Problem with NWDSChangePwdEx/NWDSChangePassword and simple
passwords

A customer using my setpword program has reported that when an ordinary user
changes their universal password (the old password is required so
NWDSChangePwdEx is used), the simple password is not changed correctly - see
details below. If the user changes their own universal password using
iManager, ConsoleOne or when prompted by the client at login (on the same
workstation as setpword is run), the simple password changes correctly. When
the universal password is changed by a privileged user using setpword (in
which case NWDSGenerateKeyPairEx is used), the simple password is changed
correctly. However, NWDSChangePassword is used in place of NWDSChangePwdEx,
the problem remains.

The description provided is given below. I'm out of the office for a couple
of weeks and so have limited ability to do any testing. Can anyone shed any
light on this?

TIA, John
DevSup SysOp 24

All servers are running NW 6.5 SP4a and all have universal passwords
enabled. No synchronisation problems exist.

It will work in this scenario
use your setpword to sucessfully change universal password. But you will
need to log out and log back in again for every other passwords to
synchronize.

If you change your universal password and did not log out.  At that
moment, try to verify your simple password. In my case, I used a workstation
with no novell client and access CIFS service (which used simple password).
Once you try to authenticate with the new password.  Not only it doesn't
work,
it automatically revert to the old password which your setpword claimed that
it had successfull change to the new password.

Another word, I can't used any services that use simple password after I
changed my universal password with your setpword.  User will need to log
in using PC with netware client to log in one more time.  If they don't, and
try to access Cifs, it reverted back to the old password.  Very
annoying.

Hi

Universal password must be changed with NWDSChangePwdEx.

NWDSChangePassword does not support UP change.  This discussion actually
came up on the njcl group, See "Universal Password 1/17/2006"  At that
time
I confirmed with client engineering that the difference between the "old
client tools" that don't support UP and the "new client tools"
that do
support UP are that the latter use NWDSChangePwdEx.  This is as designed.

Thank you
Susan

"Susan Perrin" <devsup @novell.com> wrote in message 
news:dUN7g.3015$U_.2924@prv-forum2.provo.novell.com...
> Hi
>
> Universal password must be changed with NWDSChangePwdEx.
>
> NWDSChangePassword does not support UP change.  This discussion actually
> came up on the njcl group, See "Universal Password 1/17/2006"  At
that 
> time
> I confirmed with client engineering that the difference between the
"old
> client tools" that don't support UP and the "new client
tools" that do
> support UP are that the latter use NWDSChangePwdEx.  This is as designed.

Susan

Thank you for your response. My program uses NWDSChangePwdEx, but I also 
tried NWDSChangePassword to see if the behaviour changed. NWDSChangePassword 
does appear to at least partially support universal password - in those 
versions of the client supporting NWDSChangePWdEx. If you pass it a case 
sensitive password it will be set correctly, and if I recall correctly, it 
will be converted to uppercase if universal passwords are not enabled. In 
fact my program my programs use both functions. When I first updated them to 
use NWDSChangePwdEx, some customers were receiving -319 from this function. 
When that happens I call NWDSChangePassword which does not return an error 
and still sets a case sensitive password. Obviously it does not support the 
extended chars in passwords.

Any thoughts on why one customer would experience the results described in 
my post?

Thanks, John
DevSup SysOp 24 

Hi

Sorry I seem to have missed the point of your question.  It's not synching
when you change UP via ChangePwdEx.

I used eDirectory 88 sp1 beta on NW 65 SP5 and Novell client Novell Client
for Windows 4.91 SP2 build 4.91.2.20051209.

I enabled UP with

Synchronize NDS password when setting Universal Password
Synchronize Simple Password when setting Universal Password
Synchronize Distribution Password when setting Universal Password

all checked.

I set the UP and NDS password to synch by changing UP and logging in etc.  I
used diagpwd and the nmas sdk NMASSimplePwdMgr and NMASPwdMgr to read the UP
and simple password.  (the NMASSimplePwdMgr class has a bug in getPasswd
where it's truncating the simple password, but I found that's in the class
itself, not the data stored in nmas.  It's easily fixed).

I then ran

NWDSChangePwdEx(context, ".hello.testorg", PWD_RAW_C_STRING,
"newpass",
"password", ALL_PASSWORDS);

and saw this in my dstrace.log (with nmas enabled):

NMAS: [2006/05/10 17:38:47] INFO: spmAgentChangePassword success

which I don't think confirms the synch, but at least it proves nmas got
involved, which is a good thing for the client library call.

using NMASSimplePwdMgr again confirms that the simple password is synched.

I also tried with PWD_UTF8_STRING.  I also tried with
Remove the NDS password when setting Universal Password instead of synch to
ndspwd just in case.

I can't think of anything else to try, except to ask for your customers'
eDirectory version and patch level and platform, and his/her client version
and build info since the api was modified at some point to cause nmas to
kick in.

I hope this helps somewhat.



Thanks

Susan