15.10 Password Reset Scripts

You can use required policy templates to reset the password of the privileged accounts that are set on the supported application server. For more information about supported application servers, refer to Supported Applications/Database for Managing Accounts through PAM. The password check-in process includes generating a random password, resetting the password in the PAM database, and resetting the password on the application. The password check-in process can either use a script to reset the password on the application and return the value to the PAM database, or use Identity Manager to send the reset password to the PAM database and synchronize the password with an active Identity Manager application.

This section contains Perl scripts for customizing the password reset of accounts in applications.

15.10.1 LDAP Password Reset Script

Following is an example script for resetting the password of accounts on any LDAP directory except Active Directory. To reset an Active Directory account password, use the Active Directory Password Reset Script.

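## PUM script to reset password of an LDAP user
##
## Runs inside the PAM script host: $args (input parameters), $ctx (logging and
## the LDAP session) and ldap_bind/ldap_modify/ldap_unbind are supplied by the
## host, not by this file.  Returns 1 on success and 0 on any failure.

## global variables
my $retVal = 1;

## arguments
my $host        = $args->arg("host");
my $port        = $args->arg("port");
my $secure      = $args->arg("secure");
my $adminDN     = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN      = $args->arg("userName");
my $userPasswd  = $args->arg("userPasswd");

$ctx->log_info("START PASSWD RESET");
# Only non-secret parameters are logged; neither password goes to the log.
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - following parameters are mandatory - host, adminDN, adminPasswd, userDN and userPasswd are passed.");
  return 0;
}

# An empty "secure" flag means TLS.  Deciding that once here keeps the default
# port and the URL scheme consistent: the earlier sample defaulted an empty
# flag to port 636 but then built a plain ldap:// URL for it.
$secure = 1 if $secure eq "";
my $use_tls = ($secure != 0);

# set default ldap port numbers
if ($port eq "") {
  $port = $use_tls ? 636 : 389;
}

# create ldap url
my $ldapURL = ($use_tls ? "ldaps://" : "ldap://") . $host . ":" . $port;

# Login as LDAP admin.  The trailing 100 is kept from the original sample;
# presumably a timeout - confirm against the PAM scripting reference.
$ctx->log_debug("Authenticating to the LDAP server...");
my $ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
}
$ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");

# Reset the user password.  A failure here only records the result so that
# the admin session below is always unbound instead of being left open.
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "userpassword", $userPasswd);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;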

15.10.2 Active Directory Password Reset Script

Following is an example script for resetting the password of the accounts on Active Directory:

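## PUM script to reset password of Microsoft ActiveDirectory LDAP user
##
## Runs inside the PAM script host: $args (input parameters), $ctx (logging and
## the LDAP session) and ldap_bind/ldap_modify/ldap_unbind are supplied by the
## host, not by this file.  Returns 1 on success and 0 on any failure.
use MIME::Base64;
use Encode qw(encode);

## global variables
my $retVal = 1;

## arguments
my $host        = $args->arg("host");
my $port        = $args->arg("port");
my $secure      = $args->arg("secure");
my $adminDN     = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN      = $args->arg("userName");
my $userPasswd  = $args->arg("userPasswd");

$ctx->log_info("START PASSWD RESET");
# Only non-secret parameters are logged; neither password goes to the log.
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - following parameters are mandatory - host, adminDN, adminPasswd, userDN and userPasswd are passed.");
  return 0;
}

# Active Directory's unicodePwd attribute takes the new password as the
# UTF-16LE encoding of the password wrapped in double quotes.  The empty eol
# argument stops MIME::Base64 from appending its default trailing newline, so
# no stray line break travels with the value.  Whether ldap_modify decodes the
# base64 itself is a host detail - confirm against the PAM scripting reference.
my $userPasswdEncoded = encode_base64(encode("UTF-16le", "\"$userPasswd\""), "");

# An empty "secure" flag means TLS.  Deciding that once here keeps the default
# port and the URL scheme consistent: the earlier sample defaulted an empty
# flag to port 636 but then built a plain ldap:// URL for it.
$secure = 1 if $secure eq "";
my $use_tls = ($secure != 0);

# set default ldap port numbers
if ($port eq "") {
  $port = $use_tls ? 636 : 389;
}

# create ldap url
my $ldapURL = ($use_tls ? "ldaps://" : "ldap://") . $host . ":" . $port;

# Login as LDAP admin.  The trailing 100 is kept from the original sample;
# presumably a timeout - confirm against the PAM scripting reference.
$ctx->log_debug("Authenticating to the LDAP server...");
my $ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
}
$ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");

# Reset the user password.  A failure here only records the result so that
# the admin session below is always unbound instead of being left open.
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "unicodePwd", $userPasswdEncoded);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;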

15.10.3 AWS Password Reset Script

Following is an example script for resetting the password of the accounts on AWS:

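# Sample perl script for Password Reset of a user on AWS system
#
# Runs inside the PAM script host: $args (input parameters) and $ctx (logging)
# are supplied by the host.  The reset itself is done by the bundled
# NPUM_AWS_api.jar, which takes the user name on its command line and the
# credentials from the environment (the Windows branch of the earlier sample
# already relied on that).  Returns 1 on success and 0 on any failure.

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

# Run the reset JAR and return (stdout, exit status as $? reports it).
# Unix: list-form pipe open - no shell is involved, so the arguments reach
#       java verbatim and nothing in them can be interpreted as a command.
# Windows: Perl's list-form pipe open only exists there from 5.22, so the
#       backtick form is kept; every argument is refused if it carries
#       cmd.exe/argv metacharacters and is then double-quoted.
# The status is undef when an argument was refused or java could not start.
my $run_jar = sub {
    my ($jar, @jar_args) = @_;
    if ($OS =~ /^MSWin/) {
        for my $value (@jar_args) {
            if ($value =~ /[\r\n"&|<>^%!]|\\\z/) {
                $ctx->log_error("Command-line argument contains characters that are not allowed.");
                return ("", undef);
            }
        }
        my $cmdline = join(" ", "java", "-jar", sprintf('"%s"', $jar),
                           map { sprintf('"%s"', $_) } @jar_args);
        my $out = `$cmdline`;
        return ($out, $?);
    }
    my $pid = open(my $fh, '-|', 'java', '-jar', $jar, @jar_args);
    if (!$pid) {
        $ctx->log_error("Could not start java: $!");
        return ("", undef);
    }
    my $out = do { local $/; <$fh> };
    close $fh;    # for a piped handle this is where $? receives the exit status
    return ((defined $out ? $out : ""), $?);
};

$ctx->log_info("*** START AWS PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS");
# Only non-secret parameters are logged; neither password goes to the log.
$ctx->log_info("AWS System input parameters : AWS Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user");
$ctx->log_info("Resetting the password of the AWS user $user ...");

## validate inputs
if ($user eq "" or $admin eq "" or $adminPasswd eq "" or $userPasswd eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - admin, adminPasswd, userName and userPasswd");
    return 0;
}

# Hand the secrets to the JAR through the environment only.  `local` puts the
# host process's environment back when this script returns, so the secret
# access key and the new password do not stay visible to later child
# processes.  They are deliberately not placed on the command line any more:
# there they would show up in the process list for every user on the host.
local $ENV{AWS_ACCESS_KEY_ID} = $admin;
local $ENV{AWS_SECRET_ACCESS_KEY} = $adminPasswd;
local $ENV{NEW_PASSWORD} = $userPasswd;

# Execute the java command for password reset
my $jar = ($OS =~ /^MSWin/)
    ? "C:/Program Files/NetIQ/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar"
    : "/opt/netiq/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar";
my $status;
($cmd_output, $status) = $run_jar->($jar, $user);

if (!defined $status or $status != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Succesfully resetted the password of the AWS user $user .");
}

$ctx->log_info("Command execution output as below : 
        $cmd_output ");

$ctx->log_info("*** END AWS PASSWD RESET");
return $retVal;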

15.10.4 Openstack Password Reset Script

Following is an example script for resetting the password of the accounts on Openstack:

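# Sample perl script for Password Reset of a user on Openstack system
#
# Runs inside the PAM script host: $args (input parameters) and $ctx (logging)
# are supplied by the host.  The reset itself is done by the bundled
# NPUM_Openstack_api.jar, which takes the connection details and user names on
# its command line and both passwords from the environment (the Windows branch
# of the earlier sample already relied on that).  Returns 1 on success and 0 on
# any failure.

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $keystone_version = $args->arg("keystone_version");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $tenant = $args->arg("tenant");

# Run the reset JAR and return (stdout, exit status as $? reports it).
# Unix: list-form pipe open - no shell is involved, so the arguments reach
#       java verbatim and nothing in them can be interpreted as a command.
# Windows: Perl's list-form pipe open only exists there from 5.22, so the
#       backtick form is kept; every argument is refused if it carries
#       cmd.exe/argv metacharacters and is then double-quoted.
# The status is undef when an argument was refused or java could not start.
my $run_jar = sub {
    my ($jar, @jar_args) = @_;
    if ($OS =~ /^MSWin/) {
        for my $value (@jar_args) {
            if ($value =~ /[\r\n"&|<>^%!]|\\\z/) {
                $ctx->log_error("Command-line argument contains characters that are not allowed.");
                return ("", undef);
            }
        }
        my $cmdline = join(" ", "java", "-jar", sprintf('"%s"', $jar),
                           map { sprintf('"%s"', $_) } @jar_args);
        my $out = `$cmdline`;
        return ($out, $?);
    }
    my $pid = open(my $fh, '-|', 'java', '-jar', $jar, @jar_args);
    if (!$pid) {
        $ctx->log_error("Could not start java: $!");
        return ("", undef);
    }
    my $out = do { local $/; <$fh> };
    close $fh;    # for a piped handle this is where $? receives the exit status
    return ((defined $out ? $out : ""), $?);
};

$ctx->log_info("*** START Openstack PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS");
# Only non-secret parameters are logged; neither password goes to the log.
$ctx->log_info("Openstack System input parameters : Openstack Host - $host :: Port Number - $port :: Secure - $secure :: keystone_version - $keystone_version :: admin - $admin :: user - $user :: tenant - $tenant");
$ctx->log_info("Resetting the password of the Openstack user $user ...");

## validate inputs
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "" or $keystone_version eq "" or $tenant eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Openstack host, port number, secure(1/0), keystone version, admin, adminPasswd, userName, userPasswd and tenant name.");
    return 0;
}

# Hand the secrets to the JAR through the environment only.  `local` puts the
# host process's environment back when this script returns, so the passwords
# do not stay visible to later child processes.  They are deliberately not
# placed on the command line any more: there they would show up in the
# process list for every user on the host.
local $ENV{ADMIN_PASSWORD} = $adminPasswd;
local $ENV{NEW_PASSWORD} = $userPasswd;

# Execute the java command for password reset
my $jar = ($OS =~ /^MSWin/)
    ? "C:/Program Files/NetIQ/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar"
    : "/opt/netiq/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar";
my $status;
($cmd_output, $status) = $run_jar->($jar, $host, $port, $secure, $keystone_version, $admin, $user, $tenant);

if (!defined $status or $status != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Succesfully reset the password of the Openstack user $user .");
}

$ctx->log_info("Command execution output as below : $cmd_output ");

$ctx->log_info("*** END Openstack PASSWD RESET");
return $retVal;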

15.10.5 ESXi User Password Reset Script

Following is an example script for resetting the password of the accounts on ESXi:

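# Sample perl script for Password Reset of a user on ESXi system
#
# Runs inside the PAM script host: $args (input parameters) and $ctx (logging)
# are supplied by the host.  The reset itself is done by the bundled
# NPUM_ESXi_api.jar, which takes the connection details and user names on its
# command line and both passwords from the environment (the Windows branch of
# the earlier sample already relied on that).  Returns 1 on success and 0 on
# any failure.

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

# Run the reset JAR and return (stdout, exit status as $? reports it).
# Unix: list-form pipe open - no shell is involved, so the arguments reach
#       java verbatim and nothing in them can be interpreted as a command.
# Windows: Perl's list-form pipe open only exists there from 5.22, so the
#       backtick form is kept; every argument is refused if it carries
#       cmd.exe/argv metacharacters and is then double-quoted.
# The status is undef when an argument was refused or java could not start.
my $run_jar = sub {
    my ($jar, @jar_args) = @_;
    if ($OS =~ /^MSWin/) {
        for my $value (@jar_args) {
            if ($value =~ /[\r\n"&|<>^%!]|\\\z/) {
                $ctx->log_error("Command-line argument contains characters that are not allowed.");
                return ("", undef);
            }
        }
        my $cmdline = join(" ", "java", "-jar", sprintf('"%s"', $jar),
                           map { sprintf('"%s"', $_) } @jar_args);
        my $out = `$cmdline`;
        return ($out, $?);
    }
    my $pid = open(my $fh, '-|', 'java', '-jar', $jar, @jar_args);
    if (!$pid) {
        $ctx->log_error("Could not start java: $!");
        return ("", undef);
    }
    my $out = do { local $/; <$fh> };
    close $fh;    # for a piped handle this is where $? receives the exit status
    return ((defined $out ? $out : ""), $?);
};

$ctx->log_info("*** START ESXi PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS");
# Only non-secret parameters are logged; neither password goes to the log.
$ctx->log_debug("ESXi System input parameters : ESXi Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user ");
$ctx->log_info("Resetting the password of the ESXi user $user ...");

## validate inputs
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - ESXi host, port number, secure(1/0), admin, adminPasswd, userName and userPasswd.");
    return 0;
}

# Hand the secrets to the JAR through the environment only.  `local` puts the
# host process's environment back when this script returns, so the passwords
# do not stay visible to later child processes.  They are deliberately not
# placed on the command line any more: there they would show up in the
# process list for every user on the host.
local $ENV{ADMIN_PASSWD} = $adminPasswd;
local $ENV{USER_NEW_PASSWD} = $userPasswd;

# Execute the java command for password reset
my $jar = ($OS =~ /^MSWin/)
    ? "C:/Program Files/NetIQ/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar"
    : "/opt/netiq/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar";
my $status;
($cmd_output, $status) = $run_jar->($jar, $host, $port, $secure, $admin, $user);

if (!defined $status or $status != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Succesfully resetted the password of the ESXi user $user .");
}

$ctx->log_debug("Command execution output as below : 
        $cmd_output ");

$ctx->log_info("*** END ESXi PASSWD RESET");
return $retVal;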

15.10.6 SAP User Password Reset Script

Following is an example script for resetting the password of the accounts on SAP:

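# Sample perl script for Password Reset of a user on SAP system
#
# Runs inside the PAM script host: $args (input parameters) and $ctx (logging)
# are supplied by the host.  The reset itself is done by the bundled
# NPUM_SAP_api.jar, which takes the connection details and user names on its
# command line and both passwords from the environment (the Windows branch of
# the earlier sample already relied on that).  Returns 1 on success and 0 on
# any failure.

## global variables
my $retVal = 1;
my $OS = $^O;

my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $systemNumber = $args->arg("systemNumber");
my $clientNumber = $args->arg("clientNumber");
my $lang = $args->arg("lang");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

# Run the reset JAR and return (stdout, exit status as $? reports it).
# Unix: list-form pipe open - no shell is involved, so the arguments reach
#       java verbatim and nothing in them can be interpreted as a command.
# Windows: Perl's list-form pipe open only exists there from 5.22, so the
#       backtick form is kept; every argument is refused if it carries
#       cmd.exe/argv metacharacters and is then double-quoted.
# The status is undef when an argument was refused or java could not start.
my $run_jar = sub {
    my ($jar, @jar_args) = @_;
    if ($OS =~ /^MSWin/) {
        for my $value (@jar_args) {
            if ($value =~ /[\r\n"&|<>^%!]|\\\z/) {
                $ctx->log_error("Command-line argument contains characters that are not allowed.");
                return ("", undef);
            }
        }
        my $cmdline = join(" ", "java", "-jar", sprintf('"%s"', $jar),
                           map { sprintf('"%s"', $_) } @jar_args);
        my $out = `$cmdline`;
        return ($out, $?);
    }
    my $pid = open(my $fh, '-|', 'java', '-jar', $jar, @jar_args);
    if (!$pid) {
        $ctx->log_error("Could not start java: $!");
        return ("", undef);
    }
    my $out = do { local $/; <$fh> };
    close $fh;    # for a piped handle this is where $? receives the exit status
    return ((defined $out ? $out : ""), $?);
};

$ctx->log_info("*** START SAP PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS");
# Only non-secret parameters are logged; neither password goes to the log.
$ctx->log_debug("SAP System input parameters : SAP Host - $host :: System Number - $systemNumber :: Client Number - $clientNumber :: Language :: $lang :: admin - $admin :: user - $user ");
$ctx->log_info("Resetting the password of the SAP user $user ...");

## validate inputs
if ($host eq "" or $systemNumber eq "" or $clientNumber eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - SAP host, systemNumber, clientNumber, admin, adminPasswd, userName and userPasswd.");
    return 0;
}

# set default language
if ($lang eq "") {
    $lang = "EN";
}

# Hand the secrets to the JAR through the environment only.  `local` puts the
# host process's environment back when this script returns, so the passwords
# do not stay visible to later child processes.  They are deliberately not
# placed on the command line any more: there they would show up in the
# process list for every user on the host.
local $ENV{ADMIN_PASSWD} = $adminPasswd;
local $ENV{USER_NEW_PASSWD} = $userPasswd;

# Execute the java command for password reset
my $jar = ($OS =~ /^MSWin/)
    ? "C:/Program Files/NetIQ/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar"
    : "/opt/netiq/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar";
my $status;
($cmd_output, $status) = $run_jar->($jar, $host, $systemNumber, $clientNumber, $lang, $admin, $user);

if (!defined $status or $status != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Succesfully resetted the password of the SAP user $user .");
}

$ctx->log_debug("Command execution output as below : 
        $cmd_output ");

$ctx->log_info("*** END SAP PASSWD RESET");
return $retVal;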