Users get error -1665 attempting to change their Universal Password.

  • 3364214
  • 24-Jan-2007
  • 16-Mar-2012


Universal Password Enabled
Novell Modular Authentication Service version 2.3


Installed and enabled Universal Password
Users get error -1665 attempting to change their Universal Password.


Fixed in NMAS version - apply the most current version of NMAS in order to obtain this and the latest fixes for NMAS.

Additional Information

Universal Password includes several new attributes that are ultimately encrypted using the SDI tree key. If the Security Domain is not functioning properly, these attributes will not be correctly generated, and then it will be impossible for the user to change their password.

In one case, there were two eDirectory trees linked via DirXML. All users were synchronized bidirectionally between the two trees. Users are required to change their passwords in the "Workforce" tree, and those changes would sync to the other tree. The Tree keys weren't present on all servers in the "Workforce" tree, and the others only had 56-bit keys. Universal password needs the 168-bit keys for proper operation.

See Using SDIDiag to gather specific SDKey information from serversfor instructions on how to tell if your Security Domain Infrastructure is properly synchronized and operating. Note particularly in the process.txt output that every server has the same key, and that it is a 168 bit key. If you need to generate new keys for your tree, see Using SDIDiag - Switches and Options, and look particularly at the SD command with the -G option.

Often, even once the Tree keys have been properly generated or synchronized, users will continue to experience the same error, because their existing universal password data was corrupted by using the previously bad tree key. In this case, if it is not too much trouble, you can just delete and re-create the affected user objects. In the above case, there were user objects present in two trees, and only one tree had bad tree keys, so you could delete the user object from that tree and allow it to resynchronize from the other tree.

If the universal password is enabled and unique passwords are required and the universal password is older than the NDS password then a password set/change will fail with the NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND (-1665) error. This should not happen.
So, the password policy agent (ppa.c) needs to be changed to not return an error from the password history check if the attempt to read the current password returns NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND (-1665).

Formerly known as TID# 10093969