Environment
Novell eDirectory 8.7.3.8 for All Platforms
Novell Modular Authentication Service (NMAS) version 2.40
Novell Modular Authentication Service (NMAS) version 3.1.0
Novell eDirectory 8.8 for All Platforms
Situation
The Universal Password (UP) policy in the tree is set to 365
days. It is later changed to 90 days to reflect a new
corporate standard. However, when users log in after this
change, their password expiration time still shows 300 days or more.
Resolution
When Universal Passwords are enabled, a user's password
expiration time is calculated as follows:
1. Take the days shown in the UP password policy.
2. Add this to the modification timestamp of the nspmpassword
(UP) attribute on the user.
3. Take the sum of 1 and 2 and place this value into the
user's expiration time attribute.
4. Compare this time to the server's time to determine if the
password has expired.
However, when the policy's interval has been changed, the
following must be applied for this change to be reflected for each
user authenticating through the policy:
1. Apply NMAS 3.1 to each NMAS server authenticating
users.
2. Make sure in iManager that the following is checked: Verify
whether existing passwords comply with the password policy.
This can be found via the Passwords Role - Password Policies Task -
Select Policy - Universal Password Tab - Configuration Options -
Authentication section.
3. Have the user log in via an NMAS-aware client such as the
NetWare client.
The password expiration interval will be updated to reflect
the new password interval settings.
Additional Information
NOTE:
1. The user's interval will only be updated if it is
larger than the policy's interval.
2. If the user logs in via a non-NMAS client such as an LDAP
client, this interval will need to be manually changed by a method
such as an LDIF modification.
3. If eDirectory 8.8 is installed as well on the NMAS server,
then LDAP can be forced to authenticate over NMAS and this
value will not need to be manually changed for these clients.
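The following audit sketch is an added example, not Novell code. It applies the calculation from the Resolution steps and the rule in note 1 to exported user records, listing accounts whose stored expiration time is still later than the current policy allows. The record field names (dn, pw_modified, expiration) and all sample values are constructed assumptions; timestamps are assumed to be in LDAP generalized time (UTC).

```python
from datetime import datetime, timedelta, timezone

LDAP_TIME = "%Y%m%d%H%M%SZ"  # LDAP generalized time, UTC (assumed export format)

def parse(ts):
    return datetime.strptime(ts, LDAP_TIME).replace(tzinfo=timezone.utc)

def expected_expiration(pw_modified, policy_days):
    """Steps 1-3: policy days added to the UP attribute's modification time."""
    return pw_modified + timedelta(days=policy_days)

def audit(users, policy_days, now):
    """Return a finding for each user whose stored expiration exceeds the policy."""
    findings = []
    for u in users:
        stored = parse(u["expiration"])
        expected = expected_expiration(parse(u["pw_modified"]), policy_days)
        # Note 1: a user's interval is only updated when it is larger than
        # the policy's, so only these accounts are stale.
        if stored > expected:
            findings.append({
                "dn": u["dn"],
                "days_left_stored": (stored - now).days,
                "days_left_policy": (expected - now).days,
                # Step 4: compare against the server's time.
                "expired_under_policy": expected <= now,
            })
    return findings

# Constructed sample records (hypothetical users, not from the original page).
NOW = parse("20240601000000Z")
USERS = [
    # Password set 60 days ago while the policy was 365 days.
    {"dn": "cn=alice,o=example", "pw_modified": "20240402000000Z",
     "expiration": "20250402000000Z"},
    # Password set 121 days ago: already past 90 days, yet stored as valid.
    {"dn": "cn=bob,o=example", "pw_modified": "20240201000000Z",
     "expiration": "20250131000000Z"},
    # Password set after the policy changed to 90 days: consistent.
    {"dn": "cn=carol,o=example", "pw_modified": "20240522000000Z",
     "expiration": "20240820000000Z"},
]

if __name__ == "__main__":
    for f in audit(USERS, policy_days=90, now=NOW):
        print(f)
```

Accounts reported with expired_under_policy set to true are the ones to prioritize, since they remain usable past the new interval until the user logs in through an NMAS-aware client or the value is changed manually.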