Mobile devices with expired credentials consume all grace logins.

  • 7016358
  • 27-Mar-2015
  • 27-Mar-2015

Environment

Novell GroupWise 2014
GroupWise Mobile Server 2.1

Situation

You have an existing GroupWise 2014 system and have installed a GMS server. The security setting on your Post Offices is configured for LDAP authentication. If an end user does not update the credentials on a mobile device when his eDir password expires, the device will use up all remaining grace logins and lock the eDir account.

Resolution

With GroupWise 2014 we do not publish GroupWise attributes in any directory. In the older GMS 2.01 version this caused a problem when adding new users if provisioning and authentication were configured with LDAP, because we searched for user objects in eDir with a specific GroupWise attribute. We therefore advised reconfiguring GMS 2.01 to use GroupWise for both provisioning and authentication, and leaving the LDAP authentication task to the POA.
 
However, with such a configuration your mobile device can easily lock your eDir account.
To resolve the LDAP search problems of the GMS 2.01 version, we skipped searching for any GroupWise attribute. It is now the responsibility of the GMS admin to select a correct directory user object that also has a GroupWise account.
To prevent grace logins from being consumed by mobile devices, the only option currently available is to use GMS 2.1 and configure both provisioning and authentication to use LDAP.
There is still one point to re-check when configuring LDAP for GMS, namely the LDAP user parameter that you need to specify in this configuration. You will need to make sure that the LDAP account used has all necessary rights on any user object to read expired password and grace login information. Please refer to the older TID for setting those rights accordingly:
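
The following check is an added example, not part of this TID or of the older TID referred to above. It tests whether the LDAP user configured in GMS can actually read the password expiry and grace login state. It assumes the standard eDirectory LDAP attribute names passwordExpirationTime, loginGraceLimit and loginGraceRemaining; the host, DNs and sample data are placeholders.

```shell
#!/bin/sh
# Added example. Verifies that the LDAP user configured in GMS can read the
# eDirectory attributes holding password-expiry and grace-login state.
# Feed it ldapsearch output obtained while bound AS THAT LDAP USER, e.g.
# (host, bind DN, base and filter are placeholders):
#   ldapsearch -x -H ldaps://ldap.example.com -D "cn=gmsldap,o=example" -W \
#     -b "o=example" "(cn=jdoe)" \
#     passwordExpirationTime loginGraceLimit loginGraceRemaining | report
# Pick a test user that has password expiration enabled: an attribute that is
# simply not set on the object is also absent from the result.
REQUIRED="passwordExpirationTime loginGraceLimit loginGraceRemaining"

# Print the required attributes missing from the LDIF on stdin.
missing_attrs() {
    ldif=$(cat); out=""
    for attr in $REQUIRED; do
        # Attribute names are case-insensitive; "::" introduces a base64 value.
        printf '%s\n' "$ldif" | grep -qiE "^${attr}::? " || out="${out:+$out }$attr"
    done
    printf '%s' "$out"
}

# Print the loginGraceRemaining value from the LDIF on stdin.
grace_remaining() {
    awk -F': ' 'tolower($1) == "logingraceremaining" { print $2; exit }'
}

# Fail if any required attribute is hidden, else show remaining grace logins.
report() {
    ldif=$(cat)
    miss=$(printf '%s\n' "$ldif" | missing_attrs)
    if [ -n "$miss" ]; then
        echo "FAIL: not readable by this LDAP user: $miss"; return 1
    fi
    echo "OK: grace logins remaining: $(printf '%s\n' "$ldif" | grace_remaining)"
}

# Constructed sample results (not real directory data).
sample_readable() { printf '%s\n' 'dn: cn=jdoe,ou=users,o=example' \
    'passwordExpirationTime: 20150320101500Z' \
    'loginGraceLimit: 6' 'loginGraceRemaining: 2'; }
sample_restricted() { printf '%s\n' 'dn: cn=jdoe,ou=users,o=example' \
    'passwordExpirationTime: 20150320101500Z'; }

sample_readable | report
sample_restricted | report || true
```

A FAIL result for a user who does have password expiration configured indicates that the LDAP user lacks read rights on those attributes.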