3.8 Troubleshooting Password Policies

3.8.1 iManager Self-Service Login Requires Full DN

If you have to type a full DN at the login prompt, the user object probably does not reside under the container specified during iManager or Portal configuration. You need to run the Portal Servlet Configuration Wizard (http://your_iManager_server/nps/servlet/), and specify additional login containers for the contextless login. The Forgotten Password feature also uses this setting to resolve a user's DN.

3.8.2 Errors Indicate a Password Policy Is Not Assigned to a User

If you see an error saying that a password policy is not assigned to a user from the Set Universal Password task, and you know that the user does have a password policy assigned, SSL might be the issue. To diagnose and resolve SSL issues, perform the following tasks:

  • To help confirm that SSL configuration is the problem, use the View Policy Assignment task to check the policy for that user. If the View Policy Assignment task displays an NMAS Transport error, this can be an indicator that SSL is not configured properly.

  • Make sure that SSL is configured correctly between the Web server running iManager and the primary eDirectory tree. Confirm that you have a certificate configured between the Web server and eDirectory.

    This can be a problem if you are running iManager on a Windows 2000 machine with IIS as the Web server, because the iManager installation does not automatically configure the certificate for you in that scenario.

  • If you are not requiring TLS for simple bind, you must make sure you indicate the correct LDAP SSL port, as explained in the note in Step 7.

3.8.3 Using Challenge Response Questions

Make sure that you are using a supported browser for iManager.

3.8.4 Giving Access to Users in New Containers

When you set up iManager or one of Novell's portal products, such as Novell’s UserApp™, you specify the portal users container. Usually you specify a container at a high level in the tree, so that all users in the tree can access portal features. If all your users are below that container, then all users have access to Forgotten Password and Reset Password Self-Service.

If you later create a container with users outside the portal users' container, and these users can't access Forgotten Password and Reset Password features, you'll need to specifically assign rights to the following gadgets for that new container: Challenge Response Setup, Change Universal Password, and Hint Setup.

For instructions on adding new users to the portal users' container, see “Portal User” in the Novell exteNd documentation (http://www.novell.com/documentation/extend5/).

3.8.5 NMAS LDAP Transport Error

If you are installing Identity Manager in a multiserver environment and use some of the Password Management plug-ins in iManager, you might see an error that begins with NMAS LDAP Transport Error.

One common cause of this error is that the PortalServlet.properties file is pointing to an LDAP server that does not have the NMAS extensions that are needed for Identity Manager. Open the PortalServlet.properties file and make sure the address for the LDAP server is the same server where you installed Identity Manager.

Other possible causes:

  • The LDAP server is not running.

  • SSL is not configured for LDAP between the iManager server running the plug-ins and the LDAP server.

  • When logging in to other trees with iManager to manage remote Identity Manager DirXML servers, you might encounter errors if you use the server name instead of the IP address for the remote server.

  • The trusted root certificate of the tree you authenticate to has not been imported as a trusted certificate onto the Web server. It must be imported there. You can use keytool.exe to export the certificate to the Web server. If you install eGuide, the certificate is exported to the Web server during the configuration process.
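The SSL checks in 3.8.2 and the causes listed in 3.8.5 can be told apart with a verified TLS handshake against the LDAP SSL port, run from the Web server host. The following script is an added example, not part of the Novell documentation or tooling; the function names and status strings are hypothetical, port 636 is the conventional LDAP SSL port, and the optional CA file is assumed to be a PEM export of the tree's trusted root. It tests the certificate and port as seen from that host, not the contents of the Web server's own Java keystore.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes, exposed by Python as SSLCertVerificationError.verify_code
NAME_MISMATCH = {62, 64}           # hostname / IP address not in the certificate
UNTRUSTED_ROOT = {18, 19, 20, 21}  # self-signed or issuer missing from the trust store

def classify(exc):
    """Map a connection failure to one of the causes listed in 3.8.2 and 3.8.5."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        if code in NAME_MISMATCH:
            return "name_mismatch"    # address used differs from the certificate names
        if code in UNTRUSTED_ROOT:
            return "untrusted_root"   # tree's trusted root is not trusted on this side
        return "cert_invalid"         # expired or otherwise rejected
    if isinstance(exc, ssl.SSLError):
        return "not_tls"              # handshake failed: may not be the LDAP SSL port
    if isinstance(exc, ConnectionRefusedError):
        return "not_listening"        # LDAP server is not running on that port
    return "unreachable"              # timeout, DNS failure, routing

def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake; return (status, detail)."""
    # With cafile set, only that PEM file is trusted (assumed: the tree's exported root).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()
    except OSError as exc:
        return classify(exc), str(exc)

if __name__ == "__main__":
    # usage: probe.py HOST [PORT] [ROOT_CA.pem]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(*probe_ldaps(host, port, cafile))
```

Probing once with the server name and once with the IP address shows whether a `name_mismatch` result depends on which form of the address is used.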