OES client able to login with a differing case password

OES user with ID from well before Universal Password was configured, and somehow missed the push to change passwords (the client was rather soft on the change, please rather than forced)
Windows PW and eDir password are different only by the case of the first character.

All the LDAP based logins work correctly with the lowercase password, and fail with the mixed case version.  Windows local is the mixed case, and OES client works just fine with it which is my worry.

Versions, this has slid by without a problem until recently, so from the end of NetWare days, to now current OES (other parts may vary)

I am assuming a forced reset will fix this (aimed for tomorrow, once her new Laptop is otherwise ready).  But why is this working now?  I can log in with the OES client from other systems just fine with either case, which is suspect. 


An oddity found in testing. Even though I disconnected after each test login, we still ran out of simultaneous logins.  So there is a small lag in the accounting of them for that particular limit, but at least we could change that limit for the user while we sort this out.

________________________

Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • Suggested Answer

    0  

    I'm not sure I follow all of what you said. I came across this but don't know if it is applicable.

    Enforcing Case-Sensitive Universal Passwords

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • 0  

    Hello Andy,

    I want to add something to my post, I had forgotten nmas and overlooked the link from Kevin. Kevin gives the first good quick tip to investigate. But there are really other topics that correspond to what I have thrown into the room.

    Yes, the problem exists exactly as you described. It is an upper-case lower-case problem. I even remember that it affected some special characters. If I remember correctly it is a configuration problem of the NDS and is, if I remember correctly, due to entries in the nam.conf and something else that I really can't think of. Open a case, the backliners know immediately where to go. I'll rummage around in my head, I had this issue with a big customer and I think I wrote scripts to filter out the users who have this problem with the Universal password.

    Please look for the diagpwd tool if it is available in your OES installation.  One thing in the whole topic is also important, the replica design of your NDS on site. To explain this in one sentence is too complex, it needs a deep dive. Sorry

    Further keywords are SDI Domain Key servers and SDI consistency. Unfortunately, I have no information about the OES version and eDir versions of the servers in the tree.

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    Universal password rules were set up, but it was late in the game before I could push them that far. And then they wouldn't force users to change passwords, only ask nicely to please change passwords.  So there are a number of users who still have their 5 lower case letter (or all number) passwords.  It is those user/passwords we have the issues with.

    I had been with the understanding that the old, simple NetWare passwords had been case-sensitive, and it is these I am asking about. It looks like I was just missing that they were case-insensitive, and was looking for that confirmation.

    I've been testing on some older accounts that I've been begging them to change, and those I even get logged in via LDAP with varying case. 

    So is there a way to tell when a user's password was last changed, or what users have passwords that are not Universal Passwords, then we could target much more effectively.  Let's see if I can get diagpwd to help on that front.

    This client lacks a culture of security. It has been an uphill battle all along, and with a conflict-avoiding IT Director.  I keep pushing, but as an outside consultant, can only do so much.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0   in reply to   

    I'll let  reply. This really isn't where my expertise lies.

    I encountered a similar issue and was quite surprised. I remembered reading that NDS passwords were case insensitive but never gave too much thought to it. The customer was running NetWare for the past twenty years and Universal Password was never setup. It is now on OES but I have to verify everything is working as expected.

    Thank you for bringing this issue to my attention.

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • 0   in reply to   

    That tool sounds about right, but to get diagpwd to actually behave, as it is spitting errors at me from a couple of boxes that have all the partitions.

    ERROR -1 ldap_simple_bind_s
    Segmentation fault (core dumped)

    Any quick ideas? I have the CA public key, freshly exported as a DER, and converted to the PEM needed. So that should be OK.  Some packet captures up soon, as this is not something the client considers a high priority yet.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0   in reply to   

    Hello Kevin, thank you for your words, they strengthen me and make me feel good.

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    Problem running diagpwd

    There is a similar topic here. I also had the error, in my case it was a defective pem file. If I remember correctly, none of them can be used

    For me it's around 9 pm in the evening. I'll call it a day today. I hope I can write a few lines about ldap traces tomorrow, using the NDS on 636 to see if a der or pem is ok. The ndstrace is also a great tool for tracking down defects that Andy has, so I should also write a short sentence about it. You can also use this topic if the messenger doesn't want to work with GroupWise ldap or the mobility has a cough with the eDir or GroupWise when it comes to user or group add.

    George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    diagpwd isn't initiating a TLS connection like any other LDAP tools, so it is clearly failing on that front.

    Packet capture shows just the basic TCP handshake up and down with diagpwd.  

    I think a patching and restart of that server is part of what I'll be doing, and calling it a week. Though no OES related patches, just SLES level.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.
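    Two things in this thread point at the client-side inputs before anything else: George's note that his diagpwd failure was a defective pem file, and Andy's capture showing diagpwd never starts a TLS handshake on 636. The following is an added example, not code from the thread or from the diagpwd tool, for checking those two inputs independently of diagpwd: it converts an exported DER CA certificate to PEM the same way `openssl x509 -inform DER -outform PEM` would, checks that a PEM file is structurally sound (envelope present, body is valid base64, the decoded bytes are one complete DER SEQUENCE rather than a truncated or padded one), and optionally attempts a plain TLS handshake against LDAPS on 636 using that CA file so a failure can be attributed to the certificate or the listener rather than to the tool. The sample DER bytes, the host name and the file paths are constructed placeholders.

```python
"""Structural check of a CA PEM file and an LDAPS (636) TLS probe.

Added example, not part of the thread or of diagpwd. Assumes the CA
certificate was exported from eDirectory as DER and converted to PEM,
and that LDAPS listens on port 636 on the server under test.
"""
import base64
import socket
import ssl
import sys
from typing import List, Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _der_sequence_total_length(der: bytes) -> Optional[int]:
    """Total encoded size of the DER SEQUENCE at offset 0, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: str) -> List[str]:
    """Return structural problems found in a PEM certificate; empty list means it looks sane."""
    problems: List[str] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_HEADER:
        problems.append("missing BEGIN CERTIFICATE header")
    if not lines or lines[-1] != PEM_FOOTER:
        problems.append("missing END CERTIFICATE footer")
    body = "".join(ln for ln in lines if ln not in (PEM_HEADER, PEM_FOOTER))
    try:
        der = base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        problems.append("body is not valid base64")
        return problems
    if not der:
        problems.append("empty body")
        return problems
    if der[0] != 0x30:
        problems.append("decoded DER does not start with a SEQUENCE tag (0x30)")
        return problems
    total = _der_sequence_total_length(der)
    if total is None:
        problems.append("malformed DER length field")
    elif total != len(der):
        problems.append(
            f"DER is truncated or has trailing bytes: header says {total} bytes, file has {len(der)}")
    return problems


def probe_ldaps(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> str:
    """Open a TLS session to LDAPS with the given CA file; return the negotiated TLS version.

    Raises socket.error if the port does not answer and ssl.SSLError if the
    handshake or certificate validation fails, which separates listener
    problems from certificate problems.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


# Constructed sample: a long-form SEQUENCE header (length 200) over dummy bytes.
# It is NOT a real certificate; it only exercises the structural checks.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))


if __name__ == "__main__":
    # usage: python check_cacert.py CA.pem [ldap-host]   (paths/host are placeholders)
    pem_path = sys.argv[1] if len(sys.argv) > 1 else "CA.pem"
    with open(pem_path, "r", encoding="ascii") as fh:
        issues = inspect_pem(fh.read())
    print("PEM structure:", "OK" if not issues else "; ".join(issues))
    if len(sys.argv) > 2 and not issues:
        print("LDAPS handshake:", probe_ldaps(sys.argv[2], pem_path))
```

    If `inspect_pem` is clean but `probe_ldaps` raises `ssl.SSLError`, the CA in the file does not validate the chain the server on 636 presents; if it raises a socket error, nothing is answering on 636, which is where an ndstrace or packet capture on the server side is the next step.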

  • 0   in reply to   

    Just very briefly, there were diagpwd versions that are actually defective, the whole thing depends on the patch status of the OES server. What I also observed was that the schema was not consistently up to date for all objects in an NDS, in this NDS objects had a timestamp for the schema which was in the future. As I said, the problem on site can be solved with diligence and a drawing that also shows how, for example, the nmas login sequence processes the topic and which services are responsible for which login. Much is based on measurements as it has already been done here

    George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0   in reply to   

    That these instances of diagpwd are not initiating TLS is a strong indicator of a defect in my eyes on something that must have TLS working.  And that is long before hitting other issues along the way.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.