Change password with external authentication

[Ender]

I'm trying to get external authentication working in my test environment, and I've got the files to authenticate using my OS 10.3 Server's Open Directory (Workgroup users can login to the database,) but I'm stuck on how to allow/force the users to change their password. The Change Password [] script step doesn't seem to work, and neither do the Open Directory's global policies or even the Workgroup user's Open Directory password options (to change password on next login or after n days.) The Password Service Server Log says "password change required", but it doesn't prompt the user to make the change.

What am I missing here?

I'm running FM Server 8 on a Mac OS 10.4 Server.

[Steven H. Blackwell]

When using External Server Authentication, FileMaker Pro surrenders all control over Account Name and Account Password to the Directory Service. Whatever policy is in force at the Directory Service level about password aging and credential lifecycle management is the controlling element.

The Account Name and the Account password are in the Directory Service, not in FileMaker Pro. Therefore, they must be managed from the Directory Service. This actually greatly expands credential lifecycle management options.

HTH

Steven

[Ender]

Thanks Steven. So the Change Password[] script step does not work on external authenticated accounts, got it.

Now back to the other thing: I don't understand what FileMaker is supposed to do when the directory service says it time to change the password. Is FileMaker capable of handling that password change or not? If not, how do I allow/force the user change their own password?

[Wim Decorte]

FileMaker is not supposed to do anything. The basic premise behind External Authentication is that users will log in to their Workstation with an OD account and will be authenticated by the OD *before* opening a FM file. The workstation log-in will take care of pw changing requirements, lock-outs, etc.

[Ted S]

If authentication on the Mac is like that of Windows--and I think it is--then the password really doesn't come into play with FileMaker. If a user can log onto the network (domain) then the user can get into FileMaker. The user is not prompted for a password at all when opening FM yet FM knows which security groups they are a member of.

The whole process is transparent to the user. Our folks are required (by OS policy) to use strong passwords and have to change them every 90 days. This all happens without either me or the users doing anything to FM.

When we get a new user, all I do is go into Active Directory Users and Computers and assign them to one (or more) of the FileMaker security groups that I established. That's really all that is necessary to do. I do not have to create an individual user account for them in FileMaker. I actually have accounts for the users but they are not FileMaker security accounts. I created a table called USERS and each user has a record. I have fields for all of the usual stuff like FULL_NAME, FIRST_NAME, PHONE. etc. I have a field for WINDOWS_ACCT_NAME and I use this to match their Windows login name to their personal information housed in FM.

I do not rely on these made-up accounts for anything security related; I use FM and Windows security completely.

Hope this helps.

[Ender]

Unfortunately we don't use the directory service for workstation sign-on (for us, it's too much work and expense to implement and support across 12 sites.)

Thanks for the info anyways.

[Steven H. Blackwell]

You can make the External Groups and Accounts reside on the FIleMaker Server as local Accounts rather than having them as AD or OD Accounts. See the External Server Authentication Tech Brief at

http://www.filemaker.com/support/upgrade/techbriefs.html

Steven

[Ender]

You can make the External Groups and Accounts reside on the FIleMaker Server as local Accounts rather than having them as AD or OD Accounts.

How does that help with password changes?

[Wim Decorte]

In that case, you can't expect all the OD features to work for just FM. They're not designed for that. They are for workstation login primarily and FileMaker piggy-backs on that.

FM is not a directory service client, it just asks the DS to see if the credentials are Ok to be authenticated. In case of a required pw change, the DS answers "no, the user needs to change his pw". FM just listens to the "no" part and refuses access.

One way around your issue is to create a web page wich code that uses the LDAP protocol where users can input their credentials if they fail to get access to the FM file. With the LDAP code in your web page you can handle the pw change request.