whitesocks Absent Member.

Have an error -632 when Change user password

Hi
I have an error -632 when I change some part of users password.
I have repaired eDirectory, but the error still occurs.
Please support
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

On 03/21/2019 07:34 AM, whitesocks wrote:
>
> Hi
> I have an error -632 when I change some part of users password.
> I have repaired eDirectory, but the error still occurs.
> Please support


On which version of eDirectory?

Does it happen on all boxes in the tree, or just some?

Can you duplicate this in another tree/environment?

How are you changing the password, specifically? Can the user change
their own password? Can other users' passwords be changed by themselves
or admins?

What does "some part of users password" mean? Either you change the
password or you do not, typically.

Are you using Universal Password (UP)? If so what does the user's
password policy look like (post the LDAP export here)?

When did this last work, and what changed since then?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password


> What does "some part of users password" mean? Either you change the
> password or you do not, typically.
>
> Are you using Universal Password (UP)? If so what does the user's
> password policy look like (post the LDAP export here)?


I think this is a good question. 🙂 Which password?

NDS
Simple
UP

0 Likes
whitesocks Absent Member.

Re: Have an error -632 when Change user password

Sample password policy
UP
0 Likes
whitesocks Absent Member.

Re: Have an error -632 when Change user password

eDirectory Version: 9.0.4
I use admin to change the password in iManager
The user have modify some times password , Random question for this
I want to know how to fix the user or fix the question
Thanks for your support
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

On 03/21/2019 05:54 PM, whitesocks wrote:
>
> eDirectory Version: 9.0.4
> I use admin to change the password in iManager


This does not really help. I understand you are using iManager (vs.
another tool), and changing as an admin (vs. the user themselves), but
within iManager are various ways of changing passwords. In order to
troubleshoot fully, or to reproduce issues, we need specifics.

> The user have modify some times password , Random question for this


I'm not sure I understand what you are conveying here. The user can
change their own password? They used to be able to? They can using some
tools but not others?

> I want to know how to fix the user or fix the question


Being broken is an end user's job. Joking aside, perhaps we should start
by creating a new test user object and seeing if the same steps you are
trying with the broken user work with the test user.

--
Good luck.

0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

ab;2497164 wrote:
On 03/21/2019 07:34 AM, whitesocks wrote:
>
> Hi
> I have an error -632 when I change some part of users password.
> I have repaired eDirectory, but the error still occurs.
> Please support


On which version of eDirectory?

Does it happen on all boxes in the tree, or just some?

Can you duplicate this in another tree/environment?

How are you changing the password, specifically? Can the user change
their own password? Can other users' passwords be changed by themselves
or admins?

What does "some part of users password" mean? Either you change the
password or you do not, typically.

Are you using Universal Password (UP)? If so what does the user's
password policy look like (post the LDAP export here)?

When did this last work, and what changed since then?

--
Good luck.



"some part of users password" may mean that for some subset of all users, when changing password, he's getting a -632 (System Failure).
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

On
>> Are you using Universal Password (UP)? If so what does the user's
>> password policy look like (post the LDAP export here)?
>>
>> When did this last work, and what changed since then?
>>
>> --
>> Good luck.

>
> "some part of users password" may mean that for some subset of all
> users, when changing password, he's getting a -632 (System Failure).


And he explained Simple and UP. I would suggest getting a tool like Jim
Willeke's DumpUP tool:

https://ldapwiki.com/wiki/DumpEdirectoryPasswordInformationTool

Or Console2 which shows it by default when you search a user and click
Show Info.

https://sneakycat.biz/

It would be interesting to see the output.

Something like:

Password for uid=geoffc,ou=ACTIVE,ou=users,dc=acme,dc=com probably
doesn't fullfill requirements
Effective policy: cn=Standard Password,cn=Password Policies,cn=Security
Universal password active?: true
Universal password set?: false
Universal password history full?: false
Universal password matches NDS password?: false
Universal password matches Simple password?: false
Universal password older than NDS password?: false
Simple password set?: false
Simple password cleartext?: false
Simple password matches NDS password?: false

So you can see if NDS and UP and Simple are mostly or not in sync. Very
helpful.



whitesocks Absent Member.

Re: Have an error -632 when Change user password

Executed the dump, the details below:
Password: com.novell.security.nmas.mgmt.NMASPwdException
Password policy assigned to user: cn=default password policy,cn=Password Policies,cn=Security
Does Current password meet password policy assigned to user? NMAS Return Code (-1665)
com.novell.security.nmas.mgmt.NMASPwdExceptionNMAS Return Code (-1658)
==> Account Status <==
Is Entry Account Disabled: FALSE
Is Account Intruder Locked: FALSE
Login Time: 20190321160651Z

**** There were 1 total entries ****
Entries with valid Universal Passwords: 0
Entries Insufficient Rights to Read: 0
Entries Universal<>NDS Passwords: 0
Entries with SimplePassword: 0
Entries no Password Policy Assigned: 0
Entries Password does not meet current Policy: 0
Entries Login Disabled: 0
Entries Locked-By-Intruder: 0
Entries Login Expired: 0
Entries Expired Passwords: 0
Entries Not Yet Activated: 0
Entries Never Loggedin: 0
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

On 3/24/2019 2:14 AM, whitesocks wrote:
>
> Executed the dump, the details below:
> Password: com.novell.security.nmas.mgmt.NMASPwdException
> Password policy assigned to user: cn=default password
> policy,cn=Password Policies,cn=Security
> Does Current password meet password policy assigned to user? NMAS
> Return Code (-1665)
> com.novell.security.nmas.mgmt.NMASPwdExceptionNMAS Return Code
> (-1658)
> ==> Account Status <==
> Is Entry Account Disabled: FALSE
> Is Account Intruder Locked: FALSE
> Login Time: 20190321160651Z
>
> **** There were 1 total entries ****
> Entries with valid Universal Passwords: 0
> Entries Insufficient Rights to Read: 0
> Entries Universal<>NDS Passwords: 0
> Entries with SimplePassword: 0
> Entries no Password Policy Assigned: 0
> Entries Password does not meet current Policy: 0
> Entries Login Disabled: 0
> Entries Locked-By-Intruder: 0
> Entries Login Expired: 0
> Entries Expired Passwords: 0
> Entries Not Yet Activated: 0
> Entries Never Loggedin: 0


So this is Jim's DumpUP tool. Can you do it again with -E for extra
info I think it is. Check the switches, you need to see 'more'

For 1665 error there is a note about tree keys:
https://support.microfocus.com/kb/doc.php?id=3364214

But if ANYONE can change passwords, then that probably does not apply.
1658 comes up as:

-1658 0xFFFFF986 NMAS_E_MISSING_KEY The key attribute for the Login
Configuration attribute or the Login Secret attribute is missing or corrupt.

So I have a thought. Since this user is screwed in terms of Simple,
passwords, and I would suspect Secret Store, and Challenge Response
questions you could try to clear the sasLogin* attributes.

There are 4 attributes, sasLoginConfigurationKey and three more similar
attributes.

I have an LDAP browser (Java based LBE) I otherwise quite like, but if
you modify any attribute of a user with one of these attributes, it
re-writes them and corrupts them.

However, deleting the attributes means Challenge Response values are
lost, and the user will have to put them back.

So think about it, as an option.


0 Likes
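
Added example (not part of any post in this thread, and not code from the DumpUP tool): a small triage helper that pulls the NMAS return codes out of dump text like the one posted above, shows their 32-bit hex form, and, when -1658 is present, emits the LDIF that clears the key attribute. The DN in the test, the function names, and the three attribute names beyond sasLoginConfigurationKey are assumptions; as the reply notes, clearing these attributes loses the user's Challenge Response values.

```python
import base64
import re

# Codes explained in this thread; anything else is left unnamed.
KNOWN = {-632: "System Failure", -1658: "NMAS_E_MISSING_KEY"}

# Assumption: the four NMAS attributes the reply alludes to. Only
# sasLoginConfigurationKey is named in the thread, so it is the default target.
SAS_ATTRS = ("sASLoginConfiguration", "sASLoginConfigurationKey",
             "sASLoginSecret", "sASLoginSecretKey")

# Sample input: the two result lines from the dump posted in this thread.
SAMPLE_DUMP = """\
Does Current password meet password policy assigned to user? NMAS Return Code (-1665)
com.novell.security.nmas.mgmt.NMASPwdExceptionNMAS Return Code (-1658)
"""

CODE_RE = re.compile(r"Return Code \((-\d+)\)")


def nmas_codes(dump_text):
    """Return [(code, 32-bit hex, name)] for each distinct code, in order seen."""
    out = []
    for code in dict.fromkeys(int(m) for m in CODE_RE.findall(dump_text)):
        hex32 = "0x%08X" % (code & 0xFFFFFFFF)  # two's complement form
        out.append((code, hex32, KNOWN.get(code, "not named in thread")))
    return out


def _dn_line(dn):
    """LDIF dn line; base64 ("dn::") when the DN is not plain safe ASCII."""
    safe = (dn.isascii() and dn.isprintable()
            and not dn.startswith((" ", ":", "<")) and not dn.endswith(" "))
    if safe:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def cleanup_ldif(dn, attrs=("sASLoginConfigurationKey",)):
    """LDIF clearing attrs. A value-less 'replace' removes the attribute if it
    exists and is a no-op if it does not (RFC 4511), unlike 'delete'."""
    lines = [_dn_line(dn), "changetype: modify"]
    for attr in attrs:
        lines += ["replace: " + attr, "-"]
    return "\n".join(lines) + "\n"


def triage(dn, dump_text):
    """Return (codes, ldif); ldif is None unless the dump shows -1658."""
    codes = nmas_codes(dump_text)
    hit = any(code == -1658 for code, _, _ in codes)
    return codes, (cleanup_ldif(dn) if hit else None)
```

Export the user's current values to an LDIF backup before applying the generated change, and pass `SAS_ATTRS` to `cleanup_ldif` only if all four attributes are meant to be cleared.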
whitesocks Absent Member.

Re: Have an error -632 when Change user password

Hi
I have deleted the sasLoginConfigurationKey attribute from the user, and then the password can be changed.
I checked the doc about sasLoginConfigurationKey; the attribute uses the simple password policy, but I use UP. Why is the value for sasLoginConfigurationKey auto-generated when I create a user?
I created a user on eDirectory 9.1, but it does not have this.
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

On 3/24/2019 11:04 PM, whitesocks wrote:
>
> Hi
> I have deleted the sasLoginConfigurationKey attribute from the user, and
> then the password can be changed.


So to confirm, that worked? Great!

> I checked the doc about sasLoginConfigurationKey; the attribute uses the
> simple password policy, but I use UP. Why is the value for
> sasLoginConfigurationKey auto-generated when I create a user?


Ah well, the mysteries of how they actually store passwords.

To be fair, earlier you said you use Simple and UP.

Challenge Response uses this. Secret Store uses it. The rest is not
clear nor documented, really.

> I created a user on eDirectory 9.1, but it does not have this.


That is interesting. I do not know why that would be different in 9.x
vs 8.x.

But I have found this to be a recurring issue at times.

0 Likes
jwilleke Trusted Contributor.

Re: Have an error -632 when Change user password

Most of the NMAS Result Codes are at: https://ldapwiki.com/wiki/NMAS%20Result%20Codes
Some of them have explanations beyond Documentation details.
-jim
0 Likes
Knowledge Partner

Re: Have an error -632 when Change user password

On 4/2/2019 9:04 AM, jwilleke wrote:
>
> Most of the NMAS Result Codes are at:
> https://ldapwiki.com/wiki/NMAS%20Result%20Codes
> Some of them have explanations beyond Documentation details.


I like the idea of Wiki entry where we can add personal experience with
error codes. I did something similar for User App log levels:

https://wiki.microfocus.com/index.php/User_App_Log_Levels



0 Likes