6 Replies Latest reply: Sep 17, 2013 8:34 AM by uzanatta

    Password expired on AD/LDAP accounts

    uzanatta

      Hi,

      Did you experience an issue with expired passwords on external login accounts?

      It seems that it is following the Standard account policy and not the AD/LDAP server policies.

      Once you log on, the form for changing the password appears; obviously you can't change the password, but you can't log on anymore either.

      Any feedback is appreciated.

      Thank you.

        • 1. Re: Password expired on AD/LDAP accounts
          acommons

          We had a similar experience where the local password complexity policy was applied to AD/LDAP accounts. This caused the ESM to try and force a password change at login because the entered password did not meet the requirements (we made the local policy very stringent). We had to change the password policy to match the AD/LDAP policy to get it sane again.

          cheers,

          Andrew

          • 2. Re: Password expired on AD/LDAP accounts
            uzanatta

            Hi Andrew,

            When you talk about local policy, do you mean the local policy of Active Directory? Sorry, but I didn't understand.

            Could you tell me how you change/set up the policy in order to get the ESM working?

            Thank you very much.

            Rgds,

            • 3. Re: Password expired on AD/LDAP accounts
              acommons

              We used the supplied default ESM account - we renamed it and I can't remember what the original name was; it's a super user - to set the policy on the ESM to be the same as the AD/LDAP policy. We didn't try to change passwords and complete the login when prompted by the ESM; we just aborted the login and fixed what we thought was the problem. We were lucky we got it right.

              In your case I suspect you need to make the password lifetime greater than the AD/LDAP lifetime, or turn off password lifetime completely for the ESM policy.

              We are seeing a few odd things around account management with AD/LDAP accounts in the ESM; when I get some time I'll document them and share them with the community.

              Cheers,

              Andrew

              • 4. Re: Password expired on AD/LDAP accounts
                uzanatta

                Hi Andrew,

                In fact, I worked out making the password lifetime greater than AD's, but that is not the requirement of the customer, because he wants to set up the same password lifetime.

                Just today support told me I need to update to the latest hotfix 20130909 in order to get LDAP working as I expected. I will try it.

                Thank you,

                Rgds,

                • 5. Re: Password expired on AD/LDAP accounts
                  acommons

                  Hi Umberto,

                  Make sure you share your results with us.

                  In your scenario I suspect you will need to have perfect two-way synchronisation between the SIEM and AD/LDAP, because the system on which the password change is forced cannot be controlled.

                  I will check out the hotfix if it is generally available and see what else it might fix; thanks for the heads up.

                  cheers,

                  Andrew

                  • 6. Re: Password expired on AD/LDAP accounts
                    uzanatta

                    Hi Andrew,

                    I found the solution concerning McAfee ESM and AD/LDAP: this behavior happens when the LDAP/AD account has been granted administrator rights. In such a case the "Standard" policy applies, so I do think you can't assign administration privileges to an external account, because when the password is going to expire you can't log in anymore.

                    I will check with the support.

                    Rgds,