Minimum password length UP expires LDAP account

Hi,

We are running fully patched OES2015SP1 servers.
We are busy changing our users to stronger passwords: we created a universal password policy with minimum numbers, numbers, alpha, etc. The universal password policy is set to not verify passwords on logon.
This works fine.

Then we changed the minimum characters of a password from 5 to 11 in the policy. Since we changed the minimum characters we got the issue that some accounts expired: the expiry date is 1970, and they are out of grace logins.
As I did some investigation, the users who have the issue had a password shorter than 11 characters.
The users with a Micro Focus client who do not use LDAP applications have no issues.
The users with a Micro Focus client who use LDAP applications have expiry problems.

Workaround:
- change the password to a password longer than 11 characters
- set a universal policy with a minimum of 5 characters.

I found this: https://www.novell.com/support/kb/doc.php?id=3565677

Is this normal behaviour and what can we do about it?

Kr, Joeri
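One way to inventory which accounts are in the state described above (expiry date at the 1970 epoch, no grace logins left) before resetting them is to parse the LDIF from an ldapsearch against eDirectory. The script below is an added example for this thread, not something posted by any participant or shipped by Micro Focus. It assumes the usual eDirectory attribute names passwordExpirationTime and loginGraceRemaining, and the LDIF it reads is constructed sample data, not output from the poster's tree.

```python
"""Inventory eDirectory accounts that look like the expired-in-1970 case.

Added example for this thread: parses LDIF as printed by an ldapsearch
against eDirectory and flags user entries whose password expiration time
is at or before the Unix epoch, or already past with no grace logins left.
Attribute names (passwordExpirationTime, loginGraceRemaining) are the usual
eDirectory ones but are an assumption here; the LDIF below is constructed.
"""
from datetime import datetime, timezone

# Constructed sample output, in the shape `ldapsearch -LLL` prints it.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=example
cn: alice
passwordExpirationTime: 19700101000000Z
loginGraceRemaining: 0

dn: cn=bob,ou=users,o=example
cn: bob
passwordExpirationTime: 20190315120000Z
loginGraceRemaining: 6

dn: cn=carol,ou=users,o=example
cn: carol
passwordExpirationTime: 20180901000000Z
loginGraceRemaining: 0

dn: cn=dave,ou=users,o=example
cn: dave
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Split LDIF into entries; returns a list of dicts attr -> [values]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Convert LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now):
    """Return a label for the entry's password state, or None if healthy."""
    exp_values = entry.get("passwordExpirationTime")
    if not exp_values:
        return None  # no expiration set on this account
    expires = parse_generalized_time(exp_values[0])
    graces = int(entry.get("loginGraceRemaining", ["0"])[0])
    if expires <= EPOCH:
        return "expired-epoch"  # the 1970 symptom from the thread
    if expires < now and graces == 0:
        return "expired-no-grace"
    if expires < now:
        return "expired-graces-left"
    return None


def find_affected(ldif_text, now=None):
    """Return {dn: label} for every entry that is not in a healthy state."""
    now = now or datetime.now(timezone.utc)
    result = {}
    for entry in parse_ldif(ldif_text):
        label = classify(entry, now)
        if label:
            result[entry["dn"][0]] = label
    return result


if __name__ == "__main__":
    for dn, label in find_affected(SAMPLE_LDIF).items():
        print(f"{label:20} {dn}")
```

Feed it real output by piping an ldapsearch for the user container, requesting only those two attributes, into the script in place of SAMPLE_LDIF; accounts labelled expired-epoch are the ones whose expiry was rewritten to 1970 and are the first to reset.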
  • If you do not have the 'Verify existing password complies with policy'
    option checked, as you stated, then I do not think it should behave that
    way. That TID is really old, so I would think any issue there has long
    since been fixed. Which version of eDirectory and NMAS do you have on there?


    rpm -qa | grep -i -e nmas -e ndsserv


    If you can duplicate this it may be worth reporting to Micro Focus
    officially via a Service Request (SR).

    Out of curiosity, do you have the NMAS client installed AND enabled in the
    OES client? I presume so, since otherwise your setup is a bit odd, but it
    is probably worth verifying in case something about your client deployment
    is missing that, which may explain why non-LDAP folks do not have issues,
    since that may mean that they never use NMAS.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • ab;2487639 wrote:
    If you do not have the 'Verify existing password complies with policy'
    option checked, as you stated, then I do not think it should behave that
    way. That TID is really old, so I would think any issue there has long
    since been fixed. Which version of eDirectory and NMAS do you have on there?


    rpm -qa | grep -i -e nmas -e ndsserv


    If you can duplicate this it may be worth reporting to Micro Focus
    officially via a Service Request (SR).

    Out of curiosity, do you have the NMAS client installed AND enabled in the
    OES client? I presume so, since otherwise your setup is a bit odd, but it
    is probably worth verifying in case something about your client deployment
    is missing that, which may explain why non-LDAP folks do not have issues,
    since that may mean that they never use NMAS.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.


    Hi Ab,

    Yes, we use the OES client and have the NMAS client installed.

    rpm -qa | grep nmas
    novell-cifs-nmas-methods-1.5.0-0.28.2
    novell-nmasclient-32bit-8.8.8.10-0.6.14.3
    novell-nmasclient-8.8.8.10-0.6.14.3
    novell-nmas-libnmasext-8.8.8.10-0.6.14.5
    novell-nmas-8.8.8.11-0.21.5
    novell-nmas-methods-8.8.8.7-0.9.3
    novell-afp-nmasmethods-1.4.0-0.13.11
    novell-nmas-libnmasext-32bit-8.8.8.10-0.6.14.5
    novell-nmas-libspmclnt-32bit-8.8.8.11-0.17.1
    novell-plugin-nmas-8.8.8.10-0.6.14.11
    novell-nmas-libspmclnt-8.8.8.11-0.17.1

    rpm -qa | grep nds
    novell-edirectory-tsands-8.8.8.11-0.22.12
    novell-ndsgrepair-8.8.8.7-0.11.5
    novell-edirectory-tsands-32bit-8.8.8.11-0.22.12
    gvfs-backends-1.4.3-0.17.21.1

    I will open an official SR.

    The application that triggers the expiring account based on the minimum password length is Nextcloud.

    Nextcloud is something similar to Filr and has a normal LDAP connection to the eDirectory.

    Kr,

    Joeri
  • On 17.09.2018 12:04, jfeyen wrote:
    >
    > ab;2487639 Wrote:
    >> If you do not have the 'Verify existing password complies with policy'
    >> option checked, as you stated, then I do not think it should behave
    >> that
    >> way. That TID is really old, so I would think any issue there has long
    >> since been fixed. Which version of eDirectory and NMAS do you have on
    >> there?
    >>
    >> Code:
    >> --------------------
    >> rpm -qa | grep -i -e nmas -e ndsserv
    >> --------------------
    >>
    >> If you can duplicate this it may be worth reporting to Micro Focus
    >> officially via a Service Request (SR).
    >>
    >> Out of curiosity, do you have the NMAS client installed AND enabled in
    >> the
    >> OES client? I presume so, since otherwise your setup is a bit odd,
    >> but it
    >> is probably worth verifying in case something about your client
    >> deployment
    >> is missing that, which may explain why non-LDAP folks do not have
    >> issues,
    >> since that may mean that they never use NMAS.
    >>
    >> --
    >> Good luck.
    >>
    >> If you find this post helpful and are logged into the web interface,
    >> show your appreciation and click on the star below.
    >>
    >> If you want to send me a private message, please let me know in the
    >> forum as I do not use the web interface often.

    >
    > Hi Ab,
    >
    > Yes, we use the OES client and have the NMAS client installed.
    >
    > rpm -qa | grep nmas
    > novell-cifs-nmas-methods-1.5.0-0.28.2
    > novell-nmasclient-32bit-8.8.8.10-0.6.14.3
    > novell-nmasclient-8.8.8.10-0.6.14.3
    > novell-nmas-libnmasext-8.8.8.10-0.6.14.5
    > novell-nmas-8.8.8.11-0.21.5
    > novell-nmas-methods-8.8.8.7-0.9.3
    > novell-afp-nmasmethods-1.4.0-0.13.11
    > novell-nmas-libnmasext-32bit-8.8.8.10-0.6.14.5
    > novell-nmas-libspmclnt-32bit-8.8.8.11-0.17.1
    > novell-plugin-nmas-8.8.8.10-0.6.14.11
    > novell-nmas-libspmclnt-8.8.8.11-0.17.1
    >
    > rpm -qa | grep nds
    > novell-edirectory-tsands-8.8.8.11-0.22.12
    > novell-ndsgrepair-8.8.8.7-0.11.5
    > novell-edirectory-tsands-32bit-8.8.8.11-0.22.12
    > gvfs-backends-1.4.3-0.17.21.1
    >
    > I will open an official SR.
    >
    > The application that triggers the expiring account based on the minimum
    > password length is Nextcloud.
    >
    > Nextcloud is something similar to Filr and has a normal LDAP connection
    > to the eDirectory.


    I think your problem is that your LDAP server doesn't use/follow NMAS
    and UP, but authenticates using the NDS password and rules.

    Try this:
    https://www.novell.com/support/kb/doc.php?id=3307424

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de