Intruder Detection settings are not retained with DSfW

  • 7007273
  • 30-Nov-2010
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 SP2 (OES 2SP2)
Novell Open Enterprise Server 2 SP3 (OES 2SP3)
Domain Services for Windows
DSFW

Situation

An existing password policy is used for the DSfW domain.  This can be checked by looking at /etc/opt/novell/xad/xad.ini and verifying "XADRETAINPOLICIES = yes".

An eDirectory password policy is assigned to the domain container.  This can be checked either in iManager, on the Other tab of the domain container's properties, or with ldapsearch filtering on nspmPasswordPolicy.  Ldapsearch example where the domain container is o=novell:

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Y EXTERNAL -b o=novell nspmPasswordPolicy -s base

To reproduce the problem:

1) In iManager, go to the properties of the domain container.
2) Enable "Detect Intruders" on the domain container and set "Incorrect login attempts" to a value of 3.
3) Run gposync.sh from a DSfW server terminal.
4) Look at Detect Intruders on the container and see that the setting has been removed.

Password policies assigned directly to containers within the domain container are not affected.

Resolution

This has been resolved in the OES2SP2 -Jan-2011-Scheduled-Maintenance-7295-1 patch and the OES2SP3 -Jan-2011-Scheduled-Maintenance-7297-1 patch.

If unable to patch, possible workarounds are:

1) Edit /opt/novell/xad/sbin/gposync.sh and change the line

GPOTOOL="/opt/novell/xad/sbin/gpo2nmas -f gpo -g

to

GPOTOOL="/opt/novell/xad/sbin/gpo2nmas -f nmas -g

2) Assign the password policy to the Login Policy object located in the Security container.

3) Instead of using an eDirectory password policy, create a GPO and use the GPO as the password policy.  This requires changing /etc/opt/novell/xad/xad.ini to XADRETAINPOLICIES = no.
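The following POSIX shell script is an added example, not part of this TID and not Novell's code.  It checks, read-only, the three conditions from the Situation section (XADRETAINPOLICIES, the policy assigned to the domain container, and whether gposync.sh still calls gpo2nmas with "-f gpo") and reports whether workaround 1 has already been applied.  It assumes the file paths, the XADRETAINPOLICIES key, the GPOTOOL line and the ldapsearch command exactly as the TID gives them; the function names, the sample inputs in the comments and the script name used below are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the TID or of the DSfW product: a read-only
# pre-flight check for the conditions described in the Situation section.
# The file paths, the XADRETAINPOLICIES key, the GPOTOOL line and the
# ldapsearch command come from the TID; the function names are hypothetical
# helpers written here.

XAD_INI=/etc/opt/novell/xad/xad.ini
GPOSYNC=/opt/novell/xad/sbin/gposync.sh

# Value of XADRETAINPOLICIES in an xad.ini file, lower-cased ("yes"/"no");
# prints nothing if the key is absent.
retain_policies() {
  sed -n 's/^[[:space:]]*XADRETAINPOLICIES[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
    | tr '[:upper:]' '[:lower:]' | head -n 1
}

# The "-f" argument on the GPOTOOL line of gposync.sh: "gpo" is the shipped
# value that drops the Detect Intruders settings, "nmas" is what
# workaround 1 changes it to.
gpotool_mode() {
  sed -n 's/^[[:space:]]*GPOTOOL="[^ ]*gpo2nmas[[:space:]]*-f[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
    | head -n 1
}

# The nspmPasswordPolicy value in ldapsearch output read from stdin, with
# LDIF continuation lines (leading space) re-joined; prints nothing when the
# attribute is not populated.
policy_from_ldif() {
  awk '
    found && /^ / { val = val substr($0, 2); next }
    found         { exit }
    tolower($0) ~ /^nspmpasswordpolicy:/ {
      found = 1; val = $0; sub(/^[^:]*:[ \t]*/, "", val)
    }
    END { if (found) print val }
  '
}

# The TID's own ldapsearch check with the base DN as a parameter; it talks
# to the local directory, so the offline self-test does not call it.
policy_on_container() {
  LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf \
    ldapsearch -Y EXTERNAL -b "$1" nspmPasswordPolicy -s base | policy_from_ldif
}

# True (exit 0) when all three conditions from the Situation section hold:
# policies retained, a policy assigned to the container, and gposync.sh
# still in "gpo" mode. Arguments: retain-flag, gpotool-mode, policy-value.
affected() {
  [ "$1" = "yes" ] && [ "$2" = "gpo" ] && [ -n "$3" ]
}

# Stand-alone run against the live files on a DSfW server; the domain
# container DN is the first argument (o=novell in the TID's example).
if [ -n "$1" ] && [ -r "$XAD_INI" ] && [ -r "$GPOSYNC" ]; then
  retain=$(retain_policies "$XAD_INI")
  mode=$(gpotool_mode "$GPOSYNC")
  policy=$(policy_on_container "$1")
  echo "XADRETAINPOLICIES=$retain gpo2nmas-mode=$mode nspmPasswordPolicy=${policy:-<not populated>}"
  if affected "$retain" "$mode" "$policy"; then
    echo "WARNING: running gposync.sh will clear Detect Intruders on $1"
  fi
fi
```

Saved as, for instance, dsfw-intruder-check.sh (a hypothetical name) and run on the DSfW server as "sh dsfw-intruder-check.sh o=novell", it prints the three values and a warning only when the combination that triggers the loss of the Detect Intruders settings is present; after workaround 1 the reported mode changes from gpo to nmas and the warning disappears.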

Additional Information

If XADRETAINPOLICIES is set to "no", the GPO is used for password policies, and intruder detection must be configured in the GPO | Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout threshold.

If nspmPasswordPolicy has a GPO listed as its value instead of an eDirectory password policy, intruder detection will be enabled but set to -1 (the default) or to whatever value has been assigned in the GPO.

If nspmPasswordPolicy is not populated, the intruder detection settings will be retained.  This is the case if "XADRETAINPOLICIES = yes" and the existing eDirectory password policy is assigned to the Login Policy object.