Environment
Novell eDirectory 8.8 SP 7 for All Platforms
Situation
After upgrading eDirectory to version 8.8 Support Pack 7, users with rights to change another user's password are unable to do so.
The same users were able to change other users' passwords before upgrading to eDirectory 8.8 SP 7.
The following error is seen in the dstrace log:
4041316688 LDAP: [2012/06/25 9:26:00.574] (127.0.0.1:40181)(0x0002:0x66) Unable to change or set password, err = bad password (-222)
4041316688 LDAP: [2012/06/25 9:26:00.574] (127.0.0.1:40181)(0x0002:0x66) Sending operation result 53:"":"NDS error: bad password (-222)" to connection 0xec11c00
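To confirm whether a server is hitting this failure, the two-line signature above can be searched for in a saved dstrace log. The following Python sketch is an added example, not Novell code; the line layout is inferred only from the two lines quoted above, the parenthesised hex pair is treated as an opaque correlation token, and the third sample line is constructed.

```python
import re

# Sample input: the two dstrace lines quoted above plus one constructed,
# unrelated line (a successful result on another connection).
SAMPLE = """\
4041316688 LDAP: [2012/06/25 9:26:00.574] (127.0.0.1:40181)(0x0002:0x66) Unable to change or set password, err = bad password (-222)
4041316688 LDAP: [2012/06/25 9:26:00.574] (127.0.0.1:40181)(0x0002:0x66) Sending operation result 53:"":"NDS error: bad password (-222)" to connection 0xec11c00
4041316688 LDAP: [2012/06/25 9:26:01.100] (127.0.0.1:40182)(0x0001:0x60) Sending operation result 0:"":"" to connection 0xec11c00
"""

# Layout assumed from the quoted lines:
#   <thread> LDAP: [<timestamp>] (<client ip:port>)(<hex pair>) <message>
LINE = re.compile(
    r'^(?P<thread>\d+) LDAP: \[(?P<ts>[^\]]+)\] '
    r'\((?P<client>[^)]+)\)\((?P<op_pair>[^)]+)\) (?P<msg>.*)$'
)
FAIL = "Unable to change or set password, err = bad password (-222)"
RESULT = re.compile(r'Sending operation result (\d+):')


def find_password_failures(text):
    """Return one record per failed password change that was answered with
    an LDAP result, pairing the two lines by client and hex pair."""
    pending = {}   # (client, op_pair) -> timestamp of the failure line
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an LDAP trace line in the assumed layout
        key = (m["client"], m["op_pair"])
        if m["msg"].startswith(FAIL):
            pending[key] = m["ts"]
            continue
        r = RESULT.match(m["msg"])
        if r and key in pending:
            hits.append({"time": pending.pop(key),
                         "client": m["client"],
                         "ldap_result": int(r.group(1))})
    return hits


if __name__ == "__main__":
    for hit in find_password_failures(SAMPLE):
        print(hit)
```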
Resolution
Fixed in eDirectory 8.8.7 patch 1 or later.
If eDirectory 8.8.7 patch 1 has not yet been applied, the following manual steps can be used to address the issue:
1) Log in to iManager.
2) Go to Directory Administration, Modify Object and select the password policy object.
3) Go to the General tab of the password policy page.
4) Select nspmPasswordACL from the "UnValued Attributes" box and click the left arrow.
5) In the Add Attribute window, click the "+" button.
6) From "Subject name", select the user to whom the password change rights are to be assigned.
7) Select nspmPassword from "Property Name:" and select the permission (2 grants read access and 4 grants write access).
8) Click OK.
9) Click Apply and then OK to save the changes.
Cause
The issue is caused by a change made in eDirectory 8.8 SP7: the rights for password retrieval and password reset are now computed from the values of the 'nspmPasswordACL' attribute on the password policy object.
Prior to eDirectory 8.8 SP7, the rights were computed from the values of the 'PasswordManagement' attribute.