ahidalgo1 Absent Member.

SSPR upgrade from 3.3.1.6 to 4.1.0.1


Doing an upgrade from 3.3.1.6 to 4.1.0.1 on a SLES 12 server, after
importing my SSPRConfiguration.xml I get this error:

I can login but the password for configuration is not working.

Error:
Setting LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨
eDirectory Settings ⇨ Read User Passwords is enabled, however
unable to read test user LDAP ⇨ LDAP Directories ⇨ default
⇨ Connection ⇨ LDAP Test User password due to error error
reading nmas password: error -1659; check eDirectory proxy user LDAP
permissions and eDirectory password policy configurations.

The eDir server that it's pointed to is 8.8 SP8.

Thanks,

Al Hidalgo
UNMH Hospitals


Knowledge Partner

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

The error means exactly what it says, specifically a lack of rights. I
cannot imagine why that would change with ONLY an SSPR upgrade, but
perhaps something else happened to happen at a similar time, or perhaps
SSPR happened to check a different replica holder on an older version of
eDirectory that had different interpretation of ACLs (those change
sometimes, usually for security reasons, specifically in this context).

One thing you could try is using the SSPR proxy user against your various
LDAP servers (as configured in SSPR) to see if you can use Jim Willeke's
Dump Password Information tool to retrieve passwords for, for example, the
test user. If it works against all boxes, then we need to troubleshoot
more, but I would guess that maybe one or more servers are on older
patches of eDirectory, while some are on newer patches and apply things
like the 'Read' ability to 'Password Management' differently. This used
to be enough to do things like retrieve password data, but that changed
with one of the 8.8 SP8 patches, as I recall. The readme/TID of changes
should have the exact version.

--
Good luck.

ahidalgo1 Absent Member.

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1


I have not applied the latest hotfixes and I have not tried pointing to
our new 9x edir server.

Thanks,

Al


Knowledge Partner

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

It wasn't a hotfix, and it is not 9.x that changes, but one of the Patches
for 8.8 SP8 (as I recall). If all of your boxes are identical, then
never mind, but be sure they really are identical. If they are, then you
still have a rights problem, or so the error indicates, so I would
troubleshoot from the eDir side with ndstrace and +NMAS +LDAP to see what
shows up. Keep in mind SSPR may hit many servers for checks, so trace
them all simultaneously.

--
Good luck.

rdenys Absent Member.

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

Did anybody end up finding a resolution to this error?

I'm currently experiencing the same issue whereby the Configuration Editor password changes (or at least I can't login) after upgrading from SSPR 3.3.1.x => 4.1.0.1. As per the original issue, after the upgrade I can login with all users. It's just access to the Configuration Editor that changes.

I'm assuming the password for the Configuration Editor is stored in the Local DB as well?
Knowledge Partner

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

The configuration password is stored in the SSPRConfiguration.xml file.

Have you tried just restarting the application service (Tomcat presumably)?


--
Good luck.

rdenys Absent Member.

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

Cheers for the response ab.

I've restarted the "SSPR-Service" service, which I would assume restarts Tomcat as well. I did find this text document hiding in the backup folder:

Action Needed!!!

During the SSPR upgrade, we were NOT able to upgrade the localDB. However during the upgrade we
made a backup of the current localDB.

* You need to manually import (restore) the localDB.
* The upgrade backup (localdb.upgrd) of the localDB is located in the backup directory.
default location: C:\Program Files\NetIQ Self Service Password Reset\backup\localdb.upgrd
-- If you installed to a custom location, modify the file paths accordingly

Option 1
a) Stop the SSPR-Service (may require a reboot)
b) Run the Repair option of the installer by either
1) Re-run the installer and select "Repair" option or
2) From "Programs and Features", Double click: "Self Service Password Reset" and select
"Repair" option

Option 2
a) Stop the SSPR-Service (may require a reboot)
b) As administrator open a cmd.exe window
c) cd C:\Program Files\NetIQ Self Service Password Reset\apache-tomcat-8\bin
d) run importLocalDB.bat

Option 3)
a) Open a browser and point it to https://localhost:8443/sspr/private/config/manager/localdb
b) login as an Administrator
c) Import the localDB upgrade backup file
(ex: C:\Program Files\NetIQ Self Service Password Reset\backup\localdb.upgrd)
d) Rename the localDB upgrade backup file
From: C:\Program Files\NetIQ Self Service Password Reset\backup\localdb.upgrd
To C:\Program Files\NetIQ Self Service Password Reset\backup\localdb.up1


Option 1 - Repairs the install, replaces the above text file with the same text file. I assume it's failing at upgrading the database again.
Option 2 - Runs a script, still unable to login, therefore the script must fail at upgrading the database.
Option 3 - I have "Force Update Profile" switched on, and I can't bypass this screen, which I'm assuming the password to the LDAP Proxy User is also different.

I'll keep investigating whilst I can. Any further help would be appreciated.
rdenys Absent Member.

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

Just following on from my previous post, I changed the configIsEditable to true, restarted the SSPR-Service and attempted to login. This time I actually received an error message:

Password incorrect. Please try again. { 5089 ERROR_PASSWORD_ONLY_BAD }

I'm unsure why this value (or that mechanism to decrypt the value) would be changed during the upgrade process of the application.
rdenys Absent Member.

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1

OK, so I found a slight workaround with this. I went into the SSPRConfiguration.xml file and removed the value from the following tag:

<property key="configPasswordHash" modifyTime="2017-03-22T10:45:02Z"></property>


I then restarted the SSPR application and was able to access the configuration editor. From there, I could reset the password back to what it was. All fixed.
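
A check for the state this workaround leaves behind, as an added example that is not part of the original post: it flags an SSPRConfiguration.xml whose configPasswordHash is empty or whose configIsEditable is true. The sample XML is constructed; its wrapper elements, and the assumption that configIsEditable is stored as a property element like configPasswordHash, are not from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real SSPRConfiguration.xml. Only the
# configPasswordHash <property> element is taken from the thread; the wrapper
# elements and storing configIsEditable the same way are assumptions.
SAMPLE_AFTER_WORKAROUND = """<SampleConfiguration>
  <properties>
    <property key="configIsEditable">true</property>
    <property key="configPasswordHash" modifyTime="2017-03-22T10:45:02Z"></property>
  </properties>
</SampleConfiguration>
"""

# Same constructed file once the editor password has been set again and
# editing has been switched off (placeholder value, not a real hash).
SAMPLE_RELOCKED = SAMPLE_AFTER_WORKAROUND.replace(
    ">true<", ">false<"
).replace('Z"></property>', 'Z">PLACEHOLDER-HASH</property>')


def read_properties(xml_text):
    """Map every <property key="..."> in the document to its stripped text."""
    root = ET.fromstring(xml_text)
    return {
        el.get("key"): (el.text or "").strip()
        for el in root.iter("property")
        if el.get("key")
    }


def audit_config(xml_text):
    """Return findings for a configuration whose editor is left unprotected."""
    props = read_properties(xml_text)
    findings = []
    # An empty hash is the state in which the thread's poster could open the
    # configuration editor without the old password.
    if not props.get("configPasswordHash"):
        findings.append("configPasswordHash is missing or empty")
    if props.get("configIsEditable", "").lower() == "true":
        findings.append("configIsEditable is true")
    return findings


if __name__ == "__main__":
    for name, text in [("after workaround", SAMPLE_AFTER_WORKAROUND),
                       ("re-locked", SAMPLE_RELOCKED)]:
        print(name, "->", audit_config(text) or "ok")
```
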
ahidalgo1 Absent Member.

Re: SSPR upgrade from 3.3.1.6 to 4.1.0.1


rdenys;276044 Wrote:
> Just following on from my previous post, I changed the
> configIsEditable to true, restarted the SSPR-Service and attempted
> to login. This time I actually received an error message:
>
> PASSWORD INCORRECT. PLEASE TRY AGAIN. { 5089
> ERROR_PASSWORD_ONLY_BAD }
>
> I'm unsure why this value (or that mechanism to decrypt the value)
> would be changed during the upgrade process of the application.


There is an update that resolves this, "Self Service Password Reset
4.1.0.2". I still get the warning about my test user but everything
seems to function.

Al

