jfeyen
New Member.

Minimum password length UP expires LDAP account

Hi,

We are running fully patched OES2015SP1 servers.
We are busy changing our users to stronger passwords: we created a universal password policy with minimum numbers, numbers, alpha, etc. The universal password policy is set to not verify passwords on logon.
This works fine.

Then we changed the minimum characters of a password from 5 to 11 in the policy. Since we changed the minimum characters, we have the issue that some accounts got expired: the expiry date is 1970, and they are out of graces.
When I did some investigation, the users who have the issue had a password shorter than 11 characters.
The users with a Micro Focus client who do not use LDAP applications have no issues.
The users with a Micro Focus client who use LDAP applications have expiry problems.

Workaround:
- change the password to a password longer than 11 characters
- set a universal policy with minimum 5 chars.

I found this: https://www.novell.com/support/kb/doc.php?id=3565677

Is this normal behaviour and what can we do about it?

Kr, Joeri
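
To list which accounts show the symptom described in the post above (expiry date in 1970, no grace logins left), an LDIF export of the user container can be scanned offline. This is an added example, not part of the original post; it assumes the eDirectory attribute names passwordExpirationTime and loginGraceRemaining, and the sample entries are constructed.

```python
import base64
from datetime import datetime

# Constructed sample export; DNs and values are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=example
passwordExpirationTime: 19700101000000Z
loginGraceRemaining: 0

dn: cn=bob,ou=users,o=example
passwordExpirationTime: 20190301120000Z
loginGraceRemaining: 6

dn: cn=carol,ou=users,
 o=example
passwordExpirationTime: 19700101000000Z
loginGraceRemaining: 2

dn: cn=dave,ou=users,o=example
loginGraceRemaining: 0
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def epoch_expired(text):
    """Return (dn, grace_remaining, locked_out) for entries whose expiry is in 1970."""
    hits = []
    for entry in parse_ldif(text):
        raw = entry.get("passwordexpirationtime", [""])[0]
        try:
            expires = datetime.strptime(raw[:14], "%Y%m%d%H%M%S")
        except ValueError:
            continue  # attribute absent or not a generalized time
        if expires.year != 1970:
            continue
        g = entry.get("logingraceremaining")
        grace = int(g[0]) if g else None  # None: attribute not present
        hits.append((entry["dn"][0], grace, grace == 0))
    return sorted(hits, key=lambda h: (not h[2], h[0]))  # locked-out first
```

Accounts reported with `locked_out` set need a password change by an administrator; the others will fail once their remaining grace logins are used up.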
Knowledge Partner

Re: Minimum password length UP expires LDAP account

If you do not have the 'Verify existing password complies with policy'
option checked, as you stated, then I do not think it should behave that
way. That TID is really old, so I would think any issue there has long
since been fixed. Which version of eDirectory and NMAS do you have on there?


rpm -qa | grep -i -e nmas -e ndsserv


If you can duplicate this it may be worth reporting to Micro Focus
officially via a Service Request (SR).

Out of curiosity, do you have the NMAS client installed AND enabled in the
OES client? I presume so, since otherwise your setup is a bit odd, but it
is probably worth verifying in case something about your client deployment
is missing that, which may explain why non-LDAP folks do not have issues,
since that may mean that they never use NMAS.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
jfeyen
New Member.

Re: Minimum password length UP expires LDAP account

Hi Ab,

Yes, we use the OES client and have the NMAS client installed.

rpm -qa | grep nmas
novell-cifs-nmas-methods-1.5.0-0.28.2
novell-nmasclient-32bit-8.8.8.10-0.6.14.3
novell-nmasclient-8.8.8.10-0.6.14.3
novell-nmas-libnmasext-8.8.8.10-0.6.14.5
novell-nmas-8.8.8.11-0.21.5
novell-nmas-methods-8.8.8.7-0.9.3
novell-afp-nmasmethods-1.4.0-0.13.11
novell-nmas-libnmasext-32bit-8.8.8.10-0.6.14.5
novell-nmas-libspmclnt-32bit-8.8.8.11-0.17.1
novell-plugin-nmas-8.8.8.10-0.6.14.11
novell-nmas-libspmclnt-8.8.8.11-0.17.1

rpm -qa | grep nds
novell-edirectory-tsands-8.8.8.11-0.22.12
novell-ndsgrepair-8.8.8.7-0.11.5
novell-edirectory-tsands-32bit-8.8.8.11-0.22.12
gvfs-backends-1.4.3-0.17.21.1

I will open an official SR.

The application that triggers the expiring account based on the minimum password length is Nextcloud.

Nextcloud is something similar to FILR and has a normal LDAP connection to the eDirectory.

Kr,

Joeri
Knowledge Partner
Re: Minimum password length UP expires LDAP account

On 17.09.2018 12:04, jfeyen wrote:
> The application that triggers the expiring account based on the minimum
> password length is Nextcloud.
>
> Nextcloud is something similar to FILR and has a normal LDAP connection
> to the eDirectory.


I think your problem is that your LDAP Server doesn't use/follow NMAS
and UP, but authenticates using the NDS password and rules.

Try this:
https://www.novell.com/support/kb/doc.php?id=3307424

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de