
Error generateKeyPair -222 DSERR_BAD_PASSWORD


NetIQ IDM 4.0.2 AE
Novell IDM 3.5.1


We have issues with some of the users while setting a random password
from within a NULL driver SUBSCRIBER EVENT-TRANSFORMATION DirXML POLICY on
the driver.

The issue happens only for a few users, not all. The random password
string complies with our password policy settings. Setting the same
password using "Set Universal Password" from iManager works.


What is causing that, and how can we verify that the random string
complies with the password policy from an external tool?

And is it possible to catch this error from the DirXML policy to notify
first line about it? We are using the DirXML Set-Password from
within Sub-Etp on the driver.

<do-set-src-password>
    <arg-string>
        <token-local-variable name="local.sub.etp.randomPassword"/>
    </arg-string>
</do-set-src-password>


===============TRACE===================================

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.13.20090903 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify-password class-name="User" dest-dn="user" dest-entry-id=""
event-id="IDM##1#1">
<password><!-- content suppressed --></password>
<operation-data>
<entitlement-impl id="xxxxxxxxxxxxxx"
name="ENT_ADMINPasswordReset" qualified-src-dn="user" src="AF"
src-dn="user" src-entry-id="230813" state="1">{enter Entitlement param
here}</entitlement-impl>
</operation-data>
</modify-password>
</input>
</nds>
[04/02/14 10:54:32.919]:USERAPP-ENT ST: Pumping XDS to eDirectory.
[04/02/14 10:54:32.919]:USERAPP-ENT ST: Performing operation
modify-password for user.
[04/02/14 10:54:32.924]:USERAPP-ENT ST: Modifying password for entry
user.
[04/02/14 10:54:32.938]:USERAPP-ENT ST: Processing returned document.
[04/02/14 10:54:32.938]:USERAPP-ENT ST: Processing operation <status>
for .
[04/02/14 10:54:32.938]:USERAPP-ENT ST:
DirXML Log Event -------------------
Driver: \IDM\DriverSet\USERAPP-ENT
Channel: Subscriber
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: generateKeyPair -222 DSERR_BAD_PASSWORD
[04/02/14 10:54:32.968]:USERAPP-ENT ST: Direct command from policy
result
[04/02/14 10:54:32.969]:USERAPP-ENT ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.13.20090903 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="IDM" level="error"
type="password-set-operation">Code(-9010) An exception occurred:
novell.jclient.JCException: generateKeyPair -222
DSERR_BAD_PASSWORD<operation-data>
<entitlement-impl id="***************************"
name="AdminPasswordReset" qualified-src-dn="user" src="AF" src-dn="user"
src-entry-id="230813" state="1">{enter Entitlement param
here}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>USERAPP-ENT</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>


--
belaie
------------------------------------------------------------------------
belaie's Profile: https://forums.netiq.com/member.php?userid=308
View this thread: https://forums.netiq.com/showthread.php?t=50426


Re: Error generateKeyPair -222 DSERR_BAD_PASSWORD

belaie wrote:

> NetIQ IDM 4.0.2 AE
> Novell IDM 3.5.1


Can you try running this null driver against the 4.0.2 server instead of the 3.5.1 server?

>
> We have issues with some of the users while setting a random password
> from within a NULL driver SUBSCRIBER EVENT-TRANSFORMATION DirXML POLICY on
> the driver.
>
> The issue happens only for a few users, not all. The random password
> string complies with our password policy settings. Setting the same
> password using "Set Universal Password" from iManager works.



Your "modify-password" event sets the NDS password.

You should change this to a modify that sets the "nspmDistributionPassword" instead as this actually sets the universal password.

There are a set of standard password policy rules that handle this, but they are designed for use on the publisher channel.

This is an example (if you change the "false" to "true", then it will check if the new password meets the password policy settings):

<rule>
    <description>Set to random password</description>
    <conditions>
        <and/>
    </conditions>
    <actions>
        <!-- Add modify-attr element for nspmDistributionPassword attribute -->
        <do-add-src-attr-value name="nspmDistributionPassword">
            <arg-value type="string">
                <token-local-variable name="local.sub.etp.randomPassword"/>
            </arg-value>
        </do-add-src-attr-value>
        <!-- Add a event-id attribute to previous modify element -->
        <do-set-xml-attr expression="../modify" name="event-id">
            <arg-string>
                <token-text>pwd-publish</token-text>
            </arg-string>
        </do-set-xml-attr>
        <!-- Add a validate-password attribute to previous add-attr element -->
        <do-set-xml-attr expression="../modify/modify-attr[@attr-name='nspmDistributionPassword']" name="enforce-password-policy">
            <arg-string>
                <token-text xml:space="preserve">false</token-text>
            </arg-string>
        </do-set-xml-attr>
    </actions>
</rule>
>
>
> And is it possible to catch this error from the Dirxml policy to notify
> first line about it? We are using the Dirxml Set-Password from
> within Sub-Etp on the driver.


Not possible on IDM 3.5.1 but yes on IDM 4.0

See this thread: https://forums.netiq.com/showthread.php?8785-Detect-error-when-updating-source-attribute&p=41297#post41297


Alternatively, convert this null driver to a Loopback driver and do the processing on the publisher channel. That way you can take advantage of the standard password policy rules (available as a package in IDM 4.x)
Also you can more easily detect errors and act on them.

When customers have asked for this type of facility - we've solved it with a workflow + entity activity + loopback driver.



--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
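As an added example (not code from this thread, NetIQ or Novell), the Python below addresses the two practical questions in the original post: pre-checking the generated string against a password policy before the policy tries to set it, and parsing the XDS output document from the trace so the generateKeyPair -222 DSERR_BAD_PASSWORD status can be picked up and forwarded to first line. The rules in POLICY are constructed assumptions and must be replaced with the rules of the deployed nspmPasswordPolicy; the sample document is the output document from the trace above, with the entitlement id masked as it was there.

```python
"""Added example, not NetIQ/Novell code: pre-check a generated password against an
assumed policy, and extract password-set errors from an XDS <status> document."""
import re
import xml.etree.ElementTree as ET

# Assumed policy, constructed for this example. The real rules live in the
# nspmPasswordPolicy object; adjust these to match the deployed policy.
POLICY = {
    "min_length": 8,
    "max_length": 64,
    "min_digits": 1,
    "min_upper": 1,
    "min_lower": 1,
    "max_repeated": 2,        # no single character may occur more than this often
    "allow_extended": False,  # reject anything outside printable ASCII
}


def check_password(candidate: str, policy: dict = POLICY) -> list:
    """Return the names of the policy rules the candidate violates (empty list = compliant)."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("min_length")
    if len(candidate) > policy["max_length"]:
        violations.append("max_length")
    if sum(c.isdigit() for c in candidate) < policy["min_digits"]:
        violations.append("min_digits")
    if sum(c.isupper() for c in candidate) < policy["min_upper"]:
        violations.append("min_upper")
    if sum(c.islower() for c in candidate) < policy["min_lower"]:
        violations.append("min_lower")
    if any(candidate.count(c) > policy["max_repeated"] for c in set(candidate)):
        violations.append("max_repeated")
    if not policy["allow_extended"] and any(not 32 <= ord(c) < 127 for c in candidate):
        violations.append("allow_extended")
    return violations


# Output document copied from the trace posted in this thread (entitlement id masked).
SAMPLE_OUTPUT = """<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.13.20090903 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="IDM" level="error"
type="password-set-operation">Code(-9010) An exception occurred:
novell.jclient.JCException: generateKeyPair -222
DSERR_BAD_PASSWORD<operation-data>
<entitlement-impl id="***************************"
name="AdminPasswordReset" qualified-src-dn="user" src="AF" src-dn="user"
src-entry-id="230813" state="1">{enter Entitlement param
here}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>USERAPP-ENT</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>"""

# eDirectory error code followed by its symbolic name, e.g. "-222 DSERR_BAD_PASSWORD"
DS_ERROR = re.compile(r"(-\d+)\s+(DSERR_[A-Z_]+)")


def password_set_errors(xds_text: str) -> list:
    """Parse an XDS output document and return one dict per <status level="error">,
    with the eDirectory error code and name pulled out of the message when present."""
    root = ET.fromstring(xds_text)
    found = []
    for status in root.iter("status"):
        if status.get("level") != "error":
            continue
        # status.text is the message before the first child element; collapse whitespace
        message = " ".join((status.text or "").split())
        entry = {
            "event_id": status.get("event-id"),
            "type": status.get("type"),
            "module": (status.findtext("module") or "").strip(),
            "message": message,
            "ds_code": None,
            "ds_name": None,
        }
        match = DS_ERROR.search(message)
        if match:
            entry["ds_code"] = int(match.group(1))
            entry["ds_name"] = match.group(2)
        found.append(entry)
    return found


if __name__ == "__main__":
    print(check_password("NoDigitsHere"))
    for err in password_set_errors(SAMPLE_OUTPUT):
        print(err["module"], err["type"], err["ds_code"], err["ds_name"])
```

The parser works on the output document the engine returns for the direct command, which is where the status lands whether the error can be caught inside the policy (IDM 4.0) or only read from the trace (IDM 3.5.1); feeding it the trace output lets a monitoring job raise a ticket on any password-set-operation status at level error instead of waiting for a user to report a failed login.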

Re: Error generateKeyPair -222 DSERR_BAD_PASSWORD


Hello


Do you mean <do-add-src-attr-value name="nspmDistributionPassword"> not
Set ???


Regards,
M.



Re: Error generateKeyPair -222 DSERR_BAD_PASSWORD

belaie wrote:

>
> Hello
>
>
> Do you mean <do-add-src-attr-value name="nspmDistributionPassword"> not
> Set ???


I just copied that code from the standard password policies (the only change I made was to switch from do-add-dest-attr-value to do-add-src-attr-value).
This code is used in most of the shipping driver configs that support password sync version 2.0 so should work just fine.

Don't actually think set vs add makes a lot of difference as this is a special attribute in eDirectory.


Re: Error generateKeyPair -222 DSERR_BAD_PASSWORD


I tried the rules setting the distribution password. The result was that
the password expiration date on the user changed to 90 days in the
future.

When setting the NDS password the password expiration time didn't change,
so if the user didn't change the password within 4 hours we had the
possibility to deactivate his account. But now it's setting 90 days in the
future, which opens security concerns.

But the first question was, why did setting the NDS password on some users
actually cause Error generateKeyPair -222 DSERR_BAD_PASSWORD? How can we
find the reason for it?

alexmchugh;242890 Wrote:
> belaie wrote:
>
> > Hello
> >
> > Do you mean <do-add-src-attr-value name="nspmDistributionPassword"> not
> > Set ???
>
> I just copied that code from the standard password policies (the only
> change I made was to switch from do-add-dest-attr-value to
> do-add-src-attr-value).
> This code is used in most of the shipping driver configs that support
> password sync version 2.0 so should work just fine.
>
> Don't actually think set vs add makes a lot of difference as this is a
> special attribute in eDirectory.




Re: Error generateKeyPair -222 DSERR_BAD_PASSWORD

belaie wrote:

> I tried the rules setting the distribution password. The result was that
> the password expiration date on the user changed to 90 days in the
> future.
>
> When setting the NDS password the password expiration time didn't change,
> so if the user didn't change the password within 4 hours we had the
> possibility to deactivate his account. But now it's setting 90 days in the
> future, which opens security concerns.


Do you have "do not expire the user's password when the administrator sets the password" set in your password policy's advanced password rules?

Did you set enforce-password-policy to false or true?
Are you trying this on the IDM 3.5.1 box or the IDM 4 box? What version of eDirectory are you running?

> But the first question was, why did setting the NDS password on some users
> actually cause Error generateKeyPair -222 DSERR_BAD_PASSWORD? How can we
> find the reason for it?


I'm not sure; the error message indicates that this is related to "a password that was already expired and had used up all their grace logons". Could these users have been in that situation?
Unless you are only syncing passwords to/from eDirectory, you're likely best off moving away from NDS password to universal password.
