Changing a user's password through LDAP sporadically sets the expiration date to 1/1/1992

  • 7006737
  • 24-Oct-2013
  • 24-Oct-2013

Environment
NetIQ eDirectory 8.8.x

Situation

Customer has a custom-built web tool that users access to change their passwords. This tool makes LDAP calls into eDirectory that manipulate password policy assignments and change the user's password based upon options the user selects.

Sporadically, some users' passwords are expired as soon as they set them. The password expiration time for these users is 1/1/1992.

Resolution

Make sure that your LDAP servers are using NMAS for all LDAP operations. This can be done by setting the following environment variable. (It is a good idea to do this on all servers in the tree, but it is a must for all the LDAP servers.)

Linux - Set in the pre_ndsd_start script (/opt/novell/eDirectory/sbin).

NDSD_TRY_NMASLOGIN_FIRST=true
export NDSD_TRY_NMASLOGIN_FIRST
NetWare - Set in the c:\nwserver\startup.ncf file.

env NDSD_TRY_NMASLOGIN_FIRST=true

Windows - Right-click on "My Computer" on the desktop and select Properties. In the Advanced tab, click Environment Variables. Under System Variables, add the variable and set its value to true.

Then restart eDirectory or the server for the variable to take effect.

Additional Information

How to determine if the NDSD_TRY_NMASLOGIN_FIRST=true variable is set and exported on Linux.

1. Get the PID of ndsd:
   pgrep ndsd   (returns a process ID)
2. Change to the directory for that PID under /proc:
   cd /proc/PID
3. Use strings and grep to look in the environ file in that directory and see whether the NDSD_TRY_NMASLOGIN_FIRST variable is set and exported:
   strings environ | grep NDSD

If the variable is set and exported, the command echoes back its value:
NDSD_TRY_NMASLOGIN_FIRST=true
If nothing is returned, the variable is not set.
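The check in steps 1 to 3, scripted as an added example that is not part of this TID: it reads /proc/PID/environ for every ndsd process (the file is NUL-separated, so it is converted with tr rather than grepped raw) and distinguishes "not set" from "set to a value other than true", which the bare grep above does not. The function names and the file name are my own.

```shell
#!/bin/sh
# Added example (not from the TID). Verifies that the running ndsd process
# actually has NDSD_TRY_NMASLOGIN_FIRST=true in its exported environment,
# i.e. that the setting in pre_ndsd_start made it into the daemon.

# check_environ_file FILE
# FILE is in /proc/<pid>/environ format (NUL-separated VAR=value entries).
# Returns 0 when NDSD_TRY_NMASLOGIN_FIRST=true is present,
# 1 when the variable is absent or carries any other value.
check_environ_file() {
    # Turn NUL separators into newlines, then print only the value part of
    # the one variable we care about (anchored, so e.g. XNDSD_... cannot match).
    value=$(tr '\0' '\n' < "$1" | sed -n 's/^NDSD_TRY_NMASLOGIN_FIRST=//p' | head -n 1)
    case "$value" in
        true) echo "NDSD_TRY_NMASLOGIN_FIRST=true (set and exported)"; return 0 ;;
        "")   echo "NDSD_TRY_NMASLOGIN_FIRST is not set in this process's environment"; return 1 ;;
        *)    echo "NDSD_TRY_NMASLOGIN_FIRST=$value (set, but not 'true')"; return 1 ;;
    esac
}

# check_ndsd
# Finds every ndsd process and checks each one's environment.
# Returns 0 if all have the variable set to true, 1 if any does not,
# 2 if ndsd is not running at all.
check_ndsd() {
    pids=$(pgrep -x ndsd) || { echo "ndsd is not running"; return 2; }
    rc=0
    for pid in $pids; do
        printf 'ndsd PID %s: ' "$pid"
        check_environ_file "/proc/$pid/environ" || rc=1
    done
    return $rc
}

# Run the live check only when invoked as:  sh check_nmas_env.sh ndsd
# Otherwise just define the functions so the file can be sourced.
if [ "${1:-}" = "ndsd" ]; then
    check_ndsd
fi
```

Reading /proc/PID/environ requires the same user as ndsd or root, so run it with the privileges you would use for the strings command above.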