Novell eDirectory 8.7.3
Novell eDirectory 8.6 for All Platforms
Novell eDirectory 8.5 for All Platforms
Novell NetWare 5.1
Novell NetWare 5.0
Novell Directory Services RecMan Database
Novell Directory Services FLAIM Database
Sun Solaris 9 LDAP client
Formerly KB 295344
A user does not have sufficient rights to change their password. The LDAP Server returns the error message - "insufficient access".
A user is not able to change their own password using standard LDAP calls to a NLDAP server
How a user can change their password in LDAP
In Novell eDirectory 8.5 and higher, a user can change their password using the following LDIF file. This file will work with any Novell eDirectory Server.
The user must have the write privilege set on her ACL attribute (or try the fix above using the Password Management property), in order for this to succeed. The settings in Console1 that specify whether a user can change their password are not used by the LDAP server. If the user has the "Allow user to change password" option not checked, they could still change their password via LDAP assuming the user has the correct privileges set.
A request has been submitted to Novell Engineering to specify access controls directly on the userpassword attribute. Once a user has the write privilege on her ACL attribute, the user could potentially change any of their attributes.
The following section only applies to Novell Directory Services 8. The current fix will work ONLY for a NetWare 5 server running NDS 8 Update 1 or higher. (DS.NLM 8.17+) NLDAP 3.12. It has not been ported back to NetWare 5, legacy NDS.Please note that it is enough to use the LDAP attribute userpassword, no mappings are required.
The example LDIF file attached will work on a NetWare NLDAP server. Novell is working on a LDAP proposal in order to accomplish this with one LDAP call.
The following section only applies to Novell Directory Services 8. The problem is that only admin can change someone's password without providing the existing password. The user cannot change their own password without providing their current password *and* the new password. In NetWare 5 and NDS 8, this problem doesn't allow a user to change their own password through LDAP (while admin can). In NDS8 Update 1, an LDAP modify request with a delete of the userpassword attribute (providing the current value) *and* an add of the userpassword attribute with the new value will allow a user to change their own password. Very Important to notice is that actually the Novell LDAP implementation has a higher security than the Netscape implementation. For a Netscape Directory server one is not required to know the original password - only for the bind. This however means that anybody can walk to an unattended workstation and change the password. Actually the userpassword is not stored as such in NDS. It is stored as an RSA public/private keypair in order to guarantee the highest security possible.
Formerly known as TID# 10053195
Formerly known as TID# NOVL11670