Error 'The Old Password entered was invalid' when changing passwords

  • 3604162
  • 08-Dec-2006
  • 26-Apr-2012

Environment

Novell Identity Manager Password Synchronization
Novell Identity Manager Identity Manager 3.0
Novell Identity Manager Driver- Active Directory Driver
Novell Identity Manager Driver- NT Domain Driver
Nsure Identity Manager 2.0
Novell NT Domain Driver
DirXML Password Synchronization
Novell Client 4.9 SP2 for Windows NT/2000/XP

Situation

A user changes both the NT Domain and eDirectory passwords using the Novell Client. Upon logging into NT, the user gets the error "The Old Password entered was invalid".

When changing both the NT Domain and eDirectory password at the same time using the Novell Client version 4.90 SP2 or later on an NT or Active Directory workstation, a dialog appears stating that the NT Domain password was not synchronized because the old password was invalid. However, the password was changed on the NT Domain. Upon rebooting the workstation, the user can log in without any errors.

Resolution

There are several solutions to resolve this problem:

Solution #1

Since passwords are synchronized between eDirectory and the NT Domain via password sync, don't select both providers in the client password change dialog. Choose to change either the eDirectory password or the NT Domain password, not both.

Solution #2 (only for IDM 2)

Create a policy on the Subscriber's Event Transformation (SET) that delays synchronization of passwords so that the NT Domain password is updated before password sync synchronizes the password from eDirectory to the NT Domain. The following is the XML representation of the policy:

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Delay when modification of nspmDistributionPassword</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string><token-text xml:space="preserve">Waiting 2 seconds....</token-text></arg-string>
      </do-trace-message>
      <do-set-local-variable name="DUMMY_VARIABLE">
        <arg-string>
          <token-xpath expression="javaThread:sleep(2000)"/>
        </arg-string>
      </do-set-local-variable>
      <do-trace-message level="1">
        <arg-string><token-text xml:space="preserve">Done waiting!</token-text></arg-string>
      </do-trace-message>
    </actions>
  </rule>
</policy>

To add this policy to the driver:

  • View the driver's overview
  • Click on the Subscriber's Event Transformation policy
  • Click 'Insert'
  • Enter a value for the 'Enter the name that will be used to for the new policy. ' field
  • Click 'OK'
  • Click 'Edit XML'
  • Click 'Enable XML editing'
  • Copy and paste the policy above into the 'XML Editor' (replacing what is currently there).
  • Click 'OK'
  • Click 'Close' (You may be prompted to restart the driver. If so, restart the driver.)

Solution #3 (for IDM 3 or for the Active Directory Driver) - This solution adds a namespace declaration that is needed if you get errors with Solution #2

Create a style sheet on the Subscriber's Event Transformation (SET) that delays synchronization of passwords so that the NT Domain password is updated before password sync synchronizes the password from eDirectory to the NT Domain. To create the style sheet do the following:

  • View the driver's overview
  • Click on the Subscriber's Event Transformation policy
  • Click 'Insert'
  • Enter a value for the 'Enter the name that will be used to for the new policy. ' field
  • Click on 'XSLT'
  • Click 'OK'
  • Click 'Enable XML editing'
  • Add the following namespace to the namespace declarations:
    xmlns:wait="http://www.novell.com/nxsl/java/java.lang.Thread"
  • Copy and paste the following template element beneath the line that states <!-- add your custom templates here -->:

    <xsl:template match="modify-attr[@attr-name='nspmDistributionPassword']">
      <xsl:copy>
        <xsl:message>Matched a modification of nspmDistributionPassword. Sleeping for 2 seconds...</xsl:message>
        <xsl:variable name="threadSleeper" select="wait:sleep(2000)"/>
        <xsl:message>done sleeping!</xsl:message>
        <xsl:apply-templates select="@*|node()"/>
      </xsl:copy>
    </xsl:template>
  • Click 'OK'
  • Click 'Close' (You may be prompted to restart the driver. If so, restart the driver.)


Additional Information

This dialog appears when the new password is synchronized from eDirectory to NT before the client changes the NT Domain password directly. When the client attempts to change the NT Domain password directly, it validates the previous password first. Since the previous password no longer exists, because it was changed by password sync, the validation fails.
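
The ordering described above, replayed as a small Python model. This is an added example, not Novell code. The class and function names, the sample passwords, and the timings client_at and driver_latency are assumptions chosen for illustration, not measurements of a real driver.

```python
from dataclasses import dataclass, field

@dataclass
class NTDomain:
    password: str
    log: list = field(default_factory=list)

    def sync_set(self, new):
        # Password sync writes the new value; it does not need the old one.
        self.password = new
        self.log.append("sync: password set")

    def client_change(self, old, new):
        # The client's direct change validates the previous password first.
        if old != self.password:
            self.log.append("client: The Old Password entered was invalid")
            return False
        self.password = new
        self.log.append("client: password changed")
        return True

def change_both(policy_delay, client_at=1.0, driver_latency=0.2):
    """Replay one 'change both passwords' operation on a modelled timeline.

    t = 0 is the eDirectory change. client_at and driver_latency are
    assumed timings in seconds. Returns (client_ok, final NT password, log).
    """
    old, new = "old-pw", "new-pw"  # constructed sample values
    nt = NTDomain(old)
    events = [
        (driver_latency + policy_delay, "sync"),  # eDirectory -> NT sync
        (client_at, "client"),                    # client's direct NT change
    ]
    client_ok = None
    for _, who in sorted(events):  # run whichever event lands first
        if who == "sync":
            nt.sync_set(new)
        else:
            client_ok = nt.client_change(old, new)
    return client_ok, nt.password, nt.log

if __name__ == "__main__":
    # No delay, the 2-second delay, and a client slower than the delay.
    for delay, client_at in [(0.0, 1.0), (2.0, 1.0), (2.0, 3.0)]:
        ok, final, log = change_both(delay, client_at)
        print(f"delay={delay}s client_at={client_at}s ok={ok} final={final} {log}")
```

In the first case the client reports the error even though the NT password ends up changed, which matches the Situation section. The third case shows that a fixed delay only helps while the client's direct change completes inside the delay window.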

Formerly known as TID# 10095435