gdrtx Absent Member.
Absent Member.
1022 views

pwdChangedTime vs pwmLastPwdUpdate

I have SSPR 3.3.16 (yes, I know it's old but can't upgrade until this summer) and I'm seeing some odd behavior. We have some users who are changing passwords in SSPR but it does not show up in the SSPR history. When I look in eDirectory, the pwmLastPwdUpdate value has not been updated but the pwdChangedTime shows the correct timestamp. This does no seem to be consistent and appears to be a sporadic issue but I'm having difficulties narrowing down possible sources/causes. Most of my testing attempts to replicate the issue have not succeeded in causing the issue. From what I can tell, the pwmLastPwdUpdate attribute is part of the SSPR schema in eDir and that attribute gets updated first and then the pwdChangedTime is an eDir system attribute that gets updated next. If users are changing passwords in SSPR, how would the pwdChangedTime update but not the pwmLastPwdUpdate? Is this a random bug in SSPR 3.3.16 that we never noticed until the last week or two? Is there a setting in SSPR that I can check to validate that these attributes are being written to correctly? We do have a clustered SSPR environment so it could be that one server has a different configuration setting than the other but I just don't know where to look. Any help would be greatly appreciated.
0 Likes
3 Replies
gdrtx Absent Member.
Absent Member.

Re: pwdChangedTime vs pwmLastPwdUpdate

So I think I solved part of the problem. Both attributes seem to be updated when a user changes their own password through SSPR but if an administrator/help desk user does it then only the pwdChangedTime gets updated. SSPR does not update the pwmLastPwdUpdate when someone other than the user changes a password on that account. However, that doesn't explain why some users are saying that the password history in SSPR is not reflecting recent password changes both by the user or help desk. Again, I haven't been able to duplicate it but that's what I'm being told by end-users.
0 Likes
booktrunk1 Absent Member.
Absent Member.

Re: pwdChangedTime vs pwmLastPwdUpdate

Is it in anyway similar to this https://www.netiq.com/documentation/sspr3/adminguide/data/b14gnfe6.html#b15bfa44

Do you need to give the proxy user access to pwmLastPwdUpdate ?
0 Likes
gdrtx Absent Member.
Absent Member.

Re: pwdChangedTime vs pwmLastPwdUpdate

booktrunk;2479049 wrote:
Is it in anyway similar to this https://www.netiq.com/documentation/sspr3/adminguide/data/b14gnfe6.html#b15bfa44

Do you need to give the proxy user access to pwmLastPwdUpdate ?


We haven't had any issues in the past so unless a patch changed our permissions then it shouldn't be an issue but certainly something worth checking again.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.