Passwords

System, Admin and non-Admin Passwords

Topics

LLDB
- database system
Hosts
- application host
LeasePak
- LeasePak client
- LeasePak driver
General
- OS
Users and Roles
- System Administrator
- LeasePak non-administrative user
  - Security Authority
- password
  - translated password
    - client string password
  - lpchgpass

IMPORTANT NOTE

The discussions on this page focus on dedicated users, who have individual OS accounts and DBMS accounts. Hosted users, who share credential sets provided by a proxy user, and not subject to most of the processes described on this page.

User Passwords

LeasePak has a complex password scheme due to its complexity as a product as well as to the variety of platforms it runs on.

The user has his or her plain text password, or client string password. Generally this is all that most users are aware of. However, to access the LLDB and drivers, the user must also have accounts in the application host OSs and in the database systems that contain the LLDBs. Initially, these were set by the System Administrator.

To effect a password change for a user, the following locations need to be updated:

The database system which has the user's account. If there are multiple database systems installed, then potentially each of them must be individually updated.
The application host must have its /etc/passwd or /etc/shadow updated.
There are tables in the LLDB governing certain aspects of password administration which may have to be updated.

This section of the System Administration Guide covers briefly how to change passwords for various types of users.

The following list describes who can change which passwords:

Users with client string passwords can update their own passwords by using Change Password on the LeasePak client.
$NSTADMIN and $NSTDBA can update their passwords by using the OS passwd program.
$SRVADM, sa, and sysdba can change his or her password by executing the Oracle or Sybase password update; see System User Passwords.
Non-administrative users can have their password changed using Change Password on the LeasePak client by anyone with Security Authority and Ability to change other users' passwords (set in [U0706] Security). See Granting Security Authority.
Database owners and non-administrative users can have their password changed by anyone with Security Authority using lpchgpass. See Granting Security Authority.

Security Administrator

Granting Security Authority

Topics

LLDB

database system

Hosts

application host
DBMS host

General

shell

command prompt
shell programs

sh
csh
ksh
bash

Users and Roles

System Administrator
database system user

database system root user
- sysdba
- sa

LeasePak administrative users

NSTDBA

LeasePak database administrator

$SRVADM

Database server administrator

LeasePak non-administrative user

LeasePak supervisor
Regular user
Security Authority

Any user with application host or DBMS host login access, and who knows the $SRVADM's password, can perform this procedure.

Normally, the $SRVADM, the database server administrator, wields Security Authority in the database system. However, the administrator may want to give this authority to a regular user or to the LeasePak supervisor so that that person can effect user password changes without exposing the $SRVADMpassword unnecessarily.

Procedure to Grant Security Authority to a user

Security Authority is granted in different ways in the different database systems.

The operator should log onto the application host as $NSTDBA, the LeasePak database administrator. To be sure that the $NSTDBA can connect to the database system needed, the operator, after logging in as $NSTDBA, must execute the following command. In the below command lines, the portion of path components that are given as dbms, should be replaced with ora or syb, as appropriate.

If using the sh, bash, or ksh shell, the operator should execute:

~~[nsdba76a:~]~~ . $TOPDIR/env/adm_dbms/etc/.lpprofile

or if using the csh or tcsh shell, the operator should execute:

~~[nsdba76a:~]~~ source $TOPDIR/env/adm_dbms/etc/.lplogin

Oracle

Once $NSTDBA can access Oracle, execute:

~~[nsdba76a:~]~~ sqlplus "sys as sysdba"

And enter the sysdba password when prompted. Then at the ~~SQL>~~ prompt, execute:

~~SQL>~~ grant alter user to target-user;

Now the target-user can log onto sqlplus and change the passwords of other users.
Sybase

Once $NSTDBA can access Sybase, execute:

~~[nsdba76a:~]~~ isql -Usa

And enter the sa password when prompted. Then at the prompt, execute:

1> grant role sso_role to target-user
2> go

Now the target-user can log onto isql and change the passwords of other users.

System User Passwords

`DBO`, `$SRVADM`, `sa`, `sysdba`

Topics

LLDB

database system

General

shell

command prompt

Users and Roles

database system user

database system root user

sysdba
sa

LeasePak administrative users

$SRVADM
DBO
System user

LeasePak non-administrative user

Security Authority

Performing database system-only password changes

The system users are the DBOs, $SRVADM, sysdba and sa. A DBO and $SRVADM may exist in multiple database systems; if so, the password used for that user should be uniform across all of the installed database systems.

Oracle

The Oracle database system-only password change is performed by the system user or a user with Security Authority logging into sqlplus as follows:

% sqlplus

enter the user-name and user-password when prompted.

~~SQL>~~ alter user system-user identified by new-password

where:

user-name is the system user or a user with Security Authority
user-password is the password of the user with Security Authority
system-user is a DBO, $SRVADM or sysdba
new-password is the new password being assigned to the system-user

Sybase

The Sybase database system-only password change is performed by the system user or a user with Security Authority logging into isql as follows:

% isql -Uuser -Puser-password
1> sp_password user-password, new-password, system-user
2> go

where:

user is the system user or a user with Security Authority
user-password is the password of the user with Security Authority
system-user is a DBO, $SRVADM or sa
new-password is the new password being assigned to the system-user

Change Password Update

Password Change By User

The user can perform this update only if allowed by the LeasePak supervisor through [U0706] Security.

The user changes his or her own password by accessing the Change Password update on the LeasePak client Options Menu. The Reference Guide describes how to go about this.

lpchgpass

Password Change By Administrator

Topics

LLDB

database system
NetSol utility script
- db_add_user

Hosts
- application host
LeasePak
- LeasePak instance
  - LeasePak release
- SETUP
- Upper Level Directories
  - top directory
General
- OS
- shell
  - command prompt
Users and Roles
- super-user
- System Administrator
- LeasePak administrative users
  - $SRVADM
    - Database server administrator
  - Security Administrator
- LeasePak non-administrative user
  - Security Authority
- password
  - translated password
    - client string password
  - lpchgpass

The lpchgpass utility may be run only by root (the System Administrator). It also requires knowing the $SRVADM's password, or knowing a user account with Security Authority.

If there are multiple database systems installed and the user has accounts in more than one, the administrator will have to perform this procedure on each database system. The user's password needs to be changed only once per database system, even if he or she has been given access (db_add_user) to more than one LLDB within the database system.

Common Usage

The following shows how lpchgpass is typically used:

lpchgpass config-file env-name user-name security-admin

where:

config-file - $TOPDIR/etc/host_v99x_rt.msirc, where:
- $TOPDIR - is the top directory of the LeasePak instance
- host - is the name of the application host as given during installation in response to the SETUP prompt Name of the LeasePak Application Host [**].
- release - is the current LeasePak version, v76a
env-name - the name of the environment in the database system here the user has LLDB access
user-name - the login name of the user whose password is to be changed
security admin - the database system login name of a user who has been granted database system Security Authority. This is usually $SRVADM, the database server administrator, but other users can also be granted this authority. See Granting Security Authority.
Other inputs: The operator will be prompted for:
- the user's new client string password
- the password of the Security Authority

The utility will then update the database system and the OS with the passwords generated from the client string password.

lpchgpass Worksheet

Note the following values for running lpchgpass:

Name	Description	Your Value	Notes
`config-file`	run-time configuration script	`$TOPDIR/etc/host_lpvnna_rt.msirc`	`$TOPDIR/etc/host_v99x_rt.msirc`
`env-name`	environment name		where the user has database access
user-name	user whose password is being changed
Security Authority	a user who holds Security Authority		usually `$SRVADM`, but can be any user who has Security Authority. See Granting Security Authority.
new-password	new password of user		6-8 characters
Security Authority's password	password of user with Security Authority		usually `$SRVADM`, but can be any user who has Security Authority.

Running lpchgpass

Log on the application host as root (the System Administrator)

Run lpchgpass with the common usage described above.

# cd /opt/nst/v65a/env/prod
# . etc/.lpprofile
# exe/lpchgpass $CFGDIR/$MSI_RT_CFG prod jstettner $SRVADM

The command will produce a display similar to the screen print below. Enter when prompted:

the user's new password
confirm the user's new password
$SRVADM's password

   # cd /opt/nst/v65a/env/prod
	   # . etc/.lpprofile
	   # exe/lpchgpass $CFGDIR/$MSI_RT_CFG prod jstettner $SRVADM
	   Enter new password for user: user's password
	   Confirm new password for user: user's password
	   Enter password of the SSO role: SSO's password
	   Password set correctly
	   #

Locked Accounts

Unlocking Accounts

Topics

Hosts

application host

LeasePak

SETUP
LeasePak Internet services

leasepakd service
mPowerd service

General

environment variable
signals flags semaphores

semaphore file

Users and Roles

super-user
System Administrator
OS login account

$HOME directory

user lockout

$LEASEPAKD_LOCKOUT

If LeasePak has been configured to lockout users from the system after a certain number of consecutive failed login attempts (SETUP prompt Max bad logins before lockout (0=disabled) [0], stored in environment variable $LEASEPAKD_LOCKOUT, then the administrator will periodically need to unlock these accounts.

This lockout capability is available only on client logins through leasepakd or mPowerd.

The account is locked by creation of a semaphore file in the user's home directory with the name .lpdlogin-lck.

Unlocking An Account

A LeasePak user with the proper authority and rights can do this through Change Password. The following server-side procedure for unlocking an account should be used only if the account cannot be unlocked through Change Password.

Log onto the application host as root (the System Administrator)

For a dedicated user who is locked, execute:

rm -f home-path/user-name/.lpdlogin-lck

where:

home-path - the directory where user home directories are placed, usually /home
user-name - name of the user whose account is to be unlocked

For a hosted user who is locked, execute:

rm -f home-path/proxy-user/lphome/user-name/.lpdlogin–lck

where:

home-path - the directory where user home directories are placed, usually /home
proxy-user - the name of the proxy server user
user-name - name of the user whose account is to be unlocked