Error: -632 -16060 when changing the Universal Password after upgrading to eDirectory 9.2

  • 7024695
  • 23-Jun-2020
  • 20-May-2021

Environment

eDirectory 9.2.2
eDirectory 8.8 SP8

Situation

After upgrading from eDirectory 8.8 SP8 to eDirectory 9.2, users' Universal Passwords (UP) can no longer be changed.

In iManager the attempt returns Error: -632.

An ndstrace with the NMAS flag turned on shows: ERROR: -16060 Failed set password

Attempting to change the password using LDAP reports:
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: NDS error: system failure (-632)

IDM drivers cannot change passwords in the tree.


Resolution

The problem is that the tree key is still an old single-DES key with a size of only 56 bits.  Users with a UP therefore have 56 bit single-DES user keys and, hence, 56 bit wrapped passwords.  FIPS mode does not permit this low-strength algorithm to be used for writing new secrets, so every attempt to set a new password fails.

sdidiag can be used to verify whether 56 bit keys are in use; this check is not intrusive.  Consult the sdidiag documentation on its use.  The utility can be found on the patches tab of the eDirectory 9 download page.

Another, perhaps easier, way is to open two shells to any one server.  In one shell run ndstrace with the +nici flag.  In the other type:
ndstrace -c "unload niciext"
ndstrace -c "load niciext"
The ndstrace output shows the strength of the tree key(s) held by this server and by every other server in the tree.

The tree key must be upgraded to 3DES and synchronized to all servers.  Then each user's key must be upgraded so that the user's secrets are re-encrypted under the new key.

NOTE: If a user has an NMAS policy with UP disabled, the SCRAM method must be used; follow the instructions at the bottom of this TID.

Additional Information

Short Term Workaround:

Turn off FIPS. 

Linux:
At a shell type the following, then restart NDSD: ndsconfig set n4u.server.fips_tls=0
This will update the respective line in the /etc/opt/novell/eDirectory/conf/nds.conf file.

Windows:
Using regedit change the HKLM\SOFTWARE\Novell\NDS\FipsMode registry value to 0 and restart dhost.

This allows 56 bit based UPs to be changed using the usual methods.  It only removes the FIPS restriction; the weak keys remain until the solution below is applied.


Solution:

In a mixed tree, make sure at least one 9.x server in the tree is at version 9.2.2 or later.  The new tree key is created on an 8.8 SP8 server.  Lastly, a new 3DES key is created for each user on the 9.2.2 server and used to re-wrap all of that user's secrets.  The steps are below.  If all servers are at version 9.x, just enable the AES tree key as described in the Admin Guide.

1. Disable FIPS as shown above.

2. Generate a new tree key.  Download and install sdidiag from the 8.8 SP8 patches download site.
NOTE:
- To generate a new 3DES tree key, an 8.8 SP8 server holding a copy of root must be used.  If it does not hold root, the server must have write rights to the W0 object, for both the entry and all attributes.
- If all servers in the tree are at version 9, consult the documentation on how to generate an AES tree key instead: https://www.netiq.com/documentation/edirectory-92/nici_admin_guide/data/b1h9zf72.html#b1h9zf72

When installed:
either type sdidiag -g from the command line, or start the utility, type SD -G at its prompt, then quit to exit.
(NOTE: use only one of these methods and enter no other commands.  DO NOT revoke any keys already present; the old 56 bit key is still needed to unwrap existing secrets until the users have been re-encrypted.)

3. Synchronize the new key to ALL servers in the tree.  There are three ways to achieve this:
a. Unload and reload niciext, as shown above, on each server in the tree.
b. Restart NDSD or dhost on every server.
c. Start the sdidiag utility, type SD, then quit out of it.

4.  Re-encrypt the users' keys and passwords using diagpwd
The eDirectory 9.2.2 installation lays down, but does not install, <path to installation>/eDirectory/setup/novell-nmas-ldap-ext-client-9.2.1-0.x86_64.rpm.  Install this rpm, then run the utility against a user container or against all users in the tree.

The syntax is: diagpwd LDAP_SERVER_ADDR TLS_PORT CA_CERT_FILE SEARCH_BASE SEARCH_SCOPE BIND_DN [BIND_PWD] -t

Example: diagpwd 192.168.1.1 636 /var/opt/novell/eDirectory/data/SSCert.pem ou=users,o=netiq sub cn=admin,o=netiq -t
This logs in as admin.netiq and re-encrypts the passwords and secrets with the new key for all users in the users organizational unit under o=netiq and in all containers beneath it (scope sub).

5. Turn FIPS mode back on and restart NDSD or dhost.

Password and driver password changes should now be working with the new 3DES or AES keys and their wrapped passwords.
(NOTE: re-encrypting a user's password is seen by IDM as a password change, so modify the drivers accordingly before running diagpwd.)


NOTE: If a user has a policy in which UP is disabled, the new SCRAM method must be used.  More information is in the Admin Guide.  If this method is not installed and present in the policy, the following is seen when running diagpwd on the user:

ERROR: -16049 Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060 Failed to decrypt password history value

ERROR: -16060 Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

 -16049 0xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does not exist on the specified object.

 -16060 0xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2 from any previous version and the tree has any users with Universal Password encrypted with DES tree key, then for such users login or password change might fail with this error.
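The Linux side of steps 1 and 3 to 5 above, together with a triage of the diagpwd error lines quoted in the note just above, as an added shell example.  This is not part of this TID, of eDirectory, or of diagpwd: the commands ndsconfig, ndstrace and diagpwd and their arguments are the ones this TID gives; the use of ndsmanage stopall/startall to restart NDSD, the DIAGPWD_BIND_PWD variable, the log-file handling and every function name are this example's own assumptions.  The sample log written by sample_log consists of the three error lines shown above in this TID.

```shell
#!/bin/sh
# Added example (not part of the TID): Linux wrapper for steps 1, 3, 4 and 5
# plus triage of diagpwd output.  Step 2 (sdidiag -g on an 8.8 SP8 server)
# is left manual.  Assumed, not stated in the TID: ndsconfig, ndstrace and
# diagpwd are on PATH and "ndsmanage stopall/startall" restarts ndsd here.
set -u

NDS_CONF=${NDS_CONF:-/etc/opt/novell/eDirectory/conf/nds.conf}

# Steps 1 and 5: set n4u.server.fips_tls to $1 (0 = off, 1 = on), verify the
# line really changed in nds.conf, then restart ndsd so it takes effect.
set_fips() {
    ndsconfig set "n4u.server.fips_tls=$1" || return 1
    grep -q "^n4u.server.fips_tls *= *$1" "$NDS_CONF" || {
        echo "n4u.server.fips_tls was not updated in $NDS_CONF" >&2; return 1; }
    ndsmanage stopall && ndsmanage startall
}

# Step 3 (option a): pull the new tree key onto this server by reloading niciext.
reload_niciext() {
    ndstrace -c "unload niciext" && ndstrace -c "load niciext"
}

# Step 4: run diagpwd with the TID's argument order and keep the whole output.
# $1 server  $2 TLS port  $3 CA cert  $4 search base  $5 bind DN  $6 log file
# The bind password is read from DIAGPWD_BIND_PWD; the TID's syntax passes it
# on the command line, so it is visible in ps while diagpwd runs.  If the
# variable is empty the argument is omitted (diagpwd's prompt behaviour is
# not described in the TID).
run_diagpwd() {
    server=$1; port=$2; cacert=$3; base=$4; binddn=$5; log=$6
    if [ -n "${DIAGPWD_BIND_PWD:-}" ]; then
        diagpwd "$server" "$port" "$cacert" "$base" sub "$binddn" \
            "$DIAGPWD_BIND_PWD" -t >"$log" 2>&1
    else
        diagpwd "$server" "$port" "$cacert" "$base" sub "$binddn" -t >"$log" 2>&1
    fi
}

# Print, once each, the DNs diagpwd could not re-encrypt
# ("ERROR: -16060 Failed check password for <DN>").
failed_users() {
    sed -n 's/^ERROR: -16060 Failed check password for //p' "$1" | sort -u
}

# Count -16049 ChallengeResponseQuestions errors: per the TID these point at
# users whose policy has UP disabled and therefore needs the SCRAM method.
scram_candidates() {
    grep -c 'ERROR: -16049 .*ChallengeResponseQuestions' "$1" || true
}

# Writes the three diagpwd error lines quoted in this TID to $1 so the
# triage functions can be exercised without a directory server.
sample_log() {
    cat >"$1" <<'EOF'
ERROR: -16049 Failed to retrieve data in login config with tag: ChallengeResponseQuestions
ERROR: -16060 Failed to decrypt password history value
ERROR: -16060 Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB
EOF
}

# Manual usage on the 9.2.2 server (example values are the TID's own):
#   . ./up_rekey.sh
#   set_fips 0 && reload_niciext
#   DIAGPWD_BIND_PWD=... run_diagpwd 192.168.1.1 636 \
#       /var/opt/novell/eDirectory/data/SSCert.pem ou=users,o=netiq \
#       cn=admin,o=netiq /tmp/diagpwd.log
#   failed_users /tmp/diagpwd.log; scram_candidates /tmp/diagpwd.log
#   set_fips 1
```

Run the triage before turning FIPS back on: every DN listed by failed_users is still wrapped with the 56 bit key, and if scram_candidates is non-zero the policy fix described in the note above is needed before diagpwd is re-run for those users.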



NOTE2: In some cases a customer on a pure 9.x environment may want a 3DES tree key rather than AES.  eDirectory 9.x's sdidiag will only generate AES tree keys.  However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c "unload niciext"

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and  /var/opt/novell/nici/0/backup to a safe place.

c. For that same server, remove all of its rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c "load niciext". 

You should see in the shell running ndstrace that no tree key is found and that a new 3DES key is created.  Give the server RW entry rights and all attribute rights to the W0 object, then unload and reload niciext once again.  Now load niciext on the other servers holding root.  At this point the old 56 bit key and the new 3DES key are synchronized across the servers.
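The local part of Option 2 (steps a, b and d on the chosen root server), as an added shell example that is not part of this TID or of eDirectory.  The nicisdi.key and backup paths and the ndstrace commands are the ones given above; the stash location, the refusal checks and the function names are this example's own assumptions.  Removing the server's rights to W0 (step c) is done in iManager and is deliberately left as a manual step between the two halves.

```shell
#!/bin/sh
# Added example (not part of the TID): move this server's NICI tree key file
# and backup directory aside so niciext creates a fresh 3DES tree key on
# reload.  Nothing is deleted; the old key is still needed to unwrap every
# secret until the users have been re-encrypted.  Assumed: run as root on
# the chosen root-holding server, after niciext has been unloaded on every
# OTHER server holding root (step a).
set -u

NICI_DIR=${NICI_DIR:-/var/opt/novell/nici/0}

# Move $1/nicisdi.key and $1/backup into $2.  Refuses if there is no key to
# move or if $2 already holds a stashed key, so a second run can never
# overwrite the only copy of the old tree key.
stash_tree_keys() {
    src=$1; dest=$2
    [ -f "$src/nicisdi.key" ] || { echo "no nicisdi.key in $src" >&2; return 1; }
    [ ! -e "$dest/nicisdi.key" ] || { echo "$dest already holds a stashed key" >&2; return 1; }
    mkdir -p "$dest" || return 1
    mv "$src/nicisdi.key" "$dest/nicisdi.key" || return 1
    if [ -d "$src/backup" ]; then
        mv "$src/backup" "$dest/backup" || return 1
    fi
    # Confirm the move before anything is reloaded.
    [ ! -e "$src/nicisdi.key" ] && [ -f "$dest/nicisdi.key" ]
}

# Steps a and b on this server, then the instructions for c and d.
# $1 (optional) = stash directory; default is a timestamped one under /root.
force_new_tree_key() {
    stash=${1:-/root/nici-stash-$(date +%Y%m%d%H%M%S)}
    ndstrace -c "unload niciext" || return 1
    stash_tree_keys "$NICI_DIR" "$stash" || return 1
    echo "old tree key material stashed in $stash"
    echo "now remove this server's rights to the W0 object (step c), then,"
    echo "with 'ndstrace' +nici running in another shell, reload niciext:"
    echo "  ndstrace -c \"load niciext\""
}

# Manual usage:
#   . ./force_3des_key.sh
#   force_new_tree_key            # or: force_new_tree_key /root/my-stash
```

Keep the stash directory until the new 3DES key has been seen on every root server and diagpwd has re-wrapped the users; the NICI Admin Guide's own backup procedure, not this script, is the supported way to preserve the key set long term.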