Absent Member.

No password expiration warning

We're cropping up with a large number of users (possibly all) failing to get a notification when their passwords are about to expire. Typically this is less than 5 per week, but it's getting annoying that it's happening at all.

We're running eDir 8.8 sp4, and using Universal Password. The client version is 4.91 sp5.

Anyone have any ideas on where to start troubleshooting this? The helpdesk has been squawking about it a while, but I've been ignoring them. 🙂

Thanks,
Bill
0 Likes
10 Replies
Knowledge Partner

Re: No password expiration warning

How do the notifications happen? Is this being checked from eDirectory?
Do the users have attributes that correctly show their expiration time in
ConsoleOne or iManager? Can you reproduce this by manually setting the
expiration of a user to two days from now and then firing off the request
to get a notification however you do that?

Good luck.





rand68 wrote:
> We're cropping up with a large number of users (possibly all) failing to
> get a notification when their passwords are about to expire. Typically
> this is less than 5 per week, but it's getting annoying that it's
> happening at all.
>
> We're running eDir 8.8 sp4, and using Universal Password. The client
> version is 4.91 sp5.
>
> Anyone have any ideas on where to start troubleshooting this? The
> helpdesk has been squawking about it a while, but I've been ignoring
> them. 🙂
>
> Thanks,
> Bill
>
>

0 Likes
Absent Member.

Re: No password expiration warning

ab@novell.com;1789480 wrote:

How do the notifications happen? Is this being checked from eDirectory?
Do the users have attributes that correctly show their expiration time in
ConsoleOne or iManager? Can you reproduce this by manually setting the
expiration of a user to two days from now and then firing off the request
to get a notification however you do that?

Good luck.





Well maybe I'm too old school, but isn't the client supposed to notify the user when they login? The expiration date/time shows in their user object correctly. If you change their password as admin, and they login with the temporary password it correctly pops up and says "this password is expired, please change it"
0 Likes
Knowledge Partner

Re: No password expiration warning

Yes, it tells you when it's expired, but I don't think it's ever told you
ahead of time. There are ways to set that up (nightly job that checks the
expiration attributes and sends e-mail to the users as appropriate) but
this isn't a default feature of the client I don't think. Writing a tool
to do this is trivial and there are a couple on the CoolSolutions site to
do it. If you have Novell Identity Manager (IDM) it's also available as a
preconfig in there now too.

Good luck.





rand68 wrote:
> ab@novell.com;1789480 Wrote:
>>
>> How do the notifications happen? Is this being checked from
>> eDirectory?
>> Do the users have attributes that correctly show their expiration time
>> in
>> ConsoleOne or iManager? Can you reproduce this by manually setting
>> the
>> expiration of a user to two days from now and then firing off the
>> request
>> to get a notification however you do that?
>>
>> Good luck.
>>
>>
>>

>
>
> Well maybe I'm too old school, but isn't the client supposed to notify
> the user when they login? The expiration date/time shows in their user
> object correctly. If you change their password as admin, and they login
> with the temporary password it correctly pops up and says "this password
> is expired, please change it"
>
>

0 Likes
Absent Member.

Re: No password expiration warning

You can add something in the login script to check and warn users of it
ahead of time.


--


Peter
eDirectory Rules!
http://www.DreamLAN.com
0 Likes
Absent Member.

Re: No password expiration warning

ab@novell.com;1789513 wrote:

Yes, it tells you when it's expired, but I don't think it's ever told you
ahead of time. There are ways to set that up (nightly job that checks the
expiration attributes and sends e-mail to the users as appropriate) but
this isn't a default feature of the client I don't think. Writing a tool
to do this is trivial and there are a couple on the CoolSolutions site to
do it. If you have Novell Identity Manager (IDM) it's also available as a
preconfig in there now too.

Good luck.




Ok, maybe I wasn't completely clear, so I'll restate.

When a user's password expires normally, in that it's not changed by an admin, they are not being prompted that their password has expired. We also have the client set to not allow them to cancel the change password prompt when they are on their last grace login, but since they're never being prompted to change it, that's not kicking in either.

I do want to get advance notification working but at the moment that's on my "to do" list.

Bill
0 Likes
Knowledge Partner

Re: No password expiration warning

Do they have grace logins when this occurs? If they do they should be
prompted that the password is (not will be) expired and should get that
opportunity but if they have no grace logins they're just out of luck
since the password is expired.

Good luck.





rand68 wrote:
> ab@novell.com;1789513 Wrote:
>>
>> Yes, it tells you when it's expired, but I don't think it's ever told
>> you
>> ahead of time. There are ways to set that up (nightly job that checks
>> the
>> expiration attributes and sends e-mail to the users as appropriate)
>> but
>> this isn't a default feature of the client I don't think. Writing a
>> tool
>> to do this is trivial and there are a couple on the CoolSolutions site
>> to
>> do it. If you have Novell Identity Manager (IDM) it's also available
>> as a
>> preconfig in there now too.
>>
>> Good luck.
>>
>>
>>

>
> Ok, maybe I wasn't completely clear, so I'll restate.
>
> When a user's password expires normally, in that it's not changed by an
> admin, they are not being prompted that their password has expired. We
> also have the client set to not allow them to cancel the change password
> prompt when they are on their last grace login, but since they're never
> being prompted to change it, that's not kicking in either.
>
> I do want to get advance notification working but at the moment that's
> on my "to do" list.
>
> Bill
>
>

0 Likes
Absent Member.

Re: No password expiration warning

ab@novell.com;1789810 wrote:

Do they have grace logins when this occurs? If they do they should be
prompted that the password is (not will be) expired and should get that
opportunity but if they have no grace logins they're just out of luck
since the password is expired.



By the password policy everyone gets 3 grace logins.

Now kind of thinking through this, I think I may have stumbled upon the answer.

Ok, so suppose that user A logs in at 9:15 on the day that their password expires. Their password expires at 2:00. That afternoon, they lock and unlock their computer 3 or 4 times (we have a 15 minute idle lockout on the workstations). These unlocks would presumably use up their grace logins since it's checking credentials, but since it's not a fresh login the client wouldn't check for expiration. Then the next day they have no grace logins, and their password is expired with no "warning."

Does that scenario fit your understanding of how the client/authentication works? If so I can bump the grace logins and we should be good.

Thanks,
Bill
0 Likes
Knowledge Partner

Re: No password expiration warning

Yes that sounds right, though another fix would be to have the warning
sent ahead of time so the users are not caught unaware. Increasing grace
logins will work for now assuming they only unlock the box one time less
than they have grace logins. You could also use an IDM driver to detect
changes to password expirations and move them back to the start of the day
so a password set to expire at 1400 can be moved back to 0000 (same
timezone) and then they won't get in this situation unless they keep odd
hours.

Good luck.






rand68 wrote:
> ab@novell.com;1789810 Wrote:
>>
>> Do they have grace logins when this occurs? If they do they should be
>> prompted that the password is (not will be) expired and should get
>> that
>> opportunity but if they have no grace logins they're just out of luck
>> since the password is expired.
>>
>>

>
> By the password policy everyone gets 3 grace logins.
>
> Now kind of thinking through this, I think I may have stumbled upon the
> answer.
>
> Ok, so suppose that user A logs in at 9:15 on the day that their
> password expires. Their password expires at 2:00. That afternoon, they
> lock and unlock their computer 3 or 4 times (we have a 15 minute idle
> lockout on the workstations). These unlocks would presumably use up
> their grace logins since it's checking credentials, but since it's not a
> fresh login the client wouldn't check for expiration. Then the next day
> they have no grace logins, and their password is expired with no
> "warning."
>
> Does that scenario fit your understanding of how the
> client/authentication works? If so I can bump the grace logins and we
> should be good.
>
> Thanks,
> Bill
>
>

0 Likes
Absent Member.

Re: No password expiration warning

rand68;1789846 wrote:
By the password policy everyone gets 3 grace logins.

Now kind of thinking through this, I think I may have stumbled upon the answer.

Ok, so suppose that user A logs in at 9:15 on the day that their password expires. Their password expires at 2:00. That afternoon, they lock and unlock their computer 3 or 4 times (we have a 15 minute idle lockout on the workstations). These unlocks would presumably use up their grace logins since it's checking credentials, but since it's not a fresh login the client wouldn't check for expiration. Then the next day they have no grace logins, and their password is expired with no "warning."

Does that scenario fit your understanding of how the client/authentication works? If so I can bump the grace logins and we should be good.

Thanks,
Bill



I had a very similar issue when syncing a user's password expiration to our ldap directory. Users would be able to log into their workstation without being prompted for a password change because they logged in a couple hours before their password expired. Later that day, after the password expired, they would begin using up grace logins when logging into their ldap applications. The users would end up using up all of their grace logins in ldap; locking them out of their applications. To resolve the situation, I modified my IDM driver from our NOS tree to our ldap environment to reset the password expiration time to 1:00 am each morning. I reformatted the password expiration attribute that syncs to our ldap and wrote the value back to our NOS tree as well. By doing this, if a user changed their password at say 10:00am one month, their password expiration time would be re-written to 1:00am instead of 10. That way, if they logged in at 9:00 am on the next day their password expires, they will still be prompted to change their password. This could also be accomplished with a loopback driver.
0 Likes
Knowledge Partner

Re: No password expiration warning

Other workarounds that many have implemented (including Novell) are
accomplished by sending e-mails to users before the password changes (by
days/weeks) so the password is actually changed before it expires. This
works really well. Identity Manager 3.6.x has a default job configuration
that is supported to do this notification. There are also simple configs
(Lothar has one often-discussed in the IDM list) that do the same thing
with a lot of functionality. There are also CoolSolutions that can do the
dredging of eDirectory easily and send e-mails appropriately. This also
helps when passwords expire before somebody is logged in for multiple days
(weekend) since you can get notifications days/weeks ahead of time
(configurable).

Good luck.





bbarnes wrote:
> rand68;1789846 Wrote:
>> By the password policy everyone gets 3 grace logins.
>>
>> Now kind of thinking through this, I think I may have stumbled upon the
>> answer.
>>
>> Ok, so suppose that user A logs in at 9:15 on the day that their
>> password expires. Their password expires at 2:00. That afternoon, they
>> lock and unlock their computer 3 or 4 times (we have a 15 minute idle
>> lockout on the workstations). These unlocks would presumably use up
>> their grace logins since it's checking credentials, but since it's not a
>> fresh login the client wouldn't check for expiration. Then the next day
>> they have no grace logins, and their password is expired with no
>> "warning."
>>
>> Does that scenario fit your understanding of how the
>> client/authentication works? If so I can bump the grace logins and we
>> should be good.
>>
>> Thanks,
>> Bill

>
>
> I had a very similar issue when syncing a user's password expiration to
> our ldap directory. Users would be able to log into their workstation
> without being prompted for a password change because they logged in a
> couple hours before their password expired. Later that day, after the
> password expired, they would begin using up grace logins when logging
> into their ldap applications. The users would end up using up all of
> their grace logins in ldap; locking them out of their applications. To
> resolve the situation, I modified my IDM driver from our NOS tree to our
> ldap environment to reset the password expiration time to 1:00 am each
> morning. I reformatted the password expiration attribute that syncs to
> our ldap and wrote the value back to our NOS tree as well. By doing
> this, if a user changed their password at say 10:00am one month, their
> password expiration time would be re-written to 1:00am instead of 10.
> That way, if they logged in at 9:00 am on the next day their password
> expires, they will still be prompted to change their password. This
> could also be accomplished with a loopback driver.
>
>

0 Likes
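The mid-day expiry scenario Bill describes and the two fixes suggested in the replies (moving the expiration back to the start of the day, and a nightly job that warns ahead of time), as an added example that is not part of the original thread. It assumes the grace-login behaviour as the posters describe it, a fixed UTC-5 site offset, eDirectory's `passwordExpirationTime` attribute in LDAP Generalized Time, and constructed user records; all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the site runs on a fixed UTC-5 offset; a real job would use the site's zone.
LOCAL = timezone(timedelta(hours=-5))
GT = "%Y%m%d%H%M%SZ"  # LDAP Generalized Time (UTC), the syntax of passwordExpirationTime

def parse_gt(value):
    return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)

def start_of_local_day(expiry, tz=LOCAL):
    """Move an expiration back to 00:00 local time on the same local calendar day."""
    midnight = expiry.astimezone(tz).replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight.astimezone(timezone.utc)

def replay(expiry, grace, events):
    """Replay (time, kind) credential checks; returns (prompted, locked_out, grace_left).

    Model from the thread: every check after expiry consumes a grace login, but only
    a fresh login prompts. Assumption: the user changes the password when prompted.
    """
    for when, kind in events:
        if when < expiry:
            continue                  # password still valid, nothing consumed
        if grace == 0:
            return False, True, 0     # expired, no grace logins left, never prompted
        grace -= 1
        if kind == "login":
            return True, False, grace
    return False, False, grace

def due_for_warning(users, now, warn_days=14):
    """Nightly-job check: DNs whose password expires within warn_days of now."""
    horizon = now + timedelta(days=warn_days)
    return [u["dn"] for u in users
            if now <= parse_gt(u["passwordExpirationTime"]) <= horizon]

def local(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=LOCAL)

# Constructed sample data: user A's password expires at 14:00 local on 2009-05-12.
USER_A = {"dn": "cn=usera,ou=staff,o=example", "passwordExpirationTime": "20090512190000Z"}
USER_B = {"dn": "cn=userb,ou=staff,o=example", "passwordExpirationTime": "20090801050000Z"}
EVENTS = [(local(2009, 5, 12, 9, 15), "login"),    # fresh login before expiry
          (local(2009, 5, 12, 14, 20), "unlock"),  # idle-lock unlocks after expiry
          (local(2009, 5, 12, 15, 10), "unlock"),
          (local(2009, 5, 12, 16, 5), "unlock"),
          (local(2009, 5, 13, 9, 0), "login")]     # next morning

if __name__ == "__main__":
    expiry = parse_gt(USER_A["passwordExpirationTime"])
    print("as stored:   ", replay(expiry, 3, EVENTS))
    print("start of day:", replay(start_of_local_day(expiry), 3, EVENTS))
    print("warn tonight:", due_for_warning([USER_A, USER_B], local(2009, 5, 5, 1, 0)))
```

The start-of-day calculation is done in local time on purpose: truncating the UTC value instead would land on the wrong calendar day for expirations that fall in the local evening.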