After upgrade to eDirectory 8.8.6, function to generate random passwords doesn't respect restriction not to use special characters

  • 7009585
  • 18-Oct-2011
  • 27-Apr-2012

Environment


Novell eDirectory 8.8.6 for All Platforms
Novell Identity Manager 3.6.1
Novell Identity Manager 4.0.1
Novell Modular Authentication Service (NMAS) version 3.3.3.0

Situation

After upgrading to NMAS version 3.3.3.0, the version shipped with eDirectory 8.8.6, an IDM driver that generated random passwords with the token-generate-password verb started producing passwords containing special characters, even though the password policy explicitly disallowed them.

The problem occurs only when the password policy carries a particular combination of attribute values. The attribute that corresponds to the option to allow or disallow special characters is set to disallow them:
nspmSpecialCharactersAllowed:FALSE

If the policy also carries these two attributes (present by default if the policy allowed special characters at some point in the past):
nspmSpecialAsFirstCharacter:TRUE
nspmSpecialAsLastCharacter:TRUE
then the problem appears.

When the driver then tries to set a generated password that contains special characters, the set operation fails with this error:
Message:  Code(-9010) An exception occurred: novell.jclient.JCException: generateKeyPair -16010 UNKNOWN ERROR

Error -16010 corresponds to NMAS_E_PASSWORD_SPECIAL_DISALLOWED.

Resolution

This behavior is a design choice made when implementing a fix that shipped with NMAS 3.3.3.0. The logic is that the presence of either of these attributes:
nspmSpecialAsFirstCharacter:TRUE
nspmSpecialAsLastCharacter:TRUE

implies that nspmSpecialCharactersAllowed is TRUE, and that implied value overrides the explicit one. As the failed attempt to set the password shows, this inference is applied only when a password is generated, not when it is set, so the generator produces a password that the policy check then rejects.

To fix this problem, perform the following steps:
1 - Log in to iManager and go to the Passwords role.
2 - Select the Password Policies task.
3 - Edit the password policy used by the driver.
4 - Click the Universal Password tab, then Advanced Password Rules.
5 - Scroll down to the Non-alphanumeric Characters section and temporarily enable the option "Allow non-alphanumeric characters in the password".
6 - Apply the changes.
7 - Select the options "Disallow non-alphanumeric character as first character" and "Disallow non-alphanumeric character as last character". This sets the problem values to FALSE.
8 - Disable the option "Allow non-alphanumeric characters in the password".
9 - Apply the changes.

After these changes have been made, passwords generated under the policy should no longer contain special characters.
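The script below is an added example, not Novell/NetIQ code and not part of the original TID. It audits an LDIF export of password-policy objects for the attribute combination described under Situation, models the generation-side inference described under Resolution next to the set-side check so the mismatch that yields -16010 is visible, and emits an LDIF modify equivalent to steps 7 to 9. Assumptions not in the TID: the policies were exported as LDIF (for example with ldapsearch), the two flags can be set to FALSE directly over LDAP (the TID itself corrects them through iManager), and the policy DNs and container in the sample are constructed.

```python
"""Audit eDirectory password policies for the NMAS 3.3.3.0 special-character
flag combination described in TID 7009585.  Added example, not vendor code."""
from typing import Dict, List

# Constructed LDIF export of three policies.  Attribute names and values are
# the ones the TID names; the DNs and the container are invented for the demo.
SAMPLE_LDIF = """\
dn: cn=Driver Password Policy,cn=Password Policies,cn=Security
nspmSpecialCharactersAllowed: FALSE
nspmSpecialAsFirstCharacter: TRUE
nspmSpecialAsLastCharacter: TRUE

dn: cn=Clean Policy,cn=Password Policies,cn=Security
nspmSpecialCharactersAllowed: FALSE
nspmSpecialAsFirstCharacter: FALSE
nspmSpecialAsLastCharacter: FALSE

dn: cn=Specials Allowed,cn=Password Policies,cn=Security
nspmSpecialCharactersAllowed: TRUE
nspmSpecialAsFirstCharacter: TRUE
nspmSpecialAsLastCharacter: TRUE
"""

# The two attributes whose TRUE value makes the generator assume specials are allowed.
INFERRING_ATTRS = ("nspmSpecialAsFirstCharacter", "nspmSpecialAsLastCharacter")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines (leading space) re-joined.  Base64 (::)
    and URL (:<) values are out of scope for a boolean-attribute audit."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


def is_true(entry: Dict[str, List[str]], attr: str) -> bool:
    """eDirectory booleans are exported as TRUE/FALSE; a missing flag counts as FALSE."""
    return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"


def generation_allows_specials(entry: Dict[str, List[str]]) -> bool:
    """Generation side as the TID describes NMAS 3.3.3.0: either first/last flag
    being TRUE is taken to imply specials are allowed, overriding the explicit value."""
    return is_true(entry, "nspmSpecialCharactersAllowed") or any(
        is_true(entry, a) for a in INFERRING_ATTRS)


def set_allows_specials(entry: Dict[str, List[str]]) -> bool:
    """Set side honours only the explicit nspmSpecialCharactersAllowed value."""
    return is_true(entry, "nspmSpecialCharactersAllowed")


def is_affected(entry: Dict[str, List[str]]) -> bool:
    """Affected when a generated password may contain specials but setting it is
    refused: the -16010 NMAS_E_PASSWORD_SPECIAL_DISALLOWED case from the TID."""
    return generation_allows_specials(entry) and not set_allows_specials(entry)


def affected_policies(ldif_text: str) -> List[str]:
    """DNs of every policy in the export that shows the problem combination."""
    return [e["dn"][0] for e in parse_ldif(ldif_text) if "dn" in e and is_affected(e)]


def remediation_ldif(entry: Dict[str, List[str]]) -> str:
    """LDIF modify setting the inferring flags to FALSE, the state the TID's
    iManager steps 7 to 9 leave them in.  Assumed direct-LDAP equivalent."""
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr in INFERRING_ATTRS:
        if is_true(entry, attr):
            lines += [f"replace: {attr}", f"{attr}: FALSE", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        if is_affected(entry):
            print(f"AFFECTED: {entry['dn'][0]}")
            print(remediation_ldif(entry))
```

Run against a real export, the audit lists only the policies where generation and set disagree; a policy that explicitly allows special characters is left alone, because there the inferred and explicit values coincide and no -16010 occurs.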