iliadmin1 Absent Member.
Absent Member.
911 views

Question on user recreation and their Groupwise account

I have one user who is having whonky account issues. Unfortunately he's the owner of the company and is obviously not very happy right now about these issues. I am suspecting a corrupted user template, but that's another post. Long story short, things like his password expiration keep changing back to a weird time (may 15 2016), and you cannot manually set it back to where it should be and have it stick. Manually changing the password does not seem to work either. This is affecting his device connection to Groupwise Mobility mostly. Does not seem to affect his login (so far) to Groupwise. So I want to delete his eDirectory account and just recreate it from scratch.

HOWEVER, he is worried about losing all his e-mail, appointments, etc. If I don't do anything on Groupwise, just in eDirectory as far as deleting and re-creating his account, will it automatically sync/link back to his Groupwise account, OR will removing the account from eDirectory also remove it from Groupwise? (We use LDAP auth with Groupwise).

Is there a procedure for doing this so it preserves the Groupwise account? Anybody encountered this before? Pls advise. Thanks in advance!

Val

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
Labels (1)
0 Likes
6 Replies
Knowledge Partner
Knowledge Partner

Re: Question on user recreation and their Groupwise account

On 11/15/2018 10:04 AM, iliadmin wrote:
>
> I have one user who is having whonky account issues. Unfortunately he's
> the owner of the company and is obviously not very happy right now about
> these issues. I am suspecting a corrupted user template, but that's
> another post. Long story short, things like his password expiration
> keep changing back to a weird time (may 15 2016), and you cannot


That's an odd date to be chosen at random, and if it is always the same
time then perhaps NMAS is doing that. If your password change is not
changing the Universal Password (UP), but the login does use UP, then I
could see this happening. The fix is to have him change his password
properly so that everything is updated, not just the legacy nDS password.

> manually set it back to where it should be and have it stick. Manually
> changing the password does not seem to work either. This is affecting
> his device connection to Groupwise Mobility mostly. Does not seem to
> affect his login (so far) to Groupwise. So I want to delete his
> eDirectory account and just recreate it from scratch.


That's a bit drastic, but I guess I can understand it's desirable at some
point. Maybe something really is wrong with his object, but first how is
the password being changed, as specifically as you can describe it? How
do logins happen, with as many details as you can provide? Do you use
Identity Manager (IDM) or anything else that might be doing changes of
attributes via code?

> HOWEVER, he is worried about losing all his e-mail, appointments, etc.
> If I don't do anything on Groupwise, just in eDirectory as far as
> deleting and re-creating his account, will it automatically sync/link
> back to his Groupwise account, OR will removing the account from
> eDirectory also remove it from Groupwise? (We use LDAP auth with
> Groupwise).


Which version of GroupWise (GW)? This may be a question better-asked in
the GW forum since there are likely people there who better understand
this link. As long as GW properly points to the correct eDirectory user,
that sounds fine to me, but I worry it may store a GUID or something
which, when you delete/create the user, will necessarily change, so now
you need to set that up again, and I do not know how to do that off the
top of my head.

> Is there a procedure for doing this so it preserves the Groupwise
> account? Anybody encountered this before? Pls advise. Thanks in
> advance!


eDirectory itself does not integrate with GropuWise, and never has. The
only integration was perceived to exist because ConsoleOne (in the old
days) was used, and it would access both environments simultaneously.
Also, there is LDAP integration, but that is GW using eDirectory for basic
authentication purposes, nothing more. Even the "eDirectory
authentication" option that was seldom used was just the Novel lClient
working with the GW client, not anything magical between eDir and GW
directly. There are things like IDM which will integrate the two
directly, and that's great, but it is something you would have added
manually to automate account provisioning, deprovisioning, etc.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
iliadmin1 Absent Member.
Absent Member.

Re: Question on user recreation and their Groupwise account

Hi Andy,

you said "If your password change is not changing the Universal Password (UP), but the login does use UP,"

So.. I don't believe we are using Universal Passwords with our server.

He is a user in eDirectory since ages ago. He does not currently login to eDirectory per
se, but only to Groupwise. He VPN connects to the network then launches Groupwise
from his laptop and logs in. He has 2 mobile devices that also sync with Groupwise Mobility.

Version of Groupwise is 2018 (just migrated a couple of weeks ago). Upgraded our Mobility
yesterday and coincidentally this is when things started. Was on an SR with Micro Focus and they managed
to get things straightened out yesterday, but then I've noticed since weird issues with passwords showing
as expired when they are not for example.

Verified connectivity and sync b/w the master replica and the read/write replicas, health all seems good, so not sure
if there's a log or someplace I can look at to see if there's something not readily apparent with edirectory to be causing this.

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
0 Likes
Knowledge Partner
Knowledge Partner

Re: Question on user recreation and their Groupwise account

I'd always opt for troubleshooting issues like these, nevertheless:
As you're running GW > 2012 you can easily disassociate his GW account from the eDir account (in the GW admin console) before deleting the user object in NDS. Once the object is recreated just reassociate it and you're done as for this. Wait a little after deletion until all obit processing is done. The GW account wouldn't even get deleted if you wouldn't disassociate before the deletion of the NDS object. What might happen, depending on your offset:
If you provision Mobility by LDAP (i.e. with LDAP as a user source, maybe by membership in a group) chances a high that his GMS account vanishes, so i'd remove him from GMS as the very first step and readd him as a last.
But as mentioned: i'd rather want to know how these issues are caused, and password / NMAS issues aren't to hard to analyze.
0 Likes
iliadmin1 Absent Member.
Absent Member.

Re: Question on user recreation and their Groupwise account

Didn't think of the Mobility, yes he is provisioned via an LDAP group, so this won't work 'cause he is sooooooo tied to his devices for email. Break that and I might a well get a new job!

It is not just password issues, things like expiration dates changing; accounts set to not require password changes get a password expiration and the option enabled. You can change things back, check it on the replicas and all is good. Then check it again later on and it's back to the whonky change! No reason. Not affecting everyone. (In this case I did delete the account and re-add it, it was the account being used for LDAP auth with my Mobility system.) Sometimes you find a user who has had rights to a folder and then suddenly they don't. Rights are assigned by groups. So you check the group, they are a member. So you remove them and re-add them, and things are back to normal. Stupid stuff like that. No reason for it to be happening yet there you go. Not sure if it is something that maybe was not correctly migrated when we migrated our Novell server to OES back in 2014 or what.

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
0 Likes
Knowledge Partner
Knowledge Partner

Re: Question on user recreation and their Groupwise account

First of all:
Are the affected objects using UP? IDM involved?
0 Likes
iliadmin1 Absent Member.
Absent Member.

Re: Question on user recreation and their Groupwise account

No, neither is being used. Sorry for the late reply! Holidays, lots of things going on.

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.