
SSPR Helpdesk Rights in Details?


NetIQ IDM 4.0.2 AE /
SSPR 3.2

eDirectory 8.8.8 SP7
Binary Version: 20701.48
Root Most Entry Depth: 0
Product Version: eDirectory for Linux x86_64 v8.8 SP7 [DS]


We have followed the guide for SSPR and set up the "Forgotten Password"
solution successfully, but now we want to enable the "HelpDesk" module. We
have set up the eDirectory rights for the Helpdesk "Group" as we did for the
"Proxy User". But when we test, we get the following error: *"New password
does not meet rule requirements"*

If I add the "admin" user to the Helpdesk group, then it works, so I guess
there is some permission issue.

While doing it as admin, I see that the operation DoExtended: Extension
Request OID: 2.16.840.1.113719.1.39.42.100.17 has an outcome in the logs,
but when performing the same operation as a normal user who is a member of
the Helpdesk group, this Extension Request OID operation has no further
outcome in the logs.


I was wondering, does anyone have a detailed description of the rights
needed for the Helpdesk module to work, as is described for the proxy user
in the SSPR documentation?

====================


SSPR Log:
passwordCheckInfo string:
{"version":2,"strength":44,"match":"NO_MATCH","message":"New password
does not meet rule requirements","passed":false,"errorCode":4006}


Ldap log:
1535747840 LDAP: [2014/11/28 12:21:23.264]
(10.7.50.3:53393)(0x0023:0x77) DoExtended: Extension Request OID:
2.16.840.1.113719.1.39.42.100.17
153574784 LDAP: [2014/11/28 12:21:23.267] (10.7.50.3:53393)(0x0023:0x77)
Sending operation result 0:"":"" to connection 0xf0a6000


--
belaie
------------------------------------------------------------------------
belaie's Profile: https://forums.netiq.com/member.php?userid=308
View this thread: https://forums.netiq.com/showthread.php?t=52313


Re: SSPR Helpdesk Rights in Details?

Have you gone through this part of the documentation already?

https://www.netiq.com/documentation/sspr3/adminguide/data/b14knz85.html

I presume that you are not using the last checkbox there ("Use Proxy
Connection (Advanced)") since you mentioned granting rights to the
helpdesk group itself.

It sounds like a rights problem at this point. The OID to which you refer
is used by NMAS to do some kind of password policy check, so the users
would need access to read the policies and may even need some kind of
permission to verify that the current password matches with that policy.
If your helpdesk generally has rights to something like dc=user,dc=org in
your system, but not to the cn=security container at the top of the tree,
perhaps that's the problem. Knowing exactly which rights were granted to
the helpdesk, and where in the tree, would help.

You could also try using the proxy user setting to see if that works; if
you set up permissions the same way for that user as the helpdesk group, I
expect both of those will fail. The 'admin' user, of course, has total
rights, and no problems there.

Grabbing ndstrace output with +TIME +TAGS +LDAP during the time of your
test could likely help a lot too. It sounds like you're already looking
at that, so making sure your debugging is turned up and then posting the
results here could help us help you.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
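The reply above recommends capturing ndstrace output with +TIME +TAGS +LDAP and comparing what happens for admin versus a helpdesk member. The original poster's observation was that the DoExtended request for OID 2.16.840.1.113719.1.39.42.100.17 got a "Sending operation result 0" line for admin but no outcome line at all for the helpdesk user. The script below is an added example (not from the thread, NetIQ, or SSPR) that parses trace lines in the layout shown in the original post, pairs each extended request with its result line by the (connection, message id) pair in the parentheses, and lists the requests that never got a result or got a non-zero one. The sample trace lines are constructed for this example; the line layout follows the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# The OID the original post observed in the trace (the NMAS password
# policy extended operation, as the thread describes it).
PASSWORD_OP_OID = "2.16.840.1.113719.1.39.42.100.17"

# "<counter> LDAP: [<timestamp>] (<peer>)(<conn>:<msgid>) <body>"
LINE_RE = re.compile(
    r"^\d+\s+LDAP:\s+\[(?P<ts>[^\]]+)\]\s+\((?P<peer>[^)]+)\)"
    r"\((?P<conn>0x[0-9a-f]+):(?P<msgid>0x[0-9a-f]+)\)\s+(?P<body>.*)$",
    re.IGNORECASE,
)
REQ_RE = re.compile(r"DoExtended: Extension Request OID:\s*(?P<oid>[\d.]+)")
RES_RE = re.compile(r'Sending operation result (?P<code>\d+):"[^"]*":"(?P<text>[^"]*)"')

# Constructed sample trace (not from the original post): an admin session
# whose request gets result 0, a session whose request never receives a
# result line for its message id (what the poster reported), and one that
# is refused with LDAP result 50 (insufficientAccessRights).
SAMPLE_TRACE = """\
1535747840 LDAP: [2014/11/28 12:21:23.264] (10.7.50.3:53393)(0x0023:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.17
1535747841 LDAP: [2014/11/28 12:21:23.267] (10.7.50.3:53393)(0x0023:0x77) Sending operation result 0:"":"" to connection 0xf0a6000
1535747900 LDAP: [2014/11/28 12:25:02.101] (10.7.50.3:53401)(0x0024:0x12) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.17
1535747901 LDAP: [2014/11/28 12:25:02.140] (10.7.50.3:53401)(0x0024:0x13) Sending operation result 0:"":"" to connection 0xf0a6100
1535747950 LDAP: [2014/11/28 12:26:10.004] (10.7.50.3:53410)(0x0025:0x05) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.17
1535747951 LDAP: [2014/11/28 12:26:10.020] (10.7.50.3:53410)(0x0025:0x05) Sending operation result 50:"":"NDS error: no access (-672)" to connection 0xf0a6200
"""

Key = Tuple[str, str]


def parse_trace(text: str) -> Dict[Key, dict]:
    """Map (conn, msgid) -> details of each extended request seen in the trace.

    A result line is attached only when its (conn, msgid) matches a request
    already seen; results for other message ids are ignored.
    """
    ops: Dict[Key, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key: Key = (m["conn"].lower(), m["msgid"].lower())
        req = REQ_RE.search(m["body"])
        if req:
            ops[key] = {
                "peer": m["peer"],
                "oid": req["oid"],
                "request_ts": m["ts"],
                "result_code": None,
                "result_text": None,
            }
            continue
        res = RES_RE.search(m["body"])
        if res and key in ops:
            ops[key]["result_code"] = int(res["code"])
            ops[key]["result_text"] = res["text"]
    return ops


def password_op_problems(text: str, oid: str = PASSWORD_OP_OID) -> List[Tuple[str, str, str, str]]:
    """(conn, msgid, peer, reason) for requests on `oid` with no or non-zero result."""
    problems = []
    for (conn, msgid), op in parse_trace(text).items():
        if op["oid"] != oid:
            continue
        if op["result_code"] is None:
            problems.append((conn, msgid, op["peer"], "no result logged for this request"))
        elif op["result_code"] != 0:
            problems.append((conn, msgid, op["peer"], f"result {op['result_code']}: {op['result_text']}"))
    return problems


if __name__ == "__main__":
    for conn, msgid, peer, reason in password_op_problems(SAMPLE_TRACE):
        print(f"{peer} conn={conn} msgid={msgid}: {reason}")
```

Run it against a real capture with `python3 trace_check.py < ndstrace.log` after swapping SAMPLE_TRACE for stdin; an entry with "no result logged" is the pattern the original poster saw, while a result 50 points directly at a missing right on the object the operation touched.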

Re: SSPR Helpdesk Rights in Details?


Hello,

I actually tried giving one of my HelpDesk users the following permissions,
and then it worked.

https://www.novell.com/support/kb/doc.php?id=7010386

In case eDirectory 8.8.7 patch 1 has not yet been applied, the following
manual steps can be executed to address the issue:
1) Login to iManager
2) Go to Directory Administration, Modify Object and select the password
policy object
3) Go to the General Tab of password policy page
4) Select nspmPasswordACL from the "UnValued Attributes" box and click
on the left arrow
5) In the Add Attribute window click on the "+" button
6) Select the User to whom the password change rights to be assigned
from "Subject name"
7) Select the nspmPassword from "Property Name:" and select permission
(Read for 2 grant read access and 4 for write access)
8) Click on OK
9) Click on Apply and OK button to save the changes.

But the problem is that I cannot add a Group object in the Subject Name
(*step 6*), only a User object! I would like to add the HelpDesk group
here. How would I do this with the Proxy Account stuff?

Regards,
bElaie.

ab;251677 Wrote:
> Have you gone through this part of the documentation already?
>
> http://tinyurl.com/kwjuatq
>
> I presume that you are not using the last checkbox there ("Use Proxy
> Connection (Advanced)") since you mentioned granting rights to the
> helpdesk group itself.
>
> It sounds like a rights problem at this point. The OID to which you refer
> is used by NMAS to do some kind of password policy check, so the users
> would need access to read the policies and may even need some kind of
> permission to verify that the current password matches with that policy.
> If your helpdesk generally has rights to something like dc=user,dc=org in
> your system, but not to the cn=security container at the top of the tree,
> perhaps that's the problem. Knowing exactly which rights were granted to
> the helpdesk, and where in the tree, would help.
>
> You could also try using the proxy user setting to see if that works; if
> you set up permissions the same way for that user as the helpdesk group, I
> expect both of those will fail. The 'admin' user, of course, has total
> rights, and no problems there.
>
> Grabbing ndstrace output with +TIME +TAGS +LDAP during the time of your
> test could likely help a lot too. It sounds like you're already looking
> at that, so making sure your debugging is turned up and then posting the
> results here could help us help you.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...



--
belaie

Re: SSPR Helpdesk Rights in Details?

1. One way is with the proxy account stuff; give the proxy rights, then
choose to use that account.

2. Another way is to give all users in that group their own value in the
nspmPasswordACL attribute; not a big deal to script this, but ongoing
maintenance (as new people come/go) is annoying, and possibly the job for
something like Identity Manager (IDM).

3. Finally, you could give the group more rights to (for example) write
the ACL attribute. Note that doing so makes anybody who is security
equivalent to that group (helpdesk folks) insanely powerful in the tree,
so I'd probably go with the second (#2) option above first.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
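Option 2 above (one nspmPasswordACL value per helpdesk member, scripted, with the ongoing join/leave maintenance as the cost) is straightforward to automate as a reconciliation: read the group's current members and the policy object's current nspmPasswordACL values, then emit an LDIF that adds values for new members and deletes values for people who left. The script below is an added example, not from the thread or from NetIQ, and it works offline on constructed input. It assumes that nspmPasswordACL takes eDirectory ACL-syntax values of the form privileges#scope#subjectDN#protectedAttribute, that the protected attribute is nspmPassword and the privilege bits are the ones the KB steps above name (2 = read, 4 = write), and that scope "entry" is correct for a policy object; the group DN, policy DN, member DNs and existing values are all made up for the example. Verify the value format against an existing value in your own tree (for example the one iManager wrote in the KB procedure) before applying the generated LDIF.

```python
from typing import Iterable, List, Tuple

# Assumed (not from the thread): nspmPasswordACL uses eDirectory ACL syntax
# "privileges#scope#subjectDN#protectedAttribute". Privilege bits follow the
# KB steps quoted in the thread: 2 = read, 4 = write.
READ, WRITE = 2, 4
PROTECTED_ATTR = "nspmPassword"
ACL_ATTR = "nspmPasswordACL"

# Constructed sample data for the example (hypothetical DNs and values).
POLICY_DN = "cn=Helpdesk Password Policy,cn=Password Policies,cn=Security"
GROUP_MEMBERS = [
    "cn=alice,ou=helpdesk,o=acme",   # new helpdesk member, no value yet
    "cn=bob,ou=helpdesk,o=acme",     # already has a value
]
CURRENT_VALUES = [
    "6#entry#cn=bob,ou=helpdesk,o=acme#nspmPassword",
    "6#entry#cn=carol,ou=helpdesk,o=acme#nspmPassword",   # left the helpdesk
    "1#entry#cn=auditor,ou=svc,o=acme#[Entry Rights]",   # other attribute, untouched
]


def acl_value(subject_dn: str, privileges: int = READ | WRITE, scope: str = "entry") -> str:
    """Build one ACL-syntax value granting `privileges` on nspmPassword to `subject_dn`."""
    return f"{privileges}#{scope}#{subject_dn}#{PROTECTED_ATTR}"


def split_value(value: str):
    """Return (privileges, scope, subject, attr) or None if the value is not ACL-shaped."""
    parts = value.split("#")
    return tuple(parts) if len(parts) == 4 else None


def reconcile(group_members: Iterable[str], current_values: Iterable[str],
              privileges: int = READ | WRITE) -> Tuple[List[str], List[str]]:
    """Compute (values_to_add, values_to_delete) so that exactly the group's
    members hold an nspmPassword value with `privileges`.

    Only values protecting nspmPassword are managed; values for any other
    protected attribute (e.g. [Entry Rights]) are left untouched.
    """
    wanted = {m.lower(): acl_value(m, privileges) for m in group_members}
    current = {}
    for v in current_values:
        parts = split_value(v)
        if parts and parts[3] == PROTECTED_ATTR:
            current[parts[2].lower()] = v
    to_add = [wanted[k] for k in sorted(wanted) if current.get(k) != wanted[k]]
    to_delete = [current[k] for k in sorted(current) if wanted.get(k) != current[k]]
    return to_add, to_delete


def build_ldif(policy_dn: str, to_add: List[str], to_delete: List[str]) -> str:
    """Render a single modify record; deletes go first so a changed value is replaced cleanly."""
    if not to_add and not to_delete:
        return ""
    lines = [f"dn: {policy_dn}", "changetype: modify"]
    if to_delete:
        lines.append(f"delete: {ACL_ATTR}")
        lines += [f"{ACL_ATTR}: {v}" for v in to_delete]
        lines.append("-")
    if to_add:
        lines.append(f"add: {ACL_ATTR}")
        lines += [f"{ACL_ATTR}: {v}" for v in to_add]
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    add, delete = reconcile(GROUP_MEMBERS, CURRENT_VALUES)
    print(build_ldif(POLICY_DN, add, delete), end="")
```

In practice the two input lists come from an ldapsearch of the group's member attribute and of the policy object's nspmPasswordACL values, and the LDIF is applied with ldapmodify as an account that may write the policy object; running the reconciliation on a schedule (or from IDM, as the reply suggests) keeps the per-user values in step with group membership.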

Re: SSPR Helpdesk Rights in Details?


Belaie,

We are going through similar things here, and we looked at the PWMProxy
account for its privileges and associated those to our HelpDesk group.
So we added Compare/Read/Write permissions for the following:


- Permissions
- Locked By Intruder
- Login Intruder Address
- Login Intruder Reset Time
- Password Management
- pwmEventLog
- pwmLastPwdUpdate


We are also currently looking into options for how best to audit their
activity, in particular which users they reset.

Hope you had luck with your setup and if you have any suggestions on
auditing within SSPR that would be appreciated, I'm currently reviewing
the following:

http://tinyurl.com/l4jleuy

Thanks!


--
e110019
------------------------------------------------------------------------
e110019's Profile: https://forums.netiq.com/member.php?userid=7435