Grace logins are displayed incorrectly on BorderManager popup

  • 7002294
  • 06-Jan-2009
  • 26-Apr-2012

Environment

Novell BorderManager 3.9 Support Pack 1

Situation

When a user authenticates over SSL to access the Internet through BorderManager and has only grace logins left, the following message is displayed (provided GraceLoginNotification is set to 1 in proxy.cfg):

Grace Login Warning:
    Your Password has expired.
    You are in grace logins.
    The number of grace logins left for you are
***** '2' *****
grace logins remaining. Please Contact Your Administrator to Change the Password.

Before logging in, the user had 6 grace logins; after this message is displayed, 4 remain.

Resolution

This is working as designed.

When BorderManager authenticates the user, it decrements the grace login count twice. The popup displays half of the remaining grace logins, so the number is correct as long as the user keeps logging in the same way: the user will be able to log in only twice more.
When the user reaches the last grace login, a password change is forced, but only if the following lines are present in the proxy.cfg file:

[Extra Configuration]
GraceLoginNotification=1
PwdChangeURL="http://10.1.1.10/pwdchange.html"
GraceLoginText="some text here"

PwdChangeURL must be set to a URL where users can change their password. The URL is a redirect link to the software used for changing passwords in eDirectory. BorderManager lacks the capability to change the password in eDirectory. For example, the software can be Novell IDM or any similar third-party software.

GraceLoginText can contain any customized message that helps users understand that they should change their password. This text can also explain to users that the number shown is half of the actual grace logins left if they log in to the network in other ways.
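
The following Python script is an added example, not part of the original article or of BorderManager. It checks that a proxy.cfg contains the three [Extra Configuration] lines listed above and computes the number the popup shows. The `;` comment marker, exact-case key matching, the function names and the second sample file are assumptions.

```python
import re

REQUIRED = ("GraceLoginNotification", "PwdChangeURL", "GraceLoginText")

# The article's own lines, and a constructed file that is missing the redirect URL.
PAGE_CFG = '''[Extra Configuration]
GraceLoginNotification=1
PwdChangeURL="http://10.1.1.10/pwdchange.html"
GraceLoginText="some text here"
'''
BROKEN_CFG = '''[Extra Configuration]
GraceLoginNotification=0
GraceLoginText="Change your password"
'''

def extra_configuration(cfg_text):
    """Return the key/value pairs of the [Extra Configuration] section."""
    values, in_section = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' starts a comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "extra configuration"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip().strip('"')
    return values

def audit(cfg_text):
    """List the reasons the forced password change would not take effect."""
    cfg = extra_configuration(cfg_text)
    findings = [f"{key} is missing or empty" for key in REQUIRED if not cfg.get(key)]
    if cfg.get("GraceLoginNotification") not in (None, "", "1"):
        findings.append("GraceLoginNotification is not 1")
    url = cfg.get("PwdChangeURL", "")
    if url and not re.match(r"https?://[^/\s]+", url):
        findings.append("PwdChangeURL is not an http(s) URL")
    return findings

def displayed_grace_logins(remaining_after_login):
    """Popup value: half of the count left in eDirectory, since each BorderManager
    authentication uses two grace logins (rounding an odd count down is an assumption)."""
    return remaining_after_login // 2

if __name__ == "__main__":
    for name, text in (("page", PAGE_CFG), ("broken", BROKEN_CFG)):
        print(name, audit(text) or "forced password change is configured")
    print("6 before login, 4 after, popup shows", displayed_grace_logins(4))
```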