Environment
Novell Open Enterprise Server 11 Support Pack 2 (OES11SP2)
Novell Open Enterprise Server 11 Support Pack 1 (OES11SP1)
Domain Services for Windows
DSfW
Novell Client
Situation
Your windows password will expire in <number> day(s).
You do not have rights to change your password. Contact your System Administrator.
The Novell Client is installed on the workstation joined to the DSfW domain
Resolution
The issue is caused by the combination of the Novell Client being installed on a workstation joined to the DSfW domain and the userAccountControl (UAC) attribute having its default setting of 512 (the NORMAL_ACCOUNT property flag).
Either disable UAC or add the DONT_EXPIRE_PASSWORD property flag to the userAccountControl attribute.
The value should be 66048.
The value has to be set with an LDIF using the EXTERNAL method.
Example of an LDIF for cn=user1,dc=dsfw,dc=lan:
dn: cn=user1,dc=dsfw,dc=lan
changetype: modify
replace: userAccountControl
userAccountControl: 66048
To apply the LDIF, first export LDAPCONF, then run ldapmodify, where <modify.ldif> is the name of the LDIF file. Exclude the <>.
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapmodify -Y EXTERNAL -f <modify.ldif>
Additional Information
To come up with the proper value, add the decimal values of the desired property flags:
512 + 65536 = 66048
See How to use the UserAccountControl flags to manipulate user account properties for other property flags.
Adding the DONT_EXPIRE_PASSWORD property flag does not affect the password policy settings for the user's password expiration. It only affects the way a workstation with the Novell Client interacts with the DSfW domain.
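An added example, not part of the original article or of Novell's tooling: replacing userAccountControl with a fixed 66048 clears any other flag the account already carries (for example ACCOUNTDISABLE, decimal 2), so this sketch ORs DONT_EXPIRE_PASSWORD into the account's current value and emits the LDIF in the form shown above. The function names are hypothetical, and the current value is assumed to have been read from the user object beforehand.

```shell
#!/bin/sh
# Added example: compose userAccountControl by OR-ing a flag into the
# account's current value, then print the LDIF for ldapmodify.

# Decimal flag values from Microsoft's userAccountControl documentation.
UAC_ACCOUNTDISABLE=2
UAC_NORMAL_ACCOUNT=512
UAC_DONT_EXPIRE_PASSWORD=65536

# is_uint VALUE: succeed only for a decimal integer without leading zeros
# (a leading zero would be parsed as octal by shell arithmetic).
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# uac_set_flag CURRENT FLAG: print CURRENT with FLAG set.
# Bitwise OR keeps every flag already present and is idempotent; plain
# addition would produce a wrong value if FLAG were already set.
uac_set_flag() {
    is_uint "$1" && is_uint "$2" || return 1
    echo $(( $1 | $2 ))
}

# uac_has_flag VALUE FLAG: succeed if FLAG is set in VALUE.
uac_has_flag() {
    is_uint "$1" && is_uint "$2" || return 1
    [ $(( $1 & $2 )) -ne 0 ]
}

# make_uac_ldif DN CURRENT: print an LDIF that sets DONT_EXPIRE_PASSWORD
# on top of CURRENT, leaving all other flags as they were.
make_uac_ldif() {
    new=$(uac_set_flag "$2" "$UAC_DONT_EXPIRE_PASSWORD") || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' "$1" "$new"
}

# Constructed sample: a disabled normal account (512 + 2 = 514).
# The result is 66050, so the account stays disabled after the change.
make_uac_ldif 'cn=user1,dc=dsfw,dc=lan' 514
```

Redirect the output to the LDIF file and apply it with the ldapmodify command from the Resolution section.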