
Identity Management and password length problem

Hi All,

We are implementing the Identity Management Solution of IBM and we have two SAP landscapes: one for SAP R/3 4.6C (it will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6C the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and afterwards (when the password expires) he changes only the last two characters, then on SAP 4.6C (by virtue of the truncation) the password change is not allowed because the new and the old password aren't different. How can we solve this problem? Is it possible with a workaround to set a new password that is equal to the old? We have already solved the problem of password history, that is, we haven't any history.

Thanks and regards

Bob

4 Answers

  • Best Answer
    Jul 29, 2008 at 08:53 AM

    Hi Bob,

    Try to change the length of the password with the parameter login/min_password_lng.

    Later on, when the 4.6C version is upgraded, you can set the parameter login/password_change_for_SSO (Handling of password change enforcements in Single Sign-On situations) to check if the users need to change the password.

    Additionally check other login/* parameters.

    Regards,

    Srihari


    • Former Member

      A last little note from me: The 2nd sentence in Tim's 2nd post is true in my experience. If you look in the FAQ sticky thread at the top of the forum page, you will find a link in the SSO category which will help you further.

      Cheers,

      Julius

  • Jul 29, 2008 at 08:17 AM

    Bob,

    I think you will find that max password length is not configurable.

    Perhaps you should consider implementing a Single Sign-On solution, so that you can use passwords that are managed outside of SAP (e.g. in Active Directory), and then you won't have to reduce the SAP system security by removing password history etc. In this case, the passwords in SAP systems are deactivated, and not used.

    An identity management product is not designed for SSO, and should be used as well as a Secure SSO solution.

    If you need any help with this, please let me know.

    Thanks,

    Tim


    • Bob,

      If your aim is to implement SSO in the medium/long term, and you are looking for a workaround, I suggest you tell your users to use passwords which are no longer than 10 characters.

      I also suggest you start to look into SSO solutions, as it might not be as expensive as you think it might be. I have worked with many companies who have been surprised how easy it is to implement such a solution, and they are surprised at the low license costs.

      Regards,

      Tim

  • Jul 30, 2008 at 06:46 AM

    > Hi All,

    > we are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem?

    Hi Bob,

    As you only need a workaround until your 4.6C system is upgraded, I strongly recommend not to play around with direct DB access actions or the like.

    I suggest limiting the password length, until all your systems accept longer passwords, to the old length of 8 with the parameter login/password_downwards_compatibility=5 in your 7.00 systems.

    That way you avoid all the mentioned problems, as in your landscape only passwords with length=8 are valid.

    After you have upgraded, you can then easily switch to the 'new' longer passwords.

    b.rgds, Bernhard


    • Former Member

      Hi Bernhard,

      what you described is exactly the temporary solution that we have implemented.

      Cheers,

      Bob
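The truncation failure from the question and the length cap from the answer above, written as a pre-check an identity-management front end could run before pushing a password change to every system. This is an added example, not part of the original thread and not IBM or SAP code; the `Target` type, the function names, the sample passwords and the 40-character limit for the 7.0 system are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    max_len: int  # number of leading characters the system keeps


# Constructed landscape: 8 is the 4.6C limit stated in the thread;
# 40 for the 7.0 system is an assumption of this example.
LANDSCAPE = [Target("R/3 4.6C", 8), Target("BI 7.0", 40)]


def effective(password: str, target: Target) -> str:
    """Password as the target system would keep it after truncation."""
    return password[: target.max_len]


def check_change(old: str, new: str, targets=LANDSCAPE) -> dict:
    """Map each problem system to the reasons a synced change would fail."""
    findings = {}
    for t in targets:
        reasons = []
        if len(new) > t.max_len:
            reasons.append("truncated")  # stored value differs from what was typed
        if effective(old, t) == effective(new, t):
            reasons.append("unchanged")  # system sees old == new and rejects
        if reasons:
            findings[t.name] = reasons
    return findings


def common_max_len(targets=LANDSCAPE) -> int:
    """Longest length that every system keeps in full (the temporary cap)."""
    return min(t.max_len for t in targets)


def accept(old: str, new: str, targets=LANDSCAPE) -> bool:
    """Gate: allow the change only if it fits and differs on every system."""
    return len(new) <= common_max_len(targets) and not check_change(old, new, targets)


if __name__ == "__main__":
    # Constructed passwords: only characters 9 and 10 change.
    print(check_change("Summer20ab", "Summer20cd"))
    print(accept("Summer20", "Winter08"))
```
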

  • Jul 30, 2008 at 09:14 AM

    > Hi All,

    > we are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem? Is it possible with a workaround to set a new password that is equal to the old? We have already solved the problem of passwords history that is we haven't any history.

    > Thanks and regards

    > Bob

    Reading this I get the impression that you are (attempting to) synchronize passwords.

    Kindly have a look at [SAP Note 376856|https://service.sap.com/sap/support/notes/376856], which provides you some good reasons why such an approach is subject to failure (by its nature). I agree with Tim: SSO is the recommended solution.
