
Re: UP Policy - require password?


a...@novell.com

Jan 6, 2010, 12:45:49 PM

How are you logging in? Which version of eDirectory and NMAS? Which
client are you using and if it is a Novell Client do you have the NMAS
client installed as well as enabled?

Good luck.

kjhurni wrote:
> I have an O=whatever that has a setting of "no expiration" of
> passwords.
>
> That works fine.
>
> I create a brand new user, in that new O. I assigned it a password at
> time of creation (created via iMangler).
>
> I can login just fine.
>
> Now, I assign a password policy to that specific user that DOES require
> a password and DOES expire it.
>
> However, when I login, I am not prompted to change the password.
>
> I have to actually go into consoleone/iManager and set a password
> expiration date.
>
> Is this working as designed?
>
> It's probably something I did wrong, but not sure how to fix it other
> than to manually edit each user.

a...@novell.com

Jan 6, 2010, 2:26:20 PM

Try using diagpwd (from Novell) or DumpPasswordInformation (a utility from
the Novell Communities site developed by Jim Willeke) to see if the UP
stuff is set. Assuming it is then this is probably still normal. The
password should be expired if you administratively set the password AFTER
you enable UP, but before... maybe not.

Good luck.

kjhurni wrote:
> eDir 8.8.5 FTF1 on OES2 SP1 Linux
>
> I login to NAM 3.1.1 IR2, so technically it's the IDP that's logging me
> into eDir via LDAP.
>
> However, when I look at the user object in iManager 2.7.3 it shows no
> expiration date unless I actually check the box and set the date. Even
> after assigning it to the UP AND logging in through NAM to the IDM 3.6.1
> UserApp



a...@novell.com

Jan 6, 2010, 4:09:11 PM

Assuming your login is going via UP I believe that is the case as well
though the tests I mentioned earlier will verify that NMAS is setting
passwords during the login as it should.

Good luck.

kjhurni wrote:
> I'll have to play more, but I thought the UP was enforced upon login (if
> checked, and it is), so I would've expected it to put an expiration date in
> the password rather than leave it blank still.



a...@novell.com

Jan 6, 2010, 4:51:32 PM

diagpwd connects over the wire so running it from windows and then hitting
an eDir box (any platform) should be fine. DumpPasswordInformation.jar is
also cross-platform as it is Java-based.

Good luck.

kjhurni wrote:
> I'll check, but it seems to enforce all the other UP stuff, just that it
> doesn't actually set the expiration date.
>
> In other words, if it's in the "no expire" policy, none of the boxes in
> the restrictions are checked. When I assign it to the "new" policy and
> login, it checks all the boxes and settings accordingly, it just doesn't
> seem to do anything with the expiration date though. (even though it
> says, every 120 days, it shows "blank" for the actual expiration date),
> so it's definitely getting the new policy, just not quite applying it
> the way I think it should be.
>
> I'll have to see if diagpwd is available on Linux, since that's where
> the replicas of the login security policy are at.


