Environment
Novell eDirectory 8.8 for All Platforms
Situation
ISSUE:
ldap_bind: Invalid credentials additional info: NDS error: bad password (-222)
LocalLoginRequest. Error bad password (-222)
The environment was eDirectory 8.7.3.9 FTF3 and Security Services 204. A Universal Password Policy was in place where the minimum number of characters required in a password was 6. Later this policy was changed to require 8 characters. The administrator did not want this policy to be enforced on everyone at once. Therefore, care was taken to ensure in the policy's options that the option to " Verify whether existing passwords comply with the password policy (verification occurs on login)" was not checked. Therefore the expected behavior was that this enforcement would occur when the user's current password expiration time came.
This worked as designed as long as users logged in with a Novell NCP client using NMAS authentication. However, if the user logged in via LDAP his account would be immediately expired. Thereafter each LDAP authentication would consume a grace login. Once all grace logins were consumed the account would be prevented from logging in again. The ldap client would return, " ldap_bind: Invalid credentials additional info: NDS error: bad password (-222) ". Looking in dstrace the following could be seen " LocalLoginRequest. Error bad password (-222) ".
CAUSE:
NMAS places password restriction attributes on the policy object itself. The old way of enforcing passwords would place password restriction attributes on the user object. When moving from the legacy password policies to NMAS enforcement, many administrators were confused by iManager reading and returning the policy object's values and ConsoleOne reading and returning the user objects values. Therefore a change was made in NMAS to synch some of the policy attributes to the user object upon login. One of these attributes that is synchronized is the " Password Minimum Length ". In eDirectory 8.7.3 NMAS is not used on LDAP authentication. Therefore when a LDAP authentication occurs it makes a dclient call to eDirectory. eDirectory will evaluate the current password length with the user's existing value in his " Password Minimum Length " attribute. If it is too short the account will be immediately expired.
Resolution
Security Services SSP205 (NMAS 3.2), eDirectory 8.8 SP2 FTF2 and eDirectory 873 SP10b and higher.
The following environment variable " NDSD_TRY_NMASLOGIN_FIRST = true " can be set. Thereafter LDAP authentication will occur over NMAS and the user object's minimum password length attribute will not be read on login.
NMAS
This has been reported to NMAS Development as well. It is hoped the long term approach will be to selectively specify what attributes are synchronized from the password policy to the user object.
Additional Information
Error: -223 will be thrown in trace once the account is expired but grace logins remain. In this situation the bind thru LDAP is permitted and depending on the ldap client the user may not be notified.
Error: -222 will be thrown in trace once the account is locked altogether since no grace logins remain. The client will now see the error on most client utils.
A workaround is to modify the user's grace limit and current grace counts to 255 via an ldif file. This undocumented value indicates unlimited grace logins. (iManager will not permit this value to be set.)