Secure Global Desktop 4.31 Administration Guide > Users and authentication > What happens when a user's password expires?
Secure Global Desktop normally requires a user to supply passwords for:
In most circumstances, Secure Global Desktop Administrators can configure what happens when a user supplies an expired password.
Secure Global Desktop logins are controlled by login authorities. The following table shows which login authorities support aged passwords.
Login authority | Supports aged passwords? |
---|---|
Anonymous user | Not applicable. User logs in without a username or password. |
ENS | Yes, see below for details. |
NT | No. |
LDAP | Yes, see Enabling the LDAP login authority for details. |
Active Directory | Yes, see Enabling the Active Directory login authority for details. |
UNIX Group | Yes, see below for details. |
UNIX User | Yes, see below for details. |
SecurID | Yes. |
Note: For web server/third-party authentication, the expiry of the user's password is handled by the web server or third-party authentication mechanism and has nothing to do with Secure Global Desktop.
If Secure Global Desktop can handle the expiry of the user's password, then when a user attempts to log in with an expired password, the aged password dialog displays. This dialog:
If the new password is accepted, the user is logged in to Secure Global Desktop.
Note: For SecurID authentication, if the user's PIN has expired, a new PIN dialog displays instead of the aged password dialog.
If you want Secure Global Desktop to prompt ENS or UNIX users for a new password when they log in to Secure Global Desktop with an expired password, the Pluggable Authentication Module (PAM) interface must be installed on your Secure Global Desktop servers.
If the PAM interface is not installed, Secure Global Desktop will not be able to support aged passwords. An error message is logged in /opt/tarantella/var/log/pemanagerpid_error.log on server startup if this is the case.
When you install Secure Global Desktop, Secure Global Desktop Setup automatically creates PAM configuration entries for Secure Global Desktop by copying the current configuration for the passwd program.
/etc/pam.conf file.
/etc/pam.d/tarantella file is created.
You can use Array Manager to modify the way that Secure Global Desktop deals with expired passwords on all application servers. The Application Launch panel lets you configure what happens when a user tries to launch an application on an application server for which their password has expired. Secure Global Desktop can:
The Prompt User option may not work on some application servers. In such circumstances, you must customize the appropriate login script.
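Because Setup creates the Secure Global Desktop PAM entries by copying the passwd configuration at install time, a later change to the passwd rules may not reach the copied entries. The following check is an added example, not part of the original guide or the product: it compares the two rule sets in either file layout, assuming the PAM service name is tarantella (taken from the /etc/pam.d/tarantella file name) and that the copy is not refreshed after installation; the function names and sample rules are constructed.

```shell
#!/bin/sh
# Added example: detect drift between the PAM rules for passwd and the
# copy made for Secure Global Desktop. Assumption: service name "tarantella".
# Limitation: backslash line continuations in PAM files are not joined.

# pam_rules ROOT SERVICE: print normalized rules without the service column
pam_rules() {
    root=$1; svc=$2
    if [ -f "$root/etc/pam.d/$svc" ]; then
        # /etc/pam.d layout: one file per service
        sed -e 's/#.*//' "$root/etc/pam.d/$svc" | awk 'NF { $1 = $1; print }'
    elif [ -f "$root/etc/pam.conf" ]; then
        # /etc/pam.conf layout: first column is the service name
        sed -e 's/#.*//' "$root/etc/pam.conf" |
            awk -v s="$svc" '$1 == s { $1 = ""; sub(/^ +/, ""); print }'
    fi
}

# check_sgd_pam [ROOT]: prints in-sync (0), drift (1) or missing (2)
check_sgd_pam() {
    root=${1:-}
    sgd=$(pam_rules "$root" tarantella)
    pw=$(pam_rules "$root" passwd)
    if [ -z "$sgd" ]; then echo "missing"; return 2; fi
    if [ "$sgd" = "$pw" ]; then echo "in-sync"; return 0; fi
    echo "drift"; return 1
}

# make_sample ROOT: constructed tree where passwd was tightened after install
make_sample() {
    mkdir -p "$1/etc/pam.d"
    printf '%s\n' '# constructed sample, not a real host' \
        'password required  pam_unix.so sha512 shadow remember=5' \
        > "$1/etc/pam.d/passwd"
    printf '%s\n' 'password required pam_unix.so md5 shadow' \
        > "$1/etc/pam.d/tarantella"
}

# Demo on the constructed tree; pass "" as ROOT to inspect the live system.
demo=$(mktemp -d)
make_sample "$demo"
echo "constructed sample: $(check_sgd_pam "$demo" || true)"
rm -rf "$demo"
```

A result of missing corresponds to the case described earlier where aged passwords cannot be supported for ENS or UNIX users through PAM; drift means the copied rules should be reviewed against the current passwd rules.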
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.