DSfW: Applying the Jan 2013 Maint Patch reverts password policy back to domain policy

  • 7011786
  • 14-Feb-2013
  • 14-Feb-2013

Environment

Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 11 SP1 (OES 11SP1)
Domain Services for Windows
DSfW

Situation

Applying the Jan 2013 Maint Patch reverts the password policy back to the domain policy.
The existing password policy is configured to be retained, and the GPO-created password policy is not supposed to be used.

Resolution

If XAD_RETAIN_POLICIES is blank or set to "no", the upgrade reads that setting and replaces the assigned password policy with the policy defined in the GPO.

Modify the setting in the sysconfig file to XAD_RETAIN_POLICIES="yes" before applying the patch.

For OES11, edit the /etc/sysconfig/novell/xad2_oes11 file and set XAD_RETAIN_POLICIES="yes".
For OES11SP1, the file is /etc/sysconfig/novell/xad_oes11_sp1.
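The following shell helper is an added example, not part of this TID and not a Novell-supplied script. It reads XAD_RETAIN_POLICIES from a sysconfig file the way the file would be evaluated when sourced (last assignment wins), reports whether an upgrade would retain the policy, and rewrites the setting to "yes" when it would not. The two file paths are the ones given above; the sample file contents are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the TID): check and fix XAD_RETAIN_POLICIES in the
# DSfW sysconfig file. A blank value or "no" means the upgrade replaces the
# existing password policy with the GPO-created one.

# Print the effective value of XAD_RETAIN_POLICIES ("yes", "no" or empty).
# The last assignment in the file wins, as it would when the file is sourced.
xad_retain_value() {
    sed -n 's/^[[:space:]]*XAD_RETAIN_POLICIES=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed (exit 0) only when the existing policy will be retained on upgrade.
xad_retain_ok() {
    [ "$(xad_retain_value "$1")" = "yes" ]
}

# Rewrite the existing assignment, or append one, so the policy is retained.
xad_set_retain_yes() {
    if grep -q '^[[:space:]]*XAD_RETAIN_POLICIES=' "$1"; then
        sed -i 's/^[[:space:]]*XAD_RETAIN_POLICIES=.*/XAD_RETAIN_POLICIES="yes"/' "$1"
    else
        printf 'XAD_RETAIN_POLICIES="yes"\n' >> "$1"
    fi
}

# Map the installed release to its sysconfig file (paths taken from the TID).
xad_sysconfig_path() {
    case "$1" in
        oes11)    echo /etc/sysconfig/novell/xad2_oes11 ;;
        oes11sp1) echo /etc/sysconfig/novell/xad_oes11_sp1 ;;
        *)        return 1 ;;
    esac
}

# Stand-alone demonstration on a constructed file (not a real OES sysconfig file).
# On a real server use: xad_retain_ok "$(xad_sysconfig_path oes11sp1)"
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
## Constructed sample; a blank value is what triggers the revert on upgrade
XAD_RETAIN_POLICIES=""
EOF
if xad_retain_ok "$demo_file"; then
    echo "policy will be retained"
else
    echo "upgrade would switch to the GPO policy; fixing"
    xad_set_retain_yes "$demo_file"
    xad_retain_ok "$demo_file" && echo "now set to yes"
fi
rm -f "$demo_file"
```

Run it as root only after the file path has been confirmed for the installed release; the demonstration at the bottom touches only a temporary file.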

Check which password policy is assigned to the domain or to any other container in the domain. The following ldapsearch returns every object that has a password policy assigned, listing each object's dn and its nspmPasswordPolicyDN value:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf /usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(nspmPasswordPolicyDN=*)' nspmPasswordPolicyDN

The following search shows what the password policy objects themselves think they are assigned to, listing each policy's dn and its nspmpasswordpolicy value:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf /usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(objectclass=nspmpasswordpolicy)' nspmpasswordpolicy

The password policy might think it is assigned to a container, but if the nspmPasswordPolicyDN attribute on the container does not correlate with the nspmpasswordpolicy attribute on the password policy object, the settings on that password policy will not take effect. NMAS uses nspmPasswordPolicyDN to determine which policy applies to a user.

If the policy has been changed to the domain policy or the GPO-created policy, but it should be a policy created in iManager, change the policy assignment using iManager or ConsoleOne.

Using iManager, change the password policy assignment to your desired password policy. The nspmPasswordPolicyDN attribute might need to be removed from the container before the policy can be reassigned.
Verify the change. Run the following ldapsearch (substituting your own domain DN for dc=dsfw,dc=novell,dc=com); nspmPasswordPolicyDN should now hold the DN of your newly assigned password policy:

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Y EXTERNAL -b dc=dsfw,dc=novell,dc=com -s base '(objectClass=*)' nspmPasswordPolicyDN

Run gposync.sh from the terminal, then repeat the ldapsearch to verify that the newly assigned password policy is still listed after the GPO sync.

Cause

The /etc/opt/novell/xad/xad.ini file is set to retain the policy; that setting is XADRETAINPOLICIES = yes.
The sysconfig file does not reflect the same setting, and the upgrade reads the sysconfig value rather than xad.ini.