Universal Password change failed: -1681

nico

Jan 4, 2010, 12:42:56 PM
I started some tests with universal password on NW65SP7 plus post SP7
and eDir 8.7.3.10.
First I created an easy low-security policy and assigned some test users.
The configuration worked well until I started to set the universal
password. I get "Password change failed: -1681" in IE8 and FF 3.0.16.
SDIDIAG, PKIDIAG and DSREPAIR don't show errors.

iManager plug-ins:

Archive Versioning 3.2.0.20070914
Case Sensitive Password 2.5.20081001
Cluster Services 3.3.0.20070913
DHCP Management for NetWare 1.0.20070917
DNS Management 1.0.20070917
eDirectory88 Plugins 2.7.20081023
eDirectory Backup and Restore 2.7.20081023
eDirectory Extended Native Libraries 2.6.20081001
eDirectory Import Convert Export (ICE) 2.7.20081001
eDirectory Merge 2.5.20081023
eDirectory Repair and Logfile 2.7.20081023
eDirectory Service Management 2.7.20081022
Encrypted Attributes 2.7.20081001
Encrypted Replication 2.7.20081001
File Manager Plugin 2.7.0.20070913
FTP 1.1.20070910
iFolder Module 3.1.0.20070417
iManager Base Content 2.7.0.20070918
iManager Framework Content 2.7.0.20070918
Indexes 2.7.20081007
iPrint NetWare Management Plug-in 2.7.0.20070824
LDAP Management 2.7.20081001
LinuxUserManagement Module 2.2.020070907
NetStorage Management 3.4.0.27
NFS 1.1.20070914
NMAS Plug-ins for iManager 3.200.20070905
Novell Certificate Server Plug-ins for iManager 3.300.20070830
Novell Filtered Replica Management Plug-ins 2.7.20081001
Novell Identity Manager - eMail Notification Con 10.4.20070926
Novell Identity Manager - Password Management 10.4.20070926
Novell Security Services 2.0.5 - PasswordManagement Plug-ins
Novell iManager Content - Shared Content V1 10.4.20070926
Novell iManager Password Management 10.4.20071106
Novell Kerberos Plugin 2.7.20081023
Novell Licensing Services Plugins 1.0.1.20070710
NTPTimeSync 1.1.0.20070914
Priority Sync 2.7.20081001
QuickFinder Server Management 1.1.20070307
Samba Management 1.0.0.20070911
SMS Module 2.3.0.20070912
SNMP 2.7.20081001
Storage Management 3.3.0.20070913
Storage Shared 3.3.0.20070913
WAN Traffic 2.7.20081007

Which troubleshooting should I try?

a...@novell.com

Jan 4, 2010, 1:21:45 PM

Typically in iManager a similar error ('NMAS/LDAP Transport Error') is
shown directly in text form in the web browser. I imagine this is what
you are seeing so search for the following on http://support.novell.com/
and see if the TIDs returned work for you:

nmas ldap transport error

Good luck.


nico

Jan 7, 2010, 8:50:35 AM
I read a lot of TIDs and did an LDAP trace where I get a -1690 error:

14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) DoExtended on
connection 0x8a28ac40
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) DoExtended:
Extension Request OID: 2.16.840.1.113719.1.39.42.100.17
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Sending
operation result 80:"":"SSL connection required" to connection 0x8a28ac40
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Operation
0x3:0x77 on connection 0x8a28ac40 completed in 0 seconds
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Sending
operation result 80:"":"NDS error: -1690 (0xfffff966)" to connection
0x8a28ac40
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Operation
0x3:0x77 on connection 0x8a28ac40 completed in 0 seconds
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11732)(0x0004:0x42) DoUnbind on
connection 0x8a28ab60
14:27:38 8A641500 LDAP: (172.16.0.54:11733)(0x0004:0x42) DoUnbind on
connection 0x8a28aa80

The strange thing is that the error changed:

Error Error: Invalid Password
Password change failed: -1681

AFAIK if I set the NDS password in C1 it will be synchronized to UP. I
validated this by testing passwords which do not comply with the UP policy.
I always got a deny until I entered a password which is compliant.
The problem seems to be the connection of iManager to LDAP. Is an SSL
connection mandatory or optional?
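Added example, not part of the original thread: one way to read a trace like the one in the post above is to rejoin the wrapped entries and list every extended request that came back with a non-zero LDAP result, next to its OID. The sample is the trace quoted in that post; treating the first value of the (0x0003:0x77) pair as the message ID is an assumption, and unwrap and failed_extended_ops are illustrative names.

```python
import re
from collections import defaultdict

# Sample input: entries from the trace quoted in the post above, with the
# news client's line wrapping left in place.
TRACE = """\
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) DoExtended on
connection 0x8a28ac40
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) DoExtended:
Extension Request OID: 2.16.840.1.113719.1.39.42.100.17
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Sending
operation result 80:"":"SSL connection required" to connection 0x8a28ac40
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Operation
0x3:0x77 on connection 0x8a28ac40 completed in 0 seconds
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Sending
operation result 80:"":"NDS error: -1690 (0xfffff966)" to connection
0x8a28ac40
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11734)(0x0003:0x77) Operation
0x3:0x77 on connection 0x8a28ac40 completed in 0 seconds
14:27:38 8AAE13C0 LDAP: (172.16.0.54:11732)(0x0004:0x42) DoUnbind on
connection 0x8a28ab60
"""

# Entry prefix: time, thread id, then (client ip:port)(message id:op tag).
ENTRY = re.compile(r"^\d\d:\d\d:\d\d [0-9A-F]{8} LDAP: \((\S+?)\)\((0x[0-9a-f]+):0x[0-9a-f]+\) ")
OID = re.compile(r"Extension Request OID: ([\d.]+)")
RESULT = re.compile(r'Sending operation result (\d+):"[^"]*":"([^"]*)"')

def unwrap(text):
    """Rejoin wrapped lines so each trace entry is one string."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append(line.strip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def failed_extended_ops(text):
    """Map (client, message id) -> OID and non-zero results for extended ops."""
    ops = defaultdict(lambda: {"oid": None, "failures": []})
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        op = ops[m.groups()]
        body = entry[m.end():]
        if (o := OID.search(body)):
            op["oid"] = o.group(1)
        elif (r := RESULT.search(body)) and r.group(1) != "0":
            op["failures"].append((int(r.group(1)), r.group(2)))
    return {k: v for k, v in ops.items() if v["oid"] and v["failures"]}
```

On this sample the only failing operation is the extended request from 172.16.0.54:11734, which carries both the "SSL connection required" result and the -1690 error.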

a...@novell.com

Jan 7, 2010, 12:09:08 PM

Yes, I imagine SSL is required for anything like this as this is a fairly
important operation and involves a password being sent over the wire.
LDAPS should work within eDirectory out of the box and if not that is
something to track down for sure. Can you connect with an LDAP Browser
such as 'LDAP Browser/Editor 2.8.1' or Apache Directory Studio using port 636?

Good luck.

nico

Jan 25, 2010, 10:38:21 AM
I tested LDAP Browser v.2.8.2 as described in TID 10075010 and it worked
with SSL authenticated as admin user.

a...@novell.com

Jan 25, 2010, 11:33:05 AM

Search support.novell.com with the following keywords and see what comes back:

nmas ldap transport

Good luck.

nico

Jan 28, 2010, 11:39:15 AM
I checked a lot of TIDs and did some repairs:

- deleted iMKS - File and restarted tomcat
- PKIDIAG : recreated certs
- checked port 636 in TCPCON
- accessed the LDAP server via port 636 with LDAP browser
- ran DSREPAIR

iManager shows

Error: Server Configuration Error
NMAS LDAP Transport Error

iMonitor and DSTRACE show no errors.

HOW can I check the communication between NMAS and LDAP?

a...@novell.com

Jan 28, 2010, 12:04:42 PM

There is no need for dsrepair; do not use it unless you think it should
fix your issue (not at all related to this issue).

Which TIDs did you find? You should have probably found one talking about
adding some extensionInfo value to the LDAP Server object.

Good luck.

nico

Jan 29, 2010, 3:42:12 AM
Yes,
do you mean TID 3947462?
The number of nmasldap extensions on this server is 28. The TID tells me
that I need at least 13. Is it possible that I have too many?
Another server in the tree which works correctly has exactly 13 extensions.

a...@novell.com

Jan 29, 2010, 10:45:46 AM

The actual count is irrelevant; if you have the correct extension it will
work and if you do not then it will not. Go through and make sure your
broken server has all of them that the working server does.

Good luck.


nico

Feb 7, 2010, 7:08:27 PM
I updated to SP8 and the error went away. UP can be set now.

a...@novell.com

Feb 8, 2010, 8:33:41 AM

Sounds good. Thank you for posting back.

Good luck.
