SonicWALL Imported LDAP User Password Too Short

Question

(final) update: Dear friends, Dell support has transferred me to the dev team. They say its a bug. Too soon to tell if its fatal, but if I don's survive I want the bounty to go to .... ughhh

I'm attempting to add users on the SonicWALL from a Windows AD. I want the windows logon password to be the VPN password through the SonicWALL VPN functionality.

From Users > Local users > import from ldap > I pick the user and it creates it. However, I keep getting the below error:

Warning: Password is too short (new password has not been saved, please try again)

In the SonicWALL configurations the password policy options were set to 8 length, 1 upper, 1 lower, 1 number. I've since turned the password complexity requirements off within system > administration, set the password to a simple 8 character password with no special characters ("Qwerty12"), and I even recreated the user account but I still have the same issue.

The SonicWALL logs show the user account being created, but it doesn't show anything about the password at all when the issue arises that I see.

I'm not sure why it won't take a password as it should be perfectly valid complexity and special character wise, and typed in correctly too.

Other Detail

SonicWALL support spent an hour recreating my issue and they've been "researching" further for 2 days now supposedly.
My firmware has been updated to the latest.
- SonicOS Enhanced 5.9.1.6-5o
I am not using a RADIUS server.
I'm seeing the below warning message as well when I click some screens.

Note that LDAP authentication is selected with Active Directory, and it does not support CHAP authentication via LDAP. If L2TP users are to use CHAP then you should configure RADIUS so that it can be used for this, if you have not already done so.
My remote end-users are NOT using CHAP. I'm not sure if this in anyway applies to the SonicWALL <--> Active Directory LDAP communication.
The VPN connection works if I manually change the password.
See print screen below labeled as L2TP Server Configuration for what's set there but behind that windows it shows that I'm connected with MS-CHAP V2.
I also changed the schema to use full bind distinguished name so it's <Username>@<domain.com> and the LDAP test was successful still after re-importing the account but I still have the same issue otherwise.
Below is a print screen of the LDAP Test Results which is successful. My admin account can be read from LDAP as can the user tester2 both successfully.

LDAP Test Results

L2TP Server Configuration

sorry that was a typo on my question, there is a capitol. I made that user and password specifically to test...Why am I getting a too short message? — wlraider70, Jul 01 '16 at 19:54
Perhaps somewhere hidden in the system another stricter policy has been configured? Check group policy. — Paul Stelian, Jul 08 '16 at 12:48

score 2 · Accepted Answer · answered Jul 08 '16 at 23:52

I'm attempting to add users on the sonicwall from my windows AD. I want the windows logon password to be the VPN password.

Users>Local users> import from ldap > I pick the user and they are created.

I think you want to Select LDAP + Local Users and not just Local Users if you want to Integrate LDAP/Active Directory with Sonicwall UTM Appliance. I'd also follow the other steps in these instructions to ensure you are configuring it correctly for your need.

Integrating LDAP/Active Directory with Sonicwall UTM Appliance (With video tutorial)

Video Tutorial: Click here for the video tutorial of this topic.

Procedure:

Go to Users > Settings page

In the Authentication method for login drop-down list, select **LDAP

Local Users** and Click Configure

On the Settings tab of the LDAP Configuration window, configure the following fields

On the Directory tab, configure the following fields: Primary domain: The user domain used by your LDAP implementation

User tree for login to server: The location of where the tree is that the user specified in the settings tab

Click on Auto-configure

Select Append to Existing trees and Click OK

This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.

On the Schema tab, configure the following fields: LDAP Schema: Microsoft Active Directory

On the LDAP Users tab, configure the following fields:

Default LDAP User Group : Trusted Group

How to Test:

On the LDAP Test tab, Test a Username and Password in Active directory to make sure that the communication is successful.

_source

You also say . . .

I'm getting this "warning" when I click some screens. "Note that LDAP authentication is selected with Active Directory, and it does not support CHAP authentication via LDAP. If L2TP users are to use CHAP then you should configure RADIUS so that it can be used for this, if you have not already done so." It seems you may want to follow this path of navigation in the SonicWALL configuration to integrate LDAP/Active Directory with SonicWALL

My end remote users are NOT using chap. Does this in anyway apply to sonicwall <--> Active Directory communication?

According to SonicOS: Enabling RADIUS to LDAP Relay for L2TP Authentication on SonicOS Enhanced depending on your configuration you may need to either configure the the central SonicWALL to operate as a RADIUS server or else look into configuring a RADIUS Server and then configuring the SonicWALL and other applicable settings (e.g. LDAP Relay).

LDAP does not usually support CHAP/MSCHAP authentication (Microsoft Active Directory and Novell eDirectory do not). The SonicWALL will automatically divert CHAP/MSCHAP authentications to RADIUS if LDAP does not support it and RADIUS is configured, so configure RADIUS if that is the case and L2TP server or VPN client connections are to use CHAP/MSCHAP.

The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server

_source

Additional Resources

SonicWALL - Configuring RADIUS Authentication

My setting all look just like this. I went through again to confirm. Same error. — wlraider70, Jul 09 '16 at 01:00
No radius server. NSA 250 M. SonicOS Enhanced 5.9.1.6-5o . Yes LDAP + local User. Schema is read from server. Looks like that to me, but I haven't check every single line. Logs show the creation of user. says nothing about the password. The error only appears in the footer of the page, its actually easy to miss. — wlraider70, Jul 09 '16 at 01:57
I don't think that user is in any groups. When I use my account it spits out all sorts of group info. This that screen shot slove the radius chap question. — wlraider70, Jul 09 '16 at 02:09
Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/42233/discussion-between-wlraider70-and-pimp-juice-it). — wlraider70, Jul 09 '16 at 02:10
No update. Waiting on sonic wall support. Tried everything I could find. — wlraider70, Jul 12 '16 at 23:11
After almost 1 week of nothing from Sonicwall I get this: "I apologize for the inconvenience sir , i am still researching about this issue with my resources. If we could not find anything about this issue, we'll report this issue to the backend engineering team and get a solution for this issue." — wlraider70, Jul 13 '16 at 13:51
@wlraider70 Have they done a remote session with you yet to ensure they don't see anything obvious in the configuration setup? if there is something simple being overlooked, you'd think the people that work with that product everyday would notice something. Do you know what the support agreement says in terms of the support you're supposed to be provided? — Vomit IT - Chunky Mess Style, Jul 13 '16 at 19:57
I have a 2nd remote session tomorrow. The first time, they clicked around a bunch and had me repeat the error 10 times. — wlraider70, Jul 13 '16 at 20:00
@wlraider70 I guess I could've mentioned that it could potentially be a bug with SonicWALL and its software too. I tried to help as much as I could and I even added detail from our comments you answered to your post\question to try to get others to make suggestions for potential solutions. — Vomit IT - Chunky Mess Style, Jul 14 '16 at 18:53

score 0 · Answer 2 · answered Aug 22 '19 at 12:51

0

under System > Administration uncheck the box under "Apply the above password constraints for: other local users

answered Aug 22 '19 at 12:51

user1079312

1