eDir 8.8.6

Last year I imported some users via C1's import/export interface
(ICE, isn't it?) and set the password using the

dn: cn=some-name,ou=some-ou,o=some-o
changetype: add
....
userpassword: cleartext

syntax.

After that, users should be able to authenticate against a
web application, which uses LDAP to query the eDir (with the freshly
built user and password). That sometimes failed because of incorrectly
built initial passwords. So users called me, told me they couldn't log in,
and I set their password in C1 again, to a new value. Then everything was
fine.

Last week I noticed the users in question could log in with their
*initially* set password (the LDIF one) *and* their current one, which
by policy expires periodically and must be set to a new value (and that
has been done a few times since last year).

What I found is that the users now have 1) a simple password, the one
initially assigned via LDIF, and 2) a current NDS password. But I
believe that is to be expected, given the process described above,
right?

Some assumptions: the simple password, if available, is used for LDAP;
if not, the NDS password will be used. If both are available, both are valid.

What confuses me is

1.
Tracing this behaviour (login to the WebApp with the simple password)
with *LDAP* and *NMAS* set to on shows errors I interpret as 'no login
allowed', but the user logs in to the WebApp fine. The WebApp
developer told me that from his point of view everything is all right;
eDir (LDAP) tells him the password is valid.

--SNIP--

13:06:40 ABC86080 -1 NMAS: 16: ERROR: -669 NDS password hash does not match
13:06:40 ABC86080 -1 NMAS: 16: ERROR: -669 Local password login shortcut failed
13:06:40 ABC86080 -1 NMAS: 16: Proxy client address 192 168 222 118
13:06:40 ABC86080 -1 NMAS: 16: NMAS Client supplied user DN CN=tbein.OU=admins.OU=EDV.O=Zentrale
13:06:40 ABC86080 -1 NMAS: 16: Create thread request
13:06:40 ABC86080 -1 NMAS: 16: Using thread 0x8fa72280
13:06:40 ABC86080 -1 NMAS: 16: Server thread started
13:06:40 ABC86080 -1 NMAS: 16: Proxy client started local server session
13:06:40 7EF08580 -1 NMAS: 16: Pool thread 0x8fa72280 awake with new work
13:06:40 7EF08580 -1 NMAS: 16: CanDo
13:06:40 7EF08580 -1 NMAS: 16: IP client network address
13:06:40 7EF08580 -1 NMAS: 16: Selected default login sequence == "NDS"
13:06:40 7EF08580 -1 NMAS: 16: Login Method 0x00000007
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 Get attribute AID: 1
13:06:40 7EF08580 -1 NMAS: 16: Begin Server Module 0x00000007
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 Get attribute AID: 39
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 Get NDS Password Hash
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 Write
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 XWrite
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 XRead
13:06:40 ABC86080 -1 NMAS: 16: Begin Client Module 0x00000007
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 Get attribute AID: 6
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 Get attribute AID: 40
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 Read
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 XRead
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 XWrite
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 XRead
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1642 verifyPacket2V2
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000007 XWrite
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1642 Server Module 0x00000007 End
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1642 NDS Login Method Failed
13:06:40 ABC86080 -1 NMAS: 16: Client Module 0x00000007 Finished
13:06:40 7EF08580 -1 NMAS: 16: WhatNext
13:06:40 7EF08580 -1 NMAS: 16: Login Method 0x00000022
13:06:40 7EF08580 -1 NMAS: 16: Begin Server Module 0x00000022
13:06:40 7EF08580 -1 NMAS: 16: Server Module 0x00000022 Read
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1639 Server Module 0x00000022 End
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1639 WhatNext
13:06:40 7EF08580 -1 NMAS: 16: Failed login delay 3 seconds
13:06:43 7EF08580 -1 NMAS: 16: Failed login
13:06:43 7EF08580 -1 NMAS: 16: Acknowledge
13:06:43 7EF08580 -1 NMAS: 16: ERROR: -1639 NMAS Manager
13:06:43 7EF08580 -1 NMAS: 16: Server thread exited
13:06:43 7EF08580 -1 NMAS: 16: Pool thread 0x8fa72280 work complete
13:06:43 ABC86080 -1 NMAS: 16: Client Session Destroy Request
13:06:43 ABC86080 -1 LDAP: (192.168.222.118:60833)(0x0001:0x60) Failed to authenticate local on connection 0xa7403b80, err = invalid request (-641)
13:06:43 ABC86080 -1 LDAP: (192.168.222.118:60833)(0x0001:0x60) Sending operation result 80:"":"NDS error: invalid request (-641)" to connection 0xa7403b80
13:06:43 99F7A240 -1 LDAP: Monitor 0x1ce found connection 0xa7403b80 socket closed, err = -5871, 0 of 0 bytes read
13:06:43 99F7A240 -1 LDAP: Monitor 0x1ce initiating close for connection 0xa7403b80
13:06:43 ABC86080 -1 LDAP: Server closing connection 0xa7403b80, socket error = -5871
13:06:43 ABC86080 -1 LDAP: Connection 0xa7403b80 closed

--SNIP--

2. Native LDAP logins in the same manner (e.g. ldapsearch) fail, as does
the SoftTerra LDAP browser. Why does the WebApp authenticate the users
while all other methods using LDAP fail? (Rights to browse to
objects are not the reason, because I let them browse to themselves
and cross-checked via the NDS password.)

Sorry, I'm an NMAS/SASL (and so on) rookie, and any guidance will be
greatly appreciated.

Tom
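As an added example (not code from the original post, nor from Novell/NetIQ), here is a small Python script that reduces an ndstrace excerpt like the one above to the facts that matter for a bind: the DN the NMAS client supplied, the login sequence selected, each NMAS login method tried with the error codes raised under it, the failed-login delay, and the LDAP result code sent back to the client. The embedded trace is a constructed subset of the lines quoted in the post with the wrapped lines rejoined; the regular expressions are written against the line layout in that excerpt and are an assumption for other eDirectory versions or trace flag combinations.

```python
"""Summarise one bind attempt from an eDirectory ndstrace (+LDAP +NMAS) excerpt.

Added example, not code from the original post. It pulls out the supplied
user DN, the login sequence, the NMAS login methods tried (with the error
codes raised under each), the failed-login delay and the LDAP result code.
"""
import re
from collections import Counter

# Constructed sample: a subset of the trace lines quoted in the post, with
# lines that wrapped in the mail rejoined. Timestamps and thread ids as posted.
SAMPLE_TRACE = """\
13:06:40 ABC86080 -1 NMAS: 16: ERROR: -669 NDS password hash does not match
13:06:40 ABC86080 -1 NMAS: 16: ERROR: -669 Local password login shortcut failed
13:06:40 ABC86080 -1 NMAS: 16: NMAS Client supplied user DN CN=tbein.OU=admins.OU=EDV.O=Zentrale
13:06:40 7EF08580 -1 NMAS: 16: Selected default login sequence == "NDS"
13:06:40 7EF08580 -1 NMAS: 16: Login Method 0x00000007
13:06:40 7EF08580 -1 NMAS: 16: Begin Server Module 0x00000007
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1642 verifyPacket2V2
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1642 NDS Login Method Failed
13:06:40 7EF08580 -1 NMAS: 16: Login Method 0x00000022
13:06:40 7EF08580 -1 NMAS: 16: Begin Server Module 0x00000022
13:06:40 7EF08580 -1 NMAS: 16: ERROR: -1639 Server Module 0x00000022 End
13:06:40 7EF08580 -1 NMAS: 16: Failed login delay 3 seconds
13:06:43 7EF08580 -1 NMAS: 16: Failed login
13:06:43 7EF08580 -1 NMAS: 16: ERROR: -1639 NMAS Manager
13:06:43 ABC86080 -1 LDAP: (192.168.222.118:60833)(0x0001:0x60) Failed to authenticate local on connection 0xa7403b80, err = invalid request (-641)
13:06:43 ABC86080 -1 LDAP: (192.168.222.118:60833)(0x0001:0x60) Sending operation result 80:"":"NDS error: invalid request (-641)" to connection 0xa7403b80
"""

# Line layout assumed from the excerpt above: "HH:MM:SS THREAD -1 MODULE: message"
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d (?P<thread>[0-9A-F]+) -1 (?P<module>NMAS|LDAP): (?P<msg>.*)$")
ERROR_RE = re.compile(r"ERROR: (?P<code>-\d+) (?P<text>.*)")            # NMAS "ERROR: -nnnn text"
LDAP_ERR_RE = re.compile(r"err = (?P<text>[^()]+) \((?P<code>-\d+)\)")  # LDAP "err = text (-nnn)"
METHOD_RE = re.compile(r"Login Method (?P<id>0x[0-9A-Fa-f]{8})")
SEQ_RE = re.compile(r'Selected default login sequence == "(?P<seq>[^"]+)"')
DN_RE = re.compile(r"supplied user DN (?P<dn>\S+)")
DELAY_RE = re.compile(r"Failed login delay (?P<secs>\d+) seconds")
RESULT_RE = re.compile(r"Sending operation result (?P<code>\d+):")


def parse_trace(text):
    """Return a dict summarising one bind attempt from ndstrace output."""
    s = {"user_dn": None, "sequence": None, "methods": [], "errors": [],
         "delay_seconds": 0, "ldap_result": None}
    current = None  # the method dict that later NMAS errors are attributed to
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not an NMAS/LDAP trace line (e.g. "--SNIP--")
        module, msg = line.group("module"), line.group("msg")
        if (m := DN_RE.search(msg)):
            s["user_dn"] = m.group("dn")
        elif (m := SEQ_RE.search(msg)):
            s["sequence"] = m.group("seq")
        elif (m := METHOD_RE.search(msg)):
            current = {"id": m.group("id"), "errors": []}
            s["methods"].append(current)
        elif (m := DELAY_RE.search(msg)):
            s["delay_seconds"] += int(m.group("secs"))
        elif (m := RESULT_RE.search(msg)):
            s["ldap_result"] = int(m.group("code"))
        if (m := (ERROR_RE.search(msg) or LDAP_ERR_RE.search(msg))):
            code = int(m.group("code"))
            s["errors"].append((module, code, m.group("text").strip()))
            if module == "NMAS" and current is not None:
                current["errors"].append(code)
    return s


def bind_failed(summary):
    """True when the server sent a non-zero LDAP result code for the bind."""
    return summary["ldap_result"] not in (None, 0)


def report(summary):
    """Render the summary as text lines (returned, not printed, so it can be tested)."""
    out = [f"user DN     : {summary['user_dn']}", f"login seq   : {summary['sequence']}"]
    for meth in summary["methods"]:
        out.append(f"method {meth['id']}: " + (", ".join(str(c) for c in meth["errors"]) or "no error"))
    counts = Counter(code for _, code, _ in summary["errors"])
    out.append("error codes : " + ", ".join(f"{c} x{n}" for c, n in sorted(counts.items())))
    out.append(f"LDAP result : {summary['ldap_result']} "
               f"({'bind failed' if bind_failed(summary) else 'no failure reported'})")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_trace(SAMPLE_TRACE))))
```

Run against the posted excerpt, the summary shows both NMAS methods (0x00000007 and 0x00000022) ending in errors, a 3-second failed-login delay, and LDAP result 80 (`other` in RFC 4511 terms) carrying the -641 error, which is what an LDAP client on that connection receives. Feeding a trace of a bind that the WebApp reports as successful through the same script, and comparing the two summaries method by method, is the quickest way to see where the two paths diverge.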