Change Password in Proxy Authentication - Oct. 3, 2001

If you are using proxy authentication for reverse HTTP acceleration of an internal web server, and your users do not get a chance to log into the LAN, you will face the issue of your users' passwords expiring. While I do not know of any way to give the users notice that the password will expire in 'x' days, you should at least be able to give them a way to change the password through the proxy authentication login.

When the HTML login screen pops up, have the users enter their old and new passwords using this syntax in the password field :

<oldpsw>\<newpsw>\<newpsw>

(Do not type the '<' and '>' characters themselves; do type the backslashes "\" between the three values.)

This should work on BorderManager 3.5.

One of the Sysops (Jim Michaels) has come up with a way of displaying the password expiration date and the number of grace logins remaining, and we are working on documenting the technique. In case you are halfway there, here is the script he used:

<%@page import="java.sql.*"%>
<%@page import="java.io.*"%>
<%
String uid = request.getParameter("uid");
String ctx = request.getParameter("ctx");

// uid and ctx come straight from the request and are concatenated into the
// query and the connection string below. Restrict them to the characters a
// CN and a context can legitimately contain, otherwise a caller can alter
// the query or the baseDN.
if (uid == null || ctx == null
        || !uid.matches("[A-Za-z0-9._ -]+")
        || !ctx.matches("[A-Za-z0-9=,._ -]+")) {
    throw new ServletException("invalid uid or ctx parameter");
}

String strSQL = "SELECT cn, passwordExpirationTime, loginGraceRemaining" +
    " FROM inetOrgPerson" +
    " WHERE cn ='" + uid + "'";
// xxxxx are the page's own placeholders for the bind user and password.
// useCleartext=true sends the bind password unencrypted, so keep this
// connection on a trusted network segment.
String strURL = "jdbc:LDAP://cityhall.chesterfield.mo.us" +
    ";user=cn=xxxxx,o=xxxxx" +
    ";password=xxxxx" +
    ";baseDN=" + ctx +
    ";useCleartext=true";

Class.forName("com.novell.sql.LDAPDriver");
Connection conn = null;
Statement stmt = null;
ResultSet rs = null;
try {
    conn = DriverManager.getConnection(strURL);
    stmt = conn.createStatement();
    rs = stmt.executeQuery(strSQL);
    // rs.next() is false when no entry matches; the original read the
    // columns without checking, which fails with an exception.
    if (!rs.next()) {
        throw new ServletException("no entry found for cn=" + uid);
    }
%>

<br>
Your CN is: <%=rs.getString(1)%><BR>
Your password expires on: <%=rs.getString(2)%><br>
You have <%=rs.getString(3)%> grace logins left.

<%
} finally {
    // release the LDAP connection even when the query fails
    if (rs != null) rs.close();
    if (stmt != null) stmt.close();
    if (conn != null) conn.close();
}
%>
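The page leaves two pieces of logic to the reader: turning the raw passwordExpirationTime and loginGraceRemaining values into the "expires in x days" notice the author says he has no way to give, and validating the old\new\new password field before it is submitted. The following is an added example written for this page, not code from the original or from Novell; it assumes that eDirectory returns passwordExpirationTime as an LDAP GeneralizedTime string in UTC (e.g. "20011103120000Z") and that the sample values are constructed.

```python
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime such as '20011103120000Z' (assumed format)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unexpected passwordExpirationTime format: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_notice(expiration_time, grace_remaining, now, warn_days=14):
    """Return (days_left, message) for the login page.

    days_left goes negative once the password has expired; the message
    switches to a hard warning when only grace logins are left.
    """
    expires = parse_generalized_time(expiration_time)
    days_left = (expires - now).days
    grace = int(grace_remaining)
    if expires <= now:
        if grace > 0:
            msg = ("Your password has expired; you have %d grace logins left. "
                   "Change it now." % grace)
        else:
            msg = ("Your password has expired and no grace logins remain; "
                   "contact the help desk.")
    elif days_left < warn_days:
        msg = ("Your password expires in %d days; change it with "
               "old\\new\\new." % days_left)
    else:
        msg = "Your password expires on %s." % expires.strftime("%Y-%m-%d")
    return days_left, msg


def parse_change_request(field):
    """Split the old\\new\\new password field into (old, new).

    Raises ValueError on a malformed entry so the caller can fall back to a
    plain login instead of submitting a garbled change. A password that itself
    contains a backslash cannot be expressed in this syntax.
    """
    parts = field.split("\\")
    if len(parts) != 3:
        raise ValueError("expected old\\new\\new")
    old, new, confirm = parts
    if not old or not new:
        raise ValueError("empty password")
    if new != confirm:
        raise ValueError("new passwords do not match")
    return old, new
```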

Jim's comments on this:

"Getting the backend stuff to work, while not impossible (obviously if I can do it, anyone can!), is also not trivial. The basic ingredients needed are:

1) A web server that has a Java Application Server running on it and functioning properly. This can be WebSphere, Allaire JRun, Jetty, etc., or the freebie Tomcat (though this is by far the worst performer of the bunch). Aside from WebSphere, Novell doesn't have a good solution for running JSPs, and while you *can* get Tomcat, JRun or Jetty to run on NetWare, you have to pretty much be a Java guru to do it.

2) Novell's JDBC Driver for NDS, as well as the LDAP Service Provider for JNDI, available here: http://developer.novell.com/ndk/downloadaz.htm

Installation of these components into the java app server is pretty straightforward... you basically unzip them, copy the files to where you want them, and add that directory to the CLASSPATH.

3) Once the JDBC driver and JNDI provider are functioning, use code similar to what I showed to access NDS."

And some further comments:

"We're running Allaire JRun 3.0 on RedHat7/Apache (the server running ccnet is a PII450 w/384MB). It runs equally well on IIS (I had that set up for a few weeks just to see how it worked, then went back to a real web server). I like JRun because:

- It's got excellent support (did you hear Allaire & Macromedia are merging? That is *good* news, because DreamWeaver is a superior web development environment to just about anything). JRun ships with "connectors" for about 10 mainstream web servers, and with a little help from tech support you can usually get it to run on anything.

- It's reasonably priced ($900-ish for a single-CPU unlimited connection license)

- It is nowhere *near* the memory hog that WebSphere is... it runs fine on a 128MB Linux box (though I'm sure NT would barf trying to run it with that)

- It is exceedingly stable. I have not had one crash with the software, even with it running Novell's *early access* JDBC driver.

- It performs very well on relatively tame hardware.

The bottom line is that Java is really turning out to fulfill the "write once, run anywhere" dream... it's just happening at the server and not the client. If the app server is compliant, your Java code will run on any platform, so I don't see why *anyone* would continue to do ASP development."

Oct. 3, 2001 - Martin Flexman emailed me this bit of code, with the following explanation:

"Test it first and make sure it is actually useful. It creates a popup box that lets a user change their password in eDir. It is based on some code cribbed from Novell's site. It is not pretty or neat so may need some tidying or explanation.

I run this with the web server set to 100 concurrent connections and 5000+ users work with it at that setting."
