Universal Password's Microsoft complexity policy does not include all of the default characteristics of Microsoft's password policy

  • 7000049
  • 09-Apr-2008
  • 26-Apr-2012

Environment

Novell Modular Authentication Service (NMAS) version 3.1.3
Novell Modular Authentication Service (NMAS) version 3.2.0
Universal Password Policy Plug-in

Situation

The UP Microsoft complexity policy excludes the selected attribute values (such as Given Name and Surname) from the password entirely, regardless of their length, whereas the Microsoft policy in AD only rejects a password that contains the user's account name or a full-name token of three or more characters.

This can cause password synchronization failures when the Microsoft complexity rules are in use.

Resolution

This issue has been resolved in NMAS v3.2.1.0, which is included with Security Services 2.0.6 (ss206).

Additional Information

Selecting "Use Microsoft Complexity Policy" in the Universal Password plug-in changes the advanced password rules to match, as closely as possible, the Microsoft complexity policy shipped with Windows Server 2003. This is described in our documentation at https://www.novell.com/documentation/password_management32/pwm_administration/index.html?page=/documentation/password_management32/pwm_administration/data/ampxjj0.html in section 3.4.2.

The issue that needs to be resolved is that the UP complexity policy excludes the selected attribute values entirely, whereas the Microsoft policy in AD only ensures that the password does not contain the user's account name (when it is three or more characters long) or any part of the user's full name that is three or more characters long. Microsoft describes the check as follows.

If the account name is fewer than three characters long, this check is not performed, because the rate at which passwords would be rejected would be too high. When checking against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound signs, and tabs. For each token that is three or more characters long, that token is searched for in the password; if it is present, the password change is rejected. For example, the name "Erin M. Hagens" would be split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it would be ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case-insensitive.

The details of the Microsoft complexity policy can be found at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx#EMD. The impact is that users with short names such as "Li" or "Al" can successfully set a password containing "Li" or "Al" through the Windows GINA, because AD skips name values shorter than three characters, but the same password then fails to synchronize to eDirectory, because the UP policy has excluded "Li" or "Al" entirely as a Given Name or Surname value.
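The following is an added example, not NMAS or Novell code, that models both sides of the mismatch described above: the Windows Server 2003 complexity rules (minimum length, three of four character categories, and the tokenized name check described in the previous paragraphs) beside the pre-3.2.1 Universal Password behaviour of excluding each selected attribute value as a whole, with no minimum length. The function names, the sample users and passwords are constructed for illustration; the "Li" case shows a password that AD accepts and the old UP policy rejects, which is exactly the sync failure the TID describes.

```python
"""Model of the AD vs. pre-3.2.1 Universal Password name-check mismatch.
Added example; the function names and sample data below are assumptions."""
import re
import string

# Delimiters Microsoft uses to split the full name into tokens:
# comma, period, dash/hyphen, underscore, space, pound sign, tab.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Split a display name into tokens; empty tokens (e.g. from '..') are dropped."""
    return [t for t in _NAME_DELIMITERS.split(full_name) if t]


def ad_name_check(password, account_name, full_name):
    """Microsoft's name-based rules: reject if the password contains the account
    name (only checked when it is 3+ characters) or any full-name token of 3+
    characters. Comparisons are case-insensitive. Returns the violated rules."""
    pw = password.lower()
    reasons = []
    if len(account_name) >= 3 and account_name.lower() in pw:
        reasons.append(f"contains account name {account_name!r}")
    for token in name_tokens(full_name):
        if len(token) >= 3 and token.lower() in pw:
            reasons.append(f"contains name token {token!r}")
    return reasons


def ad_complexity_check(password, account_name, full_name):
    """Windows Server 2003 complexity policy: at least 6 characters, characters
    from 3 of the 4 categories, plus the name-based rules above."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    categories = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        # non-alphabetic symbols such as ! $ # % (digits counted separately)
        any(c not in string.ascii_letters + string.digits for c in password),
    )
    if sum(categories) < 3:
        reasons.append("fewer than 3 of 4 character categories")
    return reasons + ad_name_check(password, account_name, full_name)


def old_up_name_check(password, excluded_values):
    """Pre-3.2.1 Universal Password behaviour described in this TID: every
    selected attribute value (e.g. Given Name, Surname) is excluded as a
    substring entirely, with no minimum length, so 'Li' and 'Al' are excluded."""
    pw = password.lower()
    return [f"contains excluded attribute value {v!r}"
            for v in excluded_values if v and v.lower() in pw]


def compare(password, account_name, given_name, surname):
    """Run one password through both checks; an empty list means accepted.
    A password accepted by AD but rejected by UP is one that the GINA sets
    but that fails to sync to eDirectory."""
    full_name = f"{given_name} {surname}"
    return {
        "ad": ad_complexity_check(password, account_name, full_name),
        "up_pre_3.2.1": old_up_name_check(password, [given_name, surname]),
    }


if __name__ == "__main__":
    # Constructed sample users and passwords, not real accounts.
    samples = [
        ("Li2008!xyz", "li", "Li", "Wang"),            # AD accepts, old UP rejects
        ("xHagens1!", "ehagens", "Erin M.", "Hagens"),  # both reject (token "Hagens")
        ("Tr0ub4dor&3", "ehagens", "Erin M.", "Hagens"),  # both accept
    ]
    for pw, acct, given, sur in samples:
        print(pw, compare(pw, acct, given, sur))
```

Running the block prints, for each sample, the reasons each policy would reject the password; the first sample is the "Li" case, accepted by AD with an empty reason list but rejected by the old UP policy. The fix in NMAS 3.2.1.0 is the equivalent of applying the three-character minimum on the UP side as well.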