User password change fails after upgrading to eDirectory 8.8.7

  • 7010386
  • 05-Jul-2012
  • 29-Mar-2013


Novell eDirectory 8.8 SP 7 for All Platforms


After upgrading eDirectory to version 8.8 Support Pack 7, users with rights to change the other user's password are unable to do so.
The same users were able to change other user's password before upgrading to eDirectory 8.8 SP 7.
The following error is seen in the dstrace log,

4041316688 LDAP: [2012/06/25 9:26:00.574] ( Unable to change or set password, err = bad password (-222)
4041316688 LDAP: [2012/06/25 9:26:00.574] ( Sending operation result 53:"":"NDS error: bad password (-222)" to connection 0xec11c00


Fixed in eDirectory 8.8.7 patch 1 or later.

In case eDirectory 8.8.7 patch 1 has not yet been applied, the following manual steps can be executed to address the issue:
1) Login to iManager
2) Go to Directory Administration, Modify Object and select the password policy object
3) Go to the General Tab of password policy page 
4) Select nspmPasswordACL from the "UnValued Attributes" box and click on the left arrow 
5) In the Add Attribute window click on the "+" button 
6) Select the User to whom the password change rights to be assigned from "Subject name"
7) Select the nspmPassword from "Property Name:" and select permission (Read for 2 grant read access and 4 for write access)
8) Click on OK
9) Click on Apply and OK button to save the changes.


The cause of the issue are the changes done in eDirectory 8.8. SP7 where in the rights for password retrieval and password reset are computed from the values of  the 'nspmPasswordACL' attribute on the password policy object.
The rights were computed from the values of 'PasswordManagement' attribute prior to eDirectory 8.8 SP7.