Admin is adjusting the Password Expiration Time in ConsoleOne, however the password is still expired

(Last modified: 20Aug2005)

This document (10098645) is provided subject to the disclaimer at the end of this document.

fact

Novell Modular Authentication Service (NMAS)

NMAS Client

symptom

Admin is adjusting the Password Expiration Time in ConsoleOne, however the password is still expired.

Logins succeed when NMAS is not used and the Password Expiration Time attribute is set to a future date.

A Universal Password Policy was applied to all users.

cause

NMAS-enabled clients do not read the Password Expiration Time attribute when Advanced Rules are enabled in the user's Password Policy.

Novell Clients with an NMAS-enabled client use the Universal Password to log in, if a Universal Password has been set for the user.
Novell Clients without an NMAS Client installed, or with NMAS disabled, rely on the NDS password attributes (Public/Private Key).

When a user logs in with a client that is not NMAS-aware, or with NMAS disabled, the password is validated against the NDS password. The Password Expiration Time attribute is checked to verify that the password is not expired. If a correct password was supplied and the password is not expired, login continues.

When Advanced Rules are enabled in the Password Policy and a user logs in with an NMAS-enabled client, the password is validated against the Universal Password. The Password Expiration Interval is read from the user's Password Policy, and the timestamp of the password plus that interval is compared against the current time. Note that when Advanced Rules are used in the Password Policy, the Password Expiration Time attribute is not read or used.

The Password Expiration Time attribute, while often set when a Universal Password is changed, is set for backward compatibility. It is also set so an administrator can see when a user's password will expire. This does not mean that eDirectory relies on that attribute for a password to expire. With Universal Password the expiration date is actually derived from the timestamp on the password attribute and the Password Expiration Interval attribute from the Universal Password Policy; adding the two together gives the date when the password will expire. For this reason it is possible for an administrator to set the Password Expiration Time into the future and have NDS password authentication work while NMAS authentication fails. Logging in with an NMAS-aware client should reset the Password Expiration Time attribute to the password timestamp plus the Password Expiration Interval.
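The two expiration checks described above, side by side, as an added illustration (this is not code from the TID or from eDirectory; the attribute and policy field names are assumed and the dates are constructed). It shows why a Password Expiration Time pushed into the future satisfies the NDS path but not the NMAS path, and what value an NMAS login would write back to the attribute.

```python
from datetime import datetime, timedelta

# Constructed user entry: the admin has pushed Password Expiration Time
# into the future with ConsoleOne, but the password timestamp is unchanged.
USER = {
    "password_timestamp": datetime(2005, 5, 1),         # when the Universal Password was last set
    "password_expiration_time": datetime(2005, 12, 31),  # edited by the admin in ConsoleOne
}

# Constructed Universal Password Policy with Advanced Rules enabled.
POLICY = {
    "advanced_rules_enabled": True,
    "password_expiration_interval": timedelta(days=90),
}


def nds_password_expired(user, now):
    """Non-NMAS client path: only the Password Expiration Time attribute is consulted."""
    return now >= user["password_expiration_time"]


def universal_password_expiry(user, policy):
    """NMAS path with Advanced Rules: expiry is the password timestamp plus the
    policy's Password Expiration Interval; the Password Expiration Time attribute
    is not read at all. This is also the value an NMAS-aware login resets it to."""
    return user["password_timestamp"] + policy["password_expiration_interval"]


def universal_password_expired(user, policy, now):
    if not policy["advanced_rules_enabled"]:
        # Without Advanced Rules the legacy attribute still governs expiry.
        return nds_password_expired(user, now)
    return now >= universal_password_expiry(user, policy)


def login_outcome(user, policy, now, nmas_client):
    """Return 'expired' or 'ok' for a login attempt, assuming the password itself is correct."""
    expired = (universal_password_expired(user, policy, now) if nmas_client
               else nds_password_expired(user, now))
    return "expired" if expired else "ok"


if __name__ == "__main__":
    now = datetime(2005, 8, 18)
    print("non-NMAS client:", login_outcome(USER, POLICY, now, nmas_client=False))  # ok
    print("NMAS client:    ", login_outcome(USER, POLICY, now, nmas_client=True))   # expired
    print("effective UP expiry:", universal_password_expiry(USER, POLICY))           # 2005-07-30
```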

fix

The inability to extend a password's lifetime with ConsoleOne is not a bug but a security feature. The fact that NMAS enforces expiration on users' passwords should be taken into consideration before implementing a restrictive Universal Password Policy in your environment.

Rather than trying to manually extend a password's life, it is recommended that one of the following practices be observed:

1.  Change the password - For most situations this is the correct course of action. Password expiration should be implemented with security in mind, and attempting to subvert that security is not a good idea.

2.  Allow longer-lived passwords in another Universal Password Policy - Create a less restrictive Universal Password Policy for users who need longer-lived passwords. When those passwords expire, though, users should still change them.

3.  Create a non-expiring Universal Password Policy - This option can be used for users whose passwords should never expire. Having expiring passwords in your tree improves security; however, there may be users whose passwords should never expire. As an alternative to a never-expiring password, it may be a good idea to increase the complexity requirements for these users.

Once a Universal Password Policy has been enabled for a user, container, partition or tree, all management of the password should be done via iManager and the Password plug-in. ConsoleOne should not be used.

document

Document Title: Admin is adjusting the Password Expiration time in ConsoleOne however Password is still expired
Document ID: 10098645
Solution ID: NOVL103127
Creation Date: 18Aug2005
Modified Date: 20Aug2005
Novell Product Class:Novell Directory Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.