OES client able to log in with a differing case password

OES user with an ID from well before Universal Password was configured, who somehow missed the push to change passwords (the client was rather soft on the change, please rather than forced).
The Windows password and eDir password differ only by the case of the first character.

All the LDAP-based logins work correctly with the lowercase password, and fail with the mixed case version. Windows local is the mixed case, and OES client works just fine with it, which is my worry.

Versions: this has slid by without a problem until recently, so from the end of NetWare days to now-current OES (other parts may vary).

I am assuming a forced reset will fix this (aimed for tomorrow, once her new laptop is otherwise ready). But why is this working now? I can log in with the OES client from other systems just fine with either case, which is suspect.


An oddity found in testing: even though I disconnected after each test login, we still ran out of simultaneous logins. So there is a small lag in the accounting of them for that particular limit, but at least we could change that limit for the user while we sort this out.

________________________

Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.


    Universal password rules were set up, but it was late in the game before I could push them that far. And then they wouldn't force users to change passwords, only ask nicely to please change passwords. So there are a number of users who still have their 5 lowercase letter (or all number) passwords. It is those user/passwords we have the issues with.

    I had been under the understanding that the old, simple NetWare passwords had been case-sensitive, and it is these I am asking about. It looks like I was just missing that they were case-insensitive, and was looking for that confirmation.

    I've been testing on some older accounts that I've been begging them to change, and on those I even get them logged in via LDAP with varying case.

    So is there a way to tell when a user's password was last changed, or which users have passwords that are not Universal Passwords? Then we could target much more effectively. Let's see if I can get diagpwd to help on that front.

    This client lacks a culture of security. It has been an upward battle all along, and with a conflict-avoiding IT Director. I keep pushing, but as an outside consultant, I can only do so much.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto