Universal Password policy compliance not being enforced when using LDAP

  • 3442146
  • 23-Dec-2007
  • 26-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 8
Suse Linux Enterprise Server 9 (SLES9)
Suse Linux Enterprise Server 10 (SLES10)
Open Enterprise Server 2
eDirectory 8.8 SP2
Security Services 205 (ss205)
NMAS 3.2.0.0
NDSD_TRY_NMASLOGIN_FIRST=true variable set in ndsd script
Using LDAP client to login to eDirectory
Universal Password enabled


Situation

Problem:
Universal Password policy compliance not being enforced when using LDAP.

Symptom:
The password expiration time is not set to the current time when a user logs in through LDAP with a password that does not comply with the password policy (with "Verify whether existing passwords comply with the password policy" enabled). Setting it is what forces a change to a password that complies with the password policy associated with that user.

Resolution

This has been resolved in NMAS version 3.2.0.1, which has been released as a post-ss205 patch and is included in recent patches of eDirectory 8.8.5.

Additional Information

To ensure that Universal Password policy compliance is enforced during LDAP logins, the following steps need to be followed:

1. Use NMAS version 3.2.0.1 or later. If eDirectory is version 8.7.3.x, the latest NMAS can be obtained from https://download.novell.com/patch/finder/ by choosing "Security Services" in the Product drop-down box and then the latest version available. If eDirectory is version 8.8.x, patch to 8.8.5 or 8.8.6 to obtain the latest NMAS patches.

NOTICE: 8.8.4 is deliberately not mentioned here. If the box is OES Linux, the latest patch is included in the update channel, so apply all patches from the channel when on OES Linux. Also, if eDirectory is already at 8.8.5, it is recommended to update to the latest eDirectory patch for 8.8.5: go to https://download.novell.com/patch/finder/, choose eDirectory in the Product drop-down box and 8.8.5 in the version box, then select the latest released patch for 8.8.5.

2. Ensure that the following lines are run in the /opt/novell/eDirectory/bin/pre_ndsd_start script (formerly /etc/init.d/pre_ndsd_start):

NDSD_TRY_NMASLOGIN_FIRST=true
export NDSD_TRY_NMASLOGIN_FIRST

3. The password policy needs to have the following settings active:
  1. An expiration setting, i.e. the number of days before the password expires.
  2. "Verify whether existing passwords comply with the password policy" must be enabled.
  3. A set number of grace logins. Without a set number of grace logins, the user can continue to log in even after the password has expired.
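As an added check, not part of this TID, the following POSIX shell script confirms that the prerequisite from step 2 is actually in effect: that pre_ndsd_start both assigns and exports NDSD_TRY_NMASLOGIN_FIRST=true, that the running ndsd process inherited it (read from /proc, so an edited script without a restart of ndsd is caught), and that the setting was not placed in the package-owned /etc/init.d/ndsd, where the next patch would overwrite it. The script is my own; it assumes Linux (SLES/OES) with pidof and /proc available, and the path and function names are assumptions, not Novell's.

```shell
#!/bin/sh
# Added verification helper, not part of the original TID. Confirms that the
# NDSD_TRY_NMASLOGIN_FIRST=true setting from step 2 lives in the right script
# and that the running ndsd process actually inherited it.

VAR=NDSD_TRY_NMASLOGIN_FIRST
PRE_START=/opt/novell/eDirectory/bin/pre_ndsd_start   # legacy location: /etc/init.d/pre_ndsd_start
PKG_SCRIPT=/etc/init.d/ndsd                           # package-owned; edits here are lost on patching

# 0 = script assigns $VAR=true and exports it; 1 = incomplete; 2 = unreadable.
# Commented-out lines do not count.
check_pre_ndsd_start() {
    f="$1"
    [ -r "$f" ] || return 2
    grep -Eq "^[[:space:]]*(export[[:space:]]+)?$VAR=true([[:space:]]|\$)" "$f" || return 1
    grep -Eq "^[[:space:]]*export[[:space:]]+$VAR(=true)?([[:space:]]|\$)" "$f" || return 1
    return 0
}

# 0 = the variable is assigned in the package-owned init script (the wrong place).
set_in_package_script() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*(export[[:space:]]+)?$VAR=" "$1"
}

# 0 = running ndsd has $VAR=true in its environment (read via Linux /proc);
# 1 = running without it; 2 = ndsd is not running.
check_running_ndsd() {
    pid=$(pidof ndsd 2>/dev/null | awk '{print $1}')
    [ -n "$pid" ] || return 2
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null | grep -qx "$VAR=true"
}

report() {
    if check_pre_ndsd_start "$PRE_START"; then
        echo "OK: $PRE_START sets and exports $VAR=true"
    else
        echo "FIX: add '$VAR=true' and 'export $VAR' to $PRE_START"
    fi
    if set_in_package_script "$PKG_SCRIPT"; then
        echo "WARN: $VAR is set in $PKG_SCRIPT; move it to $PRE_START (patches overwrite this file)"
    fi
    case "$(check_running_ndsd; echo $?)" in
        0) echo "OK: running ndsd inherited $VAR=true" ;;
        1) echo "FIX: ndsd runs without $VAR=true; restart ndsd after editing $PRE_START" ;;
        *) echo "INFO: ndsd is not running; start it and re-run this check" ;;
    esac
}

report
```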

Change Log

2011-03-07 AB: Correct grammar, formatting, and multiple errors in where the fix can be applied (stated adding environment variables to /etc/init.d/ndsd which is NEVER correct as that file is owned by a package and will be replaced with subsequent patches, losing the desired changes).