NetWare FTP anonymous login failures after update by Support Pack, eDir, NMAS, or Security Services

  • 7003549
  • 15-Jun-2009
  • 26-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 6
Novell NetWare 6.5 Support Pack 7
Novell NetWare 6.5 Support Pack 8

Situation

After updating a NetWare 6.5 Server with an eDirectory update (such as 8.8.x), a Support Pack, or an NMAS or Security Services update, the anonymous user can no longer log in through NetWare FTP.

Resolution

This is typically because Universal Password Policies are in use.  In NetWare 6.5 SP5 and below, the libraries FTP used for logging users in relied on older legacy methods to authenticate to eDirectory.  In newer updates, those underlying libraries can send the logins through NMAS.  Therefore, new behaviors and restrictions can apply, such as Universal Passwords and their Policies.
 
Usage of Universal Passwords or their Policies appears to cause problems for the FTP anonymous user, which is a normal eDirectory user object, except that it has no password assigned.  The lack of a password may conflict with some aspects of Universal Passwords or their policies.
 
The recommended sequence to make sure anonymous user objects are protected from these policies is as follows.
 
1.  Identify the context which holds the anonymous user for the particular FTP server in question.  FTP chooses its context for the anonymous user in the following manner:
   A.  If sys:/etc/ftpserv.cfg has DEFAULT_FTP_CONTEXT specified, that context will be used.
   B.  If 'A' is not set, then if the NetWare server has bindery context(s) set, the first bindery context will be used.  Use the console command "CONFIG" (not "LOAD CONFIG") to see the bindery context in effect.
   C.  If 'A' and 'B' are not set, then the context of the regular Server Object will be used.
 
2.  Disassociate (unassign) the Universal Password Policy in effect for the container identified in step #1.
 
3.  Delete the anonymous user from the container specified in step #1.
 
4.  Unload NWFTPD.
 
5.  Load NWFTPD -A
Follow the prompts to log in as the admin.  This will create a new anonymous user, set the anonymous home directory, etc.  The new anonymous user should appear in the same context where the previous one was deleted.
 
6.  Create a new Universal Password Policy where "Enable Universal Password" is set to FALSE.  Assign this policy to the anonymous user object created in step #5.
 
7.  Reassign the Universal Password policy to the container, which was unassigned in step #2.  The existence of the newer policy assigned directly to the anonymous user will prevent the container level policy from taking effect on that user.
 
8.  LOAD NWFTPD as you normally would.
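
The context lookup order from step #1 can be checked offline against a copy of ftpserv.cfg. The following is an added example, not Novell code; it assumes the file uses "NAME = value" lines with "#" comments and that multiple bindery contexts are separated by semicolons, and the function names and sample values are constructed for illustration.

```python
import re

# Matches an active DEFAULT_FTP_CONTEXT line ("NAME = value" syntax is an assumption).
_PARAM = re.compile(r"^DEFAULT_FTP_CONTEXT(?:\s*=\s*|\s+)(\S.*)$", re.IGNORECASE)

def ftp_context_from_cfg(cfg_text):
    """Return the active DEFAULT_FTP_CONTEXT value, or None if absent or commented out."""
    found = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumed '#' syntax)
        m = _PARAM.match(line)
        if m:
            found.append(m.group(1).strip())
    if len(set(v.lower() for v in found)) > 1:
        # Do not guess which line the server honours; make the admin fix the file.
        raise ValueError("conflicting DEFAULT_FTP_CONTEXT lines: %r" % found)
    return found[0] if found else None

def resolve_anonymous_context(cfg_text, bindery_context, server_context):
    """Apply rules A, B, C from step #1; returns (context, rule that matched)."""
    ctx = ftp_context_from_cfg(cfg_text)
    if ctx:
        return ctx, "A: DEFAULT_FTP_CONTEXT"
    parts = [c.strip() for c in (bindery_context or "").split(";")]
    first = next((c for c in parts if c), None)
    if first:
        return first, "B: first bindery context"
    return server_context, "C: context of the Server object"

# Constructed sample: the parameter is present but commented out, so rule A
# must NOT match and the lookup falls through to the bindery context.
SAMPLE_CFG = """\
# constructed sample, not taken from a real server
#DEFAULT_FTP_CONTEXT = ou=old.o=example
"""

if __name__ == "__main__":
    ctx, rule = resolve_anonymous_context(
        SAMPLE_CFG,
        "ou=users.o=example;ou=staff.o=example",  # as shown by CONFIG (constructed)
        "ou=servers.o=example",                   # Server object context (constructed)
    )
    print("anonymous user container:", ctx, "(rule %s)" % rule)
```

The container it reports is the one whose Universal Password Policy assignment is handled in steps #2 and #7.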

Additional Information

For other FTP login issues that can come up once a NetWare FTP server receives these NMAS related updates, go to https://support.novell.com/search/kb_index.htm and search for KB 3845330.