
7th January 2005, 21:58
Good luck with that. Talk about a security risk!

Dave

Baxajaun
18th January 2005, 10:30
Hi Dave,

will you publish the source code of Passage?

Best regards,

Baxajaun

frajer
19th January 2005, 17:08
Hi Dave,
I've tested 'passage' on our test server (AIX 4.3; BaaN C4). As I see - generally it is OK.
Q: the number in "../security/user" (seconds from 1.1.70): does it mean current day or the day when password was last changed?
THX.

frajer
21st January 2005, 09:24
I tested a little more. Silly q. from my last post: the number, of course, shows the day of first login/creating file. But, the very next day, it is said, that my password had been expired. That is not ok, is it?

dave_23
22nd January 2005, 21:17
Hi Guys,

Sorry for the delayed response.

Not planning any time soon to release the source for passage, sorry!

Frajer,

That's strange, can you duplicate the problem and set PWDEBUG=1 and send me the logfile?

Additionally, I've found with the help of mpenno that if you setuid root the passage binary it will work correctly with NIS+ and probably PAM, etc..
I'll be updating the site with that sort of info soon.

Thanks!

Dave

frajer
26th January 2005, 11:37
Hi,
Here is some more about my testing. I followed the instructions and subtracted some days:
-1 day >> "Your account has Expired. You must change your password to continue..." (1)
Then I changed pwd but at the end (bottom) it said (again): "You must change your password to log in" and in file ../security/username '1' changed to '0' !!! I login again >> same as (1)
-2 days >> same as (1)
-3 days >> "You have -1 days remaining. Would you like to change your pwd now? (Y\N)"
-5 days >> "You have -3 days remaining......."
-80 days>> "You have -78 days remaining......."

About debugging - I put "PWDEBUG=1" into my user's .kshrc file. Nothing more is written in $BSE/log/log.passage. Only this one, when the user logs in for the first time:
Wed Jan 26 09:42:43 2005: Unable to open userfile - creating: /baan4/bse/security/opr01

dave_23
26th January 2005, 13:59
A couple of things -

If you're using NIS, LDAP or Shadow (i.e., you have a * or an x in your /etc/passwd file instead of an encrypted password) - then passage needs to be setuid root to be able to do that comparison, otherwise it just ends up comparing * to * which always comes out the same...

Are users logging in via BW or ba? If it's BW the .profile isn't sourced. If it's ba, are you doing "export PWDEBUG=1"? Or just PWDEBUG=1?

Looks like I've got something messed up with the days too, hopefully we can get the PWDEBUG to work, that would help me.

Also, what OS are you running?

Thanks!

Dave

frajer
26th January 2005, 15:17
Very good; I followed you correctly now. I set debugging into .profile for BA and into the command line in the BW conf. Here is the result for one day old (the same for BA or BW logging):
[] </baan4/bse/security> cat opr01
1106657400 0
[] </baan4/bse/security> cat $BSE/log/log.passage
Wed Jan 26 13:51:40 2005: Unable to open userfile - creating: /baan4/bse/securitiy/opr01
Wed Jan 26 14:01:40 2005: Starting Debug
Wed Jan 26 14:01:40 2005: Identified BSE /baan4/bse/
Wed Jan 26 14:01:40 2005: Identified user opr01
Wed Jan 26 14:01:40 2005: Identified userfile /baan4/bse/security/opr01
Wed Jan 26 14:01:40 2005: User account expired opr01
Wed Jan 26 14:01:52 2005: User did not change password opr01
[] </baan4/bse/security>

And from /etc/passwd:
[] </baan4/bse/security> grep opr01 /etc/passwd
opr01:!:238:125:Franci :/users/bsp/sys/opr01:/usr/bin/ksh
[] </baan4/bse/security>
I will continue to test. Maybe I missed something.

ps - thx for the effort YOU make into this sw

dave_23
26th January 2005, 17:14
opr01:!:238:125:Franci :/users/bsp/sys/opr01:/usr/bin/ksh

ah see there we go, if there is a "!" then it might need to be setuid root
chown root passage
chmod 4755 passage

hopefully that works, it seems like NIS vs NIS+ vs LDAP, etc all require
setuid root to access the encrypted password - and I use that to determine
whether or not the user actually changed his password.

Thanks for the support!

Dave
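Added example (not part of the original posts and not passage's own code): a shell sketch of the failure Dave describes, where the password field visible in /etc/passwd is only a marker and a before/after comparison can never show a change. The function names and the demo1/demo2 entries are constructed for illustration; the opr01 line is the one quoted in this thread.

```shell
#!/bin/sh
# field_kind FIELD -> "placeholder" for the markers named in the thread
# (*, x, !), "empty" for no password, otherwise "hash".
field_kind() {
    case $1 in
        '') echo empty ;;
        '*'|x|'!') echo placeholder ;;
        *) echo hash ;;
    esac
}

# blind_users: reads passwd-format lines on stdin and prints the login names
# whose field is a placeholder, i.e. users for whom an unprivileged
# comparison of the passwd field always reports "same".
blind_users() {
    while IFS=: read -r name field rest; do
        case $name in ''|'#'*) continue ;; esac
        if [ "$(field_kind "$field")" = placeholder ]; then
            echo "$name"
        fi
    done
    return 0
}

# change_detected OLD NEW -> yes / no / unknown
# "unknown" is the honest answer when either value is only a marker.
change_detected() {
    if [ "$(field_kind "$1")" = placeholder ] ||
       [ "$(field_kind "$2")" = placeholder ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo no
    else
        echo yes
    fi
}

# Sample input: first line is from the thread, the other two are constructed.
sample_passwd() {
    printf '%s\n' \
        'opr01:!:238:125:Franci :/users/bsp/sys/opr01:/usr/bin/ksh' \
        'demo1:abCONSTRUCTED1:300:125::/home/demo1:/usr/bin/ksh' \
        'demo2:*:301:125::/home/demo2:/usr/bin/ksh'
}

sample_passwd | blind_users
```

Any user this lists is one for whom the comparison only works when the real hash can be read, which is why the binary ends up setuid root on those systems.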

frajer
27th January 2005, 15:32
Hi,
I did as you told me (= ch.auth.). Now, what's new:
I started from the beginning - new first logging/creating file. Then:
- subtract 1 day >> order to change pwd (as last time) - I changed it and that's it :-) now it works OK, just what troubles me is that day mess; by instructions this message has to appear after 85 days ?!?
- subtract 88 days >> "You have -86 days remaining......." When I changed pwd, this message had not appeared any more.

My BW client is on WinXP. Test BaaN application is on IBM RISC/6000 server (an older one, but it works).
"log.passage" is enclosed (with my comments).

r_nagu
1st February 2005, 22:39
Dave,
The 'pstat' function that you are using in the script, is it BaaN IV function or is it a unix/OS specific function?

Thanks,
NS

dave_23
1st February 2005, 23:44
pstat() is just a standard Baan function. NP_RAO told me about it (so I assume it goes all the way up to Reger)

Dave

r_nagu
1st February 2005, 23:52
Dave,

Yes, it is a standard function. It wasn’t there in the manual but the script compiled just fine. Thanks to NP for pointing this out.

Thanks,
NS

ranias
3rd February 2005, 17:26
I have implemented the solution on one of the testing environments we have, but to continue doing all the tests on the aging mechanism, I need to understand the number created in the file under $BSE/security/user

For example the number in one of the files:
1107443196 1

What does this number, 1107443196, mean?

Thanks,
- Rain

dave_23
3rd February 2005, 18:38
The first number is the date that the user's file was created or their last password change (represented in number of seconds from Jan 1 1970). The 2nd number is a flag for Active/Inactive.

Dave
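Added example (not from the original thread and not passage's own code): a shell function that reads a state file in the two-field layout Dave describes and reports its age. The 90-day limit, the flag meaning (1 = active, 0 = inactive) and the name passage_status are assumptions drawn from the posts in this thread.

```shell
#!/bin/sh
# Interpret a state file of the form "<epoch-seconds> <flag>".
# MAX_AGE_DAYS and the flag meaning are assumptions, not documented values.
MAX_AGE_DAYS=${MAX_AGE_DAYS:-90}

# passage_status FILE [NOW_EPOCH]
# Prints "<state> age_days=<n> days_remaining=<n>", or an error word and
# returns 2 when the file cannot be trusted.
# NOW_EPOCH defaults to `date +%s`, which older HP-UX/AIX date(1) may lack;
# pass the current time explicitly there.
passage_status() {
    file=$1
    now=${2:-$(date +%s)}
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    read -r stamp flag < "$file" || true
    # Reject anything that is not "<digits> <0|1>".
    case $stamp in ''|*[!0-9]*) echo "malformed"; return 2 ;; esac
    case $flag in 0|1) ;; *) echo "malformed"; return 2 ;; esac
    # A timestamp in the future would grant extra days; treat it as an error.
    [ "$stamp" -le "$now" ] || { echo "future-timestamp"; return 2; }
    age=$(( (now - stamp) / 86400 ))
    left=$(( MAX_AGE_DAYS - age ))
    if [ "$flag" -eq 0 ]; then
        state=inactive
    elif [ "$left" -le 0 ]; then
        state=expired
    else
        state=active
    fi
    echo "$state age_days=$age days_remaining=$left"
}

# Demo with the value quoted above, evaluated 10 days after the timestamp.
demo_file=$(mktemp)
printf '1107443196 1\n' > "$demo_file"
passage_status "$demo_file" 1108307196
rm -f "$demo_file"
```

Passing a fixed NOW_EPOCH lets the aging logic be tested without editing the state file or moving the system clock.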

ranias
3rd February 2005, 18:41
I have tested the script on HPUX 11.00 and moved the date to another 90 days from the first creation, when logging into BaanERP 5.0b it gives a message that account is expired but doesn't force the user to change it.
The user can ignore the message each time they log in and continue to work with BW.
Does this solution provide locking accounts when no action is taken by the user to change his password?

thanks for your help,
- Rania

dave_23
3rd February 2005, 19:12
Depends on what you mean. The passage binary + the session that is coded above will lock users out of Baan. Not Unix. If you want to use it for Unix then you could script it into their .profiles or something similar.

Have a look on the website http://www.mr-paradox.com/passage.html
for more info on what it does vs. what it doesn't do. and for ideas on testing and scripting.

Dave

dave_23
3rd February 2005, 19:14
Oh also, if you can test it with PWDEBUG=1 and send me the output I might be able to tell you more about what's going on..

Plus I'm working on some bug fixes (that will be on the website soon) that might address the problem as well.

Thanks!

Dave

ranias
3rd February 2005, 19:53
Thanks for your response,
Actually I debugged the script you provided with the pstat function and when running the session I don't get the right process number, therefore the kill command doesn't work in this situation. This is what I meant by locking, not at the Unix level. The correct behaviour is to kill the bshell process from the first time the user logs in with an expired password and doesn't change it, right?

Note: surely it would be a very good solution if it's encoded for the Unix level in the passage script at a later stage.

I have BaanERP 5.0b
OS: HPUX 11.00
PortingSet: 7.1c.03
Any clue?
Thanks,
- Rain

dave_23
3rd February 2005, 20:03
Right, if the user tries to log in and they are expired then the pstat portion should kill the process..

Interesting, you might be the first Baan 5 person to try this (I've mostly worked with Baan 4)

Maybe pstat is different in Baan 5 or maybe someone here can help with pstat - I'm really not much of a 4GL developer. NP you out there?

Dave

NPRao
3rd February 2005, 20:07
"I have tested the script on HPUX 11.00 and moved the date to another 90 days from the first creation, when logging into BaanERP 5.0b it gives a message that account is expired but doesn't force the user to change it."
You would need a fix for the porting set. Here is the info from my case -

Case 2036414
TLS-NA: BaanLogin allows a user to login even though their account has expired
SITUATION DESCRIPTION:
blogind6.2 allows a user to login even though their account has expired.

SOLUTION DESCRIPTION:
The problem had already been fixed while fixing badmin6.2 previously. Since we just sent the executable with the first fix, the blogind6.2 executable was not delivered at the same time.
Rain, it helps if you give a screenshot of what's going on. I never had issues with pstat().

ranias
3rd February 2005, 20:45
NPRao,
Actually I didn't understand what the role of badmin6.2 is in this case, when I'm trying to kill a bshell process through the script posted by Dave. The case says the account is expired; by which mechanism is it expired?
I'm applying this solution which doesn't deal in the Unix level.
I'm somehow mixed up now.

Dave,
What value should be returned by pstat() for it to work properly?

Thanks,
- Rain

NPRao
3rd February 2005, 21:54
Rain,

There was a bug in the blogin/badmin binaries that allowed one to log into BaaN and work even if the password is expired and it's fixed in the latest porting sets as I have indicated.

And I am not sure of Dave's logic how the password calculation is done.

If he is using the BaaN binaries to get the expiration dates etc, then his calculations will get wrong results -

[DEV:bsp]/app/lms/lmss/opt/bse/bin>badmin6.2 -U

Insufficient or wrong option(s) provided

Baan Administration Tool

Usage: badmin6.2 [-pUuVv] [-qo outfile] [-qe errfile] -getpwd <user> <pwd> | -chkpwd <user> | -chkuser <user> | -chkgroup <group> | -ostype <ostype>

-p : Tag for Aged Password Notification. Has only effect with other flags
-U or -u : Print usage
-V or -v : Print release number
-qo outfile : Redirect standard output to file outfile
-qe errfile : Redirect error output to file errfile
-chkuser <user> : Returns 0 if user exists, else 1
-chkgroup <group> : Returns 0 if group exists, else 1
-chkpwd <user> : Returns 0 if successful, else 1
-getpwd <user> : Returns 0 if successful, else 1
-ostype <osname> : Returns 0 if ostype is osname, else 1
osname can be NT, OS400 or UNIX

[DEV:bsp]/app/lms/lmss/opt/bse/bin>

[DEV:bsp]/app/lms/lmss/opt/bse/bin>badmin6.2 -chkpwd bsp
2: Your password can be changed within 49D 4H 7M 28S.
As I mentioned, I never had issues with pstat(). You have to give a screenshot of what's going on and post your code if you made any changes to Dave's base script.

"What value should be returned by pstat() for it to work properly?"
Refer to the online manual for more info - pstat() (http://www.baanboard.com/programmers_manual_baanerp_help_functions_processes_pstat)

ranias
6th February 2005, 15:52
NPrao,
1. I have checked the badmin6.2 utility and it's not implemented in my system. I don't use password aging option using Baan binary badmin6.2.

#badmin6.2 -chkpwd bsp
-1005: The aging for name is turned off.

2. I haven't made any changes to Dave's script with the pstat() function.

Here's the problem I'm facing:
1. I changed the digit 1 to 0 in the file $BSE/security/user and this way I forced the user password to expire according to Dave's passage script usage.
2. I added the session running the script Dave provided in this thread in the BMASK with boot option/Automatical add mask checked.
3. When I log on to the system with the BSP user I get the shell window opened with a message to change the expired password. Attached file.
4. In the shell window I type a wrong old password on purpose to see if the bshell gets killed if the user doesn't proceed with the password change; the shell window closes and the bshell process goes on working normally.
Process wasn't killed and user with expired password wasn't blocked and forced to change it.
5. One thing I noticed: running the tccompassage session with the script again after the failure to kill the bshell process opens the shell window again, and when I again type a wrong old password on purpose, this time the process is killed and the user is out of the Baan BW.
6. I suspect the script can't determine process status when running with the BMASK module when the user is logged in to the system.

Dave, What do you think ? have you encountered this behaviour?

Thanks for your help,
- Rain

dave_23
6th February 2005, 18:10
I've never really understood the bmask area... but it could be that bmask starts up the session THEN starts up the rest of the engine (regardless of what the session does) since there is no menu, or standard program running the pstat won't kill anything.

Since Baan's password aging seems to stop people from logging in there must be a function that one could call in the otccompassage program to exit Baan altogether.

If anyone finds it, let me know and I can do away with the Startup Session aspect of it (since the bmask is a much better option)

Dave

ranias
6th February 2005, 18:31
Dave,
Is there a way to use the bshell.pid() function to kill the process from the OS level?
The question is whether there is another function that takes the value of the OS process ID returned and kills it.
kill() works for pstat only.

- Rain

dave_23
6th February 2005, 19:41
cmdstr = "kill " + bshell.pid();
You could probably use something like shell(cmdstr);

I think there's got to be a return value or something that will do this
more elegantly though!

Dave

ranias
7th February 2005, 13:24
Dave,
The idea was good but I made some changes to the code you posted since it didn't work; the pid should be converted to a string in order to concatenate it with the "kill" command.
I tested it with the code posted, this time it worked out properly and it kills the bshell process when session tccompassage runs from BMASK.

Posted new code for the script:

long ret
long info(PSMAXSIZE)
string progname(512)
long procid
string cmdstr(500)


function main()
{
    ret = shell("${BSE}/scripts/passage",SHELL_MWINDOW)
    if ret > 0 then
        procid = -1
        procid = pstat(procid, progname, info)
        cmdstr="kill " & str$(bshell.pid())
        while procid > 0
            procid = pstat(procid, progname, info)
            shell(cmdstr,SHELL_MWINDOW)
            kill(procid)
        endwhile
    endif
}


I will use this solution for the production environment. I will check also the release of bug fixes for it.
Thanks for your assistance,
- Ranias

NPRao
7th February 2005, 20:13
That info helped. I think there might be a bug in Dave's program to handle startup sessions, or 3-GL programs executing from the BMS mask data.

function main()
{
    ret = shell("${BSE}/scripts/passage",SHELL_MWINDOW)
    if ret > 0 then
        procid = -1
        procid = pstat( procid, progname, info)
        while procid > 0
            procid = pstat(procid, progname, info)
            kill(procid)
        endwhile
    endif
}

You shouldn't kill the current process pid, there might be other programs started after this tccompassage 3-GL script.
Here is part of my code -

for i = 1 to proc.counter
    if processid.array(i) <> pid then
        kill(processid.array(i))
    endif
endfor
free.mem(processid.array)
kill(pid)

PV Ramone
7th March 2007, 15:04
Hi, I cannot get it to work to log out of Baan.
In neither of the scripts does the kill seem to work or actually stop the bshell.