DSfW Universal password policy gets reset every 30 minutes

  • 7005721
  • 12-Apr-2010
  • 19-Sep-2016

Environment

Novell Open Enterprise Server 11 SP1 (OES 11SP1) Linux
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 SP3 (OES 2SP3) Linux
Novell Open Enterprise Server 2 SP2 (OES 2SP2) Linux
Domain Services for Windows
DSFW

Situation

Created a new universal password policy and assigned it to the DSfW domain partition object, e.g. dc=dsfw,dc=novell,dc=com. After 30 minutes, the Default Domain Policy is re-assigned to the domain partition object.

There are two cases here.

In a non-name-mapped setup, the variable XADRETAINPOLICIES is not present in the /etc/opt/novell/xad/xad.ini file; the user adds the line 'XADRETAINPOLICIES = yes' manually and expects the policy on the domain partition to be retained.

In a name-mapped setup, the retain existing password policies option was not selected during installation, so the /etc/opt/novell/xad/xad.ini file contains 'XADRETAINPOLICIES = no'. After installation, the user manually changes the value to 'XADRETAINPOLICIES = yes' and expects the password policy on the domain partition to be retained.

Resolution

If iManager is the desired tool to modify password policies, first verify whether the retain existing password policies option was enabled by running the following; a value of no means it was not:

grep -i xadretain /etc/opt/novell/xad/xad.ini

XADRETAINPOLICIES = no

If it is set to no, edit the /etc/opt/novell/xad/xad.ini file and change

XADRETAINPOLICIES = no

to

XADRETAINPOLICIES = yes

An easy way to change this setting from no to yes is with sed. Run the following command (the pattern matches the exact spacing shown, so re-run the grep above afterwards to confirm the change took effect):
sed -i 's/^XADRETAINPOLICIES = no/XADRETAINPOLICIES = yes/g' /etc/opt/novell/xad/xad.ini

For OES11, edit the /etc/sysconfig/novell/xad2_oes11 file and set XAD_RETAIN_POLICIES="yes" so that future patches and upgrades will not remove or ignore the setting in the xad.ini file. For OES11SP1 the file is /etc/sysconfig/novell/xad_oes11_sp1.

Here is the command to change the setting using sed on an OES11SP1 server:
sed -i 's/^XAD_RETAIN_POLICIES="no"/XAD_RETAIN_POLICIES="yes"/g' /etc/sysconfig/novell/xad_oes11_sp1

If the GPO Management Tool is to be used to modify password policies, make sure XADRETAINPOLICIES = no, since the GPO sync is what applies those changes.

With XADRETAINPOLICIES = yes in place, use iManager to change the password policy assignment on the domain partition object to the desired password policy.

Verify the change. Run the following ldapsearch; nspmPasswordPolicyDN should hold the DN of the newly assigned password policy:

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b dc=dsfw,dc=novell,dc=com -s base nspmPasswordpolicyDN

Run gposync.sh from the terminal, then repeat the ldapsearch to verify that the newly assigned password policy is still listed.

Using iManager or ldapsearch, find the attribute xad-Domain-Flag on the domain partition object.

For ldapsearch, run:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b dc=dsfw,dc=novell,dc=com -s base xad-Domain-Flag
 
For both non-name-mapped and name-mapped setups, the second bit (value 2) of xad-Domain-Flag must be set for the password policy to be retained.

This means the xad-Domain-Flag value should be 2 or 3.
For example, in a non-name-mapped setup the xad-Domain-Flag value is 1; after changing the setting it should hold the value 3.
In a name-mapped setup the xad-Domain-Flag value is 0; after setting XADRETAINPOLICIES to yes it should hold the value 2.
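The following consistency check is an added example, not part of the original TID; it assumes only the xad.ini key and the xad-Domain-Flag bit meaning described above, and takes the ldapsearch output as input so it can be tried offline against captured LDIF (on a live server, feed it the real xad.ini and the output of the ldapsearch shown above):

```shell
#!/bin/sh
# Added example: checks that the XADRETAINPOLICIES setting in xad.ini and
# the retain bit (value 2) of xad-Domain-Flag agree. Inputs are passed in,
# so it can run offline against captured ldapsearch output.

# Print the XADRETAINPOLICIES value from an xad.ini-style file, lower-cased
# and without surrounding whitespace; "unset" if the key is absent.
xad_retain_setting() {
    val=$(grep -i '^[[:space:]]*XADRETAINPOLICIES[[:space:]]*=' "$1" 2>/dev/null |
          tail -n 1 | awk -F= '{print $2}' | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# Succeed (exit 0) when bit 2 is set in a numeric xad-Domain-Flag value,
# i.e. for 2 or 3 as described above; fail for 0, 1 or non-numeric input.
domain_flag_retains() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ $(( $1 & 2 )) -ne 0 ]
}

# Print the first value of attribute $1 from LDIF (ldapsearch -LLL) on stdin.
ldif_value() {
    awk -F': ' -v a="$1" 'tolower($1) == tolower(a) { print $2; exit }'
}

# Succeed when the ini setting and the domain flag bit agree.
# $1 = path to xad.ini, $2 = LDIF text for the domain partition object.
retain_consistent() {
    setting=$(xad_retain_setting "$1")
    flag=$(printf '%s\n' "$2" | ldif_value xad-Domain-Flag)
    if domain_flag_retains "$flag"; then bit=yes; else bit=no; fi
    [ "$setting" = "$bit" ]
}

# Constructed sample, not from a real server: xad.ini was changed to yes
# but the domain object still carries the non-name-mapped default flag 1.
SAMPLE_INI=$(mktemp)
printf 'XADRETAINPOLICIES = yes\n' > "$SAMPLE_INI"
SAMPLE_LDIF='dn: dc=dsfw,dc=novell,dc=com
nspmPasswordPolicyDN: cn=Example Policy,cn=Password Policies,cn=Security
xad-Domain-Flag: 1'
if retain_consistent "$SAMPLE_INI" "$SAMPLE_LDIF"; then
    echo "OK: xad.ini and xad-Domain-Flag agree"
else
    echo "MISMATCH: expected xad-Domain-Flag bit 2 to match XADRETAINPOLICIES"
fi
rm -f "$SAMPLE_INI"
```

A MISMATCH after gposync.sh has run is the symptom this document describes; re-check the xad.ini value (and the sysconfig file on OES11) before assigning the policy again.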

Additional Information

If XADRETAINPOLICIES = yes, cosmetic errors might be seen when gposync.sh runs.

Example:

Syncing {31B2F340-016D-11D2-945F-00C04FB984F9} Group Policy
The policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] is not associated to any container.
Delete NMAS Password Policy Links

This can be ignored. To eliminate the error, edit the /opt/novell/xad/sbin/gposync.sh script and make sure it looks like the following; the change is the XADRETAIN check that exits before the sync loop when XADRETAINPOLICIES is set to yes.

#!/bin/bash
# This script syncs all the password policies with NMAS
GPOTOOL="/opt/novell/xad/sbin/gpo2nmas -q -g"
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf

# The domain partition DN, read from the rootDSE defaultNamingContext
doma=$(ldapsearch -Y EXTERNAL -b "" -s base -LLL 2>&1 | grep -iw defaultnamingcontext | awk -F: '{print $2}' | tr -d '[:space:]')
test -z "$doma" && exit
# GUIDs of the Group Policy containers under cn=policies,cn=system
gPolicies=$(ldapsearch -Y EXTERNAL -b "cn=policies,cn=system,$doma" -s one 2>&1 | grep dn: | awk -F, '{print $1}' | awk -F= '{print $2}')
test -z "$gPolicies" && exit
echo "The list of Group Policies present in the domain $doma are:"
for s in $gPolicies; do
    echo -e "\t$s"
done
echo
# When XADRETAINPOLICIES = yes the NMAS policy assignment must be left alone, so skip the sync
XADRETAIN=$(grep -i xadretainpolicies /etc/opt/novell/xad/xad.ini | awk -F= '{print $2}' | tr -d '[:space:]')
if [ "$XADRETAIN" = "yes" ]; then
    exit 0
else
    for s in $gPolicies; do
        echo "Syncing $s Group Policy"
        $GPOTOOL "$s"
        echo -e "\n"
    done
fi