ERROR: The password does not meet the password policy requirements

  • 7004481
  • 22-Sep-2009
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2.0 SP1 (Linux Based)
Novell Open Enterprise Server 2.0 SP2 (Linux Based)
Novell Domain Services for Windows 1.x
Novell eDirectory 8.8.5
Novell iManager 2.7.3

Situation

Attempts to join a workstation to a DSfW domain are unsuccessful and return the following error message:

ERROR: The following error occurred attempting to join the domain <DOMAIN NAME>
The password does not meet the password policy requirements.
Check the minimum password lengths, password complexity and password history requirements.

Resolution

The underlying cause of this problem is that the Universal Password Policy plugin in iManager 2.7 automatically modifies some attributes on the Default Password Policy object, even though no changes are committed from the iManager user interface. In other words, simply opening the Default Password Policy with the iManager Passwords plugin, selecting the Universal Password tab and pressing OK is enough to trigger the problem. The attributes added to the Default Password Policy object prevent workstations from being added to the domain.

To verify which password policy is assigned to the Computers container, run the following ldapsearch, replacing the context o=novell with your own context:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Y EXTERNAL -b cn=computers,o=novell -s base nspmPasswordpolicyDN

You should see results similar to this:
# Computers, novell
dn: cn=Computers,o=novell
nspmPasswordpolicyDN: cn=Default Password Policy,cn=Password Policies,cn=Syste
 m,o=novell

This problem has been reported to Engineering. As a workaround, delete the attributes using iManager.

1. Log in to iManager.
2. Go to Directory Administration.
3. Select the object: Default Password Policy.Password Policies.System.<DOMAIN ROOT CONTAINER>
4. Go to the General tab, then to Other.
5. Select the attributes listed below and click Delete.

- nsimPwdRuleEnforcement
- nspmLowerAsLastCharacter
- nspmLowerAsFirstCharacter
- nspmExtendedCharactersAllowed
- nspmCaseSensitive
- nspmSpecialCharactersAllowed
- nspmNumericCharactersAllowed
- passwordUniqueRequired

Starting in OES2 SP3 the three DSfW default password policies will have these attributes populated with the correct values, so that viewing one of the password policies and clicking OK or Apply will no longer change it. Below is a script that can be run to make these changes in an OES2 SP1 or SP2 environment. Name the script updated_pwd_policy.PL, make sure it is executable (chmod 755 updated_pwd_policy.PL), then run it (./updated_pwd_policy.PL).

Before running the script, obtain a Kerberos ticket for the administrator with kinit.
Example: kinit administrator@novell.com

Otherwise the script fails with an expired-ticket error like the following:

Finding the password policies, Executing: SASL_PATH=/opt/novell/xad/lib64/sasl2/ /usr/bin/ldapsearch -Y GSSAPI -b 'cn=Password Policies,cn=System,DC=novell,DC=dsfw' -s one  -LLL "(objectclass=nspmPasswordPolicy)" dn  | sed " /^ / {; H; d; }; /^ /! {; x; s/\n //g; }; "
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)



#!/usr/bin/perl -I. -I.. -I/opt/novell/xad/lib64/perl -I/opt/novell/xad/lib/perl
#########################################################################
#
#  (C) Copyright 2010 Novell, Inc.
#   All Rights Reserved.
#
#   This program is an unpublished copyrighted work which is proprietary
#   to Novell, Inc. and contains confidential information that is not
#   to be reproduced or disclosed to any other person or entity without
#   prior written consent from Novell, Inc. in each and every instance.
#
#   WARNING:  Unauthorized reproduction of this program as well as
#   unauthorized preparation of derivative works based upon the
#   program or distribution of copies by sale, rental, lease or
#   lending are violations of federal copyright laws and state trade
#   secret laws, punishable by civil and criminal penalties.
#
#########################################################################

use strict;
use warnings;
use File::Temp qw(tempfile);

$ENV{'PATH'} = "/opt/novell/xad/share/dcinit:$ENV{'PATH'}";
use XAD::registry;

# Make sure one attribute on a policy object holds the wanted value.
# A missing attribute is added; an existing value is only replaced
# when $force is "TRUE".
sub update_attribute {
    my $dn = shift;
    my $attribute = shift;
    my $value = shift;
    my $force = shift;

    my $ldapsearch = "/usr/bin/ldapsearch";
    my $lib = `/opt/novell/xad/share/dcinit/printConfigKey.pl "_Lib"`;

    chomp ($lib);
    my $command = 'SASL_PATH=/opt/novell/xad/' . $lib . '/sasl2/ ' . $ldapsearch . ' -Y GSSAPI -b \'' . $dn . '\' -s base ' . ' -LLL ' . $attribute;

    # The GSSAPI banner (stderr, 2) is sent to /dev/null and the entry (stdout, 1)
    # is grepped, so $? is 0 only when the attribute is present on the object.
    `$command 2>/dev/null | grep -q '$attribute'`;
    my $rc = $?;

    if ($rc != 0 or $force eq "TRUE") {
        print "\t Updating the value of the attribute $attribute to $value\n";

        my $ldapmodify = registry::getReg("LDAPMODIFY");
        # tempfile() creates the LDIF file atomically with mode 0600. The original
        # mktemp()+open sequence only predicted a name, which left a window in
        # which another local user could pre-create that path in /tmp.
        my ($fh, $tmpfile) = tempfile("tmp.XXXXXXXXXX", DIR => "/tmp");

        print $fh "dn: $dn\n";
        print $fh "changetype: modify\n";

        if ($rc == 0) {
            print $fh "replace: $attribute\n";
        }
        else {
            print $fh "add: $attribute\n";
        }

        print $fh "$attribute: $value\n";
        close ($fh);

        `SASL_PATH=/opt/novell/xad/$lib/sasl2 $ldapmodify -Y GSSAPI -f $tmpfile 2>/dev/null 1>&2`;
        if ($?) {
            # The LDIF file is left in place so the failed change can be inspected.
            print "Failed to update the attribute $attribute to the value $value in the object $dn\n";
        }
        else {
            unlink ($tmpfile);
        }
    }
}

# Apply the full set of default attribute values to one password policy.
sub update_password_policy {
    my $policydn = shift;
    my $force = shift;
    my %listofattrs = ( nspmLowerAsLastCharacter => 'TRUE', nspmLowerAsFirstCharacter => 'TRUE',
                nspmExtendedCharactersAllowed => 'TRUE', nspmCaseSensitive => 'FALSE',
                nspmSpecialAsLastCharacter => 'TRUE', nspmSpecialAsFirstCharacter => 'TRUE',
                nspmNumericAsLastCharacter => 'TRUE', nspmNumericAsFirstCharacter => 'TRUE',
                passwordUniqueRequired => 'FALSE', nspmSpecialCharactersAllowed => 'TRUE',
                nspmNumericCharactersAllowed => 'TRUE' );

    print "Updating the policy $policydn\n";
    while( my ($key, $value) = each (%listofattrs)) {
        update_attribute ($policydn, $key, $value, $force);
    }
}

# Enumerate every nspmPasswordPolicy under cn=Password Policies,cn=System and
# update each one. The sed expression joins LDIF continuation lines (a line
# starting with a space) back onto the line they belong to.
sub update_password_policies {
    my $dn = registry::getReg("Domain NC");
    my $ldapsearch = "/usr/bin/ldapsearch";
    my $lib = `/opt/novell/xad/share/dcinit/printConfigKey.pl "_Lib"`;
    my $ldap_base = "cn=Password Policies,cn=System,$dn";
    my $ldap_filter = ' | sed " /^ / {; H; d; }; /^ /! {; x; s/\n //g; }; "';

    chomp ($lib);
    my $command = 'SASL_PATH=/opt/novell/xad/' . $lib . '/sasl2/ ' . $ldapsearch . ' -Y GSSAPI -b \'' . $ldap_base . '\' -s one ' . ' -LLL "(objectclass=nspmPasswordPolicy)" dn '. $ldap_filter;

    print "Finding the password policies, Executing: $command\n";

    my @list = `$command | grep 'dn:' | awk -F 'dn: ' '{print \$2}'`;

    foreach my $policy (@list) {
        chomp ($policy);
        if ($policy =~ /^cn=Builtin Domain Password Policy,/ or $policy =~ /^cn=Default Password Policy,/) {
            update_password_policy ($policy, "TRUE"); # Force all default attribute values
        }
        else {
            update_password_policy ($policy, "FALSE"); # Do not replace an attribute that already exists
        }
    }
}

update_password_policies ();
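The following Python script is an added example and is not part of this TID or Novell's code. It reproduces, offline and against captured ldapsearch output, the three pieces of logic the TID relies on: unfolding LDIF continuation lines (what the verification output above shows and what the script's sed expression undoes), checking a policy object for the attributes listed in the workaround and producing the ldapmodify input that would delete them, and the add-versus-replace decision made by update_attribute() in updated_pwd_policy.PL. The two LDIF samples embedded in it are constructed; the attribute values they carry are placeholders, not what the iManager plugin actually writes.

```python
"""Offline checks for the DSfW password-policy problem in this TID (added example, not
Novell's code). It works on LDIF text captured from ldapsearch, so it runs without a
directory; the sample entries below are constructed placeholders."""

# Attributes the TID says to delete from the Default Password Policy (workaround).
WORKAROUND_ATTRS = [
    "nsimPwdRuleEnforcement", "nspmLowerAsLastCharacter", "nspmLowerAsFirstCharacter",
    "nspmExtendedCharactersAllowed", "nspmCaseSensitive", "nspmSpecialCharactersAllowed",
    "nspmNumericCharactersAllowed", "passwordUniqueRequired",
]
# Values that updated_pwd_policy.PL writes (its %listofattrs table).
SCRIPT_VALUES = {
    "nspmLowerAsLastCharacter": "TRUE", "nspmLowerAsFirstCharacter": "TRUE",
    "nspmExtendedCharactersAllowed": "TRUE", "nspmCaseSensitive": "FALSE",
    "nspmSpecialAsLastCharacter": "TRUE", "nspmSpecialAsFirstCharacter": "TRUE",
    "nspmNumericAsLastCharacter": "TRUE", "nspmNumericAsFirstCharacter": "TRUE",
    "passwordUniqueRequired": "FALSE", "nspmSpecialCharactersAllowed": "TRUE",
    "nspmNumericCharactersAllowed": "TRUE",
}
# Constructed verification-search output; the policy DN is wrapped onto a
# continuation line the way ldapsearch prints long values.
COMPUTERS_LDIF = (
    "# Computers, novell\n"
    "dn: cn=Computers,o=novell\n"
    "nspmPasswordpolicyDN: cn=Default Password Policy,cn=Password Policies,cn=Syste\n"
    " m,o=novell\n"
)
# Constructed Default Password Policy carrying some of the listed attributes;
# which ones appear, and with what values, is illustrative only.
POLICY_LDIF = (
    "dn: cn=Default Password Policy,cn=Password Policies,cn=System,o=novell\n"
    "objectClass: nspmPasswordPolicy\n"
    "nspmCaseSensitive: TRUE\n"
    "passwordUniqueRequired: TRUE\n"
    "nspmExtendedCharactersAllowed: FALSE\n"
)

def unfold_ldif(text):
    """Parse LDIF (RFC 2849) into a list of {attr_lowercase: [values]} dicts. A line
    starting with one space continues the previous line (what the script's sed undoes),
    '#' lines are comments and a blank line ends an entry. '::' (base64) is not decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def assigned_policy_dn(ldif_text):
    """nspmPasswordpolicyDN of the first entry, e.g. of the Computers container."""
    return unfold_ldif(ldif_text)[0]["nspmpasswordpolicydn"][0]

def problem_attrs(entry):
    """Which of the workaround attributes are present on a policy entry."""
    return [a for a in WORKAROUND_ATTRS if a.lower() in entry]

def delete_ldif(entry):
    """ldapmodify input removing every workaround attribute found (LDIF form of the iManager steps)."""
    present = problem_attrs(entry)
    if not present:
        return ""
    lines = ["dn: " + entry["dn"][0], "changetype: modify"]
    for attr in present:
        lines += ["delete: " + attr, "-"]
    return "\n".join(lines) + "\n"

def plan_modifications(entry, desired=None, force=False):
    """Mirror update_attribute() in the TID script: an absent attribute is added; a present
    one is replaced only when force is set (Builtin Domain and Default policies)."""
    plan = []
    for attr, value in (desired or SCRIPT_VALUES).items():
        if attr.lower() not in entry:
            plan.append(("add", attr, value))
        elif force:
            plan.append(("replace", attr, value))
    return plan

def modify_ldif(dn, plan):
    """Render a plan as one ldapmodify change record."""
    lines = ["dn: " + dn, "changetype: modify"]
    for op, attr, value in plan:
        lines += ["%s: %s" % (op, attr), "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    policy = unfold_ldif(POLICY_LDIF)[0]
    print(assigned_policy_dn(COMPUTERS_LDIF), problem_attrs(policy), delete_ldif(policy), sep="\n")
```

To use it on a live system, redirect the output of the verification ldapsearch (or a base-scope search of the policy object itself) to a file and pass its contents to unfold_ldif(); the text returned by delete_ldif() or modify_ldif() is what the TID script feeds to ldapmodify -Y GSSAPI -f. Unlike the Perl script, which checks presence with one ldapsearch per attribute, this reads the whole object once, so it is also a convenient way to confirm afterwards that the Builtin Domain Password Policy is clean.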

Additional Information

Note that the error is only reported when new workstations attempt to join the domain. Workstation removals and normal authentications with Administrator credentials from already-joined workstations are not affected.

Remove the same attributes from the Builtin Domain Password Policy as well. If they are present when additional domain controllers are added to the domain, that operation will fail.