How NMAS calculates and modifies the password expiration time when using the Universal Password

  • 7016942
  • 23-Oct-2015
  • 27-Mar-2020

Environment

NetIQ eDirectory 9
NetIQ eDirectory 8.8
NetIQ iManager 2.7
NetIQ Modular Authentication Service (NMAS)
Novell NetWare 6.5 SP3
Novell eDirectory 8.7.3 for All Platforms
Novell iManager 2.5
NMAS 2.3

Situation

Universal Password has been enabled.  How does NMAS calculate and write the password expiration?

Resetting the password expiration date in ConsoleOne has no effect.

Changes made to a user's password restrictions are not being read nor saved.

The password minimum length is changed but is not being enforced on login.

Resolution

The old password restriction attributes were being modified - not the new attributes used by NMAS when Universal Password is enabled.

These non-UP restrictions used to be placed on a user's object.  If Universal Password is in use, these restrictions are actually held on a Password Policy, and there may be only one such policy for an entire tree.  Moreover, the attributes on this policy have different names.  For example, if one deleted the "pswexpireinterval" attribute on a user object and that user then logged in via a UP-enabled client with UP turned on, the client would actually read the "Password Expiration Interval" on the policy, ignoring any change to the previously used attribute on the user object.  Conversely, changing the old attributes in ConsoleOne has no effect on the user because the actual Policy is not being modified.  This can create a good deal of confusion for administrators.

The best practice is to use ConsoleOne for administering the old restrictions if UP is not being used, and to use iManager to change the Password Policy restrictions if UP is being used.

Novell hopes to release an enhancement in a future release of NMAS that will allow for these attributes to "synch up" so that modifying one will affect both methods.

How is the password expiration time calculated when using the NMAS Universal Password?

The determination of whether a user's NMAS UP password has expired is not based solely on the stored date and time in the user's Password Expiration Time attribute.  That value is used, but an expiration time is first calculated dynamically on login and then compared to it.

A. NMAS first does its own calculation of the expiration time using the following algorithm:
1. Look up the user's associated password policy (identified via the user's nspmPasswordPolicyDN attribute) and read the value of the policy object's Password Expiration Interval attribute.
2. Examine the user's nspmPassword attribute timestamp.  NOTE:  This is the eDirectory modification timestamp for the value - not the value itself.
3. Add the Password Expiration Interval (in days) from the Password Policy to the nspmPassword modification timestamp on the user.
4. Is this sum earlier than the value currently stored in the user's Password Expiration Time?  If so, the Password Expiration Time value is updated to the sum.
5. Now compare the stored Password Expiration Time to the current server time to determine whether the password has expired.
Summary:  The Password Expiration Time is changed to the sum of the policy's Password Expiration Interval and the nspmPassword timestamp only if that sum is earlier than the current value of the attribute.
Password Expiration Interval from the Password Policy + modification timestamp of the Universal Password = Password Expiration Time.  If this is less than the current time, the password is expired.  If the interval on the policy is lowered, the expiration time is updated.  If the interval is lengthened, the stored value is not updated; instead, the password expires when the already-stored date is reached.

Example:

User4's nspmPasswordPolicyDN points to a password policy called Universal Password Policy. 
This policy has an attribute called Password Expiration Interval with a value of 10 days. 
User4 has an attribute called nspmPassword with a modification timestamp of 05/20/1997. 
User4 also has an attribute called Password Expiration Time with a value of 12/1/2005.
The current date of the server's clock is 11/21/2005.
When this user logs in NMAS takes the nspmPassword modification timestamp and adds the interval.  This equals 05/30/1997.  Is this earlier than the current expiration value of 12/1/2005?  Yes, so change it to 05/30/1997.  Now compare this value to the current date of 11/21/2005.  Is the expiration value earlier than our current date?  Yes.  Expire the password.

Additional Information

Note: if the password expiration interval is lengthened in the password policy, this will not be reflected in a user's Password Expiration Time value.  The following can be performed to update this value:
1. Modify the password policy to a greater number of days.
2. Make sure "Verify whether existing passwords comply with the password policy (verification occurs on login)" is turned on in the password policy definition.
3. Delete the Password Expiration Time attribute from the user object.
Upon login this value will be recreated.
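The following Python model of the login-time calculation is an added example, not NMAS code or anything shipped by Novell/NetIQ.  It walks through steps 1-5 above with the User4 example (10-day interval, nspmPassword timestamp 05/20/1997, stored expiration 12/1/2005, server date 11/21/2005), then shows why lengthening the interval to 90 days leaves the stored value untouched, and what happens after the Password Expiration Time attribute is deleted as described in this section.  Function names, the use of plain Python dates in place of eDirectory timestamps, and the assumption that a deleted attribute is recreated from the same interval-plus-timestamp sum are all mine.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed model of the NMAS Universal Password expiration check.
# Attribute values are plain Python dates standing in for eDirectory timestamps.


def compute_expiration_time(nspm_password_timestamp: date,
                            policy_interval_days: int,
                            stored_expiration_time: Optional[date]) -> date:
    """Steps 1-4: add the policy's Password Expiration Interval (days) to the
    nspmPassword modification timestamp and keep whichever is earlier: that
    sum or the user's currently stored Password Expiration Time.

    None models a Password Expiration Time attribute that has been deleted
    from the user object; assumption: on the next login it is recreated from
    the same sum.
    """
    candidate = nspm_password_timestamp + timedelta(days=policy_interval_days)
    if stored_expiration_time is None or candidate < stored_expiration_time:
        return candidate               # interval lowered or attribute absent: write the sum
    return stored_expiration_time      # interval lengthened: stored value is left alone


def is_expired(expiration_time: date, server_date: date) -> bool:
    """Step 5: expired once the stored expiration time is earlier than server time."""
    return expiration_time < server_date


def evaluate_login(nspm_password_timestamp: date,
                   policy_interval_days: int,
                   stored_expiration_time: Optional[date],
                   server_date: date) -> Tuple[date, bool]:
    """Returns (Password Expiration Time after login, expired?)."""
    new_value = compute_expiration_time(nspm_password_timestamp,
                                        policy_interval_days,
                                        stored_expiration_time)
    return new_value, is_expired(new_value, server_date)


# Constructed values taken from the User4 example in the article.
USER4_PASSWORD_TS = date(1997, 5, 20)     # nspmPassword modification timestamp
USER4_STORED_EXPIRY = date(2005, 12, 1)   # Password Expiration Time on the user
SERVER_DATE = date(2005, 11, 21)          # server clock at login


def user4_first_login() -> Tuple[date, bool]:
    """10-day interval: 05/20/1997 + 10 = 05/30/1997, earlier than 12/1/2005,
    so the attribute is rewritten; 05/30/1997 < 11/21/2005, so expired."""
    return evaluate_login(USER4_PASSWORD_TS, 10, USER4_STORED_EXPIRY, SERVER_DATE)


def user4_after_interval_raised() -> Tuple[date, bool]:
    """Policy interval lengthened to 90 days after the first login stored
    05/30/1997.  The new sum (08/18/1997) is later, so the stored value stays."""
    stored_after_first_login, _ = user4_first_login()
    return evaluate_login(USER4_PASSWORD_TS, 90, stored_after_first_login, SERVER_DATE)


def user4_after_attribute_deleted() -> Tuple[date, bool]:
    """Administrator deletes Password Expiration Time; next login recreates it
    from the 90-day sum.  Still expired here because 1997 is long before 2005."""
    return evaluate_login(USER4_PASSWORD_TS, 90, None, SERVER_DATE)


if __name__ == "__main__":
    scenarios = [
        ("first login, 10-day interval", user4_first_login),
        ("interval raised to 90 days", user4_after_interval_raised),
        ("attribute deleted, 90-day interval", user4_after_attribute_deleted),
    ]
    for label, fn in scenarios:
        expiry, expired = fn()
        print(f"{label}: Password Expiration Time={expiry:%m/%d/%Y} expired={expired}")
```

Running the block prints the three scenarios in turn.  The third one shows that deleting the attribute only helps when the user's nspmPassword timestamp plus the new interval actually lands in the future; a password last set years ago remains expired regardless of how far the interval is raised.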



Formerly known as TID# 10098342
Formerly known as TID# NOVL102785