gdrtx Absent Member.

Password Does Not Meet Requirements: unknown


So I have seen other threads with similar errors but after reading
through those I have not been able to solve my issue so I'm hoping for
some fresh ideas.

SSPR v3.3.1.0 b110 r38632 pointing to IDM 4.5.3 (eDir 8.8.8)

Our admin accounts can login and manage passwords through the Help Desk
modules with no problem. Non-admin users who meet the Help Desk
profiles can access the Help Desk module, search and select users, view
password history, basically do everything BUT change passwords. When
the non-admin users click the Change Password button they are allowed to
enter a new password or select a randomly generated password (which
generates fine according to the password policies) but regardless of
what password value is entered/selected the message "Password does not
meet requirements: undefined" appears in the SSPR UI and the password is
not changed.

This appears to be a rights issue of some kind in IDM for these users
(who are members of a group to meet the Help Desk profile filter) but I
am unable to figure out what rights need to be there.

I have attempted to set the groups security equal to the PWMProxy user
with no luck.

I have attempted to add the Password Management, pwmEventLog, and
pwmLastPwdUpdate rights to the groups for the Users OU (to match the
proxy user settings) with no luck.

I have even enabled the Use Proxy Account option for the Help Desk
profile with no luck (which may indicate a rights issue for my proxy
account too?).

I have seen some posts about adding various ACLs to individual users but
we are using multiple Help Desk profiles with multiple users in a large
organization (600,000+ users) so managing individual ACLs is not
something we want to do manually and inclusion into these
groups/profiles is not based on any identifiable data so automation is
not an option.

Any ideas would be greatly appreciated. Thanks in advance.


--
gdrtx
------------------------------------------------------------------------
gdrtx's Profile: https://forums.netiq.com/member.php?userid=1660
View this thread: https://forums.netiq.com/showthread.php?t=57000

gdrtx Absent Member.

Re: Password Does Not Meet Requirements: unknown


After doing some additional testing I have found that the Help Desk
users are unable to change passwords through iManager. When trying to
change a password through iManager the non-admin Help Desk users get a
message "Universal Change Password has been disabled for user." Not
sure where to enable that...


--
gdrtx

Knowledge Partner

Re: Password Does Not Meet Requirements: unknown

On 11/30/2016 08:06 AM, gdrtx wrote:
>
> After doing some additional testing I have found that the Help Desk
> users are unable to change passwords through iManager. When trying to
> change a password through iManager the non-admin Help Desk users get a
> message "Universal Change Password has been disabled for user." Not
> sure where to enable that...


Check the password policy assigned to the user whose password is being
changed. I think there is also some stuff under the NMAS role in iManager
that can force UP on, but I do not recall if it can force it off too, but
I doubt it ("Universal Password Enforcement" task).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
gdrtx Absent Member.

Re: Password Does Not Meet Requirements: unknown


Didn't find anything in either location that jumped out at me.

In iManager under NMAS Management there is an option for "Universal
Password Enforcement" but my only option there is to "Enable/Disable NDS
Login Configuration for" and my choices are Object and Partition with
Object selected.

On the Password policy...I have a password policy assigned to my Users
OU (which both accounts in question fall under). When attempting to
change the target user's password the password policy requirements show
up fine so the policy is assigned to the user and is visible to the help
desk user. The password policy is based on Microsoft 2008 complexity
rules. The only thing in the password policy that might influence is in
the Configuration Options there is a section for Universal Password
Retrieval which is set to "Allow user to retrieve password" only. There
is an option to "Allow the following to retrieve passwords" but it will
only let me specify a user DN and not a group DN so if that is needed
then I'm in trouble.


--
gdrtx

Micro Focus Contributor

Re: Password Does Not Meet Requirements: unknown

[snip]
> On the Password policy...I have a password policy assigned to my Users
> OU (which both accounts in question fall under). When attempting to
[snip]
Use the password policy viewer to make sure the user(s) are actually assigned to the policy. If the users are in sub-containers below the assigned container, the policy does not automatically (with some exceptions) flow down to the subcontainer.

[snip]
> Retrieval which is set to "Allow user to retrieve password" only. There
> is an option to "Allow the following to retrieve passwords" but it will
> only let me specify a user DN and not a group DN so if that is needed
> then I'm in trouble.

Helpdesk operators do not require rights to read user passwords.

Have you looked at the SSPR logs?

What error is shown in the logs?

Your SSPR version is a bit out of date; there are newer patches for 3.3.x, and 4.0 is available as well.
gdrtx Absent Member.

Re: Password Does Not Meet Requirements: unknown


At this point I don't think this is an SSPR issue but more of an issue
in eDir. The same user is also not able to change passwords through
iManager and is getting the "Universal Change Password disabled for
user." error. I'm hoping that if I can solve that issue within eDir
that this will work in SSPR.


--
gdrtx

Knowledge Partner

Re: Password Does Not Meet Requirements: unknown

They will not have rights to change the password in iManager if not given the rights to do so. In SSPR that is taken care of by the helpdesk policy.

If an admin can change the password for the user in iManager and there is no error, you don't have any problem with the universal password.

I would check the SSPR log after a failed password change as well as an LDAP trace of that attempted change.
gdrtx Absent Member.

Re: Password Does Not Meet Requirements: unknown


ab;272965 Wrote:
> On 11/30/2016 08:06 AM, gdrtx wrote:
> >
> > After doing some additional testing I have found that the Help Desk
> > users are unable to change passwords through iManager. When trying to
> > change a password through iManager the non-admin Help Desk users get a
> > message "Universal Change Password has been disabled for user." Not
> > sure where to enable that...
>
> Check the password policy assigned to the user whose password is being
> changed. I think there is also some stuff under the NMAS role in iManager
> that can force UP on, but I do not recall if it can force it off too, but
> I doubt it ("Universal Password Enforcement" task).
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Was able to resolve the issue. It was just a matter of modifying the
rights of the trustees on the Users container in eDir. cn, Object
Class, Password Management, pwmEventLog, pwmLastPwdUpdate were what I
needed. Apparently this issue was solved last week when I added those
rights to my group but failed to notice that someone else took my test
user out of that group. Membership made all the difference today.


--
gdrtx
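
The resolution above rests on two conditions: the help desk group holds the five named rights on the Users container, and the operator is still a member of that group. An added example (not from the thread or from NetIQ) that checks both over constructed data; it assumes ACL values in the `privileges#scope#trustee#attribute` form eDirectory returns over LDAP, and every DN and privilege number in it is made up.

```python
# Added example: audit the two conditions behind the fix in this thread.
# ACL layout "privileges#scope#trustee#attribute" is an assumption about how
# eDirectory returns ACL values over LDAP; all DNs and numbers are constructed.
REQUIRED = ["cn", "Object Class", "Password Management",
            "pwmEventLog", "pwmLastPwdUpdate"]  # rights named in the post

def norm_attr(name):
    """Ignore case and spaces so 'Object Class' matches 'objectClass'."""
    return name.replace(" ", "").lower()

def norm_dn(dn):
    """Loose DN comparison: lowercase and trim spaces around each RDN."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_acl(value):
    """Split one ACL value into its four fields; ValueError if malformed."""
    priv, scope, trustee, attr = value.split("#", 3)
    return {"priv": int(priv), "scope": scope, "trustee": trustee, "attr": attr}

def audit(acl_values, group_members, group_dn, operator_dn):
    """Return (rights the group lacks on the container, operator is a member)."""
    granted = set()
    for raw in acl_values:
        try:
            ace = parse_acl(raw)
        except ValueError:
            continue  # not in the assumed layout; ignore rather than guess
        if norm_dn(ace["trustee"]) == norm_dn(group_dn):
            granted.add(norm_attr(ace["attr"]))
    missing = [r for r in REQUIRED if norm_attr(r) not in granted]
    members = {norm_dn(m) for m in group_members}
    return missing, norm_dn(operator_dn) in members

# Constructed data: ACL values on the Users container and the group's members.
GROUP = "cn=helpdesk-tier1,ou=groups,o=example"
PROXY = "cn=pwmproxy,ou=services,o=example"
SAMPLE_ACL = [
    f"2#subtree#{GROUP}#cn",
    f"2#subtree#{GROUP}#objectClass",
    f"4#subtree#{GROUP}#Password Management",
    f"6#subtree#{GROUP}#pwmEventLog",
    f"6#subtree#{PROXY}#pwmLastPwdUpdate",   # proxy only, not the group
    "garbled-value",
]
SAMPLE_MEMBERS = ["cn=alice,ou=users,o=example"]

if __name__ == "__main__":
    for op in ("cn=alice,ou=users,o=example", "cn=bob,ou=users,o=example"):
        missing, member = audit(SAMPLE_ACL, SAMPLE_MEMBERS, GROUP, op)
        print(op, "member:", member, "group lacks:", missing or "nothing")
```

Reporting the membership result next to the rights result catches the case described in the post, where the rights were already correct but the test user had been removed from the group.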

Knowledge Partner

Re: Password Does Not Meet Requirements: unknown

Use ndstrace to see the NMAS messages to see if anything shows up there;
also the SSPR troubleshooting bundle may be useful to share as it includes
logs. Reminder with ndstrace: it must be run on the box SSPR hits as you
do your password change test, so potentially do this on many systems at
once in case SSPR can hit one of many replicas randomly which is a normal
configuration:


ndstrace
set dstrace=nodebug
dstrace +time +tags +nmas
set dstrace=*m9999999
dstrace file on
set dstrace=*r
#perform testing here of password changes
dstrace file off
quit


The /var/opt/novell/eDirectory/log/ndstrace.log (by default) file should
be pretty interesting, and easily compressed if you want to share it via
some service. It may also be huge (up to 10 MB with the settings above)
which is hopefully big enough to capture what we're after, but may be too
big to post in the forums directly.

--
Good luck.
