Environment
Novell eDirectory 8.7.3 for All Platforms
Novell iChain 2.3
Situation
Even though the user's password has expired, he is not
redirected to iChain's password update screen.
Users' accounts are getting locked, as they can no longer
update their password.
The eDirectory server does not have a real copy of the
user.
Resolution
There is a work-around. Add all the replicas to the current
server, or configure iChain to use a server that already has a real
copy of every one.
Status
Reported to Engineering
Additional Information
The root cause is an issue with the LDAP server. When
the server does have a real copy of the user, LDAP returns the NDS
error code indicating that the password has expired. Here's
an example from a trace log.
13:34:44 49249BB0 LDAP: (137.65.212.64:4358)(0x0001:0x60) Sending operation
result 0:"":"NDS error: password expired (-223)" to connection 0x819d098
When the server doesn't have a real copy of the user, LDAP doesn't return the NDS error code. Here's an example from a trace log.
13:22:44 51421BB0 LDAP: (137.65.212.64:23528)(0x0001:0x60) Sending operation
result 0:"":"" to connection 0x81cb820
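To check which behaviour a given LDAP server shows, the trace records above can be parsed and compared. The following Python script is an added example, not part of the original Novell document; it assumes the trace format is exactly as in the two excerpts on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the two trace excerpts quoted on this page,
# with each record wrapped over two lines as shown there.
SAMPLE_TRACE = '''\
13:34:44 49249BB0 LDAP: (137.65.212.64:4358)(0x0001:0x60) Sending operation
result 0:"":"NDS error: password expired (-223)" to connection 0x819d098
13:22:44 51421BB0 LDAP: (137.65.212.64:23528)(0x0001:0x60) Sending operation
result 0:"":"" to connection 0x81cb820
'''

# Field layout is an assumption inferred from the excerpts above.
RECORD = re.compile(
    r'(?P<time>\d\d:\d\d:\d\d) (?P<thread>[0-9A-Fa-f]+) LDAP: '
    r'\((?P<client>[\d.]+:\d+)\)\(0x[0-9A-Fa-f]+:0x[0-9A-Fa-f]+\)\s+'
    r'Sending operation\s+result (?P<result>\d+):"(?P<dn>[^"]*)":"(?P<msg>[^"]*)"'
    r'\s+to connection (?P<conn>0x[0-9A-Fa-f]+)')
NDS_ERROR = re.compile(r'NDS error: (?P<text>.+?) \((?P<code>-\d+)\)')


def parse_results(trace):
    """Return one dict per 'Sending operation result' record in the trace."""
    # Rejoin wrapped records: a newline not followed by a timestamp is a wrap.
    joined = re.sub(r'\n(?!\d\d:\d\d:\d\d )', ' ', trace.strip())
    records = []
    for line in joined.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # not an operation-result line
        rec = m.groupdict()
        rec['result'] = int(rec['result'])
        nds = NDS_ERROR.search(rec['msg'])
        rec['nds_code'] = int(nds['code']) if nds else None
        records.append(rec)
    return records


def results_without_diagnostic(trace):
    """Result 0 with an empty message. For an account known to be expired,
    this is the symptom described above: the server did not report -223."""
    return [r for r in parse_results(trace)
            if r['result'] == 0 and r['nds_code'] is None]


if __name__ == '__main__':
    for r in parse_results(SAMPLE_TRACE):
        print(r['time'], r['client'], r['conn'], 'NDS code:', r['nds_code'])
```

A result 0 with an empty message is also what a normal bind for a non-expired account produces, so the second function is only meaningful when run against binds for an account whose password is known to have expired.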