Detecting Soon to Expire Password

General discussion on PHP
jord1322
Posts: 36
Joined: Mon Nov 03, 2014 3:49 pm
Location: Concord, North Carolina

Detecting Soon to Expire Password

Post by jord1322 » Thu Apr 21, 2016 3:44 pm

I'm trying to find out how to detect that a user's password is soon to expire once they successfully login, and if it is expired force a password change. I believe I have the part regarding changing the password, but I seem to be having trouble finding information about detecting the expiration date.

For instance, say I want to warn the user if their password is expiring in five days. What do I need to do to accomplish this using a PHP web interface?

Thanks in advance for your help!
Thanks,
Jordon Greene
PHP Full Stack Developer
SHOE SHOW, Inc.

scottgcampbell
Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Detecting Soon to Expire Password

Post by scottgcampbell » Thu Apr 21, 2016 3:54 pm

You would need to know the dates the users password will expire and the current date and compare them.
You don't mention how you are authenticating "users" so it is impossible to say how you might determine when the users password will expire.

jord1322
Posts: 36
Joined: Mon Nov 03, 2014 3:49 pm
Location: Concord, North Carolina

Re: Detecting Soon to Expire Password

Post by jord1322 » Thu Apr 21, 2016 4:07 pm

Yes, I know that I need to compare the date, what I'm missing is how to obtain the date the user's password will expire.

We are authenticating by making a connection to the database with the user's User ID and User Password for their User Profile. If that authentication here fails the user is not logged in, otherwise they are provided access (we also have a Role Based Access system in place for further access control).
Thanks,
Jordon Greene
PHP Full Stack Developer
SHOE SHOW, Inc.

scottgcampbell
Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Detecting Soon to Expire Password

Post by scottgcampbell » Thu Apr 21, 2016 4:21 pm

You would need to provide more details for anyone to help.
There are a lot of different types databases so depending on the type of database involved the answer will likely change, and be more helpful and accurate.

Scott

jord1322
Posts: 36
Joined: Mon Nov 03, 2014 3:49 pm
Location: Concord, North Carolina

Re: Detecting Soon to Expire Password

Post by jord1322 » Fri Apr 22, 2016 2:57 pm

We are running Zend Server 8.5 on an IBM i V7.1. The Database is DB2, Version 7, Release 1, Mod Level 0.
Thanks,
Jordon Greene
PHP Full Stack Developer
SHOE SHOW, Inc.

scottgcampbell
Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Detecting Soon to Expire Password

Post by scottgcampbell » Fri Apr 22, 2016 5:16 pm

Thankfully I can help with that one :)
(I'd feel pretty bad if I couldn't after that)

I usually use this to check invalid attempts to prevent people from *DISABLING them selves, but it will work for what you want to do:

Replace USERPROFILEHERE with a valid user profile.

Code: Select all

<?php

require 'ToolkitService.php';


/*===============================
 *  QSYRUSRI - USRI0100
 * 0 0 BINARY(4) Bytes returned
 * 4 4 BINARY(4) Bytes available
 * 8 8 CHAR(10) User profile name
 * 18 12 CHAR(13) Previous sign-on date and time
 * 31 1F CHAR(1) Reserved
 * 32 20 BINARY(4) Sign-on attempts not valid
 * 36 24 CHAR(10) Status
 * 46 2E CHAR(8) Password change date
 * 54 36 CHAR(1) No password indicator
 * 55 37 CHAR(1) Reserved
 * 56 38 BINARY(4) Password expiration interval
 * 60 3C CHAR(8) Date password expires
 * 68 44 BINARY(4) Days until password expires
 * 72 48 CHAR(1) Set password to expire
 * 73 49 CHAR(10) Display sign-on information
 *
 */

$xml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<script><pgm lib="QSYS" name="QSYRUSRI">
		<parm comment="">
		<ds var="USER">
			<data var="BytesReturn" type="10i0"/>
			<data var="BytesAvail" type="10i0"/>
			<data var="UserName" type="10a"/>
			<data var="PrevSignon" type="13a"/>
			<data var="Reserved" type="1a"/>
			<data var="InvldAtmpt" type="10i0"/>
			<data var="Status" type="10a"/>
			<data var="PWDDate" type="8a"/>
			<data var="NOPWD" type="1a"/>
			<data var="Reserved1" type="1a"/>
			<data var="ExpInterval" type="10i0"/>
			<data var="DatePWDExp" type="8a"/>
			<data var="DaysPWDExp" type="10i0"/>
			<data var="SetPWDExp" type="1a"/>
			<data var="DSPSignon" type="10a"/>
			<data var="LocalPWD" type="1a"/>
		</ds>
		</parm>
		<parm comment="LENGTH" io="in">
			<data var="LENGTH" type="10i0">84</data>
		</parm>
		<parm comment="FORMAT" io="in">
			<data var="FORMAT" type="8a">USRI0100</data>
		</parm>
		<parm comment="USERNAME" io="in">
			<data var="USERNAME" type="10a">USERPROFILEHERE</data>
		</parm>
		<parm comment="">
		<ds var="ERRDS">
			<data var="provided" type="10i0"/>
			<data var="available" type="10i0"/>
			<data var="Exception" type="7a"/>
			<data var="reserved" type="1a"/>
			<data var="data" type="10a"/>
		</ds>
	</parm>
</pgm></script>';
$conn = db2_pconnect ( '*LOCAL', 'someone', 'password' );
$xmlstring = ToolkitService::getInstance ( $conn )->ExecuteProgram ( $xml );
echo "<pre>";
// returned XML
var_dump ( htmlspecialchars ( $xmlstring ) );
// Remove non-printables
$xmlstring = preg_replace('/[[:^print:]]/', '', $xmlstring);
// Load it ignoring CDATA
$xml = simplexml_load_string ( ( string ) $xmlstring, 'SimpleXMLElement', LIBXML_NOCDATA );
// Convert to json
$json = json_encode ( $xml );
// Back to an array
$usr_chk = json_decode ( $json, TRUE );
// Crappy way to have to get to it
var_dump($usr_chk['pgm']['parm'][0]['ds']['data'][12]);

https://www.ibm.com/support/knowledgece ... yrusri.htm has the datastructures you can use (if you want more/different info.
https://www.ibm.com/support/knowledgece ... #HDRSRIRA5 has the field descriptions, this is the one you are interested in is

Days until password expires. The number of days until the password will expire.
This field contains one of the following values:
0 The password is expired.
1-7 The number of days until the password expires.
-1 The password will not expire in the next 7 days.

So you only get 7 days warning, unless you can get the DatePWDExp field to work, but I've given up on trying since it looks like it is returning either garbage or ebcidic or I"m calling with the wrong data type.

If you have any questions or you can get the DatePWDExp fixed let me know.

Scott

jord1322
Posts: 36
Joined: Mon Nov 03, 2014 3:49 pm
Location: Concord, North Carolina

Re: Detecting Soon to Expire Password

Post by jord1322 » Fri Apr 22, 2016 6:49 pm

That worked perfectly! Thanks so much!

I'll admit I've never used the Toolkit in that format, using straight XML. I've always used the PgmCall() method and passed an array of parameters. I think I like the XML setup though.

Thanks so much. Now I just have to figure out how to change and user's password, and from what I can tell I cannot use the QSYRUPWD for security reasons. This could be fun.

Again, thanks so much!
Thanks,
Jordon Greene
PHP Full Stack Developer
SHOE SHOW, Inc.

scottgcampbell
Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Detecting Soon to Expire Password

Post by scottgcampbell » Fri Apr 22, 2016 7:31 pm

We do password reset/change using QSYCHGPW in an RPGLE program called from PHP, but to do a reset (*NOPWD for the current password) you first have to switch to a user profile with *SECADM.

Scott

jord1322
Posts: 36
Joined: Mon Nov 03, 2014 3:49 pm
Location: Concord, North Carolina

Re: Detecting Soon to Expire Password

Post by jord1322 » Fri Apr 22, 2016 8:00 pm

I just sent that to my boss and he agrees that is what we need to use as well. I'm looking at the setup for it now. Where it has * for the lengths in CHAR(*) on your previous example those were both data structures I believe, but I don't know what they are for the Current and New Password parameters in the QSYCHGPW call. Could you possibly give me an example of doing that one?
Thanks,
Jordon Greene
PHP Full Stack Developer
SHOE SHOW, Inc.

scottgcampbell
Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Detecting Soon to Expire Password

Post by scottgcampbell » Fri Apr 22, 2016 8:31 pm

Sorry, don't do that from PHP, I just call an RPG program that checks a few things and then calls it. In the RPG though I have them defined as 10a

Code: Select all

D CHGPWD          PR                  EXTPGM('QSYCHGPW') 
D   USER                        10                       
D   OLDP                        10                       
D   NEWP                        10                       
D   ERRDS                       15                       
D   CurrPwdSiz                  10I 0                    
D   PWDCCSID                    10I 0                    
D   NewPwdSiz                   10I 0                    
D   NWPDCCSID                   10I 0                    
So those sizes might work from PHP, haven't tested it though.

Scott

Post Reply