Trying to Change AD Password from GW2014 failing

Hello,

I've got the Caledonia books by Danita and I am preparing to upgrade / move our GW2012 edirectory system to 2014, then migrating that to AD. In preparation, I have set up a test GW2014 server and set it to authenticate LDAP against AD. I was easily able to get a user to sync and login to both the 2014 client and webaccess. However, when I try to change the password for this user through either client, the attempt fails with the following error in the POA:

17:10:43 4233 Error: LDAP failure detected [D06B] User:gw2014test (gw2014test)

The closest TID I have seen on this is for GW 2012 where it says that LDAP passwords in GroupWise were designed to work with eDirectory so the function does not work in other LDAP servers?!

Any help would be much appreciated!

Thanks

  • You can change your AD password via the GW 2014 client, however, due to requirements of AD, the LDAP session must be SSL'ized to do so. So you'll have to export the CA cert that your AD LDAP process is using and import it into the AD directory configuration in GW Admin Console. Here are the high-level steps to getting the AD cert:

    • Run MMC on the Domain Controller

    • Add the “Certificates” Snap-In for the Computer account. (File | Add/Remove Snap-Ins)

    • Find the certificate issued to the domain controller in the “Personal/Certificates” folder.

    • View the certification path for the certificate, locate the CA and view its properties.

    • Export the CA certificate as a DER or PEM file


    --Morris



    >>> davearre<davearre@no-mx.forums.novell.com> 7/31/2014 3:36 PM >>>




    Hello,

    I've got the Caledonia books by Danita and I am preparing to upgrade /
    move our GW2012 edirectory system to 2014, then migrating that to AD. In
    preparation, I have set up a test GW2014 server and set it to
    authenticate LDAP against AD. I was easily able to get a user to sync
    and login to both the 2014 client and webaccess. However, when I try to
    change the password for this user through either client, the attempt
    fails with the following error in the POA:

    17:10:43 4233 Error: LDAP failure detected [D06B] User:gw2014test
    (gw2014test)

    The closest TID I have seen on this is for GW 2012 where it says that
    LDAP passwords in GroupWise were designed to work with eDirectory so the
    function does not work in other LDAP servers?!

    Any help would be much appreciated!

    Thanks


  • Hi, Morris,

    Awesome, thank you that worked!! After I posted my question I tried to do the SSL but got LDAP error 81 on the POA because I exported the DC's certificate and not the CA's. Once I followed your steps and exported the CA certificate I was able to login and change the password without error in both the client and webaccess.

    One more question, I tried to do a "user must change their password on next login", which is what we do now with eDirectory with new teachers especially in the summertime, they can change passwords from home before they arrive. With edir and an expired password, Webaccess puts up a page for them to change their password. It also does this at password expiration time. When I set the user must change password in AD, I could no longer log into webaccess at all, it acted like the password was incorrect. Is there a trick to get the change password page prompt in Webaccess or is this something not available with AD as the authentication source?

    Thanks for your quick help!
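The MMC export steps, and the error 81 mix-up described above (DC certificate exported instead of the CA's), can be scripted on the domain controller. This PowerShell is an added example, not code from anyone in the thread: it walks the DC certificate's certification path and exports only a certificate marked as a CA. The rule for picking the DC certificate and the output path are assumptions.

```powershell
# Added example (not from the original thread); run elevated on the domain controller.
# Assumptions: the DC's LDAPS certificate is the Server Authentication certificate in
# LocalMachine\My with the latest expiry; $outBase is a hypothetical path in an existing folder.
$serverAuth = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU OID
$outBase    = 'C:\Temp\ad-ldaps-ca'   # files get .der / .pem appended

# Find the certificate issued to the domain controller (Personal/Certificates).
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $dcCert) { throw 'No Server Authentication certificate in LocalMachine\My.' }

# Build the certification path; the last element is the top of the path.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # path building only, no CRL fetch
[void]$chain.Build($dcCert)
$elements = $chain.ChainElements
if ($elements.Count -lt 2) { throw 'No issuing CA found in the local stores.' }
$caCert = $elements[$elements.Count - 1].Certificate

# Refuse to export anything that is not a CA certificate (e.g. the DC's own).
$bc = $caCert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw "Top of path '$($caCert.Subject)' is not marked as a CA."
}

# Export as DER, and as PEM with 64-character base64 lines.
$der = $caCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("$outBase.der", $der)
$b64Lines = [Convert]::ToBase64String($der) -split '(.{64})' | Where-Object { $_ }
$pem = @('-----BEGIN CERTIFICATE-----') + $b64Lines + '-----END CERTIFICATE-----'
Set-Content -Path "$outBase.pem" -Value $pem -Encoding Ascii

"DC certificate : $($dcCert.Subject) [$($dcCert.Thumbprint)]"
"Exported CA    : $($caCert.Subject) [$($caCert.Thumbprint)]"
```

The two thumbprints printed at the end should differ; the exported file is the one to import into the AD directory configuration in the GW Admin Console.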



  • I don't believe there is a way to check for expired pwd. I'll check with developers though.



    --Morris



    >>> davearre<davearre@no-mx.forums.novell.com> 8/1/2014 4:36 AM >>>




    Hi, Morris,

    Awesome, thank you that worked!! After I posted my question I tried to
    do the SSL but got LDAP error 81 on the POA because I exported the DC's
    certificate and not the CA's. Once I followed your steps and exported
    the CA certificate I was able to login and change the password without
    error in both the client and webaccess.

    One more question, I tried to do a "user must change their password on
    next login", which is what we do now with eDirectory with new teachers
    especially in the summertime, they can change passwords from home before
    they arrive. With edir and an expired password, Webaccess puts up a page
    for them to change their password. It also does this at password
    expiration time. When I set the user must change password in AD, I could
    no longer log into webaccess at all, it acted like the password was
    incorrect. Is there a trick to get the change password page prompt in
    Webaccess or is this something not available with AD as the
    authentication source?

    Thanks for your quick help!

