
Negative number of remaining grace logins


After a user's password expires, we have recently been experiencing a
problem where the remaining grace logins eventually ends up being a
negative number. The "biggest" we have seen so far is -16, but more
commonly we see -2, etc. This has happened to a significant number of
users.

An associated problem is that the remaining grace logins sometimes drops
by several increments all at once, without any obvious cause.

Any idea what might be going on?

The primary version of eDirectory we are running is v8.8 SP7, 20703.00.
A few servers are also running v8.8 SP6, 20608.00, and we have a few
instances of eDirectory running on old NetWare servers, v8.8 SP5,
20506.07. The site which is most frequently experiencing the problem is
running v8.8 SP7 on an OES 11 SP1 server.

Rick P


--
RPummel
------------------------------------------------------------------------
RPummel's Profile: https://forums.netiq.com/member.php?userid=4769
View this thread: https://forums.netiq.com/showthread.php?t=47503


Re: Negative number of remaining grace logins

On Mon, 08 Apr 2013 22:44:02 +0000, RPummel wrote:

> Any idea what might be going on?


Are there any warnings about sync delta (or anything else) in an iMonitor
health check?

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner

Re: Negative number of remaining grace logins


I am not sure where to look for a sync delta warning, etc. I brought up
iMonitor and ran a report, asking it to only show me servers with
errors. One of the times I ran the report, it showed server wa1, which
is the server that hosts the users who have been experiencing the
problem regularly. However, I ran the report again, and the server did
not show up. I did a lot of looking through the report that showed wa1,
and I was unable to find any errors. So, I am confused.

Any suggestions on where to look in iManager and what I should be
looking for?

Rick P

hendersj;228326 Wrote:
> On Mon, 08 Apr 2013 22:44:02 +0000, RPummel wrote:
>
> Are there any warnings about sync delta (or anything else) in an
> iMonitor
> health check?
>
> Jim
> --
> Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
> Novell Knowledge Partner



--
RPummel

Re: Negative number of remaining grace logins

On Wed, 10 Apr 2013 18:34:02 +0000, RPummel wrote:

> I am not sure where to look for a sync delta warning, etc. I brought up
> iMonitor and ran a report, asking it to only show me servers with
> errors.
> One of the times I ran the report, it showed server wa1, which is the
> server that hosts the users who have been experiencing the problem
> regularly. However, I ran the report again, and the server did not show
> up. I did a lot of looking through the report that showed wa1, and I was
> unable to find any errors. So, I am confused.
>
> Any suggestions on where to look in iManager and what I should be
> looking for?


iMonitor is the right place to look. Go to "Agent health" and see what
the status is. Then go to "Known Servers" (best from a server with a
copy of [root]) and iterate through the "agent health" link on each
server listed to see what each server's health is.

Note any issues reported.

That's the better way to do a health check (and faster). After looking at
each server's health, go back one page and pick the next server in the
list.

Jim

--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner

Re: Negative number of remaining grace logins

On Mon, 08 Apr 2013 22:44:02 +0000, RPummel wrote:

> After a user's password expires, we have recently been experiencing a
> problem where the remaining grace logins eventually ends up being a
> negative number.


I've seen that occasionally if there are replica sync problems. Each
replica decrements the counter by one, underflowing zero. It's been a
while since I've seen it happen, though.

Are you using NDS passwords or Universal Password?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
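
An added example, not part of the original thread: one way to measure how many accounts carry the negative counter described here, and which container they sit in, is to scan an LDIF export of User objects. It assumes the default eDirectory LDAP attribute names `loginGraceRemaining` and `loginGraceLimit`; the sample entries and DNs are constructed.

```python
from collections import Counter

# Constructed sample export; DNs and values are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=asmith,ou=wa1,o=example
loginGraceLimit: 6
loginGraceRemaining: -2

dn: cn=bjones,ou=wa1,o=example
loginGraceLimit: 6
loginGraceRemaining: -16

dn: cn=cwu,ou=hq,o=example
loginGraceRemaining: 4
"""

def parse_ldif(text):
    """Yield one dict per entry; folded lines are joined, base64 is not decoded."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                yield entry
            entry, last = {}, None
        elif line.startswith(" ") and last:
            entry[last] += line[1:]
        elif ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            last = key.strip().lower()
            entry[last] = value.strip()

def negative_grace(entries):
    """Return (dn, remaining, limit) for counters below zero, worst first."""
    hits = []
    for e in entries:
        try:
            remaining = int(e.get("logingraceremaining", ""))
        except ValueError:
            continue  # attribute absent or not numeric
        if remaining < 0:
            hits.append((e.get("dn", "?"), remaining, e.get("logingracelimit")))
    return sorted(hits, key=lambda h: h[1])

def by_container(hits):
    """Count affected users per parent container, to see which site is hit."""
    return Counter(dn.partition(",")[2] for dn, _, _ in hits)

if __name__ == "__main__":
    hits = negative_grace(parse_ldif(SAMPLE_LDIF))
    print(hits, dict(by_container(hits)))
```

Running the same scan against exports taken from different replica servers shows whether they hold different values for the same user.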


Re: Negative number of remaining grace logins


As far as I know, we are using NDS passwords, but I suppose it is
possible that we are using Universal Passwords. How can I find out?

I am not sure how to identify replica sync errors, if they are
occurring. Suggestions?

We have a mix of OES Linux and NetWare servers. I have been nervous
about the possibility of sync errors since the NetWare servers are
running eDirectory 8.8 SP5 while the Linux servers are using a mix of
v8.8 SP6 and v8.8 SP7. However, I have not had anything concrete to base
my nervousness on.

Rick P

dgersic;228335 Wrote:
>
>
> I've seen that occasionally if there are replica sync problems. Each
> replica decrements the counter by one, underflowing zero. It's been a
> while since I've seen it happen, though.
>
> Are you using NDS passwords or Universal Password?



--
RPummel

Re: Negative number of remaining grace logins

On Wed, 10 Apr 2013 18:44:02 +0000, RPummel wrote:

> As far as I know, we are using NDS passwords, but I suppose it is
> possible that we are using Universal Passwords. How can I find out?


The default, if you've done nothing, is to use NDS passwords.

The better answer is to use Universal Password, which uses NMAS. To
enable this, you'd create a password policy in your Security container,
then assign it (tree wide = the "login policy" object in the Security
container). You'll find more on this in the eDirectory docs.


> I am not sure how to identify replica sync errors, if they are
> occurring. Suggestions?


iMonitor. The first page you see shows a chart of Replicas by type,
Partitions (count) and Errors.


> We have a mix of OES Linux and NetWare servers. I have been nervous
> about the possibility of sync errors since the NetWare servers are
> running eDirectory 8.8 SP5 while the Linux servers are using a mix of
> v8.8 SP6 and v8.8 SP7. However, I have not had anything concrete to base
> my nervousness on.


That's fine. Personally, I'd bring all of them up to the latest version
available, but those are recent enough that I wouldn't worry too much
about it.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
