Environment
Novell Modular Authentication Service (NMAS) version 3.1
Situation
When trying to view a user's password policy via iManager or trying
to set the Universal Password (UP) via iManager, the client, or
Identity Manager an error shows up on the screen or in
dstrace. The error states there is a missing attribute.
Resolution
A password policy is linked to all of its assignments and each
object that is assigned is also linked back to the password policy
itself. The policy-side attribute (nsimAssignments) is not
currently required for proper functionality and is there to prevent
querying the entire tree for assignments each time a policy is
modified. The assigned-object-side attribute
(nspmPasswordPolicyDN) is required for NMAS to work properly.
The eDirectory tools which manage policy assignments currently
create both attributes properly and do not allow doing one without
the other.
It is possible that an administrative error could cause one of these attributes to be populated without the other. As long as nspmPasswordPolicyDN is populated everything should work properly but if nsimAssignments is the only attribute populated a -16049 error will appear because the attribute which
is sought cannot be found. Removing the association between the password policy and re-adding it will resolve this. This could also be done to many objects in bulk with LDAP or a similar protocol.
It is possible that an administrative error could cause one of these attributes to be populated without the other. As long as nspmPasswordPolicyDN is populated everything should work properly but if nsimAssignments is the only attribute populated a -16049 error will appear because the attribute which
is sought cannot be found. Removing the association between the password policy and re-adding it will resolve this. This could also be done to many objects in bulk with LDAP or a similar protocol.