-1660 NMAS error trying to use Forgotten Password / Challenge Response

  • 7015624
  • 05-Sep-2014
  • 05-Sep-2014

Environment

NetIQ eDirectory 8.8.x

Situation

When using the forgotten password portal, a message is received that the challenge response questions have not been set up. However, they have previously been populated.

Enabling an LDAP / NMAS trace showed the following -1660 NMAS error on the Challenge Response login sequence.

1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence Challenge Response not valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence NDS is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence Simple Password is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence DIGEST-MD5 is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence GSSAPI is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence cifslinlsm is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: ERROR: -1660 Client can not do requested login sequence "Challenge Response"
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: ERROR: -1660 CanDo
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Password Failure Time Attribute value count: 1
1494079232 LDAP: [2014/08/28 19:24:18.203] DoBind on connection 0x19bb2e00
1494079232 LDAP: [2014/08/28 19:24:18.203] Bind (cont) name:NULL, version:3, authentication:NMAS_LOGIN
1145546496 NMAS: [2014/08/28 19:24:18.209] 19923014: Failed login delay 3 seconds
1081337600 LDAP: [2014/08/28 19:24:18.733] DoUnbind on connection 0x19732000
1138943744 LDAP: [2014/08/28 19:24:18.734] Monitor 0x43e2e700 found connection 0x19732000 ending TLS session

The Challenge Response Login Method and Sequence were present under the Security container.
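
To find this pattern in a longer trace, the following Python script (an added example, not part of the original article or of any NetIQ tool) groups NMAS lines by session ID and reports each error that names a requested login sequence, together with how the trace described that sequence. It assumes the line layout matches the trace above; the function name find_rejected_sequences is hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the trace shown above (thread id, component, timestamp, message).
SAMPLE_TRACE = """\
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence Challenge Response not valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence NDS is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: Login Sequence Simple Password is valid.
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: ERROR: -1660 Client can not do requested login sequence "Challenge Response"
1145546496 NMAS: [2014/08/28 19:24:18.203] 19923014: ERROR: -1660 CanDo
1494079232 LDAP: [2014/08/28 19:24:18.203] DoBind on connection 0x19bb2e00
"""

LINE = re.compile(r'^\d+ NMAS: \[(?P<ts>[^\]]+)\] (?P<sid>\d+): (?P<msg>.*)$')
SEQ = re.compile(r'^Login Sequence (?P<name>.+?) (?P<state>is valid|not valid)\.$')
ERR = re.compile(r'^ERROR: (?P<code>-\d+) .*requested login sequence "(?P<name>[^"]+)"')

def find_rejected_sequences(trace):
    """Return one finding per NMAS error that names a requested login sequence."""
    validity = defaultdict(dict)   # session id -> {sequence name: True/False}
    findings = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue               # LDAP and other components are ignored
        sid, msg = m["sid"], m["msg"]
        seq = SEQ.match(msg)
        if seq:
            validity[sid][seq["name"]] = seq["state"] == "is valid"
            continue
        err = ERR.match(msg)
        if err:
            name = err["name"]
            findings.append({
                "time": m["ts"], "session": sid, "code": int(err["code"]),
                "sequence": name,
                # None means the trace never reported this sequence's state
                "reported_valid": validity[sid].get(name),
                "valid_sequences": sorted(n for n, ok in validity[sid].items() if ok),
            })
    return findings

if __name__ == "__main__":
    for f in find_rejected_sequences(SAMPLE_TRACE):
        print(f)
```

A finding with reported_valid set to False for a sequence that exists under the Security container matches the situation described in this article.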


Resolution

Deleting the Challenge Response Login Sequence and Challenge Response Login Method and recreating them resolved the issue.

1.  Delete the Challenge Response Login Sequence and Challenge Response Login Method.
2.  Reinstall with iManager | NMAS | NMAS Login Methods. Select NEW, then choose the ChallengeResponse.zip file from the eDirectory installation media (dl.netiq.com) (...eDirectory/nmas/NmasMethods/Novell/ChallengeResponse.zip), accept the terms and click Finish. Leave the checkbox checked to create the Login Sequence.

Cause

A corrupted Challenge Response Login Sequence was causing a failure to retrieve the current challenge response questions from eDirectory.

Additional Information