Unable to change Universal Password for users restored with ndsbackup

  • 7016026
  • 02-Jan-2015
  • 13-Jan-2017

Environment

Novell eDirectory 8.8 for All Platforms
NetIQ eDirectory 8.8 for All Platforms

Situation

Unable to change / set the universal password for users restored into a different tree with ndsbackup.

iManager returns the following error while attempting to set the Universal Password:
Error: Password error
The Set Password request failed.

ndstrace +nmas shows:

NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1658 Universal Password not support for CN=Testuser01.OU=Users.O=nts
NMAS: Successful check password for CN=Testuser01.OU=Users.O=nts

NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1658 Universal Password not support for CN=Testuser01.OU=Users.O=nts
NMAS: ERROR: -1658 Failed set password for CN=Testuser01.OU=Users.O=nts

Resolution

Use the Universal Password Removal Utility to remove the Universal Password related attributes from the affected users.
Another possibility is to restore the NICI keys from the source tree before creating the destination tree.

The Universal Password Removal Utility for eDirectory 8.8.x can be downloaded from the link below:
https://download.novell.com/protected/Summary.jsp?buildid=8Pw85yrGgwI~

The Universal Password Removal Utility for eDirectory 9.0 can be downloaded from the link below:
https://dl.netiq.com/Download?buildid=BM1wL_pw-mc~

Alternatively, dsbk can be used instead of ndsbackup, as dsbk can also back up and restore NICI.
ndsbackup cannot back up or restore NICI.

For more information about backing up and restoring eDirectory, refer to the eDirectory documentation:
https://www.netiq.com/documentation/edir88/edir88/data/a2n4mb6.html

Cause

The newly created destination tree has different tree keys.
The backup was taken in a different tree, and the Universal Password related attributes have been encrypted using the tree keys of the source tree.
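
Added example (not part of the original article and not a Novell/NetIQ tool): a Python script that scans ndstrace +nmas output for the pattern shown under Situation and lists the user DNs whose -1658 errors follow a -1418 CCS_UnwrapKey failure, that is, the users to treat as affected under Resolution. It assumes each -1418 line belongs to the next -1658 line, because the -1418 lines carry no DN; the Other02 line in the sample is constructed.

```python
import re

# Constructed sample: the trace from this article plus one made-up line (Other02)
# that has a -1658 error but no preceding key-unwrap failure.
SAMPLE_TRACE = """\
NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1658 Universal Password not support for CN=Testuser01.OU=Users.O=nts
NMAS: Successful check password for CN=Testuser01.OU=Users.O=nts
NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
NMAS: ERROR: -1658 Universal Password not support for CN=Testuser01.OU=Users.O=nts
NMAS: ERROR: -1658 Failed set password for CN=Testuser01.OU=Users.O=nts
NMAS: ERROR: -1658 Failed set password for CN=Other02.OU=Users.O=nts
"""

# search() rather than match(), so a timestamp or thread-id prefix is tolerated.
UNWRAP = re.compile(r"ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey")
UP_ERR = re.compile(r"ERROR: -1658 (?P<what>.+?) for (?P<dn>\S.*?)\s*$")

def affected_users(trace):
    """Map user DN -> counters for users whose -1658 follows a -1418 unwrap failure."""
    pending = 0  # unwrap failures seen since the last -1658 line
    hits = {}
    for line in trace.splitlines():
        if UNWRAP.search(line):
            pending += 1
            continue
        m = UP_ERR.search(line)
        if not m:
            continue
        dn = m.group("dn")
        if pending:
            # Assumption: the -1418 lines carry no DN, so they are attributed
            # to the DN on the next -1658 line.
            entry = hits.setdefault(dn, {"unwrap_failures": 0, "set_failed": False})
            entry["unwrap_failures"] += pending
            pending = 0
        if dn in hits and m.group("what").startswith("Failed set password"):
            hits[dn]["set_failed"] = True
    return hits

if __name__ == "__main__":
    for dn, info in affected_users(SAMPLE_TRACE).items():
        print(f"{dn}\tunwrap_failures={info['unwrap_failures']}\tset_failed={info['set_failed']}")
```

A DN that shows -1658 without a preceding -1418 (Other02 in the sample) is left out of the result, since its failure is not tied to a key-unwrap error in the trace.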